Azure · nilekhc · Jan 19, 2022 · Nov 1, 2021 · Nov 1, 2021 · Nov 2, 2021
@@ -98,6 +98,15 @@ type KeyVaultObject struct {
 	// The encoding of the object in KeyVault
 	// Supported encodings are Base64, Hex, Utf-8
 	ObjectEncoding string `json:"objectEncoding" yaml:"objectEncoding"`
+	// FilePermission is the file permissions
+	FilePermission string `json:"filePermission" yaml:"filePermission"`
+}
+
+// SecretFile holds content and metadata of a secret file
+type SecretFile struct {
+	Content  []byte
+	Path     string
+	FileMode int32
 }
 
 // StringArray ...
@@ -175,7 +184,7 @@ func (mc *mountConfig) GetServicePrincipalToken(resource string) (*adal.ServiceP
 }
 
 // MountSecretsStoreObjectContent mounts content of the secrets store object to target path
-func (p *Provider) MountSecretsStoreObjectContent(ctx context.Context, attrib map[string]string, secrets map[string]string, targetPath string, permission os.FileMode) (map[string][]byte, map[string]string, error) {
+func (p *Provider) MountSecretsStoreObjectContent(ctx context.Context, attrib map[string]string, secrets map[string]string, targetPath string, defaultFilePermission os.FileMode) ([]SecretFile, map[string]string, error) {
 	keyvaultName := strings.TrimSpace(attrib["keyvaultName"])
 	cloudName := strings.TrimSpace(attrib["cloudName"])
 	usePodIdentityStr := strings.TrimSpace(attrib["usePodIdentity"])
@@ -257,7 +266,7 @@ func (p *Provider) MountSecretsStoreObjectContent(ctx context.Context, attrib ma
 	klog.V(5).InfoS("unmarshaled key vault objects", "keyVaultObjects", keyVaultObjects, "count", len(keyVaultObjects), "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName})
 
 	if len(keyVaultObjects) == 0 {
-		return make(map[string][]byte), make(map[string]string), nil
+		return nil, make(map[string]string), nil
 	}
 
 	vaultURL, err := mc.getVaultURL()
@@ -273,7 +282,7 @@ func (p *Provider) MountSecretsStoreObjectContent(ctx context.Context, attrib ma
 	}
 
 	objectVersionMap := make(map[string]string)
-	files := make(map[string][]byte)
+	files := []SecretFile{}
 	for _, keyVaultObject := range keyVaultObjects {
 		klog.V(5).InfoS("fetching object from key vault", "objectName", keyVaultObject.ObjectName, "objectType", keyVaultObject.ObjectType, "keyvault", mc.keyvaultName, "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName})
 		if err := validateObjectFormat(keyVaultObject.ObjectFormat, keyVaultObject.ObjectType); err != nil {
@@ -290,6 +299,11 @@ func (p *Provider) MountSecretsStoreObjectContent(ctx context.Context, attrib ma
 			return nil, nil, wrapObjectTypeError(err, keyVaultObject.ObjectType, keyVaultObject.ObjectName, keyVaultObject.ObjectVersion)
 		}
 
+		filePermission, err := validateFilePermission(keyVaultObject.FilePermission, defaultFilePermission)
+		if err != nil {
+			return nil, nil, err
+		}
+
 		// fetch the object from Key Vault
 		content, newObjectVersion, err := p.GetKeyVaultObjectContent(ctx, kvClient, keyVaultObject, *vaultURL)
 		if err != nil {
@@ -307,7 +321,11 @@ func (p *Provider) MountSecretsStoreObjectContent(ctx context.Context, attrib ma
 		}
 
 		// these files will be returned to the CSI driver as part of gRPC response
-		files[fileName] = objectContent
+		files = append(files, SecretFile{
+			Path:     fileName,
+			Content:  objectContent,
+			FileMode: filePermission,
+		})
 		klog.V(5).InfoS("added file to the gRPC response", "file", fileName, "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName})
 	}
 
@@ -783,3 +801,18 @@ func fetchCertChains(data []byte) ([]byte, error) {
 	}
 	return pemData, nil
 }
+
+// validateFilePermission checks if the given file permission is correct octal number, returns decimal equivalent
+// and error if it's not valid.
+func validateFilePermission(filePermission string, defaultFilePermission os.FileMode) (int32, error) {
+	if filePermission == "" {
+		return int32(defaultFilePermission), nil
+	}
+
+	permission, err := strconv.ParseInt(filePermission, 8, 32)
+	if err != nil {
+		return 0, fmt.Errorf("file permission must be a valid octal number. - %w", err)
+	}
+
+	return int32(permission), nil
+}
@@ -983,3 +983,48 @@ func TestGetObjectVersion(t *testing.T) {
 	actual := getObjectVersion(id)
 	assert.Equal(t, expectedVersion, actual)
 }
+
+func TestValidateFilePermisssion(t *testing.T) {
+	cases := []struct {
+		desc                  string
+		filePermission        string
+		defaultFilePermission os.FileMode
+		isErrorExpected       bool
+	}{
+		{
+			desc:                  "valid file permission",
+			filePermission:        "0600",
+			defaultFilePermission: os.FileMode(0644),
+			isErrorExpected:       false,
+		},
+		{
+			desc:                  "empty file permission",
+			filePermission:        "",
+			defaultFilePermission: os.FileMode(0644),
+			isErrorExpected:       false,
+		},
+		{
+			desc:                  "invalid file permission",
+			filePermission:        "0900",
+			defaultFilePermission: os.FileMode(0644),
+			isErrorExpected:       true,
+		},
+		{
+			desc:                  "invalid octal number",
+			filePermission:        "900",
+			defaultFilePermission: os.FileMode(0644),
+			isErrorExpected:       true,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			_, err := validateFilePermission(tc.filePermission, tc.defaultFilePermission)
+			if tc.isErrorExpected {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
@@ -34,7 +34,7 @@ func New() *CSIDriverProviderServer {
 // writes the contents to the pod mount and returns the object versions as part of MountResponse
 func (s *CSIDriverProviderServer) Mount(ctx context.Context, req *v1alpha1.MountRequest) (*v1alpha1.MountResponse, error) {
 	var attrib, secret map[string]string
-	var filePermission os.FileMode
+	var defaultFilePermission os.FileMode
 	var err error
 
 	err = json.Unmarshal([]byte(req.GetAttributes()), &attrib)
@@ -47,13 +47,13 @@ func (s *CSIDriverProviderServer) Mount(ctx context.Context, req *v1alpha1.Mount
 		klog.ErrorS(err, "failed to unmarshal node publish secrets ref")
 		return &v1alpha1.MountResponse{}, fmt.Errorf("failed to unmarshal secrets, error: %w", err)
 	}
-	err = json.Unmarshal([]byte(req.GetPermission()), &filePermission)
+	err = json.Unmarshal([]byte(req.GetPermission()), &defaultFilePermission)
 	if err != nil {
 		klog.ErrorS(err, "failed to unmarshal file permission")
 		return &v1alpha1.MountResponse{}, fmt.Errorf("failed to unmarshal file permission, error: %w", err)
 	}
 
-	files, objectVersions, err := s.Provider.MountSecretsStoreObjectContent(ctx, attrib, secret, req.GetTargetPath(), filePermission)
+	files, objectVersions, err := s.Provider.MountSecretsStoreObjectContent(ctx, attrib, secret, req.GetTargetPath(), defaultFilePermission)
 	if err != nil {
 		klog.ErrorS(err, "failed to process mount request")
 		return &v1alpha1.MountResponse{}, fmt.Errorf("failed to mount objects, error: %w", err)
@@ -66,11 +66,11 @@ func (s *CSIDriverProviderServer) Mount(ctx context.Context, req *v1alpha1.Mount
 	f := []*v1alpha1.File{}
 	// CSI driver v0.0.21+ will write to the filesystem if the files are in the response.
 	// No files in the response translates to "not implemented" in the CSI driver.
-	for k, v := range files {
+	for _, file := range files {
 		f = append(f, &v1alpha1.File{
-			Path:     k,
-			Contents: v,
-			Mode:     int32(filePermission),
+			Path:     file.Path,
+			Contents: file.Content,
+			Mode:     file.FileMode,
 		})
 	}