Merge pull request #637 from stgraber/cli

shared/cliconfig: Ensure client certificate key is 0600
lxc · Mar 21, 2024 · 62c688f · 62c688f
2 parents 20af3f7 + 7beea2a
commit 62c688f
Showing 1 changed file with 22 additions and 5 deletions.
diff --git a/shared/cliconfig/cert.go b/shared/cliconfig/cert.go
@@ -45,14 +45,24 @@ func (c *Config) GenerateClientCertificate() error {
 
 // CopyGlobalCert will copy global (system-wide) certificates to the user config path.
 func (c *Config) CopyGlobalCert(src string, dst string) error {
-	copyFile := func(oldPath string, newPath string) error {
+	copyFile := func(oldPath string, newPath string, mode os.FileMode) error {
 		sourceFile, err := os.Open(oldPath)
 		if err != nil {
 			return err
 		}
 
 		defer sourceFile.Close()
 
+		// Get the mode from the source file if not specified.
+		if mode == 0 {
+			fInfo, err := sourceFile.Stat()
+			if err != nil {
+				return err
+			}
+
+			mode = fInfo.Mode()
+		}
+
 		// Create new file.
 		newFile, err := os.Create(newPath)
 		if err != nil {
@@ -61,6 +71,13 @@ func (c *Config) CopyGlobalCert(src string, dst string) error {
 
 		defer newFile.Close()
 
+		// Apply the file mode.
+		err = newFile.Chmod(mode)
+		if err != nil {
+			return err
+		}
+
+		// Copy the content.
 		_, err = io.Copy(newFile, sourceFile)
 		if err != nil {
 			return err
@@ -74,7 +91,7 @@ func (c *Config) CopyGlobalCert(src string, dst string) error {
 	if util.PathExists(oldPath) {
 		newPath := c.ConfigPath("servercerts", fmt.Sprintf("%s.crt", dst))
 
-		err := copyFile(oldPath, newPath)
+		err := copyFile(oldPath, newPath, 0)
 		if err != nil {
 			return err
 		}
@@ -85,7 +102,7 @@ func (c *Config) CopyGlobalCert(src string, dst string) error {
 	if util.PathExists(oldPath) {
 		newPath := c.ConfigPath("clientcerts", fmt.Sprintf("%s.crt", dst))
 
-		err := copyFile(oldPath, newPath)
+		err := copyFile(oldPath, newPath, 0)
 		if err != nil {
 			return err
 		}
@@ -96,7 +113,7 @@ func (c *Config) CopyGlobalCert(src string, dst string) error {
 	if util.PathExists(oldPath) {
 		newPath := c.ConfigPath("clientcerts", fmt.Sprintf("%s.key", dst))
 
-		err := copyFile(oldPath, newPath)
+		err := copyFile(oldPath, newPath, 0600)
 		if err != nil {
 			return err
 		}
@@ -107,7 +124,7 @@ func (c *Config) CopyGlobalCert(src string, dst string) error {
 	if util.PathExists(oldPath) {
 		newPath := c.ConfigPath("clientcerts", fmt.Sprintf("%s.ca", dst))
 
-		err := copyFile(oldPath, newPath)
+		err := copyFile(oldPath, newPath, 0)
 		if err != nil {
 			return err
 		}