improve credential files protection

README.md

@@ -133,6 +133,25 @@ HTTP_PROXY=http://10.0.1.2:8080 soracom subscribers list
 ```
 
 
+### Trouble shooting
+
+If you get an error message like the following:
+
+```
+Error: Permissions for the file 'path/to/default.json' which contains your credentials are too open.
+It is required that your credential files are NOT accessible by others.
+```
+
+Please try the following to fix it:
+
+```
+soracom unconfigure
+soracom configure
+```
+
+i.e. perform `unconfigure` and then `configure` again in order to re-create a credentials file with appropriate permissions.
+
+
 # How to build / test
 
 For developers who want to build from source or for those who wish to make a pull request such as bug fix / function addition, please build and test in one of the following ways.

README_ja.md

@@ -133,6 +133,25 @@ soracom subscribers list
 HTTP_PROXY=http://10.0.1.2:8080 soracom subscribers list
 ```
 
+### トラブルシューティング
+
+もし、以下のようなエラーメッセージが表示されてしまったら、
+
+```
+Error: 認証情報ファイル 'path/to/default.json' へのアクセス権が十分に絞り込まれていません。
+認証情報ファイルへは、soracom コマンドを実行しているユーザーのみがアクセス可能なように設定する必要があります。
+```
+
+以下のコマンドを実行して修復を試みてください。
+
+```
+soracom unconfigure
+soracom configure
+```
+
+いったん `unconfigure` してから `configure` することにより、認証情報ファイルを適切なパーミッションで再作成します。
+
+
 
 # ビルド/テスト方法
 

generators/assets/i18n/soracom-api.text.en.json

@@ -2838,7 +2838,7 @@
       "summary": "Show, create or update configurations.",
       "description": "Show, create or update configurations.",
       "profile": {
-        "permission_is_too_open": "Permissions for the file '%s' which contains your credentials are too open. It is required that your credential files are NOT accessible by others.",
+        "permission_is_too_open": "Permissions for the file '%s' which contains your credentials are too open.\nIt is required that your credential files are NOT accessible by others.",
         "prompt": "--- SORACOM CLI setup ---\nThis will create a directory %s if it does not exist yet and place '%s.json' in it.",
         "coverage_type": {
           "prompt": "\n\nPlease select which coverage type to use.\n\n1. Global\n2. Japan\n\n",

generators/assets/i18n/soracom-api.text.zh.json

@@ -2838,7 +2838,7 @@
       "summary": "Show, create or update configurations.",
       "description": "Show, create or update configurations.",
       "profile": {
-        "permission_is_too_open": "Permissions for the file '%s' which contains your credentials are too open. It is required that your credential files are NOT accessible by others.",
+        "permission_is_too_open": "Permissions for the file '%s' which contains your credentials are too open.\nIt is required that your credential files are NOT accessible by others.",
         "prompt": "--- SORACOM CLI setup ---\nThis will create a directory %s if it does not exist yet and place '%s.json' in it.",
         "auth": {
           "prompt": "\n\nPlease select which authentication method to use.\n\n1. Input AuthKeyId and AuthKey * Recommended * \n2. Input Operator credentials (Operator Email and Password)\n3. Input SAM credentials (OperatorId, User name and Password)\n\n",

generators/cmd/predefined/profiles.go

@@ -7,7 +7,6 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
-	"runtime"
 	"strings"
 	"syscall"
 
@@ -143,10 +142,9 @@ func saveProfile(profileName string, prof *profile) error {
 			return errors.New("abort")
 		}
 
-		os.Chmod(path, 0600)
-
-		if runtime.GOOS == "windows" {
-			// TODO: handle ACL on windows
+		err = lib.ProtectFile(path)
+		if err != nil {
+			return err
 		}
 	}
 
@@ -160,8 +158,9 @@ func saveProfile(profileName string, prof *profile) error {
 		return err
 	}
 
-	if runtime.GOOS == "windows" {
-		// TODO: handle ACL on windows
+	err = lib.ProtectFile(path)
+	if err != nil {
+		return err
 	}
 
 	return nil

generators/lib/fileperm.go

@@ -16,3 +16,7 @@ func IsFilePermissionTooOpen(path string) (bool, error) {
 
 	return false, nil
 }
+
+func ProtectFile(path string) error {
+	return os.Chmod(path, 0600)
+}

generators/lib/fileperm_windows.go

@@ -5,6 +5,7 @@ package lib
 import (
 	"fmt"
 
+	acl "github.com/bearmini/go-acl"
 	"github.com/bearmini/go-acl/api"
 	"golang.org/x/sys/windows"
 )
@@ -77,3 +78,7 @@ func sidToString(sid *windows.SID) string {
 	}
 	return str
 }
+
+func ProtectFile(path string) error {
+	return acl.Apply(path, true, false, acl.GrantName((0600)<<23, "CREATOR OWNER"))
+}

scripts/build.sh

@@ -56,6 +56,8 @@ fi
     echo "Building artifacts ..."
     go generate
     go get ./...
+    go get -u github.com/bearmini/go-acl # required to specify some dependencies explicitly as they are imported only in windows builds
+    go get -u golang.org/x/sys/windows
     gofmt -s -w .
     gas ./...
     #gox -ldflags="-X github.com/soracom/soracom-cli/soracom/generated/cmd.version $VERSION" -osarch="windows/386 windows/amd64 darwin/amd64 linux/386 linux/amd64 linux/arm" -parallel=6 -output="bin/{{.OS}}/{{.Arch}}/soracom"

soracom/generated/cmd/profiles.go

@@ -7,7 +7,6 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
-	"runtime"
 	"strings"
 	"syscall"
 
@@ -143,10 +142,9 @@ func saveProfile(profileName string, prof *profile) error {
 			return errors.New("abort")
 		}
 
-		os.Chmod(path, 0600)
-
-		if runtime.GOOS == "windows" {
-			// TODO: handle ACL on windows
+		err = lib.ProtectFile(path)
+		if err != nil {
+			return err
 		}
 	}
 
@@ -160,8 +158,9 @@ func saveProfile(profileName string, prof *profile) error {
 		return err
 	}
 
-	if runtime.GOOS == "windows" {
-		// TODO: handle ACL on windows
+	err = lib.ProtectFile(path)
+	if err != nil {
+		return err
 	}
 
 	return nil