From a64a06382866286a77ff8c5dd2e720f5a46cd15d Mon Sep 17 00:00:00 2001
From: Eno Compton
Date: Fri, 16 Sep 2022 15:51:12 -0600
Subject: [PATCH 1/3] fix: allow group and other access to Unix socket

This is a port of https://github.com/GoogleCloudPlatform/cloud-sql-proxy/pull/1405.
---
 internal/proxy/proxy.go | 8 ++++++++
 internal/proxy/proxy_other_test.go | 16 ++++++++++++++++
 internal/proxy/proxy_test.go | 2 ++
 internal/proxy/proxy_windows_test.go | 11 +++++++++++
 4 files changed, 37 insertions(+)
 create mode 100644 internal/proxy/proxy_other_test.go
 create mode 100644 internal/proxy/proxy_windows_test.go

diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
index 8bc17c94..343ab928 100644
--- a/internal/proxy/proxy.go
+++ b/internal/proxy/proxy.go
@@ -477,6 +477,14 @@ func newSocketMount(ctx context.Context, conf *Config, pc *portConfig, inst Inst
 if err != nil {
 return nil, err
 }
+ // Change file permisions to allow access for user, group, and other.
+ if network == "unix" {
+ // Best effort. If this call fails, group and other won't have write
+ // access.
+ err := os.Chmod(address, 0777)
+ fmt.Println(err)
+ }
+
 m := &socketMount{inst: inst.Name, listener: ln}
 return m, nil
 }
diff --git a/internal/proxy/proxy_other_test.go b/internal/proxy/proxy_other_test.go
new file mode 100644
index 00000000..0207eae8
--- /dev/null
+++ b/internal/proxy/proxy_other_test.go
@@ -0,0 +1,16 @@
+package proxy_test
+
+import (
+ "os"
+ "testing"
+)
+
+func verifySocketPermissions(t *testing.T, addr string) {
+ fi, err := os.Stat(addr)
+ if err != nil {
+ t.Fatalf("os.Stat(%v): %v", addr, err)
+ }
+ if fm := fi.Mode(); fm != 0777|os.ModeSocket {
+ t.Fatalf("file mode: want = %v, got = %v", 0777|os.ModeSocket, fm)
+ }
+}
diff --git a/internal/proxy/proxy_test.go b/internal/proxy/proxy_test.go
index 245d578d..b0881d92 100644
--- a/internal/proxy/proxy_test.go
+++ b/internal/proxy/proxy_test.go
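Review bot: Mode `0777` in the proxy.go hunk (newSocketMount) lets every local account connect to the socket, so the permissions on the socket's parent directory become the only filesystem check on who can reach the instance through the proxy; the added comment should say so, e.g. `// 0777 lets any local user connect; restrict the socket directory to limit access.` os.Chmod also acts on the path and follows symlinks, which is only safe while that directory is writable by the proxy's own user alone; nothing visible in the hunk enforces that. The same call is kept in the PATCH 3/3 hunk, so this applies there as well. Minor: "permisions" in the added comment is a typo. newSocketMount begins above the hunk, so how `address` is built is not visible here.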
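Review bot: verifySocketPermissions in proxy_other_test.go is a test helper but never calls `t.Helper()`, so a failed mode check is reported at the line inside the helper instead of at the call site in TestClientInitialization; add `t.Helper()` as its first statement. A one-line doc comment would also help, for example `// verifySocketPermissions fails the test unless addr is a Unix socket with mode 0777.`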
@@ -235,6 +235,8 @@ func TestClientInitialization(t *testing.T) {
 }
 
 for _, addr := range tc.wantUnixAddrs {
+ verifySocketPermissions(t, addr)
+
 conn, err := net.Dial("unix", addr)
 if err != nil {
 t.Fatalf("want error = nil, got = %v", err)
diff --git a/internal/proxy/proxy_windows_test.go b/internal/proxy/proxy_windows_test.go
new file mode 100644
index 00000000..e94a206d
--- /dev/null
+++ b/internal/proxy/proxy_windows_test.go
@@ -0,0 +1,11 @@
+package proxy_test
+
+import (
+ "testing"
+)
+
+func verifySocketPermissions(t *testing.T, addr string) {
+ // On Linux and Darwin, we check that the socket named by addr exists with
+ // os.Stat. That operation is not supported on Windows.
+ // See https://github.com/microsoft/Windows-Containers/issues/97#issuecomment-887713195
+}
From 6e30505d07e920d2e8af11c2270fb4de4f97458d Mon Sep 17 00:00:00 2001
From: Eno Compton
Date: Fri, 16 Sep 2022 16:13:13 -0600
Subject: [PATCH 2/3] woops

---
 internal/proxy/proxy_other_test.go | 17 +++++++++++++++++
 internal/proxy/proxy_windows_test.go | 14 ++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/internal/proxy/proxy_other_test.go b/internal/proxy/proxy_other_test.go
index 0207eae8..75e33e2b 100644
--- a/internal/proxy/proxy_other_test.go
+++ b/internal/proxy/proxy_other_test.go
@@ -1,3 +1,20 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !windows
+// +build !windows
+
 package proxy_test
 
 import (
diff --git a/internal/proxy/proxy_windows_test.go b/internal/proxy/proxy_windows_test.go
index e94a206d..6a4299d5 100644
--- a/internal/proxy/proxy_windows_test.go
+++ b/internal/proxy/proxy_windows_test.go
@@ -1,3 +1,17 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package proxy_test
 
 import (
From 2944aa920e7afcb7eb31e8f780351ccb934c6ba1 Mon Sep 17 00:00:00 2001
From: Eno Compton
Date: Wed, 21 Sep 2022 09:21:53 -0600
Subject: [PATCH 3/3] remove erroneous fmt.Println

---
 internal/proxy/proxy.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
index bdbc00d7..4aced1de 100644
--- a/internal/proxy/proxy.go
+++ b/internal/proxy/proxy.go
@@ -552,8 +552,7 @@ func newSocketMount(ctx context.Context, conf *Config, pc *portConfig, inst Inst
 if network == "unix" {
 // Best effort. If this call fails, group and other won't have write
 // access.
- err := os.Chmod(address, 0777)
- fmt.Println(err)
+ _ = os.Chmod(address, 0777)
 }
 
 m := &socketMount{inst: inst.Name, listener: ln}
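Review bot: Discarding the os.Chmod result with `_ =` in the PATCH 3/3 proxy.go hunk leaves no trace when the mode change fails; the socket then keeps its umask-derived mode and clients under other accounts see a permission error that nothing in the proxy's output explains. Keeping the call best-effort is reasonable, but the failure should be reported through whatever logger newSocketMount can reach (none is visible in this hunk; the function begins outside it). If no logger is available at this point, at least record the consequence in the comment, e.g. `// Error ignored: on failure the socket keeps its umask-derived mode.`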