From 100e8e4a01aef9f26a1bdd972202fe764434e524 Mon Sep 17 00:00:00 2001 From: thesayyn Date: Tue, 20 Feb 2024 15:26:25 -0800 Subject: [PATCH] fix: match rules_docker modes --- distroless/private/home.bzl | 8 +++++++- distroless/private/passwd.bzl | 8 ++++++-- distroless/private/tar.bzl | 2 +- docs/rules.md | 3 ++- examples/flatten/BUILD.bazel | 8 ++++---- examples/home/BUILD.bazel | 6 +++--- examples/passwd/BUILD.bazel | 2 +- 7 files changed, 24 insertions(+), 13 deletions(-) diff --git a/distroless/private/home.bzl b/distroless/private/home.bzl index 97d0ec8..028c47d 100644 --- a/distroless/private/home.bzl +++ b/distroless/private/home.bzl @@ -16,7 +16,13 @@ def home(name, dirs, **kwargs): for home in dirs: mtree.extend( - tar_lib.mtree.add_directory_with_parents(home["home"], uid = str(home["uid"]), gid = str(home["gid"])), + tar_lib.mtree.add_directory_with_parents( + home["home"], + uid = str(home["uid"]), + gid = str(home["gid"]), + # the default matches https://github.com/bazelbuild/rules_docker/blob/3040e1fd74659a52d1cdaff81359f57ee0e2bb41/contrib/passwd.bzl#L81C24-L81C27 + mode = getattr(home, "gid", "700"), + ), ) tar( diff --git a/distroless/private/passwd.bzl b/distroless/private/passwd.bzl index 229ab56..967e944 100644 --- a/distroless/private/passwd.bzl +++ b/distroless/private/passwd.bzl @@ -5,7 +5,9 @@ load("@aspect_bazel_lib//lib:tar.bzl", "tar") load("@aspect_bazel_lib//lib:utils.bzl", "propagate_common_rule_attributes") load("@bazel_skylib//rules:write_file.bzl", "write_file") -def passwd(name, passwds, **kwargs): +# WARNING: the mode `0o644` is important +# See: https://github.com/bazelbuild/rules_docker/blob/3040e1fd74659a52d1cdaff81359f57ee0e2bb41/contrib/passwd.bzl#L149C54-L149C57 +def passwd(name, passwds, mode = "644", **kwargs): """ Create a passwd file from array of dicts. 
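Review bot: `mode = getattr(home, "gid", "700")` in the home.bzl hunk cannot act as the per-entry default its comment describes. `home` is indexed as a dict on the lines just above (`home["uid"]`), and `getattr` resolves attributes rather than dict keys, so the expression most likely always falls back to "700"; it also asks for "gid", not "mode". If a per-entry override is intended, `mode = home.get("mode", "700"),` expresses it; if not, pass the literal `mode = "700",` so the fixed permission is obvious. The body of `home()` starts and continues outside the hunk, so whether `dirs` documents a `mode` key cannot be checked from here.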
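Review bot: The WARNING comment added above `def passwd` says the mode is important but not why, and it spells the value `0o644` while the parameter takes the string "644" that is pasted into the mtree line. I would state the reason and the expected form, e.g. `# /etc/passwd must be readable by every user and writable only by root; pass the mode as an octal string such as "644".` The `mode:` docstring entry added in the next hunk could carry the same sentence, since that text is what reaches docs/rules.md. The body of `passwd()` continues outside this hunk.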
@@ -20,6 +22,7 @@ def passwd(name, passwds, **kwargs): ``` dict(gid = 0, uid = 0, home = "/root", shell = "/bin/bash", username = "root") ``` + mode: the mode bits for the passwd file **kwargs: other named arguments to expanded targets. see [common rule attributes](https://bazel.build/reference/be/common-definitions#common-attributes). """ common_kwargs = propagate_common_rule_attributes(kwargs) @@ -50,11 +53,12 @@ def passwd(name, passwds, **kwargs): stamp = 0, template = [ "#mtree", - "./etc/passwd uid=0 gid=0 mode=0700 time=0 type=file content={content}", + "./etc/passwd uid=0 gid=0 mode={mode} time=0 type=file content={content}", "", ], substitutions = { "{content}": "$(BINDIR)/$(rootpath :%s_content)" % name, + "{mode}": mode, }, **common_kwargs ) diff --git a/distroless/private/tar.bzl b/distroless/private/tar.bzl index 931fc60..a23a504 100644 --- a/distroless/private/tar.bzl +++ b/distroless/private/tar.bzl @@ -45,7 +45,7 @@ def _add_file_with_parents(path, file): return lines def _add_directory_with_parents(path, **kwargs): - lines = _add_parents(path) + lines = _add_parents(path, **kwargs) lines.append(_mtree_line(path, "dir", **kwargs)) return lines diff --git a/docs/rules.md b/docs/rules.md index 47c833d..dbc26a2 100644 --- a/docs/rules.md +++ b/docs/rules.md @@ -207,7 +207,7 @@ https://www.freedesktop.org/software/systemd/man/latest/os-release.html ## passwd
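Review bot: `"{mode}": mode` in the third passwd.bzl hunk is substituted verbatim into the `./etc/passwd uid=0 gid=0 mode={mode} ...` line. A value that contains whitespace or is not an octal string would therefore alter the rest of the mtree entry instead of failing the build. A guard placed before this call makes the contract explicit, for example `if not mode.isdigit(): fail("passwd mode must be an octal string, got %r" % mode)`. The call that owns this template starts outside the hunk.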
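Review bot: Passing `**kwargs` into `_add_parents` in the tar.bzl hunk gives every parent directory the leaf's uid, gid and mode. The updated expectations in examples/home and examples/flatten pin the result as `./home time=0.0 mode=700 gid=666 uid=666 type=dir`. A shared parent such as /home then belongs to one unprivileged user and is closed to everyone else, and with several entries under the same parent the outcome presumably depends on which duplicate mtree line wins. Unless rules_docker parity really requires this, keep the parents at their defaults with `lines = _add_parents(path)` and apply the kwargs only in `_mtree_line(path, "dir", **kwargs)`. If it is required, a comment on `_add_directory_with_parents` should say so.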
-passwd(name, passwds, kwargs)
+passwd(name, passwds, mode, kwargs)
 
Create a passwd file from array of dicts. @@ -222,6 +222,7 @@ https://www.ibm.com/docs/en/aix/7.3?topic=passwords-using-etcpasswd-file | :------------- | :------------- | :------------- | | name | name of the target | none | | passwds | an array of dicts which will be serialized into single passwd file.

An example;

 dict(gid = 0, uid = 0, home = "/root", shell = "/bin/bash", username = "root") 
| none | +| mode | the mode bits for the passwd file | "644" | | kwargs | other named arguments to expanded targets. see [common rule attributes](https://bazel.build/reference/be/common-definitions#common-attributes). | none | diff --git a/examples/flatten/BUILD.bazel b/examples/flatten/BUILD.bazel index c8b05b4..bb5e931 100644 --- a/examples/flatten/BUILD.bazel +++ b/examples/flatten/BUILD.bazel @@ -52,15 +52,15 @@ assert_tar_listing( actual = "flatten", expected = """\ #mtree -./etc/passwd nlink=0 time=0.0 mode=700 gid=0 uid=0 type=file size=33 cksum=3891093834 sha1digest=94f013494b98f8ed618ce2e670d405f818ec3915 +./etc/passwd nlink=0 time=0.0 mode=644 gid=0 uid=0 type=file size=33 cksum=3891093834 sha1digest=94f013494b98f8ed618ce2e670d405f818ec3915 ./examples time=1672560000.0 mode=755 gid=0 uid=0 type=dir ./examples/flatten time=1672560000.0 mode=755 gid=0 uid=0 type=dir ./examples/flatten/dir time=1672560000.0 mode=755 gid=0 uid=0 type=dir ./examples/flatten/dir/changelog nlink=0 time=1672560000.0 mode=755 gid=0 uid=0 type=file size=0 cksum=4294967295 sha1digest=da39a3ee5e6b4b0d3255bfef95601890afd80709 ./examples/flatten/dir/sub time=1672560000.0 mode=755 gid=0 uid=0 type=dir ./examples/flatten/dir/sub/content.txt nlink=0 time=1672560000.0 mode=755 gid=0 uid=0 type=file size=0 cksum=4294967295 sha1digest=da39a3ee5e6b4b0d3255bfef95601890afd80709 -./home time=0.0 mode=755 gid=0 uid=0 type=dir -./home/nonroot time=0.0 mode=755 gid=666 uid=666 type=dir -./root time=0.0 mode=755 gid=0 uid=0 type=dir +./home time=0.0 mode=700 gid=666 uid=666 type=dir +./home/nonroot time=0.0 mode=700 gid=666 uid=666 type=dir +./root time=0.0 mode=700 gid=0 uid=0 type=dir """, ) diff --git a/examples/home/BUILD.bazel b/examples/home/BUILD.bazel index 4ec14cc..d5c107e 100644 --- a/examples/home/BUILD.bazel +++ b/examples/home/BUILD.bazel 
@@ -22,8 +22,8 @@ assert_tar_listing(
 actual = "home",
 expected = """\
 #mtree
-./home time=0.0 mode=755 gid=0 uid=0 type=dir
-./home/nonroot time=0.0 mode=755 gid=666 uid=666 type=dir
-./root time=0.0 mode=755 gid=0 uid=0 type=dir
+./home time=0.0 mode=700 gid=666 uid=666 type=dir
+./home/nonroot time=0.0 mode=700 gid=666 uid=666 type=dir
+./root time=0.0 mode=700 gid=0 uid=0 type=dir
 """,
 )
diff --git a/examples/passwd/BUILD.bazel b/examples/passwd/BUILD.bazel
index 231e021..5560105 100644
--- a/examples/passwd/BUILD.bazel
+++ b/examples/passwd/BUILD.bazel
@@ -27,6 +27,6 @@ assert_tar_listing(
 actual = "passwd",
 expected = """\
 #mtree
-./etc/passwd nlink=0 time=0.0 mode=700 gid=0 uid=0 type=file size=35 cksum=2298809208 sha1digest=31ad675c1210fd0413dd9b2441aaaf13c18d1547
+./etc/passwd nlink=0 time=0.0 mode=644 gid=0 uid=0 type=file size=35 cksum=2298809208 sha1digest=31ad675c1210fd0413dd9b2441aaaf13c18d1547
 """,
 )