This repository has been archived by the owner on Mar 10, 2023. It is now read-only.

setting file permissions on datastore directory #15

Closed


KatTraxler

You are using the File API to create a directory ('datastore') which ultimately stores OAuth2 credentials. Utilizing methods on the File API, I was able to set the read and write permission on that directory to restrict the permission to the owner of the directory. This change doesn't really fix the issue.

It appears as though the creation of the file which stores the credentials ('StoredCredentials') is being handled by the [com.google.auth.oauth2.UserCredentials](https://googleapis.dev/java/google-auth-library/0.23.0/index.html) Class. I don't see any native capability to set file permissions in this library.

You might need to migrate to a different method of creating the 'StoredCredentials' file, one that allows more control of the StoredCredentials File or request an upgrade to the underlying library.

@google-cla

google-cla bot commented Feb 17, 2021

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.



@anantdamle anantdamle linked an issue Feb 17, 2021 that may be closed by this pull request
@anantdamle
Collaborator

@KatTraxler Thanks for this PR. Can you sign the CLA and update this conversation?
I am curious to learn if this approach will allow running the JAR file through cron.

@KatTraxler
Author

KatTraxler commented Feb 17, 2021 via email

@anantdamle
Collaborator

Thanks @KatTraxler for the PR.
This solution does not solve the issue completely.

Do you think one of the following may be a better solution:

  1. accepting datastore folder as an input parameter. Allows the user to set up protections outside of the code.
  2. Removing the stored credentials. Use service account credentials to access all services including SA360.

@KatTraxler
Author

Hi @anantdamle
I don't imagine either of the options would address the underlying issue:

Option 1: accepting datastore folder as an input parameter. Allows the user to set up protections outside of the code.
The user's OAuth credentials are contained in the 'StoredCredentials' file, in the 'datastore' directory. If instead of creating the 'datastore' directory in code, the user was asked to provide a directory, the resultant file where the OAuth credentials are stored is still created by the com.google.auth.oauth2.UserCredentials Class and is still the same 'StoredCredentials' file with insecure permissions.
Option 2: Removing the stored credentials. Use service account credentials to access all services including SA360.
I'm assuming this proposal entails generating a private key for a service account? If that's the case, this solution would likely be worse than the current state. Today, the credentials that are stored insecurely are considered 'short-term'. They will always have an expiration.
Changing this application to have the ability to run as a service account would result in durable credentials being stored on a local file system where, if not explicitly set, the default and insecure set of file permissions are -rw-r--r--.

Recommendation:
Open an issue with the maintainers of the Java google-auth-library asking if there is a Method on the Class com.google.auth.oauth2.UserCredentials allowing you to configure the permissions on the file which is created when OAuth2 credentials are generated.

@anantdamle
Collaborator

anantdamle commented Feb 23, 2021

@KatTraxler Thanks for notifying of the bug and proposing a PR. This is a temporary solution. Long term solution is fixing Issue#8. Will work on building that solution.
Directory level permissions would not fix the file permissions.

@anantdamle anantdamle closed this Feb 23, 2021
@anantdamle anantdamle linked an issue Feb 23, 2021 that may be closed by this pull request
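
The thread turns on the difference between restricting the 'datastore' directory and restricting the credentials file inside it. As an added example (not code from this pull request, the project, or google-auth-library), the sketch below uses java.nio.file to apply owner-only modes to both and to check the result. The class and method names are hypothetical, and whether the credential-writing library keeps the mode of a file that already exists is an assumption the page does not confirm.

```java
import java.io.IOException;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical helper, not part of the project or of google-auth-library.
public final class OwnerOnlyStore {
    private static final Set<PosixFilePermission> DIR_MODE = PosixFilePermissions.fromString("rwx------");
    private static final Set<PosixFilePermission> FILE_MODE = PosixFilePermissions.fromString("rw-------");

    /** Creates (or tightens) the directory and file so only the owner can access them. */
    public static Path prepare(Path dir, String fileName) throws IOException {
        if (!dir.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            throw new UnsupportedOperationException("POSIX permissions not supported for " + dir);
        }
        Files.createDirectories(dir, PosixFilePermissions.asFileAttribute(DIR_MODE));
        Files.setPosixFilePermissions(dir, DIR_MODE); // tighten a directory that already existed

        Path file = dir.resolve(fileName);
        try {
            // The mode is applied at creation, so the file is never world-readable, even briefly.
            Files.createFile(file, PosixFilePermissions.asFileAttribute(FILE_MODE));
        } catch (FileAlreadyExistsException e) {
            Files.setPosixFilePermissions(file, FILE_MODE); // fix a file created as -rw-r--r--
        }
        return file;
    }

    /** True when neither group nor others hold any permission bit on the path. */
    public static boolean isOwnerOnly(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            if (!perm.name().startsWith("OWNER_")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Directory and file names are the ones mentioned in the conversation.
        Path file = prepare(Paths.get("datastore"), "StoredCredentials");
        System.out.println(file + " owner-only: " + isOwnerOnly(file)
                + ", directory owner-only: " + isOwnerOnly(file.getParent()));
    }
}
```

If the code that writes the credentials replaces the file instead of writing into the existing one, the file mode has to be re-applied and re-checked after each write.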
Successfully merging this pull request may close these issues.

Insecure Permissions for /datastore/StoredCredential File
Support Service Account credentials