From 5555dc0c243d05640dccea1558d69af556b89dd7 Mon Sep 17 00:00:00 2001 From: "Harper, Jason M" Date: Tue, 6 Jan 2026 12:42:49 -0800 Subject: [PATCH 1/3] Implement privilege checks and skip targets with no collectable data Signed-off-by: Harper, Jason M --- internal/workflow/collection.go | 29 +++++++++++++++++++++++------ internal/workflow/workflow.go | 11 +++++++++++ 2 files changed, 34 insertions(+), 6 deletions(-) diff --git a/internal/workflow/collection.go b/internal/workflow/collection.go index 82983d65..5cb19aed 100644 --- a/internal/workflow/collection.go +++ b/internal/workflow/collection.go @@ -110,6 +110,9 @@ func outputsFromTargets(cmd *cobra.Command, myTargets []target.Target, tables [] // isTableForTarget checks if the given table is applicable for the specified target func isTableForTarget(tbl table.TableDefinition, t target.Target, localTempDir string) bool { + if tableNeedsElevatedPrivileges(tbl) && !t.CanElevatePrivileges() { + return false + } if len(tbl.Architectures) > 0 { architecture, err := t.GetArchitecture() if err != nil { 
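Review bot: The new guard at the top of isTableForTarget drops a table without leaving any record of why, so a report collected from a target that cannot elevate simply has fewer tables than one from a privileged target. A debug-level log entry naming the table and the target, written through whatever logger this package already uses, would let an operator tell a privilege skip from an architecture mismatch. At minimum the guard deserves a why-comment such as `// tables that need superuser are not applicable on targets where privileges cannot be elevated`. The rest of isTableForTarget lies outside the hunk, so whether the later filters record their decisions cannot be checked from here.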
@@ -147,17 +150,31 @@ func isTableForTarget(tbl table.TableDefinition, t target.Target, localTempDir s // elevatedPrivilegesRequired returns true if any of the scripts needed for the tables require elevated privileges func elevatedPrivilegesRequired(tables []table.TableDefinition) bool { - for _, tbl := range tables { - for _, scriptName := range tbl.ScriptNames { - script := script.GetScriptByName(scriptName) - if script.Superuser { - return true - } + return slices.ContainsFunc(tables, tableNeedsElevatedPrivileges) +} + +// tableNeedsElevatedPrivileges checks if any of the scripts in the table require elevated privileges +func tableNeedsElevatedPrivileges(tbl table.TableDefinition) bool { + for _, scriptName := range tbl.ScriptNames { + script := script.GetScriptByName(scriptName) + if script.Superuser { + return true } } return false } +// numTablesForTarget returns the number of tables applicable for the specified target +func numTablesForTarget(tables []table.TableDefinition, t target.Target, localTempDir string) int { + count := 0 + for _, tbl := range tables { + if isTableForTarget(tbl, t, localTempDir) { + count++ + } + } + return count +} + // collectOnTarget runs the scripts on the target and sends the results to the appropriate channels func collectOnTarget(myTarget target.Target, scriptsToRun []script.ScriptDefinition, localTempDir string, duration string, ctrlCToStop bool, channelTargetScriptOutputs chan TargetScriptOutputs, channelError chan error, statusUpdate progress.MultiSpinnerUpdateFunc) { // run the scripts on the target diff --git a/internal/workflow/workflow.go b/internal/workflow/workflow.go index eef4f5ed..56926701 100644 --- a/internal/workflow/workflow.go +++ b/internal/workflow/workflow.go 
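Review bot: In tableNeedsElevatedPrivileges the local `script := script.GetScriptByName(scriptName)` shadows the imported `script` package for the rest of the loop body, so any later reference to the package inside the loop would resolve to the variable instead. The lookup can be folded into the condition, `if script.GetScriptByName(scriptName).Superuser {`, or the local can be given a different name. Separately, the only caller of numTablesForTarget in this patch compares the result with zero, so every table is evaluated through isTableForTarget even though the first applicable one already answers the question.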
@@ -133,6 +133,17 @@ func (rc *ReportingCommand) Run() error { for i := len(indicesToRemove) - 1; i >= 0; i-- { myTargets = slices.Delete(myTargets, indicesToRemove[i], indicesToRemove[i]+1) } + // remove targets if no tables to collect + indicesToRemove = []int{} + for i, target := range myTargets { + if numTablesForTarget(rc.Tables, target, localTempDir) == 0 { + _ = multiSpinner.Status(target.GetName(), "No collectable data on this target, skipping") + indicesToRemove = append(indicesToRemove, i) + } + } + for i := len(indicesToRemove) - 1; i >= 0; i-- { + myTargets = slices.Delete(myTargets, indicesToRemove[i], indicesToRemove[i]+1) + } // set up signal handler to help with cleaning up child processes on ctrl-c/SIGINT or SIGTERM configureSignalHandler(myTargets, multiSpinner.Status) // collect data from targets From 8a63911af771167dce282600c1e491087e902470 Mon Sep 17 00:00:00 2001 From: "Harper, Jason M" Date: Tue, 6 Jan 2026 13:57:03 -0800 Subject: [PATCH 2/3] rule out table only if all scripts require superuser Signed-off-by: Harper, Jason M --- internal/workflow/collection.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/internal/workflow/collection.go b/internal/workflow/collection.go index 5cb19aed..b5f0b381 100644 --- a/internal/workflow/collection.go +++ b/internal/workflow/collection.go @@ -110,7 +110,7 @@ func outputsFromTargets(cmd *cobra.Command, myTargets []target.Target, tables [] // isTableForTarget checks if the given table is applicable for the specified target func isTableForTarget(tbl table.TableDefinition, t target.Target, localTempDir string) bool { - if tableNeedsElevatedPrivileges(tbl) && !t.CanElevatePrivileges() { + if tableRequiresElevatedPrivileges(tbl) && !t.CanElevatePrivileges() { return false } if len(tbl.Architectures) > 0 { 
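Review bot: Nothing after the new filter in Run (first hunk on this line) checks whether myTargets is now empty, so when every target lacks collectable data the function still proceeds to configureSignalHandler and the collection step with zero targets. If the earlier removal block, which starts outside this hunk, has an emptiness check, it runs before this filter and does not cover it. A guard opening with `if len(myTargets) == 0 {` after the second delete loop, returning early in the same way as Run's other exits, would make that outcome explicit. The loop variable `target` also appears to shadow the `target` package, assuming workflow.go imports it as collection.go does.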
@@ -150,18 +150,18 @@ func isTableForTarget(tbl table.TableDefinition, t target.Target, localTempDir s // elevatedPrivilegesRequired returns true if any of the scripts needed for the tables require elevated privileges func elevatedPrivilegesRequired(tables []table.TableDefinition) bool { - return slices.ContainsFunc(tables, tableNeedsElevatedPrivileges) + return slices.ContainsFunc(tables, tableRequiresElevatedPrivileges) } -// tableNeedsElevatedPrivileges checks if any of the scripts in the table require elevated privileges -func tableNeedsElevatedPrivileges(tbl table.TableDefinition) bool { +// tableRequiresElevatedPrivileges checks if all scripts in the table require elevated privileges +func tableRequiresElevatedPrivileges(tbl table.TableDefinition) bool { for _, scriptName := range tbl.ScriptNames { script := script.GetScriptByName(scriptName) - if script.Superuser { - return true + if !script.Superuser { + return false } } - return false + return true } // numTablesForTarget returns the number of tables applicable for the specified target From cd5b6411b15e114b982029de4e867cf2398c503f Mon Sep 17 00:00:00 2001 From: "Harper, Jason M" Date: Tue, 6 Jan 2026 14:20:40 -0800 Subject: [PATCH 3/3] fix: restore correct logic in elevatedPrivilegesRequired The refactored function was using tableRequiresElevatedPrivileges which checks if ALL scripts require superuser. This changed the semantics from "any script needs elevation" to "any table has all scripts needing elevation". - Restored the original logic in elevatedPrivilegesRequired to check if ANY script requires superuser - Renamed tableRequiresElevatedPrivileges to allTableScriptsRequireSuperuser for clarity about its behavior --- internal/workflow/collection.go | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/internal/workflow/collection.go b/internal/workflow/collection.go index b5f0b381..245a5925 100644 --- a/internal/workflow/collection.go +++ b/internal/workflow/collection.go 
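Review bot: tableRequiresElevatedPrivileges returns true for a table whose ScriptNames is empty, because the loop never runs and the function falls through to `return true`; isTableForTarget would then rule such a table out on every target that cannot elevate. If a table definition without scripts is possible, start the function with `if len(tbl.ScriptNames) == 0 { return false }`. The same body is kept under the name allTableScriptsRequireSuperuser in patch 3/3, so the guard is needed there as well.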
@@ -110,7 +110,7 @@ func outputsFromTargets(cmd *cobra.Command, myTargets []target.Target, tables [] // isTableForTarget checks if the given table is applicable for the specified target func isTableForTarget(tbl table.TableDefinition, t target.Target, localTempDir string) bool { - if tableRequiresElevatedPrivileges(tbl) && !t.CanElevatePrivileges() { + if allTableScriptsRequireSuperuser(tbl) && !t.CanElevatePrivileges() { return false } if len(tbl.Architectures) > 0 { @@ -150,11 +150,19 @@ func isTableForTarget(tbl table.TableDefinition, t target.Target, localTempDir s // elevatedPrivilegesRequired returns true if any of the scripts needed for the tables require elevated privileges func elevatedPrivilegesRequired(tables []table.TableDefinition) bool { - return slices.ContainsFunc(tables, tableRequiresElevatedPrivileges) + for _, tbl := range tables { + for _, scriptName := range tbl.ScriptNames { + script := script.GetScriptByName(scriptName) + if script.Superuser { + return true + } + } + } + return false } -// tableRequiresElevatedPrivileges checks if all scripts in the table require elevated privileges -func tableRequiresElevatedPrivileges(tbl table.TableDefinition) bool { +// allTableScriptsRequireSuperuser checks if all scripts in the table require superuser privileges +func allTableScriptsRequireSuperuser(tbl table.TableDefinition) bool { for _, scriptName := range tbl.ScriptNames { script := script.GetScriptByName(scriptName) if !script.Superuser {
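Review bot: With the all-scripts rule that the second hunk names allTableScriptsRequireSuperuser, a table mixing privileged and unprivileged scripts stays applicable on a target where CanElevatePrivileges is false, and nothing in this series shows what happens to that table's `Superuser` scripts there. The code that builds scriptsToRun for collectOnTarget is outside these hunks; it should leave out superuser scripts for targets that cannot elevate, or treat their failure as expected, so that a partial table is produced rather than an error. The doc comment could record the intent, e.g. `// allTableScriptsRequireSuperuser reports whether every script of the table needs superuser; a table with at least one unprivileged script stays applicable on targets that cannot elevate`.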