lib/symmetric_encryption/keystore/file.rb in symmetric-encryption-4.3.1 vs lib/symmetric_encryption/keystore/file.rb in symmetric-encryption-4.3.2
@@ -1,20 +1,21 @@
module SymmetricEncryption
module Keystore
class File
include Utils::Files
+ ALLOWED_PERMISSIONS = %w[100600 100400].freeze
attr_accessor :file_name, :key_encrypting_key
# Returns [Hash] a new keystore configuration after generating the data key.
#
# Increments the supplied version number by 1.
def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
version >= 255 ? (version = 1) : (version += 1)
dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
- kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+ kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
kekek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
dek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.encrypted_key")
new(key_filename: dek_file_name, key_encrypting_key: kek).write(dek.key)
@@ -54,10 +55,17 @@
unless correct_permissions?
raise(SymmetricEncryption::ConfigError,
"Symmetric Encryption key file '#{file_name}' has the wrong "\
"permissions: #{::File.stat(file_name).mode.to_s(8)}. Expected 100600 or 100400.")
end
+ unless owned?
+ raise(SymmetricEncryption::ConfigError,
+ "Symmetric Encryption key file '#{file_name}' has the wrong "\
+ "owner (#{stat.uid}) or group (#{stat.gid}). "\
+ "Expected it to be owned by current user "\
+ "#{ENV['USER'] || ENV['USERNAME']}.")
+ end
data = read_from_file(file_name)
key_encrypting_key ? key_encrypting_key.decrypt(data) : data
end
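Review bot: The new error message names the group (`or group (#{stat.gid})`), but `owned?` only tests `File::Stat#owned?`, which compares the file's uid with the effective uid of the process and never looks at the gid, so a group mismatch cannot trigger this branch and the text misleads whoever debugs it. Each `stat` call also re-runs `::File.stat(file_name)`, so the uid and gid interpolated here come from a different stat than the one that failed the check; capture it once, `st = stat`, and interpolate `st.uid`. The `ENV['USER'] || ENV['USERNAME']` hint can be nil or name a different account than the effective uid (e.g. under sudo); `Process.euid` is what `owned?` actually compares against. Suggested message tail: `"owner (uid #{st.uid}). Expected it to be owned by the effective user (uid #{Process.euid})."`. The enclosing method begins before this hunk.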
@@ -71,12 +79,18 @@
# Returns true if the file is owned by the user running this code and it
# has the correct mode - readable and writable by its owner and no one
# else, much like the keys one has in ~/.ssh
def correct_permissions?
- stat = ::File.stat(file_name)
+ ALLOWED_PERMISSIONS.include?(stat.mode.to_s(8))
+ end
- stat.owned? && %w[100600 100400].include?(stat.mode.to_s(8))
+ def owned?
+ stat.owned?
+ end
+
+ def stat
+ ::File.stat(file_name)
end
end
end
end
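Review bot: The comment above `correct_permissions?` (`Returns true if the file is owned by the user running this code and it has the correct mode`) is now stale: the ownership test moved to the new `owned?` method and this predicate only compares the mode against `ALLOWED_PERMISSIONS`. Suggest `# Returns true if the file mode is one of ALLOWED_PERMISSIONS, i.e. readable (and optionally writable) by its owner and nobody else, much like the keys in ~/.ssh. Ownership is checked separately by #owned?`. Note that `stat`, `owned?` and `correct_permissions?` each call `::File.stat(file_name)` afresh, so a caller that checks permissions, checks ownership and then reads by path observes three separate snapshots of the inode; if a single snapshot is intended, pass one `File::Stat` through rather than re-stat-ing. Whether `stat` and `owned?` are meant to be part of the class's public interface is not visible in this hunk; if not, a `private` marker (or `private :stat`) would keep them out of it.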