Check for file perms as provided in the conf module (#784)

* Check for file perms as provided in the conf module * Fix whitespace * Check for file permissions * Use only Lstat for error handling and continue if file does not exist * Update comments to make sure that the todo is more understandable * conflicts resolved
2026-02-03 11:00:32 +00:00 · 2018-10-26 15:53:05 -04:00
parent 3a190df2db
commit b600753926
2 changed files with 88 additions and 4 deletions
@@ -2,9 +2,11 @@ package config

 import (
 	"fmt"
+	"os"
 	"path/filepath"

 	"github.com/BurntSushi/toml"
+	"github.com/gomods/athens/pkg/errors"
 	"github.com/kelseyhightower/envconfig"
 	validator "gopkg.in/go-playground/validator.v9"
 )
@@ -35,6 +37,11 @@ func ParseConfigFile(configFile string) (*Config, error) {
 		return nil, err
 	}

+	// Check file perms from config
+	if err := checkFilePerms(config.FilterFile); err != nil {
+		return nil, err
+	}
+
 	// override values with environment variables if specified
 	if err := envOverride(&config); err != nil {
 		return nil, err
@@ -64,10 +71,7 @@ func setRuntimeDefaults(config *Config) {

 // envOverride uses Environment variables to override unspecified properties
 func envOverride(config *Config) error {
-	if err := envconfig.Process("athens", config); err != nil {
-		return err
-	}
-	return nil
+	return envconfig.Process("athens", config)
 }

 func validateConfig(c Config) error {
@@ -92,3 +96,28 @@ func GetConf(path string) (*Config, error) {
 	}
 	return conf, nil
 }
+
+// checkFilePerms given a list of files
+func checkFilePerms(files ...string) error {
+	const op = "config.checkFilePerms"
+
+	for _, f := range files {
+		if f == "" {
+			continue
+		}
+
+		// TODO: Do not ignore errors when a file is not found
+		// There is a subtle bug in the filter module which ignores the filter file if it does not find it.
+		// This check can be removed once that has been fixed
+		fInfo, err := os.Lstat(f)
+		if err != nil {
+			continue
+		}
+
+		if fInfo.Mode() != 0600 {
+			return errors.E(op, f+" should have 0600 as permission")
+		}
+	}
+
+	return nil
+}
@@ -1,6 +1,7 @@
 package config

 import (
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -357,3 +358,57 @@ func restoreEnv(envVars map[string]string) {
 		}
 	}
 }
+
+func Test_checkFilePerms(t *testing.T) {
+	f1, err := ioutil.TempFile(os.TempDir(), "prefix-")
+	if err != nil {
+		t.FailNow()
+	}
+	defer os.Remove(f1.Name())
+	err = os.Chmod(f1.Name(), 0777)
+
+	f2, err := ioutil.TempFile(os.TempDir(), "prefix-")
+	if err != nil {
+		t.FailNow()
+	}
+	defer os.Remove(f2.Name())
+	err = os.Chmod(f2.Name(), 0600)
+
+	type args struct {
+		files []string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			"should not have an error on empty file name",
+			args{
+				[]string{"", f2.Name()},
+			},
+			false,
+		},
+		{
+			"should have an error if all the files have incorrect permissions",
+			args{
+				[]string{f1.Name(), f1.Name(), f1.Name()},
+			},
+			true,
+		},
+		{
+			"should have an error when at least 1 file has wrong permissions",
+			args{
+				[]string{f2.Name(), f1.Name()},
+			},
+			true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := checkFilePerms(tt.args.files...); (err != nil) != tt.wantErr {
+				t.Errorf("checkFilePerms() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}