Fix permission denied for external config

cmd/ad-runtime-utils/app.go

@@ -18,6 +18,8 @@ const (
 	exitOK         = 0
 	exitUserError  = 1
 	exitParseError = 2
+	runtimeJava    = "java"
+	runtimePython  = "python"
 )
 
 func Run(args []string, stdout, stderr io.Writer) int {
@@ -54,12 +56,12 @@ func Run(args []string, stdout, stderr io.Writer) int {
 	}
 
 	if *printCACerts {
-		if strings.ToLower(*runtime) != "java" {
+		if strings.ToLower(*runtime) != runtimeJava {
 			fmt.Fprintln(stderr, "--print-cacerts is only valid with --runtime=java")
 			return exitUserError
 		}
 		var javaHome string
-		javaHome, err = detect.ResolveRuntime(cfg, *service, "java")
+		javaHome, err = detect.ResolveRuntime(cfg, *service, runtimeJava)
 		if err != nil {
 			fmt.Fprintf(stderr, "detection failed: %v\n", err)
 			return exitUserError
@@ -106,9 +108,9 @@ func detectEnvName(cfg *config.Config, service, runtime string) string {
 		return def.EnvVar
 	}
 	switch strings.ToLower(runtime) {
-	case "java":
+	case runtimeJava:
 		return "JAVA_HOME"
-	case "python":
+	case runtimePython:
 		return "VIRTUAL_ENV"
 	default:
 		return strings.ToUpper(runtime) + "_HOME"

internal/config/config.go

@@ -126,7 +126,7 @@ func parseExternalServiceConfig(path string) (ServiceConfig, error) {
 	var cfg ServiceConfig
 	extData, err := os.ReadFile(path)
 	if err != nil {
-		if os.IsNotExist(err) {
+		if os.IsNotExist(err) || os.IsPermission(err) {
 			return cfg, nil
 		}
 		return cfg, fmt.Errorf("read service config %q: %w", path, err)

internal/config/config_test.go

@@ -135,6 +135,46 @@ services:
 	}
 }
 
+func TestLoad_ServiceExternalPermissionDenied(t *testing.T) {
+	tmpDir := t.TempDir()
+	extFile := filepath.Join(tmpDir, "restricted.yaml")
+	if err := os.WriteFile(extFile, []byte(`
+runtimes:
+  java:
+    version: "11"
+`), 0o644); err != nil {
+		t.Fatalf("write restricted external config: %v", err)
+	}
+	if err := os.Chmod(extFile, 0); err != nil {
+		t.Fatalf("restrict external config permissions: %v", err)
+	}
+	defer func() {
+		if err := os.Chmod(extFile, 0o644); err != nil {
+			t.Logf("restore external config permissions: %v", err)
+		}
+	}()
+	if _, err := os.ReadFile(extFile); err == nil {
+		t.Skip("external config remains readable after permission restriction")
+	} else if !os.IsPermission(err) {
+		t.Fatalf("expected permission error reading external config, got: %v", err)
+	}
+
+	mainContent := []byte(`
+services:
+  foo:
+    path: "` + extFile + `"
+`)
+	mainFile := filepath.Join(tmpDir, "cfg.yaml")
+	if err := os.WriteFile(mainFile, mainContent, 0o644); err != nil {
+		t.Fatalf("write main config: %v", err)
+	}
+
+	_, err := Load(mainFile)
+	if err != nil {
+		t.Fatalf("Load() returned error for permission denied external service config: %v", err)
+	}
+}
+
 func TestLoad_ServiceExternalParseError(t *testing.T) {
 	tmpDir := t.TempDir()
 	extFile := filepath.Join(tmpDir, "bad.yaml")

internal/detect/detect.go

@@ -19,6 +19,7 @@ func checkCandidate(cand, exe string) (string, bool) {
 		resolved = cand
 	}
 	candidateExe := filepath.Join(resolved, "bin", exe)
+	// #nosec G703 -- Runtime homes intentionally come from config/env; this only probes bin/exe existence.
 	if _, statErr := os.Stat(candidateExe); statErr == nil {
 		return resolved, true
 	}
@@ -62,7 +63,7 @@ func tryEnvVar(cfg config.RuntimeSetting, exe string) (string, bool) {
 	}
 	p := expandPath(raw)
 
-	if _, err := os.Stat(filepath.Join(p, "bin", exe)); err == nil {
+	if _, ok := checkCandidate(p, exe); ok {
 		return p, true
 	}
 	return "", false

internal/detect/resolve.go

@@ -6,12 +6,17 @@ import (
 	"github.com/arenadata/ad-runtime-utils/internal/config"
 )
 
+const (
+	runtimeJava   = "java"
+	runtimePython = "python"
+)
+
 func exeName(rt string) string {
 	switch rt {
-	case "java":
-		return "java"
-	case "python":
-		return "python"
+	case runtimeJava:
+		return runtimeJava
+	case runtimePython:
+		return runtimePython
 	default:
 		return rt
 	}