Fix proxy_exec secret masking cleanup on Windows

Author: saracen

commands/helpers/internal/store/store.go

@@ -31,16 +31,16 @@ func Open(dir string) (*Store, error) {
 	sum := sha256.Sum256([]byte(pathname))
 	keyPath := filepath.Join(dir, "runner"+hex.EncodeToString(sum[:]))
 
-	_ = os.MkdirAll(filepath.Dir(pathname), 0o750)
+	_ = os.MkdirAll(filepath.Dir(pathname), 0o755)
 	_, err := os.Stat(pathname)
 	if err != nil {
 		// store file doesn't exist, so re-generate key
-		if err := os.WriteFile(keyPath, generateKey(), 0o600); err != nil {
+		if err := os.WriteFile(keyPath, generateKey(), 0o644); err != nil {
 			return nil, fmt.Errorf("writing key: %w", err)
 		}
 	}
 
-	f, err := os.OpenFile(pathname, os.O_APPEND|os.O_RDWR|os.O_CREATE, 0640)
+	f, err := openFile(pathname)
 	if err != nil {
 		return nil, fmt.Errorf("opening store file: %w", err)
 	}

commands/helpers/internal/store/store_test.go

@@ -0,0 +1,67 @@
+//go:build !integration
+
+package store
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestOpen(t *testing.T) {
+	t.Run("create and reopen", func(t *testing.T) {
+		dir := t.TempDir()
+
+		db, err := Open(dir)
+		require.NoError(t, err)
+		require.NoError(t, db.Add("test-secret"))
+		db.Close()
+
+		db, err = Open(dir)
+		require.NoError(t, err)
+		defer db.Close()
+
+		items, err := db.List()
+		require.NoError(t, err)
+		require.Equal(t, []string{"test-secret"}, items)
+	})
+
+	t.Run("recreates key when db missing", func(t *testing.T) {
+		dir := t.TempDir()
+
+		db, err := Open(dir)
+		require.NoError(t, err)
+		require.NoError(t, db.Add("old-secret"))
+		db.Close()
+
+		require.NoError(t, os.Remove(filepath.Join(dir, "masking.db")))
+
+		db, err = Open(dir)
+		require.NoError(t, err)
+		defer db.Close()
+
+		items, err := db.List()
+		require.NoError(t, err)
+		require.Empty(t, items)
+	})
+
+	t.Run("fails with missing key file", func(t *testing.T) {
+		dir := t.TempDir()
+
+		db, err := Open(dir)
+		require.NoError(t, err)
+		db.Close()
+
+		pathname := filepath.Join(dir, "masking.db")
+		sum := sha256.Sum256([]byte(pathname))
+		keyPath := filepath.Join(dir, "runner"+hex.EncodeToString(sum[:]))
+		require.NoError(t, os.Remove(keyPath))
+
+		_, err = Open(dir)
+		require.Error(t, err)
+	})
+}

commands/helpers/internal/store/store_unix.go

@@ -0,0 +1,9 @@
+//go:build !windows
+
+package store
+
+import "os"
+
+func openFile(pathname string) (*os.File, error) {
+	return os.OpenFile(pathname, os.O_APPEND|os.O_RDWR|os.O_CREATE, 0666)
+}

commands/helpers/internal/store/store_windows.go

@@ -0,0 +1,34 @@
+//go:build windows
+
+package store
+
+import (
+	"fmt"
+	"os"
+
+	"golang.org/x/sys/windows"
+)
+
+// openFile is like os.OpenFile, but adds FILE_SHARE_DELETE, allowing the file
+// to be deleted, even when open, on Windows.
+func openFile(pathname string) (*os.File, error) {
+	p, err := windows.UTF16PtrFromString(pathname)
+	if err != nil {
+		return nil, fmt.Errorf("converting pathname to UTF16: %w", err)
+	}
+
+	h, err := windows.CreateFile(
+		p,
+		windows.GENERIC_READ|windows.FILE_APPEND_DATA,
+		windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE|windows.FILE_SHARE_DELETE,
+		nil,
+		windows.OPEN_ALWAYS,
+		windows.FILE_ATTRIBUTE_NORMAL,
+		0,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("creating file share file: %w", err)
+	}
+
+	return os.NewFile(uintptr(h), pathname), nil
+}

commands/helpers/internal/store/store_windows_test.go

@@ -0,0 +1,28 @@
+//go:build windows && !integration
+
+package store
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestDeleteOpenFile(t *testing.T) {
+	dir := t.TempDir()
+
+	pathname := filepath.Join(dir, "masking.db")
+	sum := sha256.Sum256([]byte(pathname))
+	keyPath := filepath.Join(dir, "runner"+hex.EncodeToString(sum[:]))
+
+	require.NoError(t, os.WriteFile(keyPath, nil, 0o640))
+	db, err := Open(dir)
+	defer db.Close()
+	require.NoError(t, err)
+
+	require.NoError(t, os.Remove(pathname))
+}