Set umask for integration tests

So that cardano-node does not complain about file permissions.

lib/launcher/src/Cardano/Startup.hs

@@ -19,6 +19,10 @@ module Cardano.Startup
     , withShutdownHandler'
     , installSignalHandlers
 
+    -- * File permissions
+    , setDefaultFilePermissions
+    , restrictFileMode
+
     -- * Logging
     , ShutdownHandlerLog(..)
     ) where
@@ -60,10 +64,8 @@ import System.IO.CodePage
 
 #ifdef WINDOWS
 import Cardano.Startup.Windows
-    ( installSignalHandlers )
 #else
 import Cardano.Startup.POSIX
-    ( installSignalHandlers )
 #endif
 
 import qualified Data.ByteString as BS

lib/launcher/src/Cardano/Startup/POSIX.hs

@@ -6,12 +6,18 @@
 
 module Cardano.Startup.POSIX
     ( installSignalHandlers
+    , setDefaultFilePermissions
+    , restrictFileMode
     ) where
 
 import Prelude
 
 import Control.Monad
     ( void )
+import Data.Bits
+    ( (.|.) )
+import System.Posix.Files
+    ( groupModes, otherModes, ownerReadMode, setFileCreationMask, setFileMode )
 import System.Posix.Signals
     ( Handler (..)
     , installHandler
@@ -29,3 +35,14 @@ installSignalHandlers notify = void $
         termHandler = CatchOnce $ do
             notify
             raiseSignal keyboardSignal
+
+-- | Restricts the process umask so that any files created are only readable by
+-- their owner.
+setDefaultFilePermissions :: IO ()
+setDefaultFilePermissions = void $ setFileCreationMask mask
+    where mask = groupModes .|. otherModes
+
+-- | Changes permissions of an existing file so that only the owner can read
+-- them.
+restrictFileMode :: FilePath -> IO ()
+restrictFileMode f = setFileMode f ownerReadMode

lib/launcher/src/Cardano/Startup/Windows.hs

@@ -6,10 +6,20 @@
 
 module Cardano.Startup.Windows
     ( installSignalHandlers
+    , setDefaultFilePermissions
+    , restrictFileMode
     ) where
 
 import Prelude
 
 -- | Stub function for windows.
 installSignalHandlers :: IO () -> IO ()
 installSignalHandlers _ = pure ()
+
+-- | Stub function for windows.
+setDefaultFilePermissions :: IO ()
+setDefaultFilePermissions = pure ()
+
+-- | Stub function for windows.
+restrictFileMode :: FilePath -> IO ()
+restrictFileMode _ = pure ()

lib/shelley/cardano-wallet.cabal

@@ -43,6 +43,7 @@ library
     , cardano-crypto
     , cardano-crypto-class
     , cardano-crypto-wrapper
+    , cardano-wallet-launcher
     , cardano-ledger
     , cardano-slotting
     , cardano-wallet-cli
@@ -81,7 +82,6 @@ library
     , text-class
     , time
     , transformers
-    , unix
     , unordered-containers
     , vector
     , warp

lib/shelley/src/Cardano/Wallet/Shelley/Launch.hs

@@ -91,6 +91,8 @@ import Cardano.Launcher.Node
     )
 import Cardano.Pool.Metadata
     ( SMASHPoolId (..) )
+import Cardano.Startup
+    ( restrictFileMode )
 import Cardano.Wallet.Api.Server
     ( Listen (..) )
 import Cardano.Wallet.Logging
@@ -195,8 +197,6 @@ import System.IO.Temp
     ( createTempDirectory, getCanonicalTemporaryDirectory, withTempDirectory )
 import System.IO.Unsafe
     ( unsafePerformIO )
-import System.Posix.Files
-    ( ownerReadMode, setFileMode )
 import System.Process
     ( readProcess, readProcessWithExitCode )
 import Test.Utils.Paths
@@ -668,7 +668,7 @@ withBFTNode tr baseDir params action =
         let copyKeyFile f = do
                 let dst = dir </> f
                 copyFile (source </> f) dst
-                setFileMode dst ownerReadMode
+                restrictFileMode dst
                 pure dst
 
         [bftCert, bftPrv, vrfPrv, kesPrv, opCert] <- forM

lib/shelley/test/integration/Main.hs

@@ -25,7 +25,7 @@ import Cardano.CLI
 import Cardano.Launcher
     ( ProcessHasExited (..) )
 import Cardano.Startup
-    ( withUtf8Encoding )
+    ( setDefaultFilePermissions, withUtf8Encoding )
 import Cardano.Wallet.Api.Server
     ( Listen (..) )
 import Cardano.Wallet.Api.Types
@@ -144,6 +144,7 @@ instance KnownCommand Shelley where
 main :: forall t n . (t ~ Shelley, n ~ 'Mainnet) => IO ()
 main = withUtf8Encoding $ withTracers $ \tracers -> do
     hSetBuffering stdout LineBuffering
+    setDefaultFilePermissions
     nix <- inNixBuild
     hspec $ do
         describe "No backend required" $