From f65c019065f72519d087007723210495129000d8 Mon Sep 17 00:00:00 2001
From: janskiba
Date: Wed, 31 Jan 2024 14:23:14 +0000
Subject: [PATCH] fix: Correctly set file permissions
---
 ccp/modules/datashield-setup.sh | 8 +++++---
 lib/functions.sh | 1 -
 lib/prepare-system.sh | 4 +++-
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh
index 464b0e1..9324305 100644
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@@ -12,9 +12,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)"
 if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
 mkdir -p /tmp/bridgehead/
- chown -R bridgehead:docker /tmp/bridgehead/
 openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE"
- chmod g+r /tmp/bridgehead/opal-key.pem
 fi
 mkdir -p /tmp/bridgehead/opal-map
 sites="$(cat ./$PROJECT/modules/datashield-mappings.json)"
@@ -29,6 +27,10 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 "internal": "opal:8443",
 "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'")
 }]' > /tmp/bridgehead/opal-map/local.json
- chown -R bridgehead:docker /tmp/bridgehead/*
+ if [ "$USER" == "root" ]; then
+ chown -R bridgehead:docker /tmp/bridgehead
+ chmod g+wr /tmp/bridgehead/opal-map/*
+ chmod g+r /tmp/bridgehead/opal-key.pem
+ fi
 add_private_oidc_redirect_url "/opal/*"
 fi
diff --git a/lib/functions.sh b/lib/functions.sh
index b54ceec..897eef2 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -279,7 +279,6 @@ function sync_secrets() {
 fi
 mkdir -p /var/cache/bridgehead/secrets/
 touch /var/cache/bridgehead/secrets/oidc
- chown -R bridgehead:docker /var/cache/bridgehead/secrets
 # The oidc provider will need to be switched based on the project at some point I guess
 docker run --rm \
 -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
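Review bot: The new guard `if [ "$USER" == "root" ]` in the second hunk of ccp/modules/datashield-setup.sh decides whether to fix ownership from an environment variable, which can be unset, inherited or overridden independently of the effective UID (how the script is launched is not visible here). When the variable does not say "root" although the process is root, the chown and both chmod calls are skipped without any message, and opal-key.pem keeps whatever owner and mode openssl gave it. I would test the effective UID instead, `if [ "$(id -u)" -eq 0 ]; then`, and log when the block is skipped. The enclosing `if [ "$ENABLE_DATASHIELD" == true ]` block starts above the hunk.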
diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index cd470b2..c43c0b1 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -88,7 +88,9 @@ elif [[ "$DEV_MODE" == "DEV" ]]; then
 git clone "$url" /etc/bridgehead
 fi
-chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
+mkdir -p /tmp/bridgehead /var/cache/bridgehead
+chown -R bridgehead:docker /etc/bridgehead /srv/docker/bridgehead /tmp/bridgehead /var/cache/bridgehead
+chmod -R g+wr /var/cache/bridgehead /tmp/bridgehead
 log INFO "System preparation is completed and configuration is present."
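Review bot: The added `chmod -R g+wr /var/cache/bridgehead /tmp/bridgehead` only adds group bits and never removes access for other users, so anything created under a permissive umask stays world-readable; judging by the other files in this patch, those trees hold `/var/cache/bridgehead/secrets/oidc` and `/tmp/bridgehead/opal-key.pem`. I would tighten it in the same step, e.g. `chmod -R g+rwX,o-rwx /var/cache/bridgehead /tmp/bridgehead`, provided the containers that mount these paths run as the bridgehead user or the docker group. Separately, `/tmp/bridgehead` is a fixed name inside a shared, world-writable directory and `mkdir -p` accepts an entry that already exists, so the recursive chown and chmod act on whatever is at that path; a state directory under `/run` or `/var/lib`, or an ownership check before recursing, would avoid depending on that. The rest of the script is outside the hunk, so whether a umask is set earlier is not visible here.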