Change perms from 0400 to 0600 for acl-token

If the acl-init command is re-run, it needs to be able to overwrite the previously written acl-token file.
hashicorp · Apr 22, 2020 · e0bad41 · e0bad41
1 parent e68ed3f
commit e0bad41
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 BUG FIXES:
 
 * Connect: Fix upstream annotation parsing when multiple prepared queries are separated by spaces [[GH-224](https://github.com/hashicorp/consul-k8s/issues/224)]
+* ACLs: Fix bug with `acl-init -token-sink-file` where running the command twice would fail [[GH-248](https://github.com/hashicorp/consul-k8s/pull/248)]
 
 ## 0.13.0 (April 06, 2020)
 

diff --git a/subcommand/acl-init/command.go b/subcommand/acl-init/command.go
@@ -104,7 +104,9 @@ func (c *Command) Run(args []string) int {
 			return 1
 		}
 
-		// Write the data out as a file
+		// Write the data out as a file.
+		// Must be 0644 because this is written by the consul-k8s user but needs
+		// to be readable by the consul user.
 		err = ioutil.WriteFile(filepath.Join(c.flagACLDir, "acl-config.json"), buf.Bytes(), 0644)
 		if err != nil {
 			c.UI.Error(fmt.Sprintf("Error writing config file: %s", err))
@@ -113,7 +115,9 @@ func (c *Command) Run(args []string) int {
 	}
 
 	if c.flagTokenSinkFile != "" {
-		err := ioutil.WriteFile(c.flagTokenSinkFile, []byte(secret), 0400)
+		// Must be 0600 in case this command is re-run. In that case we need
+		// to have permissions to overwrite our file.
+		err := ioutil.WriteFile(c.flagTokenSinkFile, []byte(secret), 0600)
 		if err != nil {
 			c.UI.Error(fmt.Sprintf("Error writing token to file %q: %s", c.flagTokenSinkFile, err))
 			return 1

diff --git a/subcommand/acl-init/command_test.go b/subcommand/acl-init/command_test.go
@@ -85,3 +85,48 @@ func TestRun_TokenSinkFileErr(t *testing.T) {
 		`Error writing token to file "/this/filepath/does/not/exist": open /this/filepath/does/not/exist: no such file or directory`,
 	)
 }
+
+// Test that if the command is run twice it succeeds. This test is the result
+// of a bug that we discovered where the command failed on second runs because
+// the token file only had read permissions (0400).
+func TestRun_TokenSinkFileTwice(t *testing.T) {
+	t.Parallel()
+	require := require.New(t)
+	tmpDir, err := ioutil.TempDir("", "")
+	require.NoError(err)
+	defer os.RemoveAll(tmpDir)
+
+	// Set up k8s with the secret.
+	token := "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+	k8sNS := "default"
+	secretName := "secret-name"
+	k8s := fake.NewSimpleClientset()
+	k8s.CoreV1().Secrets(k8sNS).Create(&v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: secretName,
+		},
+		Data: map[string][]byte{
+			"token": []byte(token),
+		},
+	})
+
+	sinkFile := filepath.Join(tmpDir, "acl-token")
+	ui := cli.NewMockUi()
+	cmd := Command{
+		UI:        ui,
+		k8sClient: k8s,
+	}
+
+	// Run twice.
+	for i := 0; i < 2; i++ {
+		code := cmd.Run([]string{
+			"-k8s-namespace", k8sNS,
+			"-token-sink-file", sinkFile,
+		})
+		require.Equal(0, code, ui.ErrorWriter.String())
+
+		bytes, err := ioutil.ReadFile(sinkFile)
+		require.NoError(err)
+		require.Equal(token, string(bytes), "exp: %s, got: %s", token, string(bytes))
+	}
+}