File Type

This document describes the design of the file resource type for managing files and directories.

Overview

The file resource manages files and directories with three aspects:

Existence: Whether the file/directory exists or is absent
Content: The contents of a file (from inline content or source file)
Attributes: Owner, group, and permissions

Provider Interface

File providers must implement the FileProvider interface:

type FileProvider interface {
    model.Provider

    CreateDirectory(ctx context.Context, dir string, owner string, group string, mode string) error
    Store(ctx context.Context, file string, contents []byte, source string, owner string, group string, mode string) error
    Status(ctx context.Context, file string) (*model.FileState, error)
}

Method Responsibilities

Method	Responsibility
`Status`	Query current file state (existence, type, content hash, attributes)
`Store`	Create or update a file with content and attributes
`CreateDirectory`	Create a directory with attributes

Status Response

The Status method returns a FileState containing:

type FileState struct {
    CommonResourceState
    Metadata *FileMetadata
}

type FileMetadata struct {
    Name     string         // File path
    Checksum string         // SHA256 hash of contents (files only)
    Owner    string         // Owner username
    Group    string         // Group name
    Mode     string         // Permissions in octal (e.g., "0644")
    Provider string         // Provider name (e.g., "posix")
    MTime    time.Time      // Modification time
    Size     int64          // File size in bytes
    Extended map[string]any // Provider-specific metadata
}

The Ensure field in CommonResourceState is set to:

present if a regular file exists
directory if a directory exists
absent if the path does not exist

Available Providers

Provider	Platform	Documentation
`posix`	Unix/Linux	Posix

Ensure States

Value	Description
`present`	Path must be a regular file with specified content
`absent`	Path must not exist
`directory`	Path must be a directory

Content Sources

Files can receive content from two mutually exclusive sources:

Property	Description
`contents`	Inline string content (template-resolved)
`source`	Path to local file to copy from

# Inline content with template
- file:
    - /etc/motd:
        ensure: present
        content: |
          Welcome to {{ lookup('facts.hostname') }}
          Managed by CCM
        owner: root
        group: root
        mode: "0644"

# Copy from source file
- file:
    - /etc/app/config.yaml:
        ensure: present
        source: files/config.yaml
        owner: app
        group: app
        mode: "0640"

When using source, the path is relative to the manifest’s working directory if one is set.

Required Properties

Unlike some resources, file resources require explicit attributes:

Property	Required	Description
`owner`	Yes	Username that owns the file
`group`	Yes	Group that owns the file
`mode`	Yes	Permissions in octal notation

This prevents accidental creation of files with default or inherited permissions.

Apply Logic

┌─────────────────────────────────────────┐
│ Get current state via Status()          │
└─────────────────┬───────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────┐
│ Is current state desired state?         │
└─────────────────┬───────────────────────┘
              Yes │         No
                  ▼         │
          ┌───────────┐     │
          │ No change │     │
          └───────────┘     │
                            ▼
              ┌─────────────────────────┐
              │ What is desired ensure? │
              └─────────────┬───────────┘
                            │
    ┌───────────────────────┼───────────────────────┐
    │ absent                │ directory             │ present
    ▼                       ▼                       ▼
┌────────────┐      ┌───────────────┐      ┌───────────────┐
│ Remove     │      │ CreateDir     │      │ Store         │
│ (os.Remove)│      │               │      │               │
└────────────┘      └───────────────┘      └───────────────┘

Idempotency

The file resource checks multiple attributes for idempotency:

State Checks (in order)

Ensure match: Current type matches desired (present/absent/directory)
Content match: SHA256 checksum of contents matches (for ensure: present)
Owner match: Current owner matches desired
Group match: Current group matches desired
Mode match: Current permissions match desired

Decision Table

Desired	Current State	Action
`absent`	absent	None
`absent`	present/directory	Remove
`directory`	directory + matching attrs	None
`directory`	absent/present	CreateDirectory
`directory`	directory + wrong attrs	CreateDirectory (updates attrs)
`present`	present + matching all	None
`present`	absent	Store
`present`	present + wrong content	Store
`present`	present + wrong attrs	Store

Content Comparison

Content is compared using SHA256 checksums:

Source	Checksum Method
`contents` property	`Sha256HashBytes([]byte(contents))`
`source` property	`Sha256HashFile(adjustedPath)`
Existing file	`Sha256HashFile(filePath)`

Mode Validation

File modes are validated during resource creation:

Valid Formats:

"0644" - Standard octal
"644" - Without leading zero
"0o755" - With 0o prefix
"0O700" - With 0O prefix

Validation Rules:

Must be valid octal number (digits 0-7)
Must be ≤ 0777 (no setuid/setgid/sticky via mode)

Path Validation

File paths must be:

Absolute (start with /)
Clean (no . or .. components, filepath.Clean(path) == path)

if filepath.Clean(p.Name) != p.Name {
    return fmt.Errorf("file path must be absolute")
}

Working Directory

When a manifest has a working directory (e.g., extracted from an archive), the source property is resolved relative to it:

if properties.Source != "" && mgr.WorkingDirectory() != "" {
    source = filepath.Join(mgr.WorkingDirectory(), properties.Source)
}

This allows manifests bundled with their source files to use relative paths.

Noop Mode

In noop mode, the file type:

Queries current state normally
Computes content checksums
Logs what actions would be taken
Sets appropriate NoopMessage:
- “Would have created the file”
- “Would have created directory”
- “Would have removed the file”
Reports Changed: true if changes would occur
Does not call provider Store/CreateDirectory methods
Does not remove files

Desired State Validation

After applying changes (in non-noop mode), the type verifies the file reached the desired state by calling Status() again and checking all attributes match. If validation fails, ErrDesiredStateFailed is returned.

Posix Provider

This document describes the implementation details of the Posix file provider for managing files and directories on Unix-like systems.

Provider Selection

The Posix provider is the default and only file provider. It is always available and returns priority 1 for all file resources.

Operations

Store (Create/Update File)

Process:

Verify parent directory exists
Parse file mode from octal string
Open source file if source property is set
Create temporary file in the same directory as target
Set file permissions on temp file
Write content (from source file or contents property)
Set ownership (chown) on temp file
Close temp file
Atomic rename temp file to target path

Atomic Write Pattern:

[parent dir]/<basename>.* (temp file)
    ↓ chmod (set permissions)
    ↓ write content
    ↓ chown (set owner/group)
    ↓ close
    ↓ rename
[parent dir]/<basename> (final file)

The temp file is created in the same directory as the target to ensure os.Rename() is atomic (same filesystem).

Content Sources:

Property	Behavior
`contents`	Write string directly to file (template-resolved)
`source`	Copy from local file path (adjusted for working directory)

If both are empty, an empty file is created.

Error Handling:

Condition	Behavior
Parent directory doesn’t exist	Return error: “is not a directory”
Invalid mode format	Return error from `strconv.ParseUint`
Source file not found	Return error from `os.Open`
Permission denied	Return error from underlying syscall
Rename failure	Return error: “could not rename temporary file”

CreateDirectory

Process:

Parse file mode from octal string
Create directory and parents via os.MkdirAll()
Lookup numeric UID/GID from owner/group names
Set permissions via os.Chmod() (ensures correct mode even if umask affected MkdirAll)
Set ownership via os.Chown()

Command Sequence:

os.MkdirAll(dir, parsedMode)    // Create directory tree
os.Chmod(dir, parsedMode)        // Ensure correct permissions
os.Chown(dir, uid, gid)          // Set ownership

The explicit Chmod after MkdirAll is necessary because MkdirAll applies the process umask to the mode.

Status

Process:

Initialize state with default metadata
Call os.Stat() on file path
Based on result, populate state accordingly

State Detection:

`os.Stat()` Result	Ensure Value	Metadata
File exists	`present`	Size, mtime, owner, group, mode, checksum
Directory exists	`directory`	Size, mtime, owner, group, mode
`os.ErrNotExist`	`absent`	None
`os.ErrPermission`	`absent`	None (logged as warning)
Other error	(unchanged)	None (logged as warning)

Metadata Collection:

Field	Source
`Name`	From properties
`Provider`	“posix”
`Size`	`FileInfo.Size()`
`MTime`	`FileInfo.ModTime()`
`Owner`	`util.GetFileOwner()` - resolves UID to username
`Group`	`util.GetFileOwner()` - resolves GID to group name
`Mode`	`util.GetFileOwner()` - octal string (e.g., “0644”)
`Checksum`	`util.Sha256HashFile()` - SHA256 hash (files only)

Note: Checksum is only calculated for regular files, not directories.

Idempotency

The file resource achieves idempotency by comparing current state against desired state:

State Checks

The isDesiredState() function checks (in order):

Ensure value matches - present, absent, or directory
Content checksum matches - SHA256 of contents vs existing file (for files only)
Owner matches - Username comparison
Group matches - Group name comparison
Mode matches - Octal permission string comparison

Decision Flow

┌─────────────────────────────────────────┐
│ What is the desired ensure state?       │
└─────────────────┬───────────────────────┘
                  │
    ┌─────────────┼─────────────┬─────────────┐
    │ absent      │ directory   │ present     │
    ▼             ▼             ▼             │
┌───────────┐ ┌───────────┐ ┌───────────────┐ │
│ File      │ │ Directory │ │ File exists?  │ │
│ exists?   │ │ exists?   │ │ Content match?│ │
└─────┬─────┘ └─────┬─────┘ │ Owner match?  │ │
      │             │       │ Group match?  │ │
  Yes │ No      Yes │ No    │ Mode match?   │ │
      ▼             ▼       └───────┬───────┘ │
┌─────────┐ ┌───────────┐           │         │
│ Remove  │ │ Stable    │     All Yes│    No   │
│ file    │ │           │           ▼         ▼
└─────────┘ └───────────┘   ┌───────────┐ ┌───────────┐
                            │ Stable    │ │ Store     │
                            └───────────┘ └───────────┘

Content Comparison

For files with ensure: present:

Content Source	Checksum Calculation
`contents` property	`Sha256HashBytes([]byte(contents))`
`source` property	`Sha256HashFile(adjustedSourcePath)`

The source path is adjusted based on the manager’s working directory when set.

Mode Validation

File modes are validated during resource creation:

Strip optional 0o or 0O prefix
Parse as octal number (base 8)
Validate range: must be ≤ 0777

Valid Mode Examples:

Input	Parsed Value
`"0644"`	0o644
`"644"`	0o644
`"0o755"`	0o755
`"0O700"`	0o700

Invalid Mode Examples:

Input	Error
`"0888"`	Invalid octal digit
`"1777"`	Exceeds maximum (setuid/setgid not supported via mode)
`"rw-r--r--"`	Not octal format

Ownership Resolution

Owner and group names are resolved to numeric UID/GID via:

uid, gid, err := util.LookupOwnerGroup(owner, group)

This uses the system’s user database (/etc/passwd, /etc/group, or equivalent):

user.Lookup(owner) → UID
user.LookupGroup(group) → GID

Error Handling:

Condition	Behavior
User not found	Return error: “could not lookup user”
Group not found	Return error: “could not lookup group”
Invalid UID/GID format	Return error from `strconv.Atoi`

Working Directory Support

When a manager has a working directory set (e.g., from extracted manifest), the source property path is adjusted:

func (t *Type) adjustedSource(properties *model.FileResourceProperties) string {
    source := properties.Source
    if properties.Source != "" && t.mgr.WorkingDirectory() != "" {
        source = filepath.Join(t.mgr.WorkingDirectory(), properties.Source)
    }
    return source
}

This allows manifests to use relative paths for source files bundled with the manifest.

Platform Support

The Posix provider uses Unix-specific system calls:

Operation	System Call
Get file owner/group	`syscall.Stat_t` (UID/GID from stat)
Set ownership	`os.Chown()` → `chown(2)`
Set permissions	`os.Chmod()` → `chmod(2)`

The provider has separate implementations for Unix and Windows (file_unix.go, file_windows.go in internal/util), with Windows returning errors for ownership operations.

Security Considerations

Atomic Writes

Files are written atomically via temp file + rename. This prevents:

Partial file reads during write
Corruption if process is interrupted
Race conditions with concurrent readers

Permission Ordering

Permissions and ownership are set on the temp file before rename:

Chmod - Set permissions
Write content
Chown - Set ownership
Rename to target

This ensures the file never exists at the target path with incorrect permissions.

Path Validation

File paths must be absolute and clean (no . or .. components):

if filepath.Clean(p.Name) != p.Name {
    return fmt.Errorf("file path must be absolute")
}

Required Properties

Owner, group, and mode are required properties and cannot be empty, preventing accidental creation of files with default/inherited permissions.

File Type

Overview

Provider Interface

Method Responsibilities

Status Response

Available Providers

Ensure States

Content Sources

Required Properties

Apply Logic

Idempotency

State Checks (in order)

Decision Table

Content Comparison

Mode Validation

Path Validation

Working Directory

Noop Mode

Desired State Validation

Subsections of File Type

Posix Provider

Provider Selection

Operations

Store (Create/Update File)

CreateDirectory

Status

Idempotency

State Checks

Decision Flow

Content Comparison

Mode Validation

Ownership Resolution

Working Directory Support

Platform Support

Security Considerations

Atomic Writes

Permission Ordering

Path Validation

Required Properties