| 1335 | } |
| 1336 | |
// setupSecrets materialises the secret files a test cluster needs under
// c.tempSecretsDir: the encryption-at-rest key when c.conf.encryption is
// set (its path is recorded in c.encKeyPath), and the ACL signing secret
// when c.conf.acl is set. It returns the first error from writing or
// adjusting a file.
//
// Each file is created with mode 0600 (owner-only) and only afterwards
// handed to WidenSecretFilePerms, the public hook declared in
// dgraphtest/hooks.go, so a file is never more permissive than its final
// mode. The hook is a no-op by default, which is the correct posture
// upstream. Downstream consumers that run the dgraph container as a
// non-root uid different from the host owner override it to widen the
// mode (group- or world-read) so the in-container uid can read the
// bind-mounted files. NOTE(review): world-read exposes the key to every
// local user on the host; an override should prefer group-read with a
// group the container uid belongs to, and keep the hook a no-op wherever
// the files are not bind-mounted into a container.
//
// The encryption key is a fixed, well-known test-only value: existing
// test fixtures were encrypted under it, so it must stay byte-identical.
// It must never be used outside this harness.
func (c *LocalCluster) setupSecrets() error {
	// Fixed key; see the doc comment above for why it cannot change.
	const testEncKey = "1234567890123456"

	// install writes one secret file via write and then applies the
	// permission hook to the result.
	install := func(path string, write func(string) error) error {
		if err := write(path); err != nil {
			return err
		}
		return WidenSecretFilePerms(path)
	}

	if c.conf.encryption {
		// Record the path before writing so callers see it even on error.
		c.encKeyPath = filepath.Join(c.tempSecretsDir, encKeyFile)
		writeKey := func(p string) error {
			return os.WriteFile(p, []byte(testEncKey), 0600)
		}
		if err := install(c.encKeyPath, writeKey); err != nil {
			return err
		}
	}

	if c.conf.acl {
		writeACL := func(p string) error {
			return generateACLSecret(c.conf.aclAlg, p)
		}
		aclPath := filepath.Join(c.tempSecretsDir, aclKeyFile)
		if err := install(aclPath, writeACL); err != nil {
			return err
		}
	}

	return nil
}
| 1369 | |
| 1370 | func generateACLSecret(alg jwt.SigningMethod, pathToFile string) error { |
| 1371 | if alg == nil { |