Merge pull request #21 from DevopsArtFactory/codex/windows-permission-fix-main

YoungJinJung · web-flow · commit c90e0be1805a · 2026-04-09T17:37:28.000+09:00
fix: handle private key permission checks correctly on windows
diff --git a/USAGE_EN.md b/USAGE_EN.md
@@ -318,7 +318,8 @@ Options:
   - `verify-required=true` by default in `decrypt`
   - unknown sender IDs are rejected during decrypt
   - Plaintext stdout blocked by default (`--out -` required)
-  - Private key file permission `0600` enforced
+  - Private key file permission `0600` enforced on Unix-like systems
+  - Windows skips POSIX mode checks because NTFS ACLs do not map to `0600`
 
 - Operational safety
   - Secrets are handled via file/stdin paths, not CLI secret arguments
diff --git a/USAGE_KO.md b/USAGE_KO.md
@@ -318,7 +318,8 @@ recipient + trusted sender를 한 번에 등록
   - `decrypt`에서 `verify-required=true` 기본
   - unknown sender ID는 복호화 단계에서 거부
   - 평문 stdout 기본 차단 (`--out -` 명시 필요)
-  - 개인키 파일 권한 `0600` 강제
+  - Unix 계열에서는 개인키 파일 권한 `0600` 강제
+  - Windows는 NTFS ACL이 `0600`과 직접 매핑되지 않아 POSIX 모드 검사를 생략
 
 - 운영/감사 관점
   - 비밀값을 CLI 인자로 받지 않고 파일/stdin 중심 처리
diff --git a/internal/policy/policy.go b/internal/policy/policy.go
@@ -3,13 +3,18 @@ package policy
 import (
 	"fmt"
 	"os"
+	"runtime"
 )
 
 func EnsurePrivateFile(path string) error {
 	info, err := os.Stat(path)
 	if err != nil {
 		return fmt.Errorf("stat private file %s: %w", path, err)
 	}
+	if runtime.GOOS == "windows" {
+		// Windows ACLs do not map cleanly to POSIX mode bits.
+		return nil
+	}
 	mode := info.Mode().Perm()
 	if mode != 0o600 {
 		return fmt.Errorf("private key file %s must have 0600 permission, got %o", path, mode)
diff --git a/internal/policy/policy_test.go b/internal/policy/policy_test.go
@@ -3,6 +3,7 @@ package policy
 import (
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 )
 
@@ -18,6 +19,12 @@ func TestEnsurePrivateFile(t *testing.T) {
 	if err := os.Chmod(p, 0o644); err != nil {
 		t.Fatal(err)
 	}
+	if runtime.GOOS == "windows" {
+		if err := EnsurePrivateFile(p); err != nil {
+			t.Fatalf("expected Windows permission check bypass: %v", err)
+		}
+		return
+	}
 	if err := EnsurePrivateFile(p); err == nil {
 		t.Fatal("expected failure for 0644")
 	}

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ package policy`
`3`	`3`	`import (`
`4`	`4`	`"os"`
`5`	`5`	`"path/filepath"`
	`6`	`+ "runtime"`
`6`	`7`	`"testing"`
`7`	`8`	`)`
`8`	`9`
`@@ -18,6 +19,12 @@ func TestEnsurePrivateFile(t *testing.T) {`
`18`	`19`	`if err := os.Chmod(p, 0o644); err != nil {`
`19`	`20`	`t.Fatal(err)`
`20`	`21`	`}`
	`22`	`+ if runtime.GOOS == "windows" {`
	`23`	`+ if err := EnsurePrivateFile(p); err != nil {`
	`24`	`+ t.Fatalf("expected Windows permission check bypass: %v", err)`
	`25`	`+ }`
	`26`	`+ return`
	`27`	`+ }`
`21`	`28`	`if err := EnsurePrivateFile(p); err == nil {`
`22`	`29`	`t.Fatal("expected failure for 0644")`
`23`	`30`	`}`