Allow setting file mode on vault agent sink file (#7275)

* feat: enable setting mode on vault agent sink file

* doc: update vault agent file sink with mode configuration

command/agent/sink/file/file_sink.go

@@ -16,6 +16,7 @@ import (
 // fileSink is a Sink implementation that writes a token to a file
 type fileSink struct {
 	path   string
+	mode   os.FileMode
 	logger hclog.Logger
 }
 
@@ -29,6 +30,7 @@ func NewFileSink(conf *sink.SinkConfig) (sink.Sink, error) {
 
 	f := &fileSink{
 		logger: conf.Logger,
+		mode:   0640,
 	}
 
 	pathRaw, ok := conf.Config["path"]
@@ -42,11 +44,26 @@ func NewFileSink(conf *sink.SinkConfig) (sink.Sink, error) {
 
 	f.path = path
 
+	if modeRaw, ok := conf.Config["mode"]; ok {
+		f.logger.Debug("verifying override for default file sink mode")
+		mode, typeOK := modeRaw.(int)
+		if !typeOK {
+			return nil, errors.New("could not parse 'mode' as integer")
+		}
+
+		if !os.FileMode(mode).IsRegular() {
+			return nil, fmt.Errorf("file mode does not represent a regular file")
+		}
+
+		f.logger.Debug("overriding default file sink", "mode", mode)
+		f.mode = os.FileMode(mode)
+	}
+
 	if err := f.WriteToken(""); err != nil {
 		return nil, errwrap.Wrapf("error during write check: {{err}}", err)
 	}
 
-	f.logger.Info("file sink configured", "path", f.path)
+	f.logger.Info("file sink configured", "path", f.path, "mode", f.mode)
 
 	return f, nil
 }
@@ -69,7 +86,7 @@ func (f *fileSink) WriteToken(token string) error {
 	fileName := filepath.Base(f.path)
 	tmpSuffix := strings.Split(u, "-")[0]
 
-	tmpFile, err := os.OpenFile(filepath.Join(targetDir, fmt.Sprintf("%s.tmp.%s", fileName, tmpSuffix)), os.O_WRONLY|os.O_CREATE, 0640)
+	tmpFile, err := os.OpenFile(filepath.Join(targetDir, fmt.Sprintf("%s.tmp.%s", fileName, tmpSuffix)), os.O_WRONLY|os.O_CREATE, f.mode)
 	if err != nil {
 		return errwrap.Wrapf(fmt.Sprintf("error opening temp file in dir %s for writing: {{err}}", targetDir), err)
 	}

command/agent/sink/file/file_sink_test.go

@@ -80,3 +80,65 @@ func TestFileSink(t *testing.T) {
 		t.Fatalf("expected %s, got %s", uuidStr, string(fileBytes))
 	}
 }
+
+func testFileSinkMode(t *testing.T, log hclog.Logger) (*sink.SinkConfig, string) {
+	tmpDir, err := ioutil.TempDir("", fmt.Sprintf("%s.", fileServerTestDir))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	path := filepath.Join(tmpDir, "token")
+
+	config := &sink.SinkConfig{
+		Logger: log.Named("sink.file"),
+		Config: map[string]interface{}{
+			"path": path,
+			"mode": 0644,
+		},
+	}
+
+	s, err := NewFileSink(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	config.Sink = s
+
+	return config, tmpDir
+}
+
+func TestFileSinkMode(t *testing.T) {
+	log := logging.NewVaultLogger(hclog.Trace)
+
+	fs, tmpDir := testFileSinkMode(t, log)
+	defer os.RemoveAll(tmpDir)
+
+	path := filepath.Join(tmpDir, "token")
+
+	uuidStr, _ := uuid.GenerateUUID()
+	if err := fs.WriteToken(uuidStr); err != nil {
+		t.Fatal(err)
+	}
+
+	file, err := os.Open(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer file.Close()
+
+	fi, err := file.Stat()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if fi.Mode() != os.FileMode(0644) {
+		t.Fatalf("wrong file mode was detected at %s", path)
+	}
+
+	fileBytes, err := ioutil.ReadFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if string(fileBytes) != uuidStr {
+		t.Fatalf("expected %s, got %s", uuidStr, string(fileBytes))
+	}
+}

website/source/docs/agent/autoauth/sinks/file.html.md

@@ -18,8 +18,10 @@ generally it is best for the client to remove the file as soon as it is seen.
 
 It is also best practice to write the file to a ramdisk, ideally an encrypted
 ramdisk, and use appropriate filesystem permissions. The file is currently
-always written with `0640` permissions.
+written with `0640` permissions as default, but can be overridden with the optional
+'mode' setting.
 
 ## Configuration
 
 - `path` `(string: required)` - The path to use to write the token file
+- `mode` `(int: optional)` - A string containing an octal number representing the bit pattern for the file mode, similar to chmod. Set to "0000" to prevent Vault from modifying the file mode