(bug) fix permissions problems with pregen cache access (#1018)

grokspawn · web-flow · commit ce3bb44f7618 · 2022-08-31T08:37:39.000-04:00
* fix permissions problems with pregen cache access

Signed-off-by: Jordan &lt;jordan@nimblewidget.com&gt;

* constant replacement

Signed-off-by: Jordan &lt;jordan@nimblewidget.com&gt;

Signed-off-by: Jordan &lt;jordan@nimblewidget.com&gt;
diff --git a/go.mod b/go.mod
@@ -34,6 +34,7 @@ require (
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
 	golang.org/x/net v0.0.0-20220407224826-aac1ed45d8e3
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
 	google.golang.org/grpc v1.45.0
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v0.0.0-20200709232328-d8193ee9cc3e
 	google.golang.org/protobuf v1.28.0
@@ -147,7 +148,6 @@ require (
 	go.opentelemetry.io/proto/otlp v0.7.0 // indirect
 	golang.org/x/crypto v0.0.0-20220408190544-5352b0902921 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
diff --git a/pkg/registry/query.go b/pkg/registry/query.go
@@ -17,6 +17,11 @@ import (
 	"github.com/operator-framework/operator-registry/pkg/api"
 )
 
+const (
+	cachePermissionDir  = 0750
+	cachePermissionFile = 0640
+)
+
 type Querier struct {
 	*cache
 }
@@ -423,7 +428,7 @@ func newEphemeralCache() (*cache, error) {
 	if err != nil {
 		return nil, err
 	}
-	if err := os.MkdirAll(filepath.Join(baseDir, "cache"), 0700); err != nil {
+	if err := os.MkdirAll(filepath.Join(baseDir, "cache"), cachePermissionDir); err != nil {
 		return nil, err
 	}
 	return &cache{
@@ -434,7 +439,7 @@ func newEphemeralCache() (*cache, error) {
 }
 
 func newPersistentCache(baseDir string) (*cache, error) {
-	if err := os.MkdirAll(baseDir, 0700); err != nil {
+	if err := os.MkdirAll(baseDir, cachePermissionDir); err != nil {
 		return nil, err
 	}
 	qc := &cache{baseDir: baseDir, persist: true}
@@ -481,6 +486,10 @@ func (qc *cache) loadFromCache() error {
 }
 
 func (qc *cache) repopulateCache(model digestableModel) error {
+	// ensure that generated cache is available to all future users
+	oldUmask := umask(000)
+	defer umask(oldUmask)
+
 	m, err := model.GetModel()
 	if err != nil {
 		return err
@@ -494,7 +503,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {
 			return err
 		}
 	}
-	if err := os.MkdirAll(filepath.Join(qc.baseDir, "cache"), 0700); err != nil {
+	if err := os.MkdirAll(filepath.Join(qc.baseDir, "cache"), cachePermissionDir); err != nil {
 		return err
 	}
 
@@ -507,7 +516,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {
 	if err != nil {
 		return err
 	}
-	if err := os.WriteFile(filepath.Join(qc.baseDir, "cache", "packages.json"), packageJson, 0600); err != nil {
+	if err := os.WriteFile(filepath.Join(qc.baseDir, "cache", "packages.json"), packageJson, cachePermissionFile); err != nil {
 		return err
 	}
 
@@ -524,7 +533,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {
 					return err
 				}
 				filename := filepath.Join(qc.baseDir, "cache", fmt.Sprintf("%s_%s_%s.json", p.Name, ch.Name, b.Name))
-				if err := os.WriteFile(filename, jsonBundle, 0666); err != nil {
+				if err := os.WriteFile(filename, jsonBundle, cachePermissionFile); err != nil {
 					return err
 				}
 				qc.apiBundles[apiBundleKey{p.Name, ch.Name, b.Name}] = filename
@@ -533,7 +542,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {
 	}
 	computedHash, err := model.GetDigest()
 	if err == nil {
-		if err := os.WriteFile(filepath.Join(qc.baseDir, "digest"), []byte(computedHash), 0600); err != nil {
+		if err := os.WriteFile(filepath.Join(qc.baseDir, "digest"), []byte(computedHash), cachePermissionFile); err != nil {
 			return err
 		}
 	} else if !errors.Is(err, errNonDigestable) {
diff --git a/pkg/registry/syscall_unix.go b/pkg/registry/syscall_unix.go
@@ -0,0 +1,8 @@
+//go:build !windows
+// +build !windows
+
+package registry
+
+import "golang.org/x/sys/unix"
+
+var umask = unix.Umask
diff --git a/pkg/registry/syscall_windows.go b/pkg/registry/syscall_windows.go
@@ -0,0 +1,6 @@
+//go:build windows
+// +build windows
+
+package registry
+
+var umask = func(i int) int { return 0 }

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,11 @@ import (`
`17`	`17`	`"github.com/operator-framework/operator-registry/pkg/api"`
`18`	`18`	`)`
`19`	`19`
	`20`	`+const (`
	`21`	`+ cachePermissionDir = 0750`
	`22`	`+ cachePermissionFile = 0640`
	`23`	`+)`
	`24`	`+`
`20`	`25`	`type Querier struct {`
`21`	`26`	`*cache`
`22`	`27`	`}`
`@@ -423,7 +428,7 @@ func newEphemeralCache() (*cache, error) {`
`423`	`428`	`if err != nil {`
`424`	`429`	`return nil, err`
`425`	`430`	`}`
`426`		`- if err := os.MkdirAll(filepath.Join(baseDir, "cache"), 0700); err != nil {`
	`431`	`+ if err := os.MkdirAll(filepath.Join(baseDir, "cache"), cachePermissionDir); err != nil {`
`427`	`432`	`return nil, err`
`428`	`433`	`}`
`429`	`434`	`return &cache{`
`@@ -434,7 +439,7 @@ func newEphemeralCache() (*cache, error) {`
`434`	`439`	`}`
`435`	`440`
`436`	`441`	`func newPersistentCache(baseDir string) (*cache, error) {`
`437`		`- if err := os.MkdirAll(baseDir, 0700); err != nil {`
	`442`	`+ if err := os.MkdirAll(baseDir, cachePermissionDir); err != nil {`
`438`	`443`	`return nil, err`
`439`	`444`	`}`
`440`	`445`	`qc := &cache{baseDir: baseDir, persist: true}`
`@@ -481,6 +486,10 @@ func (qc *cache) loadFromCache() error {`
`481`	`486`	`}`
`482`	`487`
`483`	`488`	`func (qc *cache) repopulateCache(model digestableModel) error {`
	`489`	`+ // ensure that generated cache is available to all future users`
	`490`	`+ oldUmask := umask(000)`
	`491`	`+ defer umask(oldUmask)`
	`492`	`+`
`484`	`493`	`m, err := model.GetModel()`
`485`	`494`	`if err != nil {`
`486`	`495`	`return err`
`@@ -494,7 +503,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {`
`494`	`503`	`return err`
`495`	`504`	`}`
`496`	`505`	`}`
`497`		`- if err := os.MkdirAll(filepath.Join(qc.baseDir, "cache"), 0700); err != nil {`
	`506`	`+ if err := os.MkdirAll(filepath.Join(qc.baseDir, "cache"), cachePermissionDir); err != nil {`
`498`	`507`	`return err`
`499`	`508`	`}`
`500`	`509`
`@@ -507,7 +516,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {`
`507`	`516`	`if err != nil {`
`508`	`517`	`return err`
`509`	`518`	`}`
`510`		`- if err := os.WriteFile(filepath.Join(qc.baseDir, "cache", "packages.json"), packageJson, 0600); err != nil {`
	`519`	`+ if err := os.WriteFile(filepath.Join(qc.baseDir, "cache", "packages.json"), packageJson, cachePermissionFile); err != nil {`
`511`	`520`	`return err`
`512`	`521`	`}`
`513`	`522`
`@@ -524,7 +533,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {`
`524`	`533`	`return err`
`525`	`534`	`}`
`526`	`535`	`filename := filepath.Join(qc.baseDir, "cache", fmt.Sprintf("%s_%s_%s.json", p.Name, ch.Name, b.Name))`
`527`		`- if err := os.WriteFile(filename, jsonBundle, 0666); err != nil {`
	`536`	`+ if err := os.WriteFile(filename, jsonBundle, cachePermissionFile); err != nil {`
`528`	`537`	`return err`
`529`	`538`	`}`
`530`	`539`	`qc.apiBundles[apiBundleKey{p.Name, ch.Name, b.Name}] = filename`
`@@ -533,7 +542,7 @@ func (qc *cache) repopulateCache(model digestableModel) error {`
`533`	`542`	`}`
`534`	`543`	`computedHash, err := model.GetDigest()`
`535`	`544`	`if err == nil {`
`536`		`- if err := os.WriteFile(filepath.Join(qc.baseDir, "digest"), []byte(computedHash), 0600); err != nil {`
	`545`	`+ if err := os.WriteFile(filepath.Join(qc.baseDir, "digest"), []byte(computedHash), cachePermissionFile); err != nil {`
`537`	`546`	`return err`
`538`	`547`	`}`
`539`	`548`	`} else if !errors.Is(err, errNonDigestable) {`