fix: deployment file modes (#5)

Docker & other things want access to the generated secret directories, yet you can't just bind-mount them elsewhere as deployer user might be different from app user, resulting in "Permission denied" errors. Grant other users permission to read secret files and access secret directories without giving access to the outer directories. * Set correct permissions for all files and dirs * Fixes after review
UniqueNetwork · Oct 24, 2024 · 5b829f9 · 5b829f9
1 parent d2d0a9b
commit 5b829f9
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 8 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "baedeker"
-version = "0.1.4"
+version = "0.1.5"
 edition = "2021"
 description = "Substrate network orchestration framework"
 license = "MIT"

diff --git a/src/fs_utils.rs b/src/fs_utils.rs
@@ -0,0 +1,14 @@
+use std::{fs::DirBuilder, io, os::unix::fs::DirBuilderExt, path::Path};
+
+/// Recursively create a directory and all of its parent components if they
+/// are missing with given permissions.
+///
+/// # Errors
+///
+/// The same as from [`std::fs::create_dir_all`]
+pub fn create_dir_mode<P: AsRef<Path>>(path: P, mode: u32) -> io::Result<()> {
+	DirBuilder::new()
+		.recursive(true)
+		.mode(mode)
+		.create(path.as_ref())
+}
diff --git a/src/keystore.rs b/src/keystore.rs
@@ -1,6 +1,8 @@
 use std::{
-	env, fs,
+	env,
+	fs::{self, Permissions, create_dir_all},
 	io::{self, ErrorKind, Write},
+	os::unix::fs::PermissionsExt,
 	path::PathBuf,
 	result,
 	str::FromStr,
@@ -12,6 +14,8 @@ use sp_core::crypto::{SecretStringError, Ss58AddressFormat};
 use tempfile::{NamedTempFile, PersistError};
 use tracing::info;
 
+use crate::fs_utils::create_dir_mode;
+
 #[derive(thiserror::Error, Debug)]
 pub enum Error {
 	#[error("io: {0}")]
@@ -109,17 +113,21 @@ impl FileNodeKeys {
 	}
 	fn keystore_dir(&self, node: &str) -> Result<Option<PathBuf>> {
 		let mut path = self.root.to_path_buf();
-		path.push(format!("keystore-{node}"));
+		path.push(format!("keystore/{node}"));
 		if !path.is_dir() {
 			return Ok(None);
 		}
 		Ok(Some(path))
 	}
+
 	fn keystore_dir_create(&self, node: &str) -> Result<PathBuf> {
-		let mut path = self.root.to_path_buf();
-		path.push(format!("keystore-{node}"));
-		fs::create_dir_all(&path)?;
-		Ok(path)
+		let keystore_path = self.root.join("keystore");
+		create_dir_all(&keystore_path)?;
+
+		let keystore_node_path = keystore_path.join(node);
+		create_dir_mode(&keystore_node_path, 0o744)?;
+
+		Ok(keystore_node_path)
 	}
 	fn wallet_dir(&self) -> Result<Option<PathBuf>> {
 		let mut path = self.root.to_path_buf();
@@ -144,6 +152,8 @@ impl SecretStorage for FileNodeKeys {
 
 		let mut temp = NamedTempFile::new_in(&self.root)?;
 		temp.write_all(keypair.secret().as_ref())?;
+		temp.as_file_mut()
+			.set_permissions(Permissions::from_mode(0o600))?;
 		temp.persist(path)?;
 
 		Ok(())
@@ -193,6 +203,8 @@ impl SecretStorage for FileNodeKeys {
 		{
 			let mut file = NamedTempFile::new_in(&dir)?;
 			file.write_all(serde_json::to_string(&suri).unwrap().as_bytes())?;
+			file.as_file_mut()
+				.set_permissions(Permissions::from_mode(0o600))?;
 			file.persist(&secret)?;
 		}
 

diff --git a/src/main.rs b/src/main.rs
@@ -29,6 +29,7 @@ use crate::docker::EMPTY_IMAGE;
 
 // mod asset;
 mod docker;
+mod fs_utils;
 mod keystore;
 mod library;
 mod spec_builder;