open-vault/vault/diagnose/file_checks.go

package diagnose

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

const (
	FileIsSymlinkWarning          = "raft storage backend file is a symlink"
	FileTooPermissiveWarning      = "too many permissions"
	FilePermissionsMissingWarning = "owner or group needs read and write permissions"
)

func IsDir(info fs.FileInfo) bool {
	if info.Mode().IsDir() {
		return true
	}
	return false
}

func HasDB(path string) bool {
	dbPath := filepath.Join(path, DatabaseFilename)
	if _, err := os.Stat(dbPath); os.IsNotExist(err) {
		return false
	}
	return true
}

// CheckFilePerms checks if the specified file does not have other permissions, and
// whether the specified file just has owner rw permissions.
func CheckFilePerms(info fs.FileInfo) (bool, []string) {
	var errors []string
	mode := info.Mode()
	hasOnlyOwnerRW := false
	hasOwnerRead := false
	hasOwnerWrite := false
	hasSomeRead := false
	hasSomeWrite := false

	// Check owner perms
	if mode&0o400 != 0 {
		hasSomeRead = true
		hasOwnerRead = true
	}
	if mode&0o200 != 0 {
		hasSomeWrite = true
		hasOwnerWrite = true
	}

	if hasOwnerRead && hasOwnerWrite {
		hasOnlyOwnerRW = true
	}

	// These are "other" perms.
	// These don't count has "some read" or "some write" permissions because there should
	// never be a case when these permissions are set.
	if mode&0o007 != 0 {
		hasOnlyOwnerRW = false
		errors = append(errors, fmt.Sprintf(FileTooPermissiveWarning+": perms are %s", mode.String()))
	}

	// Check group permissions
	if mode&0o040 != 0 {
		hasOnlyOwnerRW = false
		hasSomeRead = true
	}
	if mode&0o020 != 0 {
		hasOnlyOwnerRW = false
		hasSomeWrite = true
	}

	// check that owners have read and write permissions
	if !hasSomeRead || !hasSomeWrite {
		errors = append(errors, fmt.Sprintf(FilePermissionsMissingWarning+": perms are %s", mode.String()))
	}

	if mode&os.ModeSymlink != 0 {
		errors = append(errors, FileIsSymlinkWarning)
	}

	if hasOnlyOwnerRW {
		return true, errors
	}
	return false, errors
}