@@ -180,14 +180,29 @@ func (ssm *fileBasedSecureStorageManager) withLock(action func(cacheFile *os.Fil
180
180
func (ssm * fileBasedSecureStorageManager ) withCacheFile (action func (* os.File )) {
181
181
cacheFile , err := os .OpenFile (ssm .credFilePath (), os .O_CREATE | os .O_RDWR , 0600 )
182
182
if err != nil {
183
- logger .Warn ("cannot access %v. %v" , ssm .credFilePath (), err )
183
+ logger .Warnf ("cannot access %v. %v" , ssm .credFilePath (), err )
184
184
return
185
185
}
186
186
defer func (file * os.File ) {
187
187
if err := file .Close (); err != nil {
188
188
logger .Warnf ("cannot release file descriptor for %v. %v" , ssm .credFilePath (), err )
189
189
}
190
190
}(cacheFile )
191
+
192
+ cacheDir , err := os .Open (ssm .credDirPath )
193
+ if err != nil {
194
+ logger .Warnf ("cannot access %v. %v" , ssm .credDirPath , err )
195
+ }
196
+
197
+ if err := ssm .ensurePermissionsAndOwner (cacheFile , 0600 ); err != nil {
198
+ logger .Warnf ("failed to ensure permission for temporary cache file. %v" , err )
199
+ return
200
+ }
201
+ if err := ssm .ensurePermissionsAndOwner (cacheDir , 0700 | os .ModeDir ); err != nil {
202
+ logger .Warnf ("failed to ensure permission for temporary cache dir. %v" , err )
203
+ return
204
+ }
205
+
191
206
action (cacheFile )
192
207
}
193
208
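Review bot: The error branch after `os.Open(ssm.credDirPath)` (new lines 193–195) only logs and falls through, so a nil `cacheDir` is handed to `ensurePermissionsAndOwner`, where `Stat` on a nil `*os.File` reports `ErrInvalid` and the warning that follows blames permissions rather than the failed open; the directory handle is also never closed on the success path. The directory is validated only after `os.OpenFile(..., os.O_CREATE, ...)` has already created the cache file, so a directory with the wrong mode or owner still receives a credential file before the check rejects it; opening and verifying the directory first, with a `return` and `defer cacheDir.Close()` in its error handling, closes both gaps. Since `ensurePermissionsAndOwner` stats the open descriptor rather than the path, reordering keeps the checks bound to the same handles that are used afterwards.
```go
func (ssm *fileBasedSecureStorageManager) withCacheFile(action func(*os.File)) {
	// Verify the directory before creating anything inside it.
	cacheDir, err := os.Open(ssm.credDirPath)
	if err != nil {
		logger.Warnf("cannot access %v. %v", ssm.credDirPath, err)
		return
	}
	defer cacheDir.Close()
	if err := ssm.ensurePermissionsAndOwner(cacheDir, 0700|os.ModeDir); err != nil {
		logger.Warnf("failed to ensure permission for temporary cache dir. %v", err)
		return
	}

	cacheFile, err := os.OpenFile(ssm.credFilePath(), os.O_CREATE|os.O_RDWR, 0600)
	// … unchanged: open-error handling and deferred Close of cacheFile …
	if err := ssm.ensurePermissionsAndOwner(cacheFile, 0600); err != nil {
		logger.Warnf("failed to ensure permission for temporary cache file. %v", err)
		return
	}
	action(cacheFile)
}
```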
@@ -298,68 +313,34 @@ func (ssm *fileBasedSecureStorageManager) credFilePath() string {
298
313
return filepath .Join (ssm .credDirPath , credCacheFileName )
299
314
}
300
315
301
- func (ssm * fileBasedSecureStorageManager ) ensurePermissions (cacheFile * os.File ) error {
302
- dirInfo , err := os .Stat (ssm .credDirPath )
303
- if err != nil {
304
- return err
305
- }
306
-
307
- if dirInfo .Mode ().Perm () != 0700 & os .ModePerm {
308
- return fmt .Errorf ("incorrect permissions(%o, expected 700) for %s" , dirInfo .Mode ().Perm (), ssm .credDirPath )
309
- }
310
-
311
- fileInfo , err := cacheFile .Stat ()
316
+ func (ssm * fileBasedSecureStorageManager ) ensurePermissionsAndOwner (f * os.File , expectedMode os.FileMode ) error {
317
+ fileInfo , err := f .Stat ()
312
318
if err != nil {
313
319
return err
314
320
}
315
321
316
- if fileInfo .Mode (). Perm () != 0600 & os . ModePerm {
317
- return fmt .Errorf ("incorrect permissions(%v, expected 600 ) for credential file" , fileInfo .Mode (). Perm () )
322
+ if fileInfo .Mode () != expectedMode {
323
+ return fmt .Errorf ("incorrect permissions(%v, expected %v ) for credential file" , fileInfo .Mode (), expectedMode )
318
324
}
319
325
320
- return nil
321
- }
322
-
323
- func (ssm * fileBasedSecureStorageManager ) ensureOwnerForDir (filePath string ) error {
324
- ownerUID , err := providePathOwner (filePath )
325
- if err != nil && ! errors .Is (err , os .ErrNotExist ) {
326
- return err
327
- }
328
- return ssm .ensureOwner (ownerUID )
329
- }
330
-
331
- func (ssm * fileBasedSecureStorageManager ) ensureOwnerForFile (file * os.File ) error {
332
- ownerUID , err := provideFileOwner (file )
326
+ ownerUID , err := provideFileOwner (f )
333
327
if err != nil && ! errors .Is (err , os .ErrNotExist ) {
334
328
return err
335
329
}
336
- return ssm .ensureOwner (ownerUID )
337
- }
338
-
339
- func (ssm * fileBasedSecureStorageManager ) ensureOwner (ownerID uint32 ) error {
340
330
currentUser , err := user .Current ()
341
331
if err != nil {
342
332
return err
343
333
}
344
334
if errors .Is (err , os .ErrNotExist ) {
345
335
return nil
346
336
}
347
- if strconv .Itoa (int (ownerID )) != currentUser .Uid {
337
+ if strconv .Itoa (int (ownerUID )) != currentUser .Uid {
348
338
return errors .New ("incorrect owner of " + ssm .credDirPath )
349
339
}
350
340
return nil
351
341
}
352
342
353
343
func (ssm * fileBasedSecureStorageManager ) readTemporaryCacheFile (cacheFile * os.File ) (map [string ]any , error ) {
354
- if err := ssm .ensurePermissions (cacheFile ); err != nil {
355
- return map [string ]any {}, fmt .Errorf ("failed to ensure permission for temporary cache file. %v" , err )
356
- }
357
- if err := ssm .ensureOwnerForDir (ssm .credDirPath ); err != nil {
358
- return map [string ]any {}, fmt .Errorf ("failed to ensure owner for %v. %v" , ssm .credDirPath , err )
359
- }
360
- if err := ssm .ensureOwnerForFile (cacheFile ); err != nil {
361
- return map [string ]any {}, fmt .Errorf ("failed to ensure owner for %v. %v" , ssm .credFilePath (), err )
362
- }
363
344
364
345
jsonData , err := io .ReadAll (cacheFile )
365
346
if err != nil {
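Review bot: The guard `if errors.Is(err, os.ErrNotExist) { return nil }` (new line 334) can never fire: it tests the error from `user.Current()`, which the `if err != nil { return err }` directly above has already proved nil, while the only call in this function that can yield `os.ErrNotExist` is `provideFileOwner(f)` (new line 326), whose error is tolerated and then overwritten. If the intent is to skip the owner comparison when the owner cannot be determined, the guard belongs immediately after the `provideFileOwner` call, ahead of the `err != nil` return; if the intent is to always compare, it should be deleted — as written a tolerated ErrNotExist proceeds into the comparison with whatever `ownerUID` came back. The two error messages also still say "credential file" and name `ssm.credDirPath` although `f` may now be either the directory or the file; using `f.Name()` in both, e.g. `return fmt.Errorf("incorrect owner of %v", f.Name())`, would identify the path that actually failed.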
@@ -407,10 +388,6 @@ func (ssm *fileBasedSecureStorageManager) deleteCredential(tokenSpec *secureToke
407
388
}
408
389
409
390
func (ssm * fileBasedSecureStorageManager ) writeTemporaryCacheFile (cache map [string ]any , cacheFile * os.File ) error {
410
- if err := ssm .ensureOwnerForDir (ssm .credDirPath ); err != nil {
411
- return err
412
- }
413
-
414
391
bytes , err := json .Marshal (cache )
415
392
if err != nil {
416
393
return fmt .Errorf ("failed to marshal credential cache map. %w" , err )