From ece413462fd0de1c9ffef0ff6c2607e4b7edf885 Mon Sep 17 00:00:00 2001
From: Max Jonas Werner
Date: Fri, 3 Feb 2023 16:50:37 +0100
Subject: [PATCH] Apply default permission mode to all files/dirs in an artifact archive

Files: 0644
Directories: 0755
closes #1019
Signed-off-by: Max Jonas Werner
---
 controllers/ocirepository_controller_test.go | 1 +
 controllers/storage.go | 10 ++++++++
 controllers/storage_test.go | 25 +++++++++++++-------
 3 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/controllers/ocirepository_controller_test.go b/controllers/ocirepository_controller_test.go
index b4d9ce423..737b582c4 100644
--- a/controllers/ocirepository_controller_test.go
+++ b/controllers/ocirepository_controller_test.go
@@ -43,6 +43,7 @@ import (
 gcrv1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/google/go-containerregistry/pkg/v1/mutate"
 . "github.com/onsi/gomega"
+ "github.com/onsi/gomega/format"
 coptions "github.com/sigstore/cosign/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/cmd/cosign/cli/sign"
 "github.com/sigstore/cosign/pkg/cosign"
diff --git a/controllers/storage.go b/controllers/storage.go
index 57993a0a5..fd9e6240d 100644
--- a/controllers/storage.go
+++ b/controllers/storage.go
@@ -47,6 +47,12 @@ import (
 const GarbageCountLimit = 1000
+// defaultFileMode is the permission mode applied to all files inside of an artifact archive.
+const defaultFileMode int64 = 0o644
+
+// defaultDirMode is the permission mode applied to all directories inside of an artifact archive.
+const defaultDirMode int64 = 0o755
+
 // Storage manages artifacts
 type Storage struct {
 // BasePath is the local directory path where the source artifacts are stored.
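Review bot: The added import `"github.com/onsi/gomega/format"` is the only change this patch makes to ocirepository_controller_test.go (the diffstat shows a single insertion), and no visible hunk uses `format`. Go refuses to compile a file with an unused import, so this builds only if the file already references `format.` outside the hunk, in which case the test package presumably did not compile before this commit. Either way the line is unrelated to the permission-mode change named in the subject; it would be clearer as its own commit, or with a sentence in the description saying why it is here.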
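Review bot: `defaultFileMode = 0o644` and `defaultDirMode = 0o755` leave every archived entry readable by group and other wherever a consumer extracts the artifact with the header modes honoured, and the doc comments do not say why these values were chosen. Artifacts may carry configuration that should not be world-readable on a shared host, so either tighten the defaults to owner-only or record the reasoning in the comment, for example `// Fixed modes keep the archive independent of the permissions found in the source directory; 0o644 is world-readable by design.` if that is the intent. The two constants would also read better in one parenthesized `const ( … )` group.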
@@ -404,6 +410,10 @@ func (s *Storage) Archive(artifact *sourcev1.Artifact, dir string, filter Archiv
 header.ModTime = time.Time{}
 header.AccessTime = time.Time{}
 header.ChangeTime = time.Time{}
+ header.Mode = defaultFileMode
+ if fi.Mode().IsDir() {
+ header.Mode = defaultDirMode
+ }
 if err := tw.WriteHeader(header); err != nil {
 return err
diff --git a/controllers/storage_test.go b/controllers/storage_test.go
index e5a65a9b4..a84d0bac8 100644
--- a/controllers/storage_test.go
+++ b/controllers/storage_test.go
@@ -60,16 +60,16 @@ func TestStorageConstructor(t *testing.T) {
 // walks a tar.gz and looks for paths with the basename. It does not match
 // symlinks properly at this time because that's painful.
-func walkTar(tarFile string, match string, dir bool) (int64, bool, error) {
+func walkTar(tarFile string, match string, dir bool) (int64, int64, bool, error) {
 f, err := os.Open(tarFile)
 if err != nil {
- return 0, false, fmt.Errorf("could not open file: %w", err)
+ return 0, 0, false, fmt.Errorf("could not open file: %w", err)
 }
 defer f.Close()
 gzr, err := gzip.NewReader(f)
 if err != nil {
- return 0, false, fmt.Errorf("could not unzip file: %w", err)
+ return 0, 0, false, fmt.Errorf("could not unzip file: %w", err)
 }
 defer gzr.Close()
@@ -79,24 +79,24 @@ func walkTar(tarFile string, match string, dir bool) (int64, bool, error) {
 if err == io.EOF {
 break
 } else if err != nil {
- return 0, false, fmt.Errorf("corrupt tarball reading header: %w", err)
+ return 0, 0, false, fmt.Errorf("corrupt tarball reading header: %w", err)
 }
 switch header.Typeflag {
 case tar.TypeDir:
 if header.Name == match && dir {
- return 0, true, nil
+ return 0, header.Mode, true, nil
 }
 case tar.TypeReg:
 if header.Name == match {
- return header.Size, true, nil
+ return header.Size, header.Mode, true, nil
 }
 default:
 // skip
 }
 }
- return 0, false, nil
+ return 0, 0, false, nil
 }
 func TestStorage_Archive(t *testing.T) {
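Review bot: `header.Mode = defaultFileMode` is applied to every entry that is not a directory, so a file that is executable in `dir` is archived as 0644 and loses its execute bit for whoever extracts the artifact. If dropping it is deliberate, say so in a comment above the assignment; if not, normalise executables separately, e.g. `if fi.Mode().IsRegular() && fi.Mode().Perm()&0o100 != 0 { header.Mode = defaultDirMode }`, ideally through a third named constant rather than reusing the directory one. Archive's body begins and ends outside this hunk, so whether non-regular entries such as symlinks reach this line cannot be seen here.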
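Review bot: walkTar now returns `(int64, int64, bool, error)`, two adjacent unnamed int64 results that a caller can swap without the compiler noticing, and the comment above the function still does not say what is returned. Name the results for documentation, `func walkTar(tarFile string, match string, dir bool) (size, mode int64, found bool, err error)`, or extend the comment with `// It returns the size and mode of the matching entry and whether it was found.` The return statements in the following hunk (@@ -79,24 +79,24 @@) fill in the same signature. Because only tar.TypeDir and tar.TypeReg are matched, the new mode assertions in TestStorage_Archive never see a symlink or any other entry type.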
@@ -134,7 +134,7 @@ func TestStorage_Archive(t *testing.T) {
 if !mustExist {
 name = name[1:]
 }
- s, exist, err := walkTar(storage.LocalPath(artifact), name, false)
+ s, m, exist, err := walkTar(storage.LocalPath(artifact), name, false)
 if err != nil {
 t.Fatalf("failed reading tarball: %v", err)
 }
@@ -148,13 +148,16 @@ func TestStorage_Archive(t *testing.T) {
 t.Errorf("tarball contained excluded file %q", name)
 }
 }
+ if exist && m != defaultFileMode {
+ t.Fatalf("%q mode %v != %v", name, m, defaultFileMode)
+ }
 }
 for _, name := range dirs {
 mustExist := !(name[0:1] == "!")
 if !mustExist {
 name = name[1:]
 }
- _, exist, err := walkTar(storage.LocalPath(artifact), name, true)
+ _, m, exist, err := walkTar(storage.LocalPath(artifact), name, true)
 if err != nil {
 t.Fatalf("failed reading tarball: %v", err)
 }
@@ -165,6 +168,10 @@ func TestStorage_Archive(t *testing.T) {
 t.Errorf("tarball contained excluded file %q", name)
 }
 }
+ if exist && m != defaultDirMode {
+ t.Fatalf("%q mode %v != %v", name, m, defaultDirMode)
+ }
+
 }
 }
 }
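Review bot: The new mode checks format the values with `%v`, so a failure prints decimals (420 for 0644) rather than the octal permissions the constants are written in, and they use `t.Fatalf` where the neighbouring existence checks use `t.Errorf`, so the first bad entry hides the rest. Suggest `t.Errorf("%q mode %#o != %#o", name, m, defaultFileMode)` in the file loop (hunk @@ -148,13 +148,16 @@) and the same with `defaultDirMode` in the directory loop (hunk @@ -165,6 +168,10 @@). None of the lines visible in these hunks sets up a file that was executable in the source directory, which is the case most likely to surprise consumers of this change. TestStorage_Archive starts and ends outside the hunks.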