
gitlab.com/gitlab-org/gitaly.git - Unnamed repository; edit this file 'description' to name the repository.
authorJames Fargher <jfargher@gitlab.com>2023-02-08 00:31:48 +0300
committerJames Fargher <jfargher@gitlab.com>2023-02-08 22:50:39 +0300
commit57128d1963efe62f9e4b39b4ee9a95721c0c0a5f (patch)
treec73023f7af4172763b76ebbd23a76824c04e64ca
parent5cf02f580e6eafb00c93631803d9627e6a579e83 (diff)
Extract constant for the most restricted write-once private files
These files are only written once and must only be read by gitaly.
-rw-r--r--internal/git/ssh.go5
-rw-r--r--internal/helper/perm/perm.go5
-rw-r--r--internal/safe/locking_directory.go4
-rw-r--r--internal/safe/locking_file_writer.go4
4 files changed, 14 insertions, 4 deletions
diff --git a/internal/git/ssh.go b/internal/git/ssh.go
index be411576f..93f312597 100644
--- a/internal/git/ssh.go
+++ b/internal/git/ssh.go
@@ -8,6 +8,7 @@ import (
"strings"
"github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus/ctxlogrus"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
// BuildSSHInvocation builds a command line to invoke SSH with the provided key and known hosts.
@@ -32,7 +33,7 @@ func BuildSSHInvocation(ctx context.Context, sshKey, knownHosts string) (string,
args := []string{sshCommand}
if sshKey != "" {
sshKeyFile := filepath.Join(tmpDir, "ssh-key")
- if err := os.WriteFile(sshKeyFile, []byte(sshKey), 0o400); err != nil {
+ if err := os.WriteFile(sshKeyFile, []byte(sshKey), perm.PrivateWriteOnceFile); err != nil {
cleanup()
return "", nil, fmt.Errorf("create ssh key file: %w", err)
}
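Review bot: The 0o400 mode on the key file is only as strong as the directory it lives in — a private file in a world-readable or predictable temp directory still exposes its name and, because os.WriteFile opens with O_TRUNC and applies the mode only when it creates the file, an existing file or symlink at that path would be followed. Nothing in this hunk shows how tmpDir is created, so I would record the assumption next to the write: `// tmpDir must be a fresh, gitaly-owned 0o700 directory; the 0o400 mode only protects the key once it is there.` If tmpDir is not created with os.MkdirTemp or an equivalent elsewhere in BuildSSHInvocation, that is the thing to fix rather than the file mode. The function starts before this hunk and continues after it.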
@@ -42,7 +43,7 @@ func BuildSSHInvocation(ctx context.Context, sshKey, knownHosts string) (string,
if knownHosts != "" {
knownHostsFile := filepath.Join(tmpDir, "known-hosts")
- if err := os.WriteFile(knownHostsFile, []byte(knownHosts), 0o400); err != nil {
+ if err := os.WriteFile(knownHostsFile, []byte(knownHosts), perm.PrivateWriteOnceFile); err != nil {
cleanup()
return "", nil, fmt.Errorf("create known hosts file: %w", err)
}
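Review bot: The known-hosts file is not secret, so a reader may wonder why it gets the most restrictive mode; the property that matters here is integrity — if anything else can modify it, host-key verification against it is void. A one-line comment at the write would make that explicit: `// Not secret, but must be immutable: a writable known_hosts defeats host key verification.` It is also worth confirming, outside this hunk, that the SSH command line is built with UserKnownHostsFile pointing at this file and strict host-key checking enabled, since a pinned known_hosts only helps if ssh is told to use it and to reject unknown hosts. The function continues after this hunk.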
diff --git a/internal/helper/perm/perm.go b/internal/helper/perm/perm.go
index 2783f284c..869665384 100644
--- a/internal/helper/perm/perm.go
+++ b/internal/helper/perm/perm.go
@@ -23,6 +23,11 @@ const (
// written outside of gitaly.
PublicDir fs.FileMode = 0o777
+ // PrivateWriteOnceFile is the most restrictive file permission. Given to
+ // files that are expected to be written only once and must be read only by
+ // gitaly.
+ PrivateWriteOnceFile fs.FileMode = 0o400
+
// PrivateFile is the permissions given for a file that must only be used
// by gitaly.
PrivateFile fs.FileMode = 0o600
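Review bot: The comment on PrivateWriteOnceFile should say how a 0o400 file can be written at all, since the name and "most restrictive" invite the question: the mode takes effect at creation, and the creating call keeps writing through the descriptor it already holds, so it is later opens for writing that fail for non-root users. Two caveats belong there too — root bypasses DAC entirely, and the umask can only clear bits, so 0o400 is never widened by it. Suggested wording: `// PrivateWriteOnceFile is the most restrictive file permission: the creating open still writes through its own descriptor, but any later open for writing fails (root excepted). Use it for files written exactly once at creation and read only by gitaly.` The const block begins before this hunk.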
diff --git a/internal/safe/locking_directory.go b/internal/safe/locking_directory.go
index 2f51e5a8e..c3baa7340 100644
--- a/internal/safe/locking_directory.go
+++ b/internal/safe/locking_directory.go
@@ -6,6 +6,8 @@ import (
"io/fs"
"os"
"path/filepath"
+
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
type lockingDirectoryState int
@@ -50,7 +52,7 @@ func (ld *LockingDirectory) Lock() error {
return errors.New("locking directory not lockable")
}
- lock, err := os.OpenFile(ld.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, 0o400)
+ lock, err := os.OpenFile(ld.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, perm.PrivateWriteOnceFile)
if err != nil {
if os.IsExist(err) {
return ErrFileAlreadyLocked
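Review bot: The lock file is never written at all — it is opened O_RDONLY and serves purely as an existence marker — so "write once" in the constant's name slightly misdescribes this use, and a comment at the call site would stop a reader from looking for the write. Something like `// Existence marker only: O_CREATE|O_EXCL makes create-if-absent atomic; the read-only mode is defence in depth.` Note also that removing a stale lock is governed by the directory's permissions, not the file's 0o400, so the mode does not interfere with unlock or cleanup. Lock's body starts before and continues after this hunk.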
diff --git a/internal/safe/locking_file_writer.go b/internal/safe/locking_file_writer.go
index c43720cbe..bb52de6b2 100644
--- a/internal/safe/locking_file_writer.go
+++ b/internal/safe/locking_file_writer.go
@@ -5,6 +5,8 @@ import (
"fmt"
"io"
"os"
+
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
type lockingFileWriterState int
@@ -136,7 +138,7 @@ func (fw *LockingFileWriter) Lock() error {
return err
}
- lock, err := os.OpenFile(fw.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, 0o400)
+ lock, err := os.OpenFile(fw.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, perm.PrivateWriteOnceFile)
if err != nil {
if os.IsExist(err) {
return ErrFileAlreadyLocked
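Review bot: This line is now byte-identical to the one in LockingDirectory.Lock, down to the flags, the mode and the ErrFileAlreadyLocked mapping that follows; with the constant extracted, a small shared helper in package safe such as `createLockFile(path string) (*os.File, error)` would keep the two from drifting on the next flag or permission change. That is a follow-up rather than a blocker for this commit. Lock's body starts before and continues after this hunk.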