From 9699ff24989e41651e49d044f882d4a128ca9835 Mon Sep 17 00:00:00 2001
From: Omer Tuchfeld
Date: Wed, 10 Jun 2026 15:30:57 +0200
Subject: [PATCH] Discourage use of unredacted summary file

The summary file option is too innocently named when considering what it outputs. It's not used in any production contexts. It's only meant for dev. This commit puts it behind a cargo feature flag, and bails if you try to use it without the feature. Also sets the permissions of the summary file to 0600.
---
 Cargo.toml | 1 +
 src/logging.rs | 13 +++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 3e29c2cc9..31225eb63 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -66,6 +66,7 @@ prost-build = "0.12.1"
 [features]
 generate = []
+insecure_dev_only_unredacted_summary = []
 # See https://github.com/coreos/cargo-vendor-filterer
 [package.metadata.vendor-filter]
diff --git a/src/logging.rs b/src/logging.rs
index f2ee54ea7..10e920559 100644
--- a/src/logging.rs
+++ b/src/logging.rs
@@ -106,9 +106,18 @@ pub(crate) fn generate_summary(
 error: error.map(|e| format!("{:?}", e)),
 };
+ #[cfg(not(feature = "insecure_dev_only_unredacted_summary"))]
+ if summary.recert_config.summary_file.is_some() {
+ bail!("summary_file contains unredacted secret keys - use summary_file_clean instead, or build with --features insecure_dev_only_unredacted_summary");
+ }
+
+ #[cfg(feature = "insecure_dev_only_unredacted_summary")]
 if let Some(summary_file) = summary.recert_config.summary_file.clone() {
- let summary_file = summary_file.0.create().context("opening summary file for writing")?;
- serde_yaml::to_writer(summary_file, &summary).context("serializing cluster crypto into summary file")?;
+ use std::os::unix::fs::PermissionsExt;
+ let path = summary_file.0.path().to_owned();
+ let file = summary_file.0.create().context("opening summary file for writing")?;
+ std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600)).context("setting summary file permissions to 0600")?;
+ serde_yaml::to_writer(file, &summary).context("serializing cluster crypto into summary file")?;
 }
 if let Some(summary_file_clean) = summary.recert_config.summary_file_clean.clone() {
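Review bot: The 0600 mode is applied by path only after `summary_file.0.create()` has already created or truncated the file, so between the two calls the file carries whatever mode the umask or a pre-existing file gave it. `std::fs::set_permissions(&path, …)` also re-resolves the path instead of acting on the handle that will receive the key material, and a process that opened the file in that window keeps its descriptor after the chmod. I would set the mode at creation and then tighten through the handle, as in the excerpt below; this assumes `create()` does nothing beyond opening a regular file at `path()`, which this hunk does not show. `generate_summary` begins and continues outside the hunk.

```rust
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
let path = summary_file.0.path().to_owned();
// Create with 0600 from the start so the file never exists with umask-derived bits.
let file = std::fs::OpenOptions::new()
    .write(true)
    .create(true)
    .truncate(true)
    .mode(0o600)
    .open(&path)
    .context("opening summary file for writing")?;
// mode() only takes effect on creation; tighten a pre-existing file via the open handle, not the path.
file.set_permissions(std::fs::Permissions::from_mode(0o600))
    .context("setting summary file permissions to 0600")?;
// … unchanged: serde_yaml::to_writer(file, &summary) …
```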