storage: change default file permissions

hiddeco · hiddeco · commit 646089e07ed4 · 2023-11-06T12:22:40.000+01:00
Signed-off-by: Hidde Beydals &lt;hidde@hhh.computer&gt;
diff --git a/internal/controller/gitrepository_controller_test.go b/internal/controller/gitrepository_controller_test.go
@@ -48,6 +48,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/gittestserver"
 	"github.com/fluxcd/pkg/runtime/conditions"
 	conditionscheck "github.com/fluxcd/pkg/runtime/conditions/check"
@@ -56,7 +57,6 @@ import (
 	"github.com/fluxcd/pkg/ssh"
 	"github.com/fluxcd/pkg/testserver"
 
-	"github.com/fluxcd/pkg/git"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	serror "github.com/fluxcd/source-controller/internal/error"
 	"github.com/fluxcd/source-controller/internal/features"
@@ -970,7 +970,7 @@ func TestGitRepositoryReconciler_reconcileArtifact(t *testing.T) {
 			},
 			afterFunc: func(t *WithT, obj *sourcev1.GitRepository) {
 				t.Expect(obj.GetArtifact()).ToNot(BeNil())
-				t.Expect(obj.GetArtifact().Digest).To(Equal("sha256:60a3bf69f337cb5ec9ebd00abefbb6e7f2a2cf27158ecf438d52b2035b184172"))
+				t.Expect(obj.GetArtifact().Digest).To(Equal("sha256:34d9af1a2fcfaef3ee9487d67dc2d642bc7babdb9444a5f60d1f32df32e4de7d"))
 				t.Expect(obj.Status.IncludedArtifacts).ToNot(BeEmpty())
 			},
 			want: sreconcile.ResultSuccess,
@@ -1005,7 +1005,7 @@ func TestGitRepositoryReconciler_reconcileArtifact(t *testing.T) {
 			},
 			afterFunc: func(t *WithT, obj *sourcev1.GitRepository) {
 				t.Expect(obj.GetArtifact()).ToNot(BeNil())
-				t.Expect(obj.GetArtifact().Digest).To(Equal("sha256:11f7f007dce5619bd79e6c57688261058d09f5271e802463ac39f2b9ead7cabd"))
+				t.Expect(obj.GetArtifact().Digest).To(Equal("sha256:a17037f96f541a47bdadcd12ab40b943c50a9ffd25dc8a30a5e9af52971fd94f"))
 			},
 			want: sreconcile.ResultSuccess,
 			assertConditions: []metav1.Condition{
@@ -1020,7 +1020,7 @@ func TestGitRepositoryReconciler_reconcileArtifact(t *testing.T) {
 			},
 			afterFunc: func(t *WithT, obj *sourcev1.GitRepository) {
 				t.Expect(obj.GetArtifact()).ToNot(BeNil())
-				t.Expect(obj.GetArtifact().Digest).To(Equal("sha256:29186e024dde5a414cfc990829c6b2e85f6b3bd2d950f50ca9f418f5d2261d79"))
+				t.Expect(obj.GetArtifact().Digest).To(Equal("sha256:ad9943d761b30e943e2a770ea9083a40fc03f09846efd61f6c442cc48fefad11"))
 			},
 			want: sreconcile.ResultSuccess,
 			assertConditions: []metav1.Condition{
@@ -1036,7 +1036,7 @@ func TestGitRepositoryReconciler_reconcileArtifact(t *testing.T) {
 			},
 			afterFunc: func(t *WithT, obj *sourcev1.GitRepository) {
 				t.Expect(obj.GetArtifact()).ToNot(BeNil())
-				t.Expect(obj.GetArtifact().Digest).To(Equal("sha256:60a3bf69f337cb5ec9ebd00abefbb6e7f2a2cf27158ecf438d52b2035b184172"))
+				t.Expect(obj.GetArtifact().Digest).To(Equal("sha256:34d9af1a2fcfaef3ee9487d67dc2d642bc7babdb9444a5f60d1f32df32e4de7d"))
 			},
 			want: sreconcile.ResultSuccess,
 			assertConditions: []metav1.Condition{
@@ -1075,7 +1075,7 @@ func TestGitRepositoryReconciler_reconcileArtifact(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			g := NewWithT(t)
 
-			resetChmod(tt.dir, 0o755, 0o644)
+			resetChmod(tt.dir, 0o750, 0o600)
 
 			r := &GitRepositoryReconciler{
 				EventRecorder: record.NewFakeRecorder(32),
diff --git a/internal/controller/ocirepository_controller_test.go b/internal/controller/ocirepository_controller_test.go
@@ -1810,7 +1810,7 @@ func TestOCIRepository_reconcileArtifact(t *testing.T) {
 				"latest.tar.gz",
 			},
 			afterFunc: func(g *WithT, obj *ociv1.OCIRepository) {
-				g.Expect(obj.Status.Artifact.Digest).To(Equal("sha256:de37cb640bfe6c789f2b131416d259747d5757f7fe5e1d9d48f32d8c30af5934"))
+				g.Expect(obj.Status.Artifact.Digest).To(Equal("sha256:6a5bd135a816ec0ad246c41cfdd87629e40ef6520001aeb2d0118a703abe9e7a"))
 			},
 			assertConditions: []metav1.Condition{
 				*conditions.TrueCondition(sourcev1.ArtifactInStorageCondition, meta.SucceededReason, "stored artifact for digest"),
@@ -1828,7 +1828,7 @@ func TestOCIRepository_reconcileArtifact(t *testing.T) {
 				"latest.tar.gz",
 			},
 			afterFunc: func(g *WithT, obj *ociv1.OCIRepository) {
-				g.Expect(obj.Status.Artifact.Digest).To(Equal("sha256:05aada03e3e3e96f5f85a8f31548d833974ce862be14942fb3313eef2df861ec"))
+				g.Expect(obj.Status.Artifact.Digest).To(Equal("sha256:9102e9c8626e48821a91a4963436f1673cd85f8fb3deb843c992f85b995c38ea"))
 			},
 			assertConditions: []metav1.Condition{
 				*conditions.TrueCondition(sourcev1.ArtifactInStorageCondition, meta.SucceededReason, "stored artifact for digest"),
@@ -2019,10 +2019,10 @@ func TestOCIRepository_reconcileArtifact(t *testing.T) {
 				tt.afterFunc(g, obj)
 			}
 
-			for _, path := range tt.assertPaths {
+			for _, p := range tt.assertPaths {
 				localPath := testStorage.LocalPath(*obj.GetArtifact())
-				path = filepath.Join(filepath.Dir(localPath), path)
-				_, err := os.Lstat(path)
+				p = filepath.Join(filepath.Dir(localPath), p)
+				_, err := os.Lstat(p)
 				g.Expect(err).ToNot(HaveOccurred())
 			}
 		})
diff --git a/internal/controller/storage.go b/internal/controller/storage.go
@@ -49,11 +49,11 @@ const GarbageCountLimit = 1000
 
 const (
 	// defaultFileMode is the permission mode applied to files inside an artifact archive.
-	defaultFileMode int64 = 0o644
+	defaultFileMode int64 = 0o600
 	// defaultDirMode is the permission mode applied to all directories inside an artifact archive.
-	defaultDirMode int64 = 0o755
+	defaultDirMode int64 = 0o750
 	// defaultExeFileMode is the permission mode applied to executable files inside an artifact archive.
-	defaultExeFileMode int64 = 0o744
+	defaultExeFileMode int64 = 0o700
 )
 
 // Storage manages artifacts
diff --git a/internal/helm/repository/chart_repository_test.go b/internal/helm/repository/chart_repository_test.go
@@ -456,7 +456,7 @@ func TestChartRepository_StrategicallyLoadIndex(t *testing.T) {
 		g := NewWithT(t)
 
 		i := filepath.Join(t.TempDir(), "index.yaml")
-		g.Expect(os.WriteFile(i, []byte(`apiVersion: v1`), 0o644)).To(Succeed())
+		g.Expect(os.WriteFile(i, []byte(`apiVersion: v1`), 0o600)).To(Succeed())
 
 		r := newChartRepository()
 		r.Path = i
@@ -498,7 +498,7 @@ func TestChartRepository_LoadFromPath(t *testing.T) {
 		g := NewWithT(t)
 
 		i := filepath.Join(t.TempDir(), "index.yaml")
-		g.Expect(os.WriteFile(i, []byte(`apiVersion: v1`), 0o644)).To(Succeed())
+		g.Expect(os.WriteFile(i, []byte(`apiVersion: v1`), 0o600)).To(Succeed())
 
 		r := newChartRepository()
 		r.Path = i
@@ -532,7 +532,7 @@ func TestChartRepository_Digest(t *testing.T) {
 		g := NewWithT(t)
 
 		p := filepath.Join(t.TempDir(), "index.yaml")
-		g.Expect(repo.NewIndexFile().WriteFile(p, 0o644)).To(Succeed())
+		g.Expect(repo.NewIndexFile().WriteFile(p, 0o600)).To(Succeed())
 
 		r := newChartRepository()
 		r.Path = p
@@ -563,7 +563,7 @@ func TestChartRepository_Digest(t *testing.T) {
 		expect := digest.Digest("sha256:fake")
 
 		i := filepath.Join(t.TempDir(), "index.yaml")
-		g.Expect(os.WriteFile(i, []byte(`apiVersion: v1`), 0o644)).To(Succeed())
+		g.Expect(os.WriteFile(i, []byte(`apiVersion: v1`), 0o600)).To(Succeed())
 
 		r := newChartRepository()
 		r.Path = i
@@ -589,7 +589,7 @@ func TestChartRepository_HasFile(t *testing.T) {
 	g.Expect(r.HasFile()).To(BeFalse())
 
 	i := filepath.Join(t.TempDir(), "index.yaml")
-	g.Expect(os.WriteFile(i, []byte(`apiVersion: v1`), 0o644)).To(Succeed())
+	g.Expect(os.WriteFile(i, []byte(`apiVersion: v1`), 0o600)).To(Succeed())
 	r.Path = i
 	g.Expect(r.HasFile()).To(BeTrue())
 }
