engine: exec: support uid/gid/mask for secret mounts

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>

plan/task/exec.go

@@ -260,10 +260,19 @@ func (t *execTask) mountSecret(pctx *plancontext.Context, dest string, mnt *comp
 		return nil, err
 	}
 
-	// FIXME: handle uid, gid, optional
+	opts := struct {
+		UID  int
+		GID  int
+		Mask int
+	}{}
+
+	if err := mnt.Decode(&opts); err != nil {
+		return nil, err
+	}
+
 	return llb.AddSecret(dest,
 		llb.SecretID(contents.ID()),
-		llb.SecretFileOpt(0, 0, 0400), // uid, gid, mask)
+		llb.SecretFileOpt(opts.UID, opts.GID, opts.Mask),
 	), nil
 }
 

stdlib/europa/dagger/engine/exec.cue

@@ -63,9 +63,9 @@ package engine
 	} | {
 		type:     "secret"
 		contents: #Secret
-		uid:      uint32 | *0
+		uid:      int | *0
-		gid:      uint32 | *0
+		gid:      int | *0
-		optional: true | *false
+		mask:     int | *0o400
 	}
 }
 

tests/tasks/exec/mount_secret.cue

@@ -21,8 +21,29 @@ engine.#Plan & {
 				"sh", "-c",
 				#"""
 					test "$(cat /run/secrets/test)" = "hello world"
+					ls -l /run/secrets/test | grep -- "-r--------"
 					"""#,
 			]
 		}
+
+		verifyPerm: engine.#Exec & {
+			input: image.output
+			mounts: secret: {
+				dest:     "/run/secrets/test"
+				contents: context.secrets.testSecret.contents
+				uid:      42
+				gid:      24
+				mask:     0o666
+			}
+			args: [
+				"sh", "-c",
+				#"""
+					ls -l /run/secrets/test | grep -- "-rw-rw-rw-"
+					ls -l /run/secrets/test | grep -- "42"
+					ls -l /run/secrets/test | grep -- "24"
+					"""#,
+			]
+		}
+
 	}
 }