From 18daa6ef3756fcd8ce4fbc391ab7e6bd64dfcce6 Mon Sep 17 00:00:00 2001
From: Chris Norman <17420369+chrnorm@users.noreply.github.com>
Date: Tue, 24 Sep 2024 18:09:50 +0100
Subject: [PATCH] Revert "update file permissions to read/write (#751)" (#755)
Fixes the permissions issue in the latest Granted release.
---------
Co-authored-by: James Belleau
---
 pkg/accessrequest/role.go | 9 ++-------
 pkg/cfaws/ssotoken.go | 9 ++-------
 pkg/config/config.go | 24 +++++++-----------------
 pkg/frecency/frecency.go | 11 +++--------
 pkg/granted/exp/request/request.go | 7 +------
 pkg/granted/registry/add.go | 5 +++++
 pkg/granted/registry/ini.go | 5 -----
 pkg/shells/file.go | 9 ++-------
 8 files changed, 22 insertions(+), 57 deletions(-)
diff --git a/pkg/accessrequest/role.go b/pkg/accessrequest/role.go
index 28d77f96..a153ce66 100644
--- a/pkg/accessrequest/role.go
+++ b/pkg/accessrequest/role.go
@@ -14,11 +14,6 @@ import (
 "github.com/common-fate/granted/pkg/config"
 )
-const (
- // permission for user to read/write.
- USER_READ_WRITE_PERM = 0644
-)
-
 type Role struct {
 Account string `json:"account"`
 Role string `json:"role"`
@@ -51,7 +46,7 @@ func (r Role) Save() error {
 }
 file := filepath.Join(configFolder, "latest-role")
- return os.WriteFile(file, roleBytes, USER_READ_WRITE_PERM)
+ return os.WriteFile(file, roleBytes, 0644)
 }
 func LatestRole() (*Role, error) {
@@ -96,7 +91,7 @@ func (p Profile) Save() error {
 }
 file := filepath.Join(configFolder, "latest-profile")
- return os.WriteFile(file, profileBytes, USER_READ_WRITE_PERM)
+ return os.WriteFile(file, profileBytes, 0644)
 }
 func LatestProfile() (*Profile, error) {
diff --git a/pkg/cfaws/ssotoken.go b/pkg/cfaws/ssotoken.go
index 7578f1d2..317984b5 100644
--- a/pkg/cfaws/ssotoken.go
+++ b/pkg/cfaws/ssotoken.go
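Review bot: In `Role.Save` (`pkg/accessrequest/role.go`), `os.WriteFile(file, roleBytes, 0644)` creates `latest-role` readable by group and others, while the other state files this commit restores (the config file, the frecency store, the SSO token cache) are created with `0600`. The same literal is used in `Profile.Save` for `latest-profile` and in `updateCachedAccessRule` in `pkg/granted/exp/request/request.go`. Unless a process running as a different user has to read these files, `return os.WriteFile(file, roleBytes, 0600)` would keep them consistent with the rest. Both `Save` bodies start outside their hunks, so how `configFolder` is created is not visible here.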
@@ -15,11 +15,6 @@ import (
 "github.com/common-fate/granted/pkg/securestorage"
 )
-const (
- // permission for user to read/write.
- USER_READ_WRITE_PERM = 0644
-)
-
 type SSOPlainTextOut struct {
 AccessToken string `json:"accessToken"`
 ExpiresAt string `json:"expiresAt"`
@@ -93,13 +88,13 @@ func dumpTokenFile(jsonToken []byte, key string) error {
 }
 if _, err := os.Stat(path); os.IsNotExist(err) {
- err := os.MkdirAll(path, USER_READ_WRITE_PERM)
+ err := os.MkdirAll(path, 0700)
 if err != nil {
 return fmt.Errorf("unable to create sso cache directory with err: %s", err)
 }
 }
- err = os.WriteFile(filepath.Join(path, key), jsonToken, USER_READ_WRITE_PERM)
+ err = os.WriteFile(filepath.Join(path, key), jsonToken, 0600)
 if err != nil {
 return err
 }
diff --git a/pkg/config/config.go b/pkg/config/config.go
index f1933dbd..f53a529c 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -17,16 +17,6 @@ import (
 "github.com/common-fate/granted/internal/build"
 )
-const (
- // permission for user to read/write.
- USER_READ_WRITE_PERM = 0644
-)
-
-const (
- // permission for user to read/write.
- USER_READ_WRITE_EXECUTE_PERM = 0700
-)
-
 type BrowserLaunchTemplate struct {
 // UseForkProcess specifies whether to use forkprocess to launch the browser.
 //
@@ -152,7 +142,7 @@ func SetupConfigFolder() error {
 return err
 }
 if _, err := os.Stat(grantedFolder); os.IsNotExist(err) {
- err := os.Mkdir(grantedFolder, USER_READ_WRITE_PERM)
+ err := os.Mkdir(grantedFolder, 0700)
 if err != nil {
 return err
 }
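Review bot: In `dumpTokenFile` (`pkg/cfaws/ssotoken.go`), restoring `0600` on `os.WriteFile(filepath.Join(path, key), jsonToken, 0600)` only affects files that do not exist yet; `os.WriteFile` truncates an existing file without changing its mode. A token file that the reverted version wrote with `0644` therefore stays readable by group and others after upgrading, as far as this hunk shows. An explicit `if err := os.Chmod(filepath.Join(path, key), 0600); err != nil { return err }` after the write would tighten it. The same applies to the `os.OpenFile(..., 0600)` calls in `Load` and `(*Config).Save` in `pkg/config/config.go` and in `Load` and `save` in `pkg/frecency/frecency.go`. The body of `dumpTokenFile` starts and ends outside the hunk.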
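Review bot: In `SetupConfigFolder` (`pkg/config/config.go`), `os.Mkdir(grantedFolder, 0700)` runs only when `os.Stat` reports the folder missing, so a folder that the reverted version already created with `0644` (no search bit for the owner) keeps that mode and presumably stays unusable after upgrading. Repairing the mode after the `os.IsNotExist` block would cover that case: `if err := os.Chmod(grantedFolder, 0700); err != nil { return err }`. The `os.MkdirAll` calls in `dumpTokenFile` (`pkg/cfaws/ssotoken.go`) and in `Load` (`pkg/frecency/frecency.go`) have the same gap, because `MkdirAll` leaves an existing directory's mode untouched. The function body starts and ends outside the hunk.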
@@ -168,14 +158,14 @@ func SetupZSHAutoCompleteFolderAssume() (string, error) {
 }
 zshPath := path.Join(grantedFolder, "zsh_autocomplete")
 if _, err := os.Stat(zshPath); os.IsNotExist(err) {
- err := os.Mkdir(zshPath, USER_READ_WRITE_EXECUTE_PERM)
+ err := os.Mkdir(zshPath, 0700)
 if err != nil {
 return "", err
 }
 }
 zshPath = path.Join(zshPath, build.AssumeScriptName())
 if _, err := os.Stat(zshPath); os.IsNotExist(err) {
- err := os.Mkdir(zshPath, USER_READ_WRITE_EXECUTE_PERM)
+ err := os.Mkdir(zshPath, 0700)
 if err != nil {
 return "", err
 }
@@ -191,14 +181,14 @@ func SetupZSHAutoCompleteFolderGranted() (string, error) {
 }
 zshPath := path.Join(grantedFolder, "zsh_autocomplete")
 if _, err := os.Stat(zshPath); os.IsNotExist(err) {
- err := os.Mkdir(zshPath, USER_READ_WRITE_EXECUTE_PERM)
+ err := os.Mkdir(zshPath, 0700)
 if err != nil {
 return "", err
 }
 }
 zshPath = path.Join(zshPath, build.GrantedBinaryName())
 if _, err := os.Stat(zshPath); os.IsNotExist(err) {
- err := os.Mkdir(zshPath, USER_READ_WRITE_EXECUTE_PERM)
+ err := os.Mkdir(zshPath, 0700)
 if err != nil {
 return "", err
 }
@@ -284,7 +274,7 @@ func Load() (*Config, error) {
 return nil, err
 }
- file, err := os.OpenFile(configFilePath, os.O_RDWR|os.O_CREATE, USER_READ_WRITE_PERM)
+ file, err := os.OpenFile(configFilePath, os.O_RDWR|os.O_CREATE, 0600)
 if err != nil {
 return nil, err
 }
@@ -306,7 +296,7 @@ func (c *Config) Save() error {
 return err
 }
- file, err := os.OpenFile(configFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, USER_READ_WRITE_PERM)
+ file, err := os.OpenFile(configFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 if err != nil {
 return err
 }
diff --git a/pkg/frecency/frecency.go b/pkg/frecency/frecency.go
index c59459a4..ab4986b9 100644
--- a/pkg/frecency/frecency.go
+++ b/pkg/frecency/frecency.go
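Review bot: In `SetupZSHAutoCompleteFolderAssume`, each `os.Stat` / `os.Mkdir(zshPath, 0700)` pair is a check-then-create sequence: if the directory appears between the two calls, `Mkdir` fails with an already-exists error and the function returns it. A single `if err := os.MkdirAll(zshPath, 0700); err != nil { return "", err }` on the final joined path would create both levels and succeed when they already exist. `SetupZSHAutoCompleteFolderGranted` repeats the same two pairs. Both function bodies start and end outside their hunks.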
@@ -11,11 +11,6 @@ import (
 "github.com/common-fate/granted/pkg/config"
 )
-const (
- // permission for user to read/write.
- USER_READ_WRITE_PERM = 0644
-)
-
 // change these to play with the weights
 // values between 0 and 1
 // 0 will exclude the metric all together from the ordering
@@ -75,14 +70,14 @@ func Load(fecencyStoreKey string) (*FrecencyStore, error) {
 // check if the providers file exists
 if _, err = os.Stat(c.path); os.IsNotExist(err) {
- err := os.MkdirAll(configFolder, USER_READ_WRITE_PERM)
+ err := os.MkdirAll(configFolder, 0700)
 if err != nil {
 return nil, err
 }
 return &c, nil
 }
- file, err := os.OpenFile(c.path, os.O_RDWR|os.O_CREATE, USER_READ_WRITE_PERM)
+ file, err := os.OpenFile(c.path, os.O_RDWR|os.O_CREATE, 0600)
 if err != nil {
 return nil, err
 }
@@ -191,7 +186,7 @@ func (store *FrecencyStore) save() error {
 // store.Entries = store.Entries[0 : len(store.Entries)-1]
 // }
- file, err := os.OpenFile(store.path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, USER_READ_WRITE_PERM)
+ file, err := os.OpenFile(store.path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 if err != nil {
 return err
 }
diff --git a/pkg/granted/exp/request/request.go b/pkg/granted/exp/request/request.go
index e5daff53..6fbf6ab6 100644
--- a/pkg/granted/exp/request/request.go
+++ b/pkg/granted/exp/request/request.go
@@ -38,11 +38,6 @@ import (
 "gopkg.in/ini.v1"
 )
-const (
- // permission for user to read/write.
- USER_READ_WRITE_PERM = 0644
-)
-
 var Command = cli.Command{
 Name: "request",
 Usage: "Request access to a role",
@@ -731,7 +726,7 @@ func updateCachedAccessRule(ctx context.Context, opts updateCacheOpts) error {
 return err
 }
- err = os.WriteFile(filename, ruleBytes, USER_READ_WRITE_PERM)
+ err = os.WriteFile(filename, ruleBytes, 0644)
 if err != nil {
 return err
 }
diff --git a/pkg/granted/registry/add.go b/pkg/granted/registry/add.go
index 2e05660c..0308af97 100644
--- a/pkg/granted/registry/add.go
+++ b/pkg/granted/registry/add.go
@@ -15,6 +15,11 @@ import (
 "github.com/urfave/cli/v2"
 )
+const (
+ // permission for user to read/write/execute.
+ USER_READ_WRITE_PERM = 0700
+)
+
 var AddCommand = cli.Command{
 Name: "add",
 Description: "Add a Profile Registry that you want to sync with aws config file",
diff --git a/pkg/granted/registry/ini.go b/pkg/granted/registry/ini.go
index 38de2c40..916c08c1 100644
--- a/pkg/granted/registry/ini.go
+++ b/pkg/granted/registry/ini.go
@@ -10,11 +10,6 @@ import (
 "gopkg.in/ini.v1"
 )
-const (
- // permission for user to read/write.
- USER_READ_WRITE_PERM = 0644
-)
-
 // Find the ~/.aws/config absolute path based on OS.
 func getDefaultAWSConfigLocation() (string, error) {
 h, err := os.UserHomeDir()
diff --git a/pkg/shells/file.go b/pkg/shells/file.go
index 978110ac..1a40ecde 100644
--- a/pkg/shells/file.go
+++ b/pkg/shells/file.go
@@ -6,11 +6,6 @@ import (
 "strings"
 )
-const (
- // permission for user to read/write.
- USER_READ_WRITE_PERM = 0644
-)
-
 // AppendLine writes a line to a file if it does not already exist
 func AppendLine(file string, line string) error {
 b, err := os.ReadFile(file)
@@ -24,7 +19,7 @@ func AppendLine(file string, line string) error {
 }
 // open the file for writing
- out, err := os.OpenFile(file, os.O_APPEND|os.O_WRONLY, USER_READ_WRITE_PERM)
+ out, err := os.OpenFile(file, os.O_APPEND|os.O_WRONLY, 0644)
 if err != nil {
 return err
 }
@@ -78,7 +73,7 @@ func RemoveLine(file string, lineToRemove string) error {
 }
 output := strings.Join(ignored, "\n")
- err = os.WriteFile(file, []byte(output), USER_READ_WRITE_PERM)
+ err = os.WriteFile(file, []byte(output), 0644)
 if err != nil {
 return err
 }
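Review bot: The constant added in `pkg/granted/registry/add.go` is named `USER_READ_WRITE_PERM` but holds `0700`, and its own comment says read/write/execute, so the name understates what it grants. If it is only used when creating directories, a name that says so would read better, for example `registryDirPerm = 0700` with the comment `// owner-only rwx; used for directories`. Its uses are outside this hunk, so a rename would have to follow them. Go style also prefers MixedCaps over ALL_CAPS for constants.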
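Review bot: In `AppendLine` (`pkg/shells/file.go`), the `0644` passed to `os.OpenFile(file, os.O_APPEND|os.O_WRONLY, 0644)` has no effect, because the permission argument is only consulted when `os.O_CREATE` is set. The file keeps whatever mode it already has, but the literal suggests otherwise; `os.OpenFile(file, os.O_APPEND|os.O_WRONLY, 0)` or a short comment such as `// mode is ignored without O_CREATE` would make that explicit. `RemoveLine` is in a similar position, since `os.WriteFile` leaves the mode of an existing file unchanged and `0644` applies only if the file is created there. Both function bodies run past their hunks.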