Merge pull request #56 from Shivam7-1/patch-1

Enhance Security: Implement File Permission Check for Client Secret File
google · Apr 23, 2024 · 0c2964f · 0c2964f
2 parents 3f01bad + 6725074
commit 0c2964f
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -161,6 +161,27 @@ An example file:
 
 (Yes, the curly braces are required.  Sorry.  It's a JSON dictionary.)
 
+
+
+
+### New Requirements
+In addition to the existing setup, please ensure the following requirements are met:
+
+1. **File Permission Check**: The client secret file (`client_secret.json`) must have restricted permissions to ensure sensitive credentials are protected.
+
+### Why This Change is Necessary
+Ensuring that sensitive files, such as client secret files containing authentication credentials, are accessible only by authorized users is crucial for preventing unauthorized access and potential security breaches. By implementing a file permission check, we mitigate the risk of exposing sensitive information to unauthorized users or processes.
+
+### Configuration Notes:
+To comply with the new security measure and meet the new requirements, please follow these configuration steps:
+
+1. **File Permission Requirement**: 
+    - Ensure that the client secret file (`client_secret.json`) is only readable by the owner. This can be achieved by setting appropriate file permissions using the `chmod` command. For example:
+      ```
+      chmod 600 client_secret.json
+      ```
+    This command restricts read and write permissions to the owner only, ensuring that sensitive credentials are protected from unauthorized access.
+
 ## Known Issues
 
 *   Occasionally the shutdown is not as clean as it should be.

diff --git a/calblink.go b/calblink.go
@@ -73,6 +73,29 @@ import (
 // MultiEvent indicates whether to show two events if there are multiple events in the time range.
 
 // responseState is an enumerated list of event response states, used to control which events will activate the blink(1).
+
+func loadClientCredentials(clientSecretPath string) ([]byte, error) {
+	// Check if the file exists and is readable
+	info, err := os.Stat(clientSecretPath)
+	if os.IsNotExist(err) {
+		return nil, fmt.Errorf("client secret file not found: %s", clientSecretPath)
+	}
+
+	// Check if the file has secure permissions (readable only by owner)
+	if info.Mode().Perm() != 0400 {
+		return nil, fmt.Errorf("insecure permissions for client secret file: %s", clientSecretPath)
+	}
+
+	// Read the contents of the file
+	content, err := ioutil.ReadFile(clientSecretPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read client secret file: %v", err)
+	}
+
+	return content, nil
+}
+
+
 type responseState string
 
 const (
@@ -911,7 +934,7 @@ func main() {
 	if *debugFlag {
 		debugOut = os.Stdout
 	}
-
+	
 	userPrefs := readUserPrefs()
 
 	// Overrides from command-line
@@ -940,7 +963,7 @@ func main() {
 	// BEGIN GOOGLE CALENDAR API SAMPLE CODE
 	ctx := context.Background()
 
-	b, err := ioutil.ReadFile(*clientSecretFlag)
+	b, err := loadClientCredentials(*clientSecretFlag)
 	if err != nil {
 		log.Fatalf("Unable to read client secret file: %v", err)
 	}
@@ -1023,4 +1046,6 @@ func main() {
 		fmt.Fprint(dotOut, ".")
 		sleep(time.Duration(userPrefs.pollInterval) * time.Second)
 	}
+
+
 }