Overview
=============================================================================
NFTBan v1.73 - Installer Post-Install Assertions
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-validate-assertions"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Post-install kernel + service + state assertions"
meta:inventory.files="internal/installer/validate/assertions.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

=============================================================================
NFTBan v1.73 - Installer Authority File Write
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-validate-authority"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Write /var/lib/nftban/state/authority and .firewall_authority"
meta:inventory.files="internal/installer/validate/authority.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================
Index
- func AllPassed(results []AssertionResult) bool
- func FailedNames(results []AssertionResult) []string
- func RunPermissionsEnforce(exec executor.Executor, log *logging.Logger)
- func SetImmutableFlags(exec executor.Executor, log *logging.Logger)
- func WriteAuthorityFiles(exec executor.Executor, decision authority.Decision, log *logging.Logger)
- type AssertionResult
- type RevalidateResult
Constants
This section is empty.
Variables
This section is empty.
Functions
func AllPassed
func AllPassed(results []AssertionResult) bool
AllPassed returns true if all assertions passed.
func FailedNames
func FailedNames(results []AssertionResult) []string
FailedNames returns the names of all failed assertions.
func RunPermissionsEnforce added in v1.76.0
func RunPermissionsEnforce(exec executor.Executor, log *logging.Logger)
RunPermissionsEnforce runs `nftban permissions enforce`, which applies the full FHS ownership and mode fix (G10 parity).
func SetImmutableFlags added in v1.76.0
func SetImmutableFlags(exec executor.Executor, log *logging.Logger)
SetImmutableFlags sets chattr +i on security-critical files (G8 parity). The shell postinst set the immutable flag on nftban.conf and nft_schema.sh to prevent accidental or malicious modification. The flag only stops processes that lack CAP_LINUX_IMMUTABLE: root can clear it with chattr -i, so it guards against mistakes and unprivileged tampering, not against a root-level compromise, and any legitimate later edit (including an upgrade) has to clear it first.
func WriteAuthorityFiles
func WriteAuthorityFiles(exec executor.Executor, decision authority.Decision, log *logging.Logger)
WriteAuthorityFiles records the authority decision to state files. It writes two locations for compatibility:
- /var/lib/nftban/state/authority (primary, read by the Go daemon)
- /etc/nftban/.firewall_authority (legacy, read by the CLI scripts)
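The following is an added example of how the two-location write can be done safely; it is not the project's own WriteAuthorityFiles. It assumes the decision can be serialised as a single line of text (the page does not show authority.Decision), takes the target paths as parameters so it can run unprivileged, and writes each file atomically (temp file in the same directory, fsync, rename) so that the daemon or a CLI script reading the file during an install never sees a truncated value. The 0644 mode is an assumption; the decision is treated as non-secret.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Default locations from the page. Variables rather than constants so a
// dry run without root can point them at a scratch directory.
var (
	PrimaryAuthorityPath = "/var/lib/nftban/state/authority"
	LegacyAuthorityPath  = "/etc/nftban/.firewall_authority"
)

// writeFileAtomic writes data to path through a temp file in the same
// directory and a rename, so readers see either the old or the new content.
func writeFileAtomic(path string, data []byte, mode os.FileMode) error {
	dir := filepath.Dir(path)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	tmp, err := os.CreateTemp(dir, "."+filepath.Base(path)+".tmp-*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer os.Remove(tmpName) // no-op once the rename has succeeded
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	// Explicit chmod on the handle so the umask does not decide the mode.
	if err := tmp.Chmod(mode); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Sync(); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmpName, path)
}

// WriteAuthorityFiles records decision (assumed to be one line of text) at
// every path given, primary first. An error on a later path is still reported
// so the caller can log that the locations have diverged.
func WriteAuthorityFiles(decision string, paths ...string) error {
	data := []byte(decision + "\n")
	for _, p := range paths {
		if err := writeFileAtomic(p, data, 0o644); err != nil {
			return fmt.Errorf("write authority file %s: %w", p, err)
		}
	}
	return nil
}

// ReadAuthority returns the recorded decision without the trailing newline.
func ReadAuthority(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(b)), nil
}

func main() {
	// Demo against a scratch directory; the installer would pass
	// PrimaryAuthorityPath and LegacyAuthorityPath as root.
	dir, err := os.MkdirTemp("", "nftban-authority-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	primary := filepath.Join(dir, "state", "authority")
	legacy := filepath.Join(dir, "etc", ".firewall_authority")
	// "nftban" is a placeholder decision value; the real values are not on the page.
	if err := WriteAuthorityFiles("nftban", primary, legacy); err != nil {
		panic(err)
	}
	d, _ := ReadAuthority(primary)
	fmt.Println("recorded authority:", d)
}
```

Because both files are written with the same bytes from one call, a mismatch between the primary and legacy file after install is itself a useful signal: it means one write failed or something else rewrote one of them afterwards.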
Types
type AssertionResult
AssertionResult holds the outcome of a single assertion.
func RunAssertions
RunAssertions performs all post-install assertions and returns the results. None of these are individually fatal — the caller decides based on the aggregate.
type RevalidateResult added in v1.98.0
type RevalidateResult struct {
// Validate1Passed is true if initial assertions all passed.
Validate1Passed bool
// FixAttempted is true if bounded safe fix was run (only when V1 fails).
FixAttempted bool
// FixExitCode is the exit code of the permissions enforce command.
FixExitCode int
// Validate2Passed is true if re-validation passed after fix.
// Only meaningful when FixAttempted is true.
Validate2Passed bool
// FinalPassed is the authoritative result: V1 if no fix needed, V2 if fix ran.
FinalPassed bool
// FailedNames contains assertion names that failed in the final validation.
FailedNames []string
}
RevalidateResult captures the outcome of the VALIDATE_1 → FIX → VALIDATE_2 flow.
func RunWithBoundedFix added in v1.98.0
RunWithBoundedFix implements the VALIDATE_1 → FIX → VALIDATE_2 state machine.
Flow:
- Run assertions (VALIDATE_1)
- If all pass → return success immediately
- If some fail → run bounded safe fix (permissions enforce only, INV-I-011)
- Re-run assertions (VALIDATE_2, INV-I-013)
- Return VALIDATE_2 result as authoritative
The fix runs at most ONCE (INV-I-012). It calls ONLY 'nftban permissions enforce', which is bounded to chmod/chown on FHS-managed paths. It does NOT call 'health fix all'. Because VALIDATE_2 is authoritative, an assertion that ownership and mode cannot repair (a missing binary, a kernel module that did not load) still fails after the fix, and the fix's exit code is recorded in FixExitCode for diagnostics rather than used to decide the outcome.
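The state machine above, written out as an added example (not the project's own RunWithBoundedFix). The assertion runner and the fix are injected as functions so the flow can be exercised without root or the real CLI; the AssertionResult fields (Name, Passed), the fakeHost stand-in and its two assertions are constructed for this example and are not on the page. The host deliberately has one defect that chmod/chown can repair and one that it cannot, which is the case the bounded-fix rule exists for.

```go
package main

import (
	"fmt"
	"sort"
)

// AssertionResult holds the outcome of a single assertion. The page does not
// show its fields; Name and Passed are an assumption for this example.
type AssertionResult struct {
	Name   string
	Passed bool
}

// RevalidateResult mirrors the struct documented on the page.
type RevalidateResult struct {
	Validate1Passed bool
	FixAttempted    bool
	FixExitCode     int
	Validate2Passed bool
	FinalPassed     bool
	FailedNames     []string
}

// AllPassed returns true if every assertion passed.
func AllPassed(results []AssertionResult) bool {
	for _, r := range results {
		if !r.Passed {
			return false
		}
	}
	return true
}

// FailedNames returns the names of the failed assertions, sorted so that
// log lines are stable across runs.
func FailedNames(results []AssertionResult) []string {
	var names []string
	for _, r := range results {
		if !r.Passed {
			names = append(names, r.Name)
		}
	}
	sort.Strings(names)
	return names
}

// RunWithBoundedFix runs VALIDATE_1 -> FIX -> VALIDATE_2. In the installer the
// two callbacks would wrap RunAssertions and `nftban permissions enforce`;
// runFix returns the command's exit code.
func RunWithBoundedFix(runAssertions func() []AssertionResult, runFix func() int) RevalidateResult {
	var res RevalidateResult

	// VALIDATE_1: if everything passes there is no FIX and no VALIDATE_2.
	v1 := runAssertions()
	res.Validate1Passed = AllPassed(v1)
	if res.Validate1Passed {
		res.FinalPassed = true
		return res
	}

	// FIX: exactly one bounded attempt (INV-I-011, INV-I-012). The exit code
	// is kept for diagnostics; it does not decide the outcome.
	res.FixAttempted = true
	res.FixExitCode = runFix()

	// VALIDATE_2 is authoritative (INV-I-013): the state on disk decides,
	// not whether the fix command reported success.
	v2 := runAssertions()
	res.Validate2Passed = AllPassed(v2)
	res.FinalPassed = res.Validate2Passed
	res.FailedNames = FailedNames(v2)
	return res
}

// fakeHost is a constructed stand-in for the installed system: one defect
// that chmod/chown can repair and one (a missing nft binary) that it cannot.
type fakeHost struct {
	confMode     uint32
	nftAvailable bool
	fixCalls     int
}

func (h *fakeHost) assertions() []AssertionResult {
	return []AssertionResult{
		{Name: "nftban.conf mode 0600", Passed: h.confMode == 0o600},
		{Name: "nft binary present", Passed: h.nftAvailable},
	}
}

// permissionsEnforce models `nftban permissions enforce`: it changes only
// ownership and mode, so it can never make the nft binary appear.
func (h *fakeHost) permissionsEnforce() int {
	h.fixCalls++
	h.confMode = 0o600
	return 0
}

func main() {
	h := &fakeHost{confMode: 0o644, nftAvailable: false}
	res := RunWithBoundedFix(h.assertions, h.permissionsEnforce)
	fmt.Printf("fix attempted=%v (calls=%d) final=%v failed=%v\n",
		res.FixAttempted, h.fixCalls, res.FinalPassed, res.FailedNames)
}
```

The at-most-once guarantee falls out of the control flow rather than a counter: there is no loop, so a fix that leaves an assertion failing cannot trigger a second attempt, and the caller gets the residual FailedNames to report instead.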