From 67d62bcc36c0e4e7bad34cc7be86e6893d970886 Mon Sep 17 00:00:00 2001
From: axel7083 <42176370+axel7083@users.noreply.github.com>
Date: Mon, 20 Apr 2026 19:33:05 +0200
Subject: [PATCH] chore(registry-setup): writing `auth.json` should have proper permissions (#17103)
refactor(registry-setup): specify file mode
Signed-off-by: axel7083 <42176370+axel7083@users.noreply.github.com>
---
 .../src/utils/registry-setup.spec.ts | 21 ++++++++++++++++++-
 .../extension/src/utils/registry-setup.ts | 12 ++++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/extensions/podman/packages/extension/src/utils/registry-setup.spec.ts b/extensions/podman/packages/extension/src/utils/registry-setup.spec.ts
index 9433bb415e2..ba7c0e8a6b7 100644
--- a/extensions/podman/packages/extension/src/utils/registry-setup.spec.ts
+++ b/extensions/podman/packages/extension/src/utils/registry-setup.spec.ts
@@ -17,7 +17,7 @@
 ***********************************************************************/
 import * as fs from 'node:fs';
-import { readFile, writeFile } from 'node:fs/promises';
+import { chmod, readFile, writeFile } from 'node:fs/promises';
 import * as extensionApi from '@podman-desktop/api';
 import { afterEach, beforeAll, beforeEach, expect, test, vi } from 'vitest';
@@ -38,6 +38,10 @@ export class TestRegistrySetup extends RegistrySetup {
 updateRegistries(): Promise {
 return super.updateRegistries();
 }
+
+ publicWriteAuthFile(data: string): Promise {
+ return super.writeAuthFile(data);
+ }
 }
 let registrySetup: TestRegistrySetup;
@@ -239,3 +243,18 @@ test.each([
 await vi.waitFor(() => expect(writeFile).toHaveBeenCalledTimes(timesCalled));
 });
+
+test('writeAuthFile should call writeFile and chmod with 0o600', async () => {
+ const data = JSON.stringify({ auth: {} });
+ const authJsonLocation = '/tmp/containers/auth.json';
+ const mockGetAuthFileLocation = vi.spyOn(registrySetup, 'getAuthFileLocation');
+ mockGetAuthFileLocation.mockReturnValue(authJsonLocation);
+
+ await registrySetup.publicWriteAuthFile(data);
+
+ expect(writeFile).toHaveBeenCalledWith(authJsonLocation, data, {
+ encoding: 'utf8',
+ mode: 0o600,
+ });
+ expect(chmod).toHaveBeenCalledWith(authJsonLocation, 0o600);
+});
diff --git a/extensions/podman/packages/extension/src/utils/registry-setup.ts b/extensions/podman/packages/extension/src/utils/registry-setup.ts
index a646f63b9aa..bfb1de1b000 100644
--- a/extensions/podman/packages/extension/src/utils/registry-setup.ts
+++ b/extensions/podman/packages/extension/src/utils/registry-setup.ts
@@ -17,7 +17,7 @@
 ***********************************************************************/
 import * as fs from 'node:fs';
-import { readFile, writeFile } from 'node:fs/promises';
+import { chmod, readFile, writeFile } from 'node:fs/promises';
 import * as os from 'node:os';
 import * as path from 'node:path';
@@ -205,7 +205,13 @@ export class RegistrySetup {
 }
 }
- protected writeAuthFile(data: string): Promise {
- return writeFile(this.getAuthFileLocation(), data, 'utf8');
+ protected async writeAuthFile(data: string): Promise {
+ const path = this.getAuthFileLocation();
+ await writeFile(path, data, {
+ encoding: 'utf8',
+ mode: 0o600,
+ });
+ // writeFile is not updating the mode if the file already exist
+ await chmod(path, 0o600);
 }
 }
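Review bot: The new `writeAuthFile` test covers only the success path; nothing checks that a failing `chmod` surfaces to the caller, which matters because a swallowed failure would leave `auth.json` with whatever mode it already had. Assuming `node:fs/promises` is mocked at module level outside this hunk (the assertions on `writeFile` and `chmod` suggest it is), a second case could use `vi.mocked(chmod).mockRejectedValueOnce(new Error('EPERM'))` followed by `await expect(registrySetup.publicWriteAuthFile(data)).rejects.toThrow('EPERM');`.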
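Review bot: In `writeAuthFile`, when `auth.json` already exists with a wider mode, the new credentials are written first and `chmod` runs only afterwards, so the contents stay readable under the old permissions for a short window; the local `path` also shadows the `node:path` import this file declares. Opening the file with `open(authFile, 'w', 0o600)`, calling `chmod` on the handle and only then writing closes that window; it needs `open` added to the `node:fs/promises` import, and the assertions in `registry-setup.spec.ts` would have to follow. On Windows `chmod` changes little beyond the read-only flag, so a comment noting that the file relies on inherited ACLs there would help; whether the parent directory is created with a restrictive mode is not visible in this hunk.

```ts
protected async writeAuthFile(data: string): Promise<void> {
  const authFile = this.getAuthFileLocation();
  // 0o600 takes effect only when open() creates the file
  const handle = await open(authFile, 'w', 0o600);
  try {
    // tighten a pre-existing file before any credential bytes are written
    await handle.chmod(0o600);
    await handle.writeFile(data, { encoding: 'utf8' });
  } finally {
    await handle.close();
  }
}
```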