patch: fixed file permissions and added tests

Author: AshishNaware

src/code.cloudfoundry.org/cf-tcp-router/config/config.go

@@ -164,7 +164,7 @@ func (c *Config) initConfigFromFile(path string) error {
 			}
 
 			dirPath := filepath.Join(basePath, name)
-			if err := os.MkdirAll(dirPath, 0755); err != nil {
+			if err := os.MkdirAll(dirPath, 0750); err != nil {
 				if !(isReadOnlyFS(err) || isPermissionDenied(err)) {
 					return err
 				}
@@ -173,11 +173,11 @@ func (c *Config) initConfigFromFile(path string) error {
 			certFilePath := filepath.Join(dirPath, fmt.Sprintf("%s.pem", name))
 			keyFilePath := filepath.Join(dirPath, fmt.Sprintf("%s.pem.key", name))
 
-			if err := writeFile(certFilePath, []byte(certChain), 0640, uid, gid); err != nil {
+			if err := writeFile(certFilePath, []byte(certChain), 0750, uid, gid); err != nil {
 				return err
 			}
 
-			if err := writeFile(keyFilePath, []byte(privateKey), 0600, uid, gid); err != nil {
+			if err := writeFile(keyFilePath, []byte(privateKey), 0750, uid, gid); err != nil {
 				return err
 			}
 
@@ -287,7 +287,7 @@ func certHasSAN(cert *x509.Certificate) bool {
 //  2. tcp_router_ctl which doesn't have the necessary privs but also invokes this function
 //     and so can be safely skipped
 func writeFile(path string, data []byte, mode os.FileMode, uid, gid int) error {
-	if err := os.WriteFile(path, data, 0600); err != nil {
+	if err := os.WriteFile(path, data, mode); err != nil {
 		if isReadOnlyFS(err) || isPermissionDenied(err) {
 			return nil
 		}
@@ -301,13 +301,6 @@ func writeFile(path string, data []byte, mode os.FileMode, uid, gid int) error {
 		return err
 	}
 
-	if err := os.Chmod(path, mode); err != nil {
-		if isReadOnlyFS(err) || isPermissionDenied(err) {
-			return nil
-		}
-		return err
-	}
-
 	return nil
 }
 

src/code.cloudfoundry.org/cf-tcp-router/config/config_test.go

@@ -272,12 +272,73 @@ var _ = Describe("Config", Serial, func() {
 			})
 		})
 
+		Context("with invalid cert and key", func() {
+			BeforeEach(func() {
+				cfg, err = config.New("fixtures/valid_frontend_cert.yml")
+			})
+
+			It("loads config without error", func() {
+				Expect(err).NotTo(HaveOccurred())
+			})
+
+			It("adds the certs and keys to the expected directories", func() {
+				Expect(err).NotTo(HaveOccurred())
+				Expect(cfg.FrontendTLS).To(HaveLen(2))
+
+				Expect(cfg.FrontendTLS[0]).To(Equal(config.FrontendTLSConfig{
+					Enabled:        true,
+					CertificateDir: filepath.Join(tmpDir, "prod"),
+				}))
+
+				Expect(cfg.FrontendTLS[1]).To(Equal(config.FrontendTLSConfig{
+					Enabled:        true,
+					CertificateDir: filepath.Join(tmpDir, "dev"),
+				}))
+			})
+
+			It("writes the correct cert and key files with correct permissions", func() {
+				for i, name := range []string{"prod", "dev"} {
+					certPath := filepath.Join(tmpDir, name, name+".pem")
+					keyPath := filepath.Join(tmpDir, name, name+".pem.key")
+
+					Expect(certPath).To(BeAnExistingFile())
+					Expect(keyPath).To(BeAnExistingFile())
+
+					certData, certErr := os.ReadFile(certPath)
+					Expect(certErr).NotTo(HaveOccurred())
+					Expect(string(certData)).To(Equal(cfg.FrontendTLSJob[i].CertChain))
+
+					keyData, keyErr := os.ReadFile(keyPath)
+					Expect(keyErr).NotTo(HaveOccurred())
+					Expect(string(keyData)).To(Equal(cfg.FrontendTLSJob[i].PrivateKey))
+
+					certInfo, err := os.Stat(certPath)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(os.FileMode(0750)).To(Equal(certInfo.Mode().Perm()))
+
+					keyInfo, err := os.Stat(keyPath)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(os.FileMode(0750)).To(Equal(keyInfo.Mode().Perm()))
+				}
+			})
+		})
+
 		Context("with invalid frontend_tls config", func() {
 			It("should fail if cert_chain is missing SAN information", func() {
-				_, err := config.New("fixtures/invalid_frontend_cert.yml")
+				_, err := config.New("fixtures/frontend_cert_without_san.yml")
 				Expect(err).To(HaveOccurred())
 				Expect(err.Error()).To(Equal("frontend_tls[0].cert_chain must include a subjectAltName extension"))
 			})
+			It("should fail if certs or keys are empty", func() {
+				_, err := config.New("fixtures/no_frontend_certs.yml")
+				Expect(err).To(HaveOccurred())
+				Expect(err.Error()).To(Equal("frontend_tls[0] must include name, cert_chain, and private_key"))
+			})
+			It("should fail if cert is invalid", func() {
+				_, err := config.New("fixtures/invalid_frontend_certs.yml")
+				Expect(err).To(HaveOccurred())
+				Expect(err.Error()).To(Equal("failed to parse PEM block"))
+			})
 
 		})
 	})

src/code.cloudfoundry.org/cf-tcp-router/config/fixtures/invalid_frontend_cert.yml renamed to src/code.cloudfoundry.org/cf-tcp-router/config/fixtures/frontend_cert_without_san.yml

@@ -0,0 +1,24 @@
+oauth:
+  token_endpoint: "uaa.service.cf.internal"
+  client_name: "someclient"
+  client_secret: "somesecret"
+  port: 8443
+  skip_ssl_validation: true
+  ca_certs: "some-ca-cert"
+
+routing_api:
+  uri: http://routing-api.service.cf.internal
+  port: 3000
+  auth_disabled: false
+  client_cert_path: /a/client_cert
+  client_private_key_path: /b/private_key
+  ca_cert_path: /c/ca_cert
+
+haproxy_pid_file: /path/to/pid/file
+isolation_segments: ["foo-iso-seg"]
+reserved_system_component_ports: [8080, 8081]
+frontend_tls:
+  - name: "prod"
+    cert_chain: |-
+      invalid cert 
+    private_key: "some key"

src/code.cloudfoundry.org/cf-tcp-router/config/fixtures/invalid_frontend_certs.yml

@@ -0,0 +1,23 @@
+oauth:
+  token_endpoint: "uaa.service.cf.internal"
+  client_name: "someclient"
+  client_secret: "somesecret"
+  port: 8443
+  skip_ssl_validation: true
+  ca_certs: "some-ca-cert"
+
+routing_api:
+  uri: http://routing-api.service.cf.internal
+  port: 3000
+  auth_disabled: false
+  client_cert_path: /a/client_cert
+  client_private_key_path: /b/private_key
+  ca_cert_path: /c/ca_cert
+
+haproxy_pid_file: /path/to/pid/file
+isolation_segments: ["foo-iso-seg"]
+reserved_system_component_ports: [8080, 8081]
+frontend_tls:
+  - name: "prod"
+    cert_chain: 
+    private_key: