feat: support for customising file permissions

krystal · Jul 25, 2022 · 4e036b5 · 4e036b5
1 parent 7c5878b
commit 4e036b5
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -16,6 +16,9 @@ certificates:
       private_key: /etc/certs/service.key.pem
       chain: /etc/certs/service.chain.pem
       certificate_with_chain: /etc/certs/service.cert-with-chain.pem
+    permissions:
+      certificates: 644
+      keys: 600
     commands:
       - systemctl reload apache2
       - touch /etc/certs/service.cert.updated

diff --git a/certificate.go b/certificate.go
@@ -32,23 +32,35 @@ func (c *Certificate) Process(logger zerolog.Logger) (bool, error) {
 	if c.Paths.Certificate == "" {
 		logger.Info().Msg("Not saving certificate file because no path defined")
 	} else {
-		err = os.WriteFile(c.Paths.Certificate, []byte(metadata.Files.Certificate), 0644)
+		err = os.WriteFile(c.Paths.Certificate, []byte(metadata.Files.Certificate), c.Permissions.CertificatesFileMode())
 		if err != nil {
 			logger.Error().Err(err).Str("path", c.Paths.Certificate).Msg("Failed to write certificate file")
 			return true, err
 		}
 		logger.Info().Str("path", c.Paths.Certificate).Msg("Certificate file saved")
+
+		err = os.Chmod(c.Paths.Certificate, c.Permissions.CertificatesFileMode())
+		if err != nil {
+			logger.Error().Err(err).Str("path", c.Paths.Certificate).Msg("Failed to set permissions for certificate file")
+			return true, err
+		}
 	}
 
 	if c.Paths.PrivateKey == "" {
 		logger.Info().Msg("Not saving private key file because no path defined")
 	} else {
-		err = os.WriteFile(c.Paths.PrivateKey, []byte(metadata.Files.PrivateKey), 0600)
+		err = os.WriteFile(c.Paths.PrivateKey, []byte(metadata.Files.PrivateKey), c.Permissions.KeysFileMode())
 		if err != nil {
 			logger.Error().Err(err).Str("path", c.Paths.PrivateKey).Msg("Failed to write private key file")
 			return true, err
 		}
 		logger.Info().Str("path", c.Paths.PrivateKey).Msg("Private key file saved")
+
+		err = os.Chmod(c.Paths.PrivateKey, c.Permissions.KeysFileMode())
+		if err != nil {
+			logger.Error().Err(err).Str("path", c.Paths.PrivateKey).Msg("Failed to set permissions for private key file")
+			return true, err
+		}
 	}
 
 	if c.Paths.Chain == "" {
@@ -57,24 +69,36 @@ func (c *Certificate) Process(logger zerolog.Logger) (bool, error) {
 		if metadata.Files.Chain == "" {
 			logger.Info().Msg("No chain file provided")
 		} else {
-			err = os.WriteFile(c.Paths.Chain, []byte(metadata.Files.Chain), 0600)
+			err = os.WriteFile(c.Paths.Chain, []byte(metadata.Files.Chain), c.Permissions.CertificatesFileMode())
 			if err != nil {
 				logger.Error().Err(err).Str("path", c.Paths.Chain).Msg("Failed to write chain file")
 				return true, err
 			}
 			logger.Info().Str("path", c.Paths.Chain).Msg("Chain file saved")
+
+			err = os.Chmod(c.Paths.Chain, c.Permissions.CertificatesFileMode())
+			if err != nil {
+				logger.Error().Err(err).Str("path", c.Paths.Chain).Msg("Failed to set permissions for chain file")
+				return true, err
+			}
 		}
 	}
 
 	if c.Paths.CertificateWithChain == "" {
 		logger.Info().Msg("Not saving certificate with chain file because no path defined")
 	} else {
-		err = os.WriteFile(c.Paths.CertificateWithChain, []byte(metadata.Files.CertificateWithChain()), 0600)
+		err = os.WriteFile(c.Paths.CertificateWithChain, []byte(metadata.Files.CertificateWithChain()), c.Permissions.CertificatesFileMode())
 		if err != nil {
 			logger.Error().Err(err).Str("path", c.Paths.CertificateWithChain).Msg("Failed to write certificate with chain file")
 			return true, err
 		}
 		logger.Info().Str("path", c.Paths.PrivateKey).Msg("Certificate with chain file saved")
+
+		err = os.Chmod(c.Paths.CertificateWithChain, c.Permissions.CertificatesFileMode())
+		if err != nil {
+			logger.Error().Err(err).Str("path", c.Paths.CertificateWithChain).Msg("Failed to set permissions for certificate with chain file")
+			return true, err
+		}
 	}
 
 	err = c.runCommands(logger)

diff --git a/config.go b/config.go
@@ -1,7 +1,9 @@
 package main
 
 import (
+	"io/fs"
 	"io/ioutil"
+	"strconv"
 
 	"gopkg.in/yaml.v3"
 )
@@ -11,10 +13,10 @@ type Config struct {
 }
 
 type Certificate struct {
-	URL   string `yaml:"url"`
-	Paths Paths  `yaml:"paths"`
-
-	Commands []string `yaml:"commands"`
+	URL         string      `yaml:"url"`
+	Paths       Paths       `yaml:"paths"`
+	Permissions Permissions `yaml:"permissions"`
+	Commands    []string    `yaml:"commands"`
 }
 
 type Paths struct {
@@ -24,6 +26,31 @@ type Paths struct {
 	CertificateWithChain string `yaml:"certificate_with_chain"`
 }
 
+type Permissions struct {
+	Certificates int64 `yaml:"certificates"`
+	Keys         int64 `yaml:"keys"`
+}
+
+func (p Permissions) CertificatesFileMode() fs.FileMode {
+	if p.Certificates == 0 {
+		return fs.FileMode(0644)
+	}
+
+	i := strconv.FormatInt(p.Certificates, 10)
+	fm, _ := strconv.ParseInt(i, 8, 32)
+	return fs.FileMode(fm)
+}
+
+func (p Permissions) KeysFileMode() fs.FileMode {
+	if p.Keys == 0 {
+		return fs.FileMode(0600)
+	}
+
+	i := strconv.FormatInt(p.Keys, 10)
+	fm, _ := strconv.ParseInt(i, 8, 32)
+	return fs.FileMode(fm)
+}
+
 func NewConfigFromFile(path string) (*Config, error) {
 	data, err := ioutil.ReadFile(path)
 	if err != nil {