From c7e5eba60c96471e9ce03a96ce9a978785494e4b Mon Sep 17 00:00:00 2001
From: Keegan Witt
Date: Fri, 13 Sep 2024 15:56:56 -0400
Subject: [PATCH] Switch new conf options from string to int
Signed-off-by: Keegan Witt
---
 README.md | 8 ++--
 cmd/spiffe-helper/config/config.go | 46 +++++--------------
 cmd/spiffe-helper/config/config_test.go | 12 +++--
 cmd/spiffe-helper/config/testdata/helper.conf | 8 ++--
 4 files changed, 28 insertions(+), 46 deletions(-)
diff --git a/README.md b/README.md
index 8affd80..bd11a39 100644
--- a/README.md
+++ b/README.md
@@ -33,10 +33,10 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
 | `jwt_svids` | An array with the audience and file name to store the JWT SVIDs. File is Base64-encoded string). | `[{jwt_audience="your-audience", jwt_svid_file_name="jwt_svid.token"}]` |
 | `jwt_bundle_file_name` | File name to be used to store JWT Bundle in JSON format. | `"jwt_bundle.json"` |
 | `include_federated_domains` | Include trust domains from federated servers in the CA bundle. | `true` |
-| `cert_file_mode` | The octal file mode to use when saving the X.509 public certificate file. | "0644" |
-| `key_file_mode` | The octal file mode to use when saving the X.509 private key file | "0600" |
-| `jwt_bundle_file_mode` | The octal file mode to use when saving a JWT Bundle file. | "0600" |
-| `jwt_svid_file_mode` | The octal file mode to use when saving a JWT SVID file. | "0600" |
+| `cert_file_mode` | The octal file mode to use when saving the X.509 public certificate file. | 644 |
+| `key_file_mode` | The octal file mode to use when saving the X.509 private key file | 600 |
+| `jwt_bundle_file_mode` | The octal file mode to use when saving a JWT Bundle file. | 600 |
+| `jwt_svid_file_mode` | The octal file mode to use when saving a JWT SVID file. | 600 |
 
 ### Configuration example
 ```
diff --git a/cmd/spiffe-helper/config/config.go b/cmd/spiffe-helper/config/config.go
index 570c8f4..9d354b4 100644
--- a/cmd/spiffe-helper/config/config.go
+++ b/cmd/spiffe-helper/config/config.go
@@ -3,9 +3,7 @@ package config
 import (
 	"errors"
 	"flag"
-	"math"
 	"os"
-	"strconv"
 
 	"github.com/hashicorp/hcl"
 	"github.com/sirupsen/logrus"
@@ -30,10 +28,10 @@ type Config struct {
 	CmdArgsDeprecated string `hcl:"cmdArgs"`
 	CertDir string `hcl:"cert_dir"`
 	CertDirDeprecated string `hcl:"certDir"`
-	CertFileMode string `hcl:"cert_file_mode"`
-	KeyFileMode string `hcl:"key_file_mode"`
-	JwtBundleFileMode string `hcl:"jwt_bundle_file_mode"`
-	JwtSvidFileMode string `hcl:"jwt_svid_file_mode"`
+	CertFileMode *int `hcl:"cert_file_mode"`
+	KeyFileMode *int `hcl:"key_file_mode"`
+	JwtBundleFileMode *int `hcl:"jwt_bundle_file_mode"`
+	JwtSvidFileMode *int `hcl:"jwt_svid_file_mode"`
 	IncludeFederatedDomains bool `hcl:"include_federated_domains"`
 	RenewSignal string `hcl:"renew_signal"`
 	RenewSignalDeprecated string `hcl:"renewSignal"`
@@ -179,40 +177,20 @@ func (c *Config) ValidateConfig(log logrus.FieldLogger) error {
 func NewSidecarConfig(config *Config, log logrus.FieldLogger) *sidecar.Config {
 	certFileMode := defaultCertFileMode
-	if config.CertFileMode != "" {
-		parsedCertFileMode, err := strconv.ParseUint(config.CertFileMode, 8, 32)
-		if err != nil || parsedCertFileMode > math.MaxUint32 {
-			log.WithError(err).Error("failed to parse file mode, using default")
-		} else {
-			certFileMode = os.FileMode(parsedCertFileMode) //nolint:gosec,G115
-		}
+	if config.CertFileMode != nil {
+		certFileMode = os.FileMode(*config.CertFileMode)
 	}
 	keyFileMode := defaultKeyFileMode
-	if config.KeyFileMode != "" {
-		parsedKeyFileMode, err := strconv.ParseUint(config.KeyFileMode, 8, 32)
-		if err != nil || parsedKeyFileMode > math.MaxUint32 {
-			log.WithError(err).Error("failed to parse file mode, using default")
-		} else {
-			certFileMode = os.FileMode(parsedKeyFileMode) //nolint:gosec,G115
-		}
+	if config.KeyFileMode != nil {
+		certFileMode = os.FileMode(*config.KeyFileMode)
 	}
 	jwtBundleFileMode := defaultJwtBundleFileMode
-	if config.JwtBundleFileMode != "" {
-		parsedJwtBundleFileMode, err := strconv.ParseUint(config.JwtBundleFileMode, 8, 32)
-		if err != nil || parsedJwtBundleFileMode > math.MaxUint32 {
-			log.WithError(err).Error("failed to parse file mode, using default")
-		} else {
-			certFileMode = os.FileMode(parsedJwtBundleFileMode) //nolint:gosec,G115
-		}
+	if config.JwtBundleFileMode != nil {
+		certFileMode = os.FileMode(*config.JwtBundleFileMode)
 	}
 	jwtSvidFileMode := defaultJwtSvidFileMode
-	if config.JwtSvidFileMode != "" {
-		parsedJwtSvidFileMode, err := strconv.ParseUint(config.JwtSvidFileMode, 8, 32)
-		if err != nil || parsedJwtSvidFileMode > math.MaxUint32 {
-			log.WithError(err).Error("failed to parse file mode, using default")
-		} else {
-			certFileMode = os.FileMode(parsedJwtSvidFileMode) //nolint:gosec,G115
-		}
+	if config.JwtSvidFileMode != nil {
+		certFileMode = os.FileMode(*config.JwtSvidFileMode)
 	}
 
 	sidecarConfig := &sidecar.Config{
 		AddIntermediatesToBundle: config.AddIntermediatesToBundle,
diff --git a/cmd/spiffe-helper/config/config_test.go b/cmd/spiffe-helper/config/config_test.go
index f8a5add..8221f2c 100644
--- a/cmd/spiffe-helper/config/config_test.go
+++ b/cmd/spiffe-helper/config/config_test.go
@@ -31,10 +31,14 @@ func TestParseConfig(t *testing.T) {
 	expectedJWTSVIDFileName := "jwt_svid.token"
 	expectedJWTBundleFileName := "jwt_bundle.json"
 	expectedJWTAudience := "your-audience"
-	expectedCertFileMode := "0444"
-	expectedKeyFileMode := "0444"
-	expectedJwtBundleFileMode := "0444"
-	expectedJwtSvidFileMode := "0444"
+	certFileMode := 444
+	expectedCertFileMode := &certFileMode
+	keyFileMode := 444
+	expectedKeyFileMode := &keyFileMode
+	jwtBundleFileMode := 444
+	expectedJwtBundleFileMode := &jwtBundleFileMode
+	jwtSvidFileMode := 444
+	expectedJwtSvidFileMode := &jwtSvidFileMode
 
 	assert.Equal(t, expectedAgentAddress, c.AgentAddress)
 	assert.Equal(t, expectedCmd, c.Cmd)
diff --git a/cmd/spiffe-helper/config/testdata/helper.conf b/cmd/spiffe-helper/config/testdata/helper.conf
index ae88122..0219e30 100644
--- a/cmd/spiffe-helper/config/testdata/helper.conf
+++ b/cmd/spiffe-helper/config/testdata/helper.conf
@@ -2,10 +2,10 @@ agent_address = "/tmp/spire-agent/public/api.sock"
 cmd = "hot-restarter.py"
 cmd_args = "start_envoy.sh"
 cert_dir = "certs"
-cert_file_mode = "0444"
-key_file_mode = "0444"
-jwt_bundle_file_mode = "0444"
-jwt_svid_file_mode = "0444"
+cert_file_mode = 444
+key_file_mode = 444
+jwt_bundle_file_mode = 444
+jwt_svid_file_mode = 444
 renew_signal = "SIGHUP"
 svid_file_name = "svid.pem"
 svid_key_file_name = "svid_key.pem"
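Review bot: The second, third and fourth branches of NewSidecarConfig still write into `certFileMode` (`certFileMode = os.FileMode(*config.KeyFileMode)` and the two lines like it), so key_file_mode, jwt_bundle_file_mode and jwt_svid_file_mode never take effect and a configured key mode silently replaces the certificate mode instead; they should read `keyFileMode = os.FileMode(*config.KeyFileMode)`, `jwtBundleFileMode = os.FileMode(*config.JwtBundleFileMode)` and `jwtSvidFileMode = os.FileMode(*config.JwtSvidFileMode)`. Separately, the value is now cast straight from the decoded int: the README and testdata/helper.conf in this same patch write `644`/`444` without a leading zero, and unless the HCL decoder treats that as octal (worth confirming) the field holds decimal 644, which is 0o1204, not the 0o644 the documentation promises — so the docs and helper.conf should use `0644`-style literals and the code should reject values outside 0..0o777 (negative values are now representable through `*int`) with an explicit error rather than applying unintended permission bits to the private-key file. Since the `strconv` parsing and its `log.WithError` calls are gone, `log` may now be unused in this function and the dropped `//nolint:gosec,G115` conversion warning may reappear on the new casts; both depend on the remainder of NewSidecarConfig, which continues past the hunk.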
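Review bot: The four `expected...FileMode := &...` pointer locals only exist so that `assert.Equal` can compare `*int` fields by pointee; the intent is clearer if the test checks the decoded value directly, e.g. `assert.NotNil(t, c.CertFileMode)` followed by `assert.Equal(t, 444, *c.CertFileMode)` for each field (the assertions themselves lie outside the hunk). If the option is meant to be an octal mode as the README states, the expected constant should be written so that the test documents that unit (`0444`, together with a matching literal in testdata/helper.conf) rather than pinning decimal 444.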