VAULT-12299 Use file.Stat when checking file permissions (#19311)

* use file.Stat for config files * cleanup and add path * include directory path * revert changes to LoadConfigDir * remove path, add additional test: * add changelog
2025-11-03 03:58:01 +00:00 · 2023-02-23 18:05:00 +01:00
parent 354af62b1d
commit 20b347e3cd
4 changed files with 127 additions and 4 deletions
--- a/helper/osutil/fileinfo_test.go
+++ b/helper/osutil/fileinfo_test.go
@@ -4,6 +4,7 @@ import (
 	"io/fs"
 	"os"
 	"os/user"
+	"path/filepath"
 	"runtime"
 	"strconv"
 	"testing"
@@ -82,3 +83,98 @@ func TestCheckPathInfo(t *testing.T) {
 		}
 	}
 }
+
+// TestOwnerPermissionsMatchFile creates a file and verifies that the current user of the process is the owner of the
+// file
+func TestOwnerPermissionsMatchFile(t *testing.T) {
+	currentUser, err := user.Current()
+	if err != nil {
+		t.Fatal("failed to get current user", err)
+	}
+	uid, err := strconv.ParseInt(currentUser.Uid, 0, 64)
+	if err != nil {
+		t.Fatal("failed to convert uid", err)
+	}
+	dir := t.TempDir()
+	path := filepath.Join(dir, "foo")
+	f, err := os.Create(path)
+	if err != nil {
+		t.Fatal("failed to create test file", err)
+	}
+	defer f.Close()
+
+	info, err := os.Stat(path)
+	if err != nil {
+		t.Fatal("failed to stat test file", err)
+	}
+
+	if err := OwnerPermissionsMatchFile(f, int(uid), int(info.Mode())); err != nil {
+		t.Fatalf("expected no error but got %v", err)
+	}
+}
+
+// TestOwnerPermissionsMatchFile_OtherUser creates a file using the user that started the current process and verifies
+// that a different user is not the owner of the file
+func TestOwnerPermissionsMatchFile_OtherUser(t *testing.T) {
+	currentUser, err := user.Current()
+	if err != nil {
+		t.Fatal("failed to get current user", err)
+	}
+	uid, err := strconv.ParseInt(currentUser.Uid, 0, 64)
+	if err != nil {
+		t.Fatal("failed to convert uid", err)
+	}
+	dir := t.TempDir()
+	path := filepath.Join(dir, "foo")
+	f, err := os.Create(path)
+	if err != nil {
+		t.Fatal("failed to create test file", err)
+	}
+	defer f.Close()
+
+	info, err := os.Stat(path)
+	if err != nil {
+		t.Fatal("failed to stat test file", err)
+	}
+
+	if err := OwnerPermissionsMatchFile(f, int(uid)+1, int(info.Mode())); err == nil {
+		t.Fatalf("expected error but none")
+	}
+}
+
+// TestOwnerPermissionsMatchFile_Symlink creates a file and a symlink to that file. The test verifies that the current
+// user of the process is the owner of the file
+func TestOwnerPermissionsMatchFile_Symlink(t *testing.T) {
+	currentUser, err := user.Current()
+	if err != nil {
+		t.Fatal("failed to get current user", err)
+	}
+	uid, err := strconv.ParseInt(currentUser.Uid, 0, 64)
+	if err != nil {
+		t.Fatal("failed to convert uid", err)
+	}
+	dir := t.TempDir()
+	path := filepath.Join(dir, "foo")
+	f, err := os.Create(path)
+	if err != nil {
+		t.Fatal("failed to create test file", err)
+	}
+	defer f.Close()
+
+	symlink := filepath.Join(dir, "symlink")
+	err = os.Symlink(path, symlink)
+	if err != nil {
+		t.Fatal("failed to symlink file", err)
+	}
+	symlinkedFile, err := os.Open(symlink)
+	if err != nil {
+		t.Fatal("failed to open file", err)
+	}
+	info, err := os.Stat(symlink)
+	if err != nil {
+		t.Fatal("failed to stat test file", err)
+	}
+	if err := OwnerPermissionsMatchFile(symlinkedFile, int(uid), int(info.Mode())); err != nil {
+		t.Fatalf("expected no error but got %v", err)
+	}
+}