Merge pull request #12034 from spzala/automated-cherry-pick-of-#11798-upstream-release-3.4

Automated cherry pick of #11798
2024-09-27 06:25:44 +00:00 · 2020-06-24 20:38:46 -07:00 · 2020-06-24 20:38:46 -07:00 · 2212a84adb
commit 2212a84adb
parent 37ac22205b 434f7e83f0
4 changed files with 72 additions and 12 deletions
--- a/etcdmain/etcd.go
+++ b/etcdmain/etcd.go
@ -358,9 +358,16 @@ func startProxy(cfg *config) error {
 	}

 	cfg.ec.Dir = filepath.Join(cfg.ec.Dir, "proxy")
-	err = os.MkdirAll(cfg.ec.Dir, fileutil.PrivateDirMode)
-	if err != nil {
-		return err
+	if fileutil.Exist(cfg.ec.Dir) {
+		err := fileutil.CheckDirPermission(cfg.ec.Dir, fileutil.PrivateDirMode)
+		if err != nil {
+			return err
+		}
+	} else {
+		err = os.MkdirAll(cfg.ec.Dir, fileutil.PrivateDirMode)
+		if err != nil {
+			return err
+		}
 	}

 	var peerURLs []string
--- a/pkg/fileutil/fileutil.go
+++ b/pkg/fileutil/fileutil.go
@ -46,14 +46,22 @@ func IsDirWriteable(dir string) error {
 // TouchDirAll is similar to os.MkdirAll. It creates directories with 0700 permission if any directory
 // does not exists. TouchDirAll also ensures the given directory is writable.
 func TouchDirAll(dir string) error {
-	// If path is already a directory, MkdirAll does nothing
-	// and returns nil.
-	err := os.MkdirAll(dir, PrivateDirMode)
-	if err != nil {
-		// if mkdirAll("a/text") and "text" is not
-		// a directory, this will return syscall.ENOTDIR
-		return err
+	// If path is already a directory, MkdirAll does nothing and returns nil, so,
+	// first check if dir exist with an expected permission mode.
+	if Exist(dir) {
+		err := CheckDirPermission(dir, PrivateDirMode)
+		if err != nil {
+			return err
+		}
+	} else {
+		err := os.MkdirAll(dir, PrivateDirMode)
+		if err != nil {
+			// if mkdirAll("a/text") and "text" is not
+			// a directory, this will return syscall.ENOTDIR
+			return err
+		}
 	}
+
 	return IsDirWriteable(dir)
 }

@ -102,3 +110,22 @@ func ZeroToEnd(f *os.File) error {
 	_, err = f.Seek(off, io.SeekStart)
 	return err
 }
+
+// CheckDirPermission checks permission on an existing dir.
+// Returns error if dir is empty or exist with a different permission than specified.
+func CheckDirPermission(dir string, perm os.FileMode) error {
+	if !Exist(dir) {
+		return fmt.Errorf("directory %q empty, cannot check permission.", dir)
+	}
+	//check the existing permission on the directory
+	dirInfo, err := os.Stat(dir)
+	if err != nil {
+		return err
+	}
+	dirMode := dirInfo.Mode().Perm()
+	if dirMode != perm {
+		err = fmt.Errorf("directory %q exist without desired file permission. %q", dir, dirInfo.Mode())
+		return err
+	}
+	return nil
+}
--- a/pkg/fileutil/fileutil_test.go
+++ b/pkg/fileutil/fileutil_test.go
@ -148,3 +148,21 @@ func TestZeroToEnd(t *testing.T) {
 		}
 	}
 }
+
+func TestDirPermission(t *testing.T) {
+	tmpdir, err := ioutil.TempDir(os.TempDir(), "foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	tmpdir2 := filepath.Join(tmpdir, "testpermission")
+	// create a new dir with 0700
+	if err = CreateDirAll(tmpdir2); err != nil {
+		t.Fatal(err)
+	}
+	// check dir permission with mode different than created dir
+	if err = CheckDirPermission(tmpdir2, 0600); err == nil {
+		t.Errorf("expected error, got nil")
+	}
+}
--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@ -31,6 +31,7 @@ import (
 	"strings"
 	"time"

+	"go.etcd.io/etcd/pkg/fileutil"
 	"go.etcd.io/etcd/pkg/tlsutil"

 	"go.uber.org/zap"
@ -114,8 +115,15 @@ func (info TLSInfo) Empty() bool {
 }

 func SelfCert(lg *zap.Logger, dirpath string, hosts []string, additionalUsages ...x509.ExtKeyUsage) (info TLSInfo, err error) {
-	if err = os.MkdirAll(dirpath, 0700); err != nil {
-		return
+	if fileutil.Exist(dirpath) {
+		err = fileutil.CheckDirPermission(dirpath, fileutil.PrivateDirMode)
+		if err != nil {
+			return
+		}
+	} else {
+		if err = os.MkdirAll(dirpath, fileutil.PrivateDirMode); err != nil {
+			return
+		}
 	}
 	info.Logger = lg