fix: Set permission to read-only for the war file (#1592)

.rpm-packaging/ors-war.spec

@@ -202,7 +202,7 @@ alternatives --set java $(readlink -f /etc/alternatives/jre_%{java_version})/bin
 
 # chown to the tomcat user and ors group and give owner read and write permissions and group read and execute permissions
 chown %{tomcat_user} ${jws_webapps_folder}/ors.war
-chmod 750 ${jws_webapps_folder}/ors.war
+chmod 440 ${jws_webapps_folder}/ors.war
 # Set ownership of the ors home folder to the ors user and ors group
 chown -R %{ors_user}:%{ors_group} ${ORS_HOME}
 # Make everything 770 for Owner read+write and Group read+write and the ability to create folders.
@@ -241,4 +241,4 @@ if [ "$1" = "0" ]; then
     groupdel %{ors_group}
     # Remove the permanent variables
     rm -rf ${ORS_HOME}/.openrouteservice-jws5-permanent-state
-fi
+fi

.rpm-packaging/rhel8_post_install_check.sh

@@ -59,6 +59,8 @@ check_user_group_permissions '${ORS_HOME}/.openrouteservice-jws5-permanent-state
 check_file_exists "$JWS_WEBAPPS_DIRECTORY/ors.war" true || SUCCESSFUL=false
 # Check the ownership of the file
 find_owned_content "$JWS_WEBAPPS_DIRECTORY/ors.war" "tomcat" "" 1 || SUCCESSFUL=false
+# Check the permissions
+check_user_group_permissions "$JWS_WEBAPPS_DIRECTORY/ors.war" "tomcat" "" "440" || SUCCESSFUL=false
 
 # Check user and group setup
 check_group_exists 'openrouteservice' true || SUCCESSFUL=false
@@ -87,4 +89,4 @@ find_owned_content '${ORS_HOME}/*' "" "tomcat" 0 || SUCCESSFUL=false
 if [[ "$SUCCESSFUL" == false ]]; then
   log_error "Post-install check failed. Please check the logs for more details."
   exit 1
-fi
+fi

.rpm-packaging/scripts/helper_functions.sh

@@ -281,16 +281,47 @@ check_user_group_permissions() {
     local permissions="$4"
 
     # Fail if any of the variables are empty
-    if [ -z "$path_to_file" ] || [ -z "$permissions" ] || [ -z "$user" ] || [ -z "$group" ]; then
+    if [ -z "$path_to_file" ] || [ -z "$permissions" ]; then
         log_error "Please provide all variables to the check_user_group_permissions function."
         return 1
     fi
 
-    local result=$(${CONTAINER_ENGINE} exec -u root "$CONTAINER_NAME" bash -c "stat -c '%a %U %G' $path_to_file")
-    if [[ "$result" != "$permissions $user $group" ]]; then
-        log_error "Permissions for $path_to_file should be $permissions $user $group but are $result"
+    # Fail if neither user nor group are set
+    if [ -z "$user" ] && [ -z "$group" ]; then
+        log_error "Please provide at least one of user or group to the check_user_group_permissions function."
         return 1
     fi
+
+    if [ -n "$user" ] && [ -z "$group" ]; then
+      # Set group to empty string
+      group=""
+      # If only user is set, get stats without group
+      local result=$(${CONTAINER_ENGINE} exec -u root "$CONTAINER_NAME" bash -c "stat -c '%a %U' $path_to_file")
+      if [[ "$result" != "$permissions $user" ]]; then
+          log_error "Permissions for $path_to_file should be $permissions $user but are $result"
+          return 1
+      fi
+      log_success "Permissions for $path_to_file are $permissions $user as expected."
+      return 0
+    elif [ -z "$user" ] && [ -n "$group" ]; then
+      # Check for group only
+      # Set user to empty string
+      user=""
+      local result=$(${CONTAINER_ENGINE} exec -u root "$CONTAINER_NAME" bash -c "stat -c '%a %G' $path_to_file")
+      if [[ "$result" != "$permissions $group" ]]; then
+          log_error "Permissions for $path_to_file should be $permissions $group but are $result"
+          return 1
+      fi
+      log_success "Permissions for $path_to_file are $permissions $group as expected."
+      return 0
+    else
+      # Check for user and group
+      local result=$(${CONTAINER_ENGINE} exec -u root "$CONTAINER_NAME" bash -c "stat -c '%a %U %G' $path_to_file")
+      if [[ "$result" != "$permissions $user $group" ]]; then
+          log_error "Permissions for $path_to_file should be $permissions $user $group but are $result"
+          return 1
+      fi
+    fi
     log_success "Permissions for $path_to_file are $permissions $user $group as expected."
 }
 # Check that the CONTAINER_NAME variables are set