diff --git a/README.md b/README.md
index 8affd80..bd11a39 100644
--- a/README.md
+++ b/README.md
@@ -33,10 +33,10 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
 | `jwt_svids` | An array with the audience and file name to store the JWT SVIDs. File is Base64-encoded string). | `[{jwt_audience="your-audience", jwt_svid_file_name="jwt_svid.token"}]` |
 | `jwt_bundle_file_name` | File name to be used to store JWT Bundle in JSON format. | `"jwt_bundle.json"` |
 | `include_federated_domains` | Include trust domains from federated servers in the CA bundle. | `true` |
-| `cert_file_mode` | The octal file mode to use when saving the X.509 public certificate file. | "0644" |
-| `key_file_mode` | The octal file mode to use when saving the X.509 private key file | "0600" |
-| `jwt_bundle_file_mode` | The octal file mode to use when saving a JWT Bundle file. | "0600" |
-| `jwt_svid_file_mode` | The octal file mode to use when saving a JWT SVID file. | "0600" |
+| `cert_file_mode` | The octal file mode to use when saving the X.509 public certificate file. | 644 |
+| `key_file_mode` | The octal file mode to use when saving the X.509 private key file | 600 |
+| `jwt_bundle_file_mode` | The octal file mode to use when saving a JWT Bundle file. | 600 |
+| `jwt_svid_file_mode` | The octal file mode to use when saving a JWT SVID file. | 600 |
 ### Configuration example
 ```
diff --git a/cmd/spiffe-helper/config/config.go b/cmd/spiffe-helper/config/config.go
index 570c8f4..a7aefc9 100644
--- a/cmd/spiffe-helper/config/config.go
+++ b/cmd/spiffe-helper/config/config.go
@@ -30,10 +30,10 @@ type Config struct {
 CmdArgsDeprecated string `hcl:"cmdArgs"`
 CertDir string `hcl:"cert_dir"`
 CertDirDeprecated string `hcl:"certDir"`
- CertFileMode string `hcl:"cert_file_mode"`
- KeyFileMode string `hcl:"key_file_mode"`
- JwtBundleFileMode string `hcl:"jwt_bundle_file_mode"`
- JwtSvidFileMode string `hcl:"jwt_svid_file_mode"`
+ CertFileMode int32 `hcl:"cert_file_mode"`
+ KeyFileMode int32 `hcl:"key_file_mode"`
+ JwtBundleFileMode int32 `hcl:"jwt_bundle_file_mode"`
+ JwtSvidFileMode int32 `hcl:"jwt_svid_file_mode"`
 IncludeFederatedDomains bool `hcl:"include_federated_domains"`
 RenewSignal string `hcl:"renew_signal"`
 RenewSignalDeprecated string `hcl:"renewSignal"`
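Review bot: Switching the four `*FileMode` fields from `string` to `int32` makes the HCL decoder hand over a plain integer, and the README in this same commit now documents the values as `644`/`600` without a leading zero; unless the decoder treats a leading `0` as octal (and the examples no longer carry one), `os.FileMode(600)` is `0o1130` (sticky bit, owner `--x`, group `-wx`) and `os.FileMode(644)` is `0o1204`, so a private key written with the documented `key_file_mode = 600` becomes group-writable and unreadable by its owner. The removed code parsed the string with `strconv.ParseUint(s, 8, 32)` and did not have this problem; either keep the `string` form, or document that only an octal literal such as `0600` is accepted and reject anything above `0o7777`. A second effect of the type change is that the zero value is now indistinguishable from "not set", so the consumer in `NewSidecarConfig` below cannot tell an omitted field from an explicit `0`. The `Config` struct continues outside this hunk.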
@@ -179,40 +179,28 @@ func (c *Config) ValidateConfig(log logrus.FieldLogger) error {
 func NewSidecarConfig(config *Config, log logrus.FieldLogger) *sidecar.Config {
 certFileMode := defaultCertFileMode
- if config.CertFileMode != "" {
- parsedCertFileMode, err := strconv.ParseUint(config.CertFileMode, 8, 32)
- if err != nil || parsedCertFileMode > math.MaxUint32 {
- log.WithError(err).Error("failed to parse file mode, using default")
- } else {
- certFileMode = os.FileMode(parsedCertFileMode) //nolint:gosec,G115
- }
+ if config.CertFileMode <= 0 {
+ log.Error("failed to parse file mode, using default")
+ } else {
+ certFileMode = os.FileMode(config.CertFileMode)
 }
 keyFileMode := defaultKeyFileMode
- if config.KeyFileMode != "" {
- parsedKeyFileMode, err := strconv.ParseUint(config.KeyFileMode, 8, 32)
- if err != nil || parsedKeyFileMode > math.MaxUint32 {
- log.WithError(err).Error("failed to parse file mode, using default")
- } else {
- certFileMode = os.FileMode(parsedKeyFileMode) //nolint:gosec,G115
- }
+ if config.KeyFileMode <= 0 {
+ log.Error("failed to parse file mode, using default")
+ } else {
+ certFileMode = os.FileMode(config.KeyFileMode)
 }
 jwtBundleFileMode := defaultJwtBundleFileMode
- if config.JwtBundleFileMode != "" {
- parsedJwtBundleFileMode, err := strconv.ParseUint(config.JwtBundleFileMode, 8, 32)
- if err != nil || parsedJwtBundleFileMode > math.MaxUint32 {
- log.WithError(err).Error("failed to parse file mode, using default")
- } else {
- certFileMode = os.FileMode(parsedJwtBundleFileMode) //nolint:gosec,G115
- }
+ if config.JwtBundleFileMode <= 0 {
+ log.Error("failed to parse file mode, using default")
+ } else {
+ certFileMode = os.FileMode(config.JwtBundleFileMode)
 }
 jwtSvidFileMode := defaultJwtSvidFileMode
- if config.JwtSvidFileMode != "" {
- parsedJwtSvidFileMode, err := strconv.ParseUint(config.JwtSvidFileMode, 8, 32)
- if err != nil || parsedJwtSvidFileMode > math.MaxUint32 {
- log.WithError(err).Error("failed to parse file mode, using default")
- } else {
- certFileMode = os.FileMode(parsedJwtSvidFileMode) //nolint:gosec,G115
- }
+ if config.JwtSvidFileMode <= 0 {
+ log.Error("failed to parse file mode, using default")
+ } else {
+ certFileMode = os.FileMode(config.JwtSvidFileMode)
 }
 sidecarConfig := &sidecar.Config{
 AddIntermediatesToBundle: config.AddIntermediatesToBundle,
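Review bot: All four rewritten `else` branches still assign into `certFileMode`, so `key_file_mode`, `jwt_bundle_file_mode` and `jwt_svid_file_mode` are read but never applied: the private key and the JWT files are always written with their built-in defaults, and whichever of the four values is processed last silently becomes the certificate's mode (a user who sets both `cert_file_mode` and `key_file_mode` gets the certificate written with the key's mode and the key at its default). The removed lines had the same defect and this commit rewrote them without fixing it; the three assignments should read `keyFileMode = os.FileMode(config.KeyFileMode)`, `jwtBundleFileMode = os.FileMode(config.JwtBundleFileMode)` and `jwtSvidFileMode = os.FileMode(config.JwtSvidFileMode)`. Separately, with `int32` the zero value is also the "not set" value, so `<= 0` now logs `failed to parse file mode, using default` for every field the user omits, and the message is misleading because nothing is parsed any more — treat `0` as unset without logging and reserve the error for negative values. Nothing bounds the value either: anything above `0o7777` sets non-permission bits of `os.FileMode`, and whether the writer masks them is not visible in this diff. `NewSidecarConfig`'s body continues past the end of the hunk.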