authorTor Brede Vekterli <vekterli@yahooinc.com>2023-05-02 16:38:32 +0200
committerTor Brede Vekterli <vekterli@yahooinc.com>2023-05-02 16:38:32 +0200
commit9efc6df01c94971e9254affd2800f04b4dd0cb68 (patch)
tree301773eb31a2031d02eb2ef66e55a09f8c432e60 /vespaclient-java
parente23486dfb4adaf88242053c9ce27acdc2beeb6ff (diff)
Create crypto tool output streams with RW permissions for owner only
Diffstat (limited to 'vespaclient-java')
-rw-r--r--vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/CliUtils.java6
-rw-r--r--vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java11
2 files changed, 13 insertions, 4 deletions
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/CliUtils.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/CliUtils.java
index a60c3647b41..b09ae17cd77 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/CliUtils.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/CliUtils.java
@@ -8,6 +8,7 @@ import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
+import java.nio.file.attribute.PosixFilePermissions;
/**
* @author vekterli
@@ -43,7 +44,10 @@ public class CliUtils {
return stdOut;
} else {
// TODO fail if file already exists?
- return Files.newOutputStream(Paths.get(pathOrDash));
+ var privFilePerms = PosixFilePermissions.fromString("rw-------");
+ var outPath = Paths.get(pathOrDash);
+ Files.createFile(outPath, PosixFilePermissions.asFileAttribute(privFilePerms));
+ return Files.newOutputStream(outPath);
}
}
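Review bot: The `// TODO fail if file already exists?` kept above the new lines is now stale, because `Files.createFile` throws `FileAlreadyExistsException` when the target exists, so an existing output file is no longer overwritten. That is the safer behaviour here, since an existing file could carry wider permissions than `rw-------`, but it is a user-visible change and the comment should say so, e.g. `// Fails if the file already exists, so output never lands in a file with wider permissions`. Separately, `PosixFilePermissions.asFileAttribute` makes `createFile` throw `UnsupportedOperationException` on file systems without POSIX attribute support; if the tool is meant to run there, that case needs explicit handling. The enclosing method starts outside the hunk.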
diff --git a/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java b/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java
index f55278342e1..05d7e8c9511 100644
--- a/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java
+++ b/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java
@@ -64,6 +64,12 @@ public class CryptoToolsTest {
Files.writeString(keyPath, contents);
}
+ private static void assertOnlyFileOwnerHasAccessRights(Path file) throws IOException {
+ var actualFilePerms = Files.getPosixFilePermissions(file);
+ var expectedPerms = PosixFilePermissions.fromString("rw-------");
+ assertEquals(expectedPerms, actualFilePerms);
+ }
+
@Test
void top_level_help_page_printed_if_help_option_given() throws IOException {
verifyStdoutMatchesFile(List.of("--help"), "expected-help-output.txt");
@@ -180,9 +186,7 @@ public class CryptoToolsTest {
"--private-out-file", absPathOf(privKeyFile),
"--public-out-file", absPathOf(pubKeyFile)));
assertEquals(0, procOut.exitCode());
- var privKeyPerms = Files.getPosixFilePermissions(privKeyFile);
- var expectedPerms = PosixFilePermissions.fromString("rw-------");
- assertEquals(expectedPerms, privKeyPerms);
+ assertOnlyFileOwnerHasAccessRights(privKeyFile);
}
private static final String TEST_PRIV_KEY = "GFg54SaGNCmcSGufZCx68SKLGuAFrASoDeMk3t5AjU6L";
@@ -381,6 +385,7 @@ public class CryptoToolsTest {
assertEquals("", procOut.stdErr());
assertEquals(greatSecret, Files.readString(decryptedPath));
+ assertOnlyFileOwnerHasAccessRights(decryptedPath);
}
@Test
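Review bot: The added `assertOnlyFileOwnerHasAccessRights(decryptedPath)` only checks an output path that did not exist before the run; nothing visible in this diff tests the case where the output file already exists, which the `Files.createFile` call in `CliUtils` now rejects. A test that pre-creates the output file with wider permissions, runs the tool, and asserts a non-zero exit code and unchanged file content would pin that behaviour. The test method's body starts outside the hunk.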