Fix explicit permissions in DEB and RPM packages

Author: rpalcolea

src/main/groovy/com/netflix/gradle/plugins/deb/DebCopyAction.groovy

@@ -121,7 +121,22 @@ class DebCopyAction extends AbstractPackagingCopyAction<Deb> {
         String group = lookup(specToLookAt, 'permissionGroup') ?: task.permissionGroup
         Integer gid = (Integer) lookup(specToLookAt, 'gid') ?: task.gid ?: 0
 
-        int fileMode = FilePermissionUtil.getUnixPermission(fileDetails)
+        // Priority system: explicit permissions take precedence over filesystem detection
+        Integer explicitMode = FilePermissionUtil.getFileMode(specToLookAt)  
+        int workaroundMode = FilePermissionUtil.getUnixPermission(fileDetails)
+        
+        logger.debug("File: ${fileDetails.relativePath.pathString}, explicitMode: ${explicitMode}, workaroundMode: ${workaroundMode}")
+        
+        int fileMode
+        if (explicitMode != null) {
+            // We have detected truly explicit permissions - use them
+            fileMode = explicitMode
+            logger.debug("Using explicit permissions: ${explicitMode}")
+        } else {
+            // Use workaround when no explicit permissions detected
+            fileMode = workaroundMode
+            logger.debug("No explicit permissions, using workaround: ${workaroundMode}")
+        }
 
         debFileVisitorStrategy.addFile(fileDetails, inputFile, user, uid, group, gid, fileMode)
     }
@@ -138,7 +153,10 @@ class DebCopyAction extends AbstractPackagingCopyAction<Deb> {
             Integer gid = (Integer) lookup(specToLookAt, 'gid') ?: task.gid ?: 0
             Boolean setgid = lookup(specToLookAt, 'setgid')
 
-            int dirMode = FilePermissionUtil.getUnixPermission(dirDetails)
+            // Priority system for directories - same as files
+            Integer explicitDirMode = FilePermissionUtil.getDirMode(specToLookAt)
+            
+            int dirMode = explicitDirMode != null ? explicitDirMode : FilePermissionUtil.getUnixPermission(dirDetails)
             if (setgid == null) {
                 setgid = task.setgid
             }

src/main/groovy/com/netflix/gradle/plugins/rpm/RpmCopyAction.groovy

@@ -160,7 +160,22 @@ class RpmCopyAction extends AbstractPackagingCopyAction<Rpm> {
         String user = lookup(specToLookAt, 'user') ?: task.user
         String group = lookup(specToLookAt, 'permissionGroup') ?: task.permissionGroup
 
-        int fileMode =  FilePermissionUtil.getFileMode(specToLookAt) ?: FilePermissionUtil.getUnixPermission(fileDetails)
+        // Priority system: explicit permissions take precedence over filesystem detection
+        Integer explicitMode = FilePermissionUtil.getFileMode(specToLookAt)  
+        int workaroundMode = FilePermissionUtil.getUnixPermission(fileDetails)
+        
+        logger.debug("File: ${fileDetails.relativePath.pathString}, explicitMode: ${explicitMode}, workaroundMode: ${workaroundMode}")
+        
+        int fileMode
+        if (explicitMode != null) {
+            // We have detected truly explicit permissions - use them
+            fileMode = explicitMode
+            logger.debug("Using explicit permissions: ${explicitMode}")
+        } else {
+            // Use workaround when no explicit permissions detected
+            fileMode = workaroundMode
+            logger.debug("No explicit permissions, using workaround: ${workaroundMode}")
+        }
         def specAddParentsDir = lookup(specToLookAt, 'addParentDirs')
         boolean addParentsDir = specAddParentsDir != null ? specAddParentsDir : task.addParentDirs
 
@@ -181,7 +196,11 @@ class RpmCopyAction extends AbstractPackagingCopyAction<Rpm> {
 
         if (createDirectoryEntry) {
             logger.debug 'adding directory {}', dirDetails.relativePath.pathString
-            int dirMode = FilePermissionUtil.getDirMode(specToLookAt) ?: FilePermissionUtil.getUnixPermission(dirDetails)
+            
+            // Priority system for directories - same as files
+            Integer explicitDirMode = FilePermissionUtil.getDirMode(specToLookAt)
+            
+            int dirMode = explicitDirMode != null ? explicitDirMode : FilePermissionUtil.getUnixPermission(dirDetails)
             Directive directive = (Directive) lookup(specToLookAt, 'fileType') ?: task.fileType
             String user = lookup(specToLookAt, 'user') ?: task.user
             String group = lookup(specToLookAt, 'permissionGroup') ?: task.permissionGroup

src/main/groovy/com/netflix/gradle/plugins/utils/FilePermissionUtil.groovy

@@ -30,7 +30,6 @@ class FilePermissionUtil {
      * @return Unix permission as integer (e.g., 0755, 0644)
      */
     static int getUnixPermission(FileCopyDetails details) {
-
         int newApiMode = details.permissions.toUnixNumeric()
 
         // Gradle 9.0 permissions API may not detect executable bits correctly
@@ -62,33 +61,64 @@ class FilePermissionUtil {
      * @param details
      * @return
      */
-    static Integer getFileMode(SyncSpec copySpecInternal) {
+    static Integer getFileMode(def copySpecInternal) {
         if(!copySpecInternal) {
             return null
         }
 
-        if(copySpecInternal.filePermissions.present){
-            copySpecInternal.filePermissions.get().toUnixNumeric()
-        } else {
-            return null
+        try {
+            if(copySpecInternal?.hasProperty('filePermissions') && copySpecInternal.filePermissions?.present) {
+                def permissions = copySpecInternal.filePermissions.get()
+                def numeric = permissions.toUnixNumeric()
+                
+                // Try to detect if this copySpec has explicit configuration (includes, excludes, etc.)
+                def hasExplicitConfiguration = false
+                try {
+                    // Look for signs of explicit configuration
+                    if (copySpecInternal.hasProperty('includes') && copySpecInternal.includes?.size() > 0) {
+                        hasExplicitConfiguration = true
+                    }
+                    if (copySpecInternal.hasProperty('excludes') && copySpecInternal.excludes?.size() > 0) {
+                        hasExplicitConfiguration = true
+                    }
+                } catch (Exception e) {
+                    // Ignore - could not check explicit configuration
+                }
+                
+                // If we have explicit configuration OR the permission is not default 644, treat as explicit
+                if (hasExplicitConfiguration || numeric != 420) {
+                    return numeric
+                } else {
+                    // Default 644 with no explicit configuration - treat as default
+                    return null
+                }
+            }
+        } catch (Exception e) {
+            // Ignore - not a proper SyncSpec or permissions not set
         }
+        return null
     }
 
     /**
      * Get the unix permission of a directory.
      * @param copySpecInternal
      * @return
      */
-    static Integer getDirMode(SyncSpec copySpecInternal) {
+    static Integer getDirMode(def copySpecInternal) {
         if(!copySpecInternal) {
             return null
         }
 
-        if(copySpecInternal.dirPermissions.present){
-            copySpecInternal.dirPermissions.get().toUnixNumeric()
-        } else {
-            return null
+        try {
+            // Check if dirPermissions was explicitly configured
+            // This detects the presence of a dirPermissions { } block
+            if(copySpecInternal?.hasProperty('dirPermissions') && copySpecInternal.dirPermissions?.present){
+                return copySpecInternal.dirPermissions.get().toUnixNumeric()
+            }
+        } catch (Exception e) {
+            // Ignore - not a proper SyncSpec or permissions not set
         }
+        return null
     }
 
     /**

src/test/groovy/com/netflix/gradle/plugins/deb/DebPluginTest.groovy

@@ -254,6 +254,52 @@ class DebPluginTest extends ProjectSpec {
 
     }
 
+    def 'explicit permissions override filesystem detection'() {
+        given:
+        File srcDir = new File(projectDir, 'src')
+        srcDir.mkdirs()
+        
+        // Create executable file
+        def scriptFile = new File(srcDir, 'script.sh')
+        FileUtils.writeStringToFile(scriptFile, '#!/bin/bash\necho "test"')
+        scriptFile.setExecutable(true, false)
+        
+        // Create regular file 
+        def dataFile = new File(srcDir, 'data.txt')
+        FileUtils.writeStringToFile(dataFile, 'test data')
+        dataFile.setExecutable(false, false)
+
+        project.apply plugin: 'com.netflix.nebula.deb'
+
+        when:
+        Deb debTask = project.task('buildDeb', type: Deb) {
+            packageName = 'explicit-permissions-test'
+            from(srcDir) {
+                // Override executable script to be non-executable
+                include 'script.sh'
+                filePermissions {
+                    unix(0644) 
+                }
+            }
+            from(srcDir) {
+                // Override non-executable file to be executable  
+                include 'data.txt'
+                filePermissions {
+                    unix(0755)
+                }
+            }
+        }
+        debTask.copy()
+
+        then:
+        File debFile = debTask.archiveFile.get().asFile
+        def scan = new Scanner(debFile)
+        
+        // Explicit permissions should override filesystem detection
+        0644 == scan.getEntry('./script.sh').mode  // Explicitly set to non-executable
+        0755 == scan.getEntry('./data.txt').mode   // Explicitly set to executable
+    }
+
     def 'specify complete maintainer scripts'() {
         given:
         project.version = 1.0

src/test/groovy/com/netflix/gradle/plugins/rpm/RpmPluginIntegrationTest.groovy

@@ -529,4 +529,60 @@ buildRpm {
         true        | 1444
         false       | 0644
     }
+
+    def 'explicit permissions override filesystem detection'() {
+        given:
+        // Create test files with specific filesystem permissions
+        File srcDir = new File(projectDir, 'src')
+        srcDir.mkdirs()
+        
+        // Create an executable script
+        File scriptFile = new File(srcDir, 'script.sh')
+        scriptFile.text = '#!/bin/bash\necho "Hello World"'
+        scriptFile.setExecutable(true, false)
+        
+        // Create a non-executable data file
+        File dataFile = new File(srcDir, 'data.txt')
+        dataFile.text = 'Some data content'
+        dataFile.setExecutable(false, false)
+
+        buildFile << """
+plugins {
+    id 'com.netflix.nebula.rpm'
+}
+
+version = '1.0.0'
+
+task buildRpm(type: com.netflix.gradle.plugins.rpm.Rpm) {
+    packageName = 'explicit-permissions-test'
+    from('src') {
+        // Override executable script to be non-executable  
+        include 'script.sh'
+        filePermissions {
+            unix(0644) 
+        }
+    }
+    from('src') {
+        // Override non-executable file to be executable
+        include 'data.txt'
+        filePermissions {
+            unix(0755)
+        }
+    }
+}
+"""
+
+        when:
+        runTasks('buildRpm')
+
+        then:
+        def rpmFile = file('build/distributions/explicit-permissions-test-1.0.0.noarch.rpm')
+        def scanFiles = Scanner.scan(rpmFile).files
+        def scriptEntry = scanFiles.find { it.name == './script.sh' }
+        def dataEntry = scanFiles.find { it.name == './data.txt' }
+        
+        // Explicit permissions should override filesystem detection
+        scriptEntry.permissions == 0644  // Explicitly set to non-executable
+        dataEntry.permissions == 0755    // Explicitly set to executable
+    }
 }