From 3450cddb1a34761609832c063ff2a928eb863317 Mon Sep 17 00:00:00 2001
From: kaihsun <kaihsun@anyscale.com>
Date: Tue, 5 Dec 2023 05:43:37 +0000
Subject: [PATCH] Set file mode explicitly for regular files

* As shown in the following code snippet, the function `ensureFiles`
checks the file mode for both regular files and secret files.
  https://github.com/nginxinc/nginx-gateway-fabric/blob/6d4cfd7f0de32e9f98dae358cb6cec93529109a5/internal/mode/static/nginx/file/manager_test.go#L43-L47

* The function `ReplaceFiles` in `nginx/file/manager.go` creates files
by internally calling [os.Create](https://pkg.go.dev/os#Create), which,
by default, creates files with mode 0666 (before applying `umask`). See
the [source
code](https://github.com/golang/go/blob/de5b418bea70aaf27de1f47e9b5813940d1e15a4/src/os/file.go#L357-L364)
of `os.Create` for more details.

* The function `writeFile` changes the mode of secret files to 0640 by
calling `chmod`, but does nothing for regular files. Hence, the check
`Expect(info.Mode()).To(Equal(os.FileMode(0o644))) ` in
`nginx/file/manager_test.go` only passes for `umask` with specific
values.

* In my environment, the `umask` value is 002. Therefore, the mode for
regular files will be 0666 - 0002 = 0664, causing the unit test to fail.
In the following screenshot, 420 is 0o644, and 436 is 0o664.
  ![Screen Shot 2023-12-02 at 6 05 36
PM](https://github.com/nginxinc/nginx-gateway-fabric/assets/20109646/b621c7de-2465-4c5a-988b-4cf625e5dca7)

* Solution: This PR sets the file mode explicitly.
---
 internal/mode/static/nginx/file/manager.go | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/internal/mode/static/nginx/file/manager.go b/internal/mode/static/nginx/file/manager.go
index 632a3af34..4ac6a3163 100644
--- a/internal/mode/static/nginx/file/manager.go
+++ b/internal/mode/static/nginx/file/manager.go
@@ -10,6 +10,8 @@ import (
 )
 
 const (
+	// regularFileMode defines the default file mode for regular files.
+	regularFileMode = 0o644
 	// secretFileMode defines the default file mode for files with secrets.
 	secretFileMode = 0o640
 )
@@ -136,11 +138,20 @@ func writeFile(fileMgr OSFileManager, file File) error {
 		}
 	}()
 
-	if file.Type == TypeSecret {
+	switch file.Type {
+	case TypeRegular:
+		if err := fileMgr.Chmod(f, regularFileMode); err != nil {
+			resultErr = fmt.Errorf(
+				"failed to set file mode to %#o for %q: %w", regularFileMode, file.Path, err)
+			return resultErr
+		}
+	case TypeSecret:
 		if err := fileMgr.Chmod(f, secretFileMode); err != nil {
-			resultErr = fmt.Errorf("failed to set file mode for %q: %w", file.Path, err)
+			resultErr = fmt.Errorf("failed to set file mode to %#o for %q: %w", secretFileMode, file.Path, err)
 			return resultErr
 		}
+	default:
+		panic(fmt.Sprintf("unknown file type %d", file.Type))
 	}
 
 	if err := fileMgr.Write(f, file.Content); err != nil {