From 5b829f92f0743a781b7ad725d6bd0d19f8dc946b Mon Sep 17 00:00:00 2001
From: Valery Klachkov
Date: Fri, 25 Oct 2024 01:05:45 +0200
Subject: [PATCH] fix: deployment file modes (#5)
Docker & other things want access to the generated secret directories, yet you can't just bind-mount them elsewhere as deployer user might be different from app user, resulting in "Permission denied" errors. Grant other users permission to read secret files and access secret directories without giving access to the outer directories.
* Set correct permissions for all files and dirs
* Fixes after review
---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 src/fs_utils.rs | 14 ++++++++++++++
 src/keystore.rs | 24 ++++++++++++++++++------
 src/main.rs | 1 +
 5 files changed, 35 insertions(+), 8 deletions(-)
 create mode 100644 src/fs_utils.rs
diff --git a/Cargo.lock b/Cargo.lock
index bfadcfa..515b381 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -357,7 +357,7 @@ dependencies = [
 [[package]]
 name = "baedeker"
-version = "0.1.4"
+version = "0.1.5"
 dependencies = [
 "bip39",
 "chainql-core",
diff --git a/Cargo.toml b/Cargo.toml
index cb1247b..046a3d0 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "baedeker"
-version = "0.1.4"
+version = "0.1.5"
 edition = "2021"
 description = "Substrate network orchestration framework"
 license = "MIT"
diff --git a/src/fs_utils.rs b/src/fs_utils.rs
new file mode 100644
index 0000000..621f5b3
--- /dev/null
+++ b/src/fs_utils.rs
@@ -0,0 +1,14 @@
+use std::{fs::DirBuilder, io, os::unix::fs::DirBuilderExt, path::Path};
+
+/// Recursively create a directory and all of its parent components if they
+/// are missing with given permissions.
+///
+/// # Errors
+///
+/// The same as from [`std::fs::create_dir_all`]
+pub fn create_dir_mode>(path: P, mode: u32) -> io::Result<()> {
+ DirBuilder::new()
+ .recursive(true)
+ .mode(mode)
+ .create(path.as_ref())
+}
diff --git a/src/keystore.rs b/src/keystore.rs
index 1b11e76..7e5a544 100644
--- a/src/keystore.rs
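Review bot: The doc comment on `create_dir_mode` in src/fs_utils.rs promises the "given permissions", but `DirBuilder::mode` is filtered by the process umask, and with `.recursive(true)` it is applied to every component the call creates while directories that already exist keep whatever mode they had. For a helper that sits in front of key material that difference is worth stating, for example `/// The mode is masked by the process umask, is used for every directory this call creates, and does not change directories that already exist.` The unconditional `std::os::unix` import also makes the crate Unix-only, so a `#[cfg(unix)]` on the module or a one-line comment saying so would make that explicit.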
+++ b/src/keystore.rs
@@ -1,6 +1,8 @@
 use std::{
- env, fs,
+ env,
+ fs::{self, Permissions, create_dir_all},
 io::{self, ErrorKind, Write},
+ os::unix::fs::PermissionsExt,
 path::PathBuf,
 result,
 str::FromStr,
@@ -12,6 +14,8 @@ use sp_core::crypto::{SecretStringError, Ss58AddressFormat};
 use tempfile::{NamedTempFile, PersistError};
 use tracing::info;
+use crate::fs_utils::create_dir_mode;
+
 #[derive(thiserror::Error, Debug)]
 pub enum Error {
 #[error("io: {0}")]
@@ -109,17 +113,21 @@ impl FileNodeKeys {
 }
 fn keystore_dir(&self, node: &str) -> Result> {
 let mut path = self.root.to_path_buf();
- path.push(format!("keystore-{node}"));
+ path.push(format!("keystore/{node}"));
 if !path.is_dir() {
 return Ok(None);
 }
 Ok(Some(path))
 }
+
 fn keystore_dir_create(&self, node: &str) -> Result {
- let mut path = self.root.to_path_buf();
- path.push(format!("keystore-{node}"));
- fs::create_dir_all(&path)?;
- Ok(path)
+ let keystore_path = self.root.join("keystore");
+ create_dir_all(&keystore_path)?;
+
+ let keystore_node_path = keystore_path.join(node);
+ create_dir_mode(&keystore_node_path, 0o744)?;
+
+ Ok(keystore_node_path)
 }
 fn wallet_dir(&self) -> Result> {
 let mut path = self.root.to_path_buf();
@@ -144,6 +152,8 @@ impl SecretStorage for FileNodeKeys {
 let mut temp = NamedTempFile::new_in(&self.root)?;
 temp.write_all(keypair.secret().as_ref())?;
+ temp.as_file_mut()
+ .set_permissions(Permissions::from_mode(0o600))?;
 temp.persist(path)?;
 Ok(())
@@ -193,6 +203,8 @@ impl SecretStorage for FileNodeKeys {
 {
 let mut file = NamedTempFile::new_in(&dir)?;
 file.write_all(serde_json::to_string(&suri).unwrap().as_bytes())?;
+ file.as_file_mut()
+ .set_permissions(Permissions::from_mode(0o600))?;
 file.persist(&secret)?;
 }
diff --git a/src/main.rs b/src/main.rs
index fbb1c1e..fbbf722 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -29,6 +29,7 @@ use crate::docker::EMPTY_IMAGE;
 // mod asset;
 mod docker;
+mod fs_utils;
 mod keystore;
 mod library;
 mod spec_builder;
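Review bot: `create_dir_mode(&keystore_node_path, 0o744)` in `keystore_dir_create` gives group and other the read bit on the node directory but not the search bit, so they can list entry names yet cannot open or stat anything inside it, which does not match the description's aim of letting other users access the secret directories. If another uid is meant to traverse it, the mode needs `x` for those classes (`0o755`, or `0o711` for access without listing); if not, `0o700` says so plainly. The parent `keystore` directory is created with plain `create_dir_all`, so its mode is left to the umask. Separately, `keystore_path.join(node)` discards the root when `node` is absolute and keeps any `..` components, so if node names can come from anywhere other than the operator's own config they should be checked to be a single normal path component before the join.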
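Review bot: The added `set_permissions(Permissions::from_mode(0o600))` in the node-key write path runs after `write_all` has already put the secret into the file, and the second `SecretStorage` hunk (the `suri` JSON write) uses the same order. `tempfile` already creates named temp files owner-only on Unix, so there is no exposure window today, but if this call is meant to be the explicit guarantee it belongs before the write: move `temp.as_file_mut().set_permissions(Permissions::from_mode(0o600))?;` above `temp.write_all(...)`, and likewise for `file`. Owner-only files also mean the read access for other users that the description mentions is not granted here, so a short comment such as `// secrets stay 0600 on purpose; only the directory is opened up` would record the decision. Both enclosing functions start and end outside these hunks.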