File: test_persistent_secret_permissions.cpp

#include "catch.hpp"
#include "duckdb.hpp"
#include "duckdb/main/database.hpp"
#include "duckdb/main/extension/extension_loader.hpp"
#include "duckdb/main/secret/secret.hpp"
#include "duckdb/main/secret/secret_manager.hpp"
#include "duckdb/main/secret/secret_storage.hpp"
#include "test_helpers.hpp"

#include <sys/stat.h>

#ifndef _WIN32
#include <fcntl.h>
#include <sys/stat.h>
#endif

using namespace duckdb;
using namespace std;

#ifndef _WIN32
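// Asserts that the secret file at `file` is readable and writable by its owner and
// grants nothing else.
//
// lstat() is used, so if `file` is a symbolic link the link itself is examined
// rather than its target.
static void assert_correct_permission(string file) {
	struct stat st;
	auto res = lstat(file.c_str(), &st);
	REQUIRE(res == 0);

	// Both owner bits must be present. A plain `mode & mask` test is already true when
	// only one of the two bits is set, which would let a read-only or write-only file pass.
	const mode_t owner_rw = S_IRUSR | S_IWUSR;
	REQUIRE((st.st_mode & owner_rw) == owner_rw);
	// Owner-execute and every group/other bit must be clear.
	// NOTE(review): setuid/setgid/sticky bits are not covered by this mask.
	REQUIRE(!(st.st_mode & (S_IXUSR | S_IRWXG | S_IRWXO)));
}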

// Creates a persistent S3 secret in a dedicated secret directory and checks the
// permission bits of the file written for it.
// When the httpfs extension is not loaded the test returns early without asserting anything.
TEST_CASE("Test file permissions on linux/macos", "[secret][.]") {
	DuckDB database(nullptr);
	Connection connection(database);

	const bool httpfs_available = database.ExtensionIsLoaded("httpfs");
	if (!httpfs_available) {
		// Nothing is verified in this configuration; the test passes vacuously.
		return;
	}

	// A dedicated secret directory keeps this test from interfering with other tests
	REQUIRE_NO_FAIL(connection.Query("set allow_persistent_secrets=true;"));
	const auto storage_dir = TestCreatePath("test_persistent_secret_permissions");
	const string set_directory_sql = "set secret_directory='" + storage_dir + "'";
	REQUIRE_NO_FAIL(connection.Query(set_directory_sql));

	REQUIRE_NO_FAIL(connection.Query("CREATE PERSISTENT SECRET oh_so_secret (TYPE S3)"));

	// The secret is expected on disk as <secret name>.duckdb_secret inside the directory
	const string secret_file = storage_dir + "/" + "oh_so_secret.duckdb_secret";
	assert_correct_permission(secret_file);
}

// Opens a fresh DuckDB instance, points it at the shared test secret directory and
// requires that listing the secrets fails with the incorrect-permissions error.
static void assert_duckdb_will_reject_persistent_secret() {
	DuckDB database(nullptr);
	Connection connection(database);

	// A dedicated secret directory keeps this test from interfering with other tests
	REQUIRE_NO_FAIL(connection.Query("set allow_persistent_secrets=true;"));
	const auto storage_dir = TestCreatePath("test_persistent_secret_permissions");
	const string set_directory_sql = "set secret_directory='" + storage_dir + "'";
	REQUIRE_NO_FAIL(connection.Query(set_directory_sql));

	// Listing the secrets must fail, and the failure must be the permission complaint
	// rather than some unrelated error.
	auto listing = connection.Query("FROM duckdb_secrets()");
	const bool listing_failed = listing->HasError();
	REQUIRE(listing_failed);
	const auto &message = listing->GetError();
	REQUIRE(StringUtil::Contains(message,
	                             "has incorrect permissions! Please set correct permissions or remove file"));
}

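// Creates a persistent S3 secret, widens the permissions of its file one extra bit at a
// time, and requires that a fresh DuckDB instance refuses to list secrets each time.
// Finally restores owner read+write only and requires that listing succeeds again.
// When the httpfs extension is not loaded the test returns early without asserting anything.
TEST_CASE("Test that DuckDB rejects secrets with incorrect permissions on linux/macos", "[secret][.]") {
	DuckDB db(nullptr);
	Connection con(db);

	if (!db.ExtensionIsLoaded("httpfs")) {
		return;
	}

	// Set custom secret path to prevent interference with other tests
	REQUIRE_NO_FAIL(con.Query("set allow_persistent_secrets=true;"));
	auto secret_dir = TestCreatePath("test_persistent_secret_permissions");
	REQUIRE_NO_FAIL(con.Query("set secret_directory='" + secret_dir + "'"));

	REQUIRE_NO_FAIL(con.Query("CREATE PERSISTENT SECRET also_very_secret (TYPE S3)"));

	string secret_path = secret_dir + "/" + "also_very_secret.duckdb_secret";

	// Each entry is owner read+write plus exactly one group or other bit.
	// Combinations of several extra bits and the owner-execute bit are not exercised here.
	const mode_t incorrect_permissions[] {S_IRUSR | S_IWUSR | S_IRGRP,  // user rw + group read
	                                      S_IRUSR | S_IWUSR | S_IWGRP,  // user rw + group write
	                                      S_IRUSR | S_IWUSR | S_IXGRP,  // user rw + group execute
	                                      S_IRUSR | S_IWUSR | S_IROTH,  // user rw + other read
	                                      S_IRUSR | S_IWUSR | S_IWOTH,  // user rw + other write
	                                      S_IRUSR | S_IWUSR | S_IXOTH}; // user rw + other execute

	// Now confirm that for each of the listed incorrect permissions, we throw
	for (auto perm : incorrect_permissions) {
		// A failed chmod would leave the previous mode in place and make the rejection
		// check fail (or pass) for the wrong reason, so require it to succeed.
		REQUIRE(chmod(secret_path.c_str(), perm) == 0);
		assert_duckdb_will_reject_persistent_secret();
	}

	// Setting back to correct permission should allow us to read it again
	REQUIRE(chmod(secret_path.c_str(), S_IRUSR | S_IWUSR) == 0);

	// With owner-only permissions restored, a fresh instance should list the secrets again
	DuckDB db2(nullptr);
	Connection con2(db2);
	REQUIRE_NO_FAIL(con2.Query("set allow_persistent_secrets=true;"));
	REQUIRE_NO_FAIL(con2.Query("set secret_directory='" + secret_dir + "'"));
	REQUIRE_NO_FAIL(con2.Query("FROM duckdb_secrets()"));
}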
#endif