From 71a5b88da55cc37809d7b73969f84c6c5ffb6ca9 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Wed, 26 Oct 2022 12:11:50 -0700 Subject: [PATCH] backport of commit a5e019e0200a51523e434cfc156ccd6f8d864a72 (#17670) (#17669) Co-authored-by: Alexander Scheel Co-authored-by: Alexander Scheel --- .circleci/config.yml | 68 +++++++++++++++++++++++++-- .circleci/config/commands/go_test.yml | 17 ++++++- 2 files changed, 80 insertions(+), 5 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c78eb24b4e7d..cb5185554bf7 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -246,7 +246,9 @@ jobs: # has its own remote docker VM. make prep - mkdir -p test-results/go-test + + # Permissions have changed inside docker containers; see hack note below. + mkdir --mode=777 -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some @@ -267,6 +269,19 @@ jobs: # reasons unclear. export DOCKER_API_VERSION=1.39 + # Hack: Docker permissions appear to have changed; let's explicitly + # chmod the docker certificate path to give other grouped users + # access. + # + # Notably, in this shell pipeline we see: + # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) + # + # but inside the docker image below, we see: + # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) + # + # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 + chmod o+rx -R $DOCKER_CERT_PATH + export TEST_DOCKER_NETWORK_ID=$(docker network list -q -f 'name=vaulttest') if [ -z $TEST_DOCKER_NETWORK_ID ]; then TEST_DOCKER_NETWORK_ID=$(docker network create vaulttest) 
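Review bot: `mkdir --mode=777 -p test-results/go-test` in the -246 hunk only sets the mode on a directory that mkdir actually creates. If `test-results/go-test` already exists (from `make prep` or a restored workspace, neither visible here), its mode is left untouched and the permission failure returns silently; the parent `test-results` always gets the umask default. `mkdir -p test-results/go-test && chmod 777 test-results/go-test` is deterministic, though handing the directory to the container's uid (3434 per the later comment) would avoid making the test-result files writable by every account. The same line is added at -481, -668, -975 and in go_test.yml at -95; the four config.yml copies look like expansions of go_test.yml, so the change probably belongs there. The run step's script starts and ends outside the hunk.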
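Review bot: `chmod o+rx -R $DOCKER_CERT_PATH` in the -267 hunk opens the whole certificate directory to every account on the executor. That directory normally holds the client private key for the remote Docker daemon, so read access to it presumably means control of that daemon; the comment says "other grouped users", but `o+` is the others class, not a group. The expansion is also unquoted and unchecked, so an unset or empty variable leaves chmod without an operand. If world access is really required, `chmod -R o+rX -- "${DOCKER_CERT_PATH:?}"` stops with a clear error when the variable is missing and adds execute only on directories rather than on key and cert files; a copy of the certs owned by uid 3434 would be narrower still. The same line is added at -502, -689, -996 and in go_test.yml at -116.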
@@ -481,7 +496,9 @@ jobs: # has its own remote docker VM. make prep - mkdir -p test-results/go-test + + # Permissions have changed inside docker containers; see hack note below. + mkdir --mode=777 -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some @@ -502,6 +519,19 @@ jobs: # reasons unclear. export DOCKER_API_VERSION=1.39 + # Hack: Docker permissions appear to have changed; let's explicitly + # chmod the docker certificate path to give other grouped users + # access. + # + # Notably, in this shell pipeline we see: + # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) + # + # but inside the docker image below, we see: + # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) + # + # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 + chmod o+rx -R $DOCKER_CERT_PATH + export TEST_DOCKER_NETWORK_ID=$(docker network list -q -f 'name=vaulttest') if [ -z $TEST_DOCKER_NETWORK_ID ]; then TEST_DOCKER_NETWORK_ID=$(docker network create vaulttest) @@ -668,7 +698,9 @@ jobs: # has its own remote docker VM. make prep - mkdir -p test-results/go-test + + # Permissions have changed inside docker containers; see hack note below. + mkdir --mode=777 -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some 
@@ -689,6 +721,19 @@ jobs: # reasons unclear. export DOCKER_API_VERSION=1.39 + # Hack: Docker permissions appear to have changed; let's explicitly + # chmod the docker certificate path to give other grouped users + # access. + # + # Notably, in this shell pipeline we see: + # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) + # + # but inside the docker image below, we see: + # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) + # + # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 + chmod o+rx -R $DOCKER_CERT_PATH + export TEST_DOCKER_NETWORK_ID=$(docker network list -q -f 'name=vaulttest') if [ -z $TEST_DOCKER_NETWORK_ID ]; then TEST_DOCKER_NETWORK_ID=$(docker network create vaulttest) @@ -975,7 +1020,9 @@ jobs: # has its own remote docker VM. make prep - mkdir -p test-results/go-test + + # Permissions have changed inside docker containers; see hack note below. + mkdir --mode=777 -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some @@ -996,6 +1043,19 @@ jobs: # reasons unclear. export DOCKER_API_VERSION=1.39 + # Hack: Docker permissions appear to have changed; let's explicitly + # chmod the docker certificate path to give other grouped users + # access. + # + # Notably, in this shell pipeline we see: + # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) + # + # but inside the docker image below, we see: + # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) + # + # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 + chmod o+rx -R $DOCKER_CERT_PATH + export TEST_DOCKER_NETWORK_ID=$(docker network list -q -f 'name=vaulttest') if [ -z $TEST_DOCKER_NETWORK_ID ]; then TEST_DOCKER_NETWORK_ID=$(docker network create vaulttest) diff --git a/.circleci/config/commands/go_test.yml b/.circleci/config/commands/go_test.yml index f763c67f67dd..afa98bcc25cf 100644 
--- a/.circleci/config/commands/go_test.yml +++ b/.circleci/config/commands/go_test.yml @@ -95,7 +95,9 @@ steps: # has its own remote docker VM. make prep - mkdir -p test-results/go-test + + # Permissions have changed inside docker containers; see hack note below. + mkdir --mode=777 -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some @@ -116,6 +118,19 @@ steps: # reasons unclear. export DOCKER_API_VERSION=1.39 + # Hack: Docker permissions appear to have changed; let's explicitly + # chmod the docker certificate path to give other grouped users + # access. + # + # Notably, in this shell pipeline we see: + # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) + # + # but inside the docker image below, we see: + # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) + # + # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 + chmod o+rx -R $DOCKER_CERT_PATH + export TEST_DOCKER_NETWORK_ID=$(docker network list -q -f 'name=vaulttest') if [ -z $TEST_DOCKER_NETWORK_ID ]; then TEST_DOCKER_NETWORK_ID=$(docker network create vaulttest)