operating-room-monitor-server/backend/app/host_log_permissions.py
Kevin 5bbc3903cb Fix Docker log permissions and harden live surgery operations.
Map bind-mounted logs to host UID/GID via entrypoint, expose RTSP prewarm in compose, suppress health-check access noise, and return 409 when another surgery is active with orphan auto-end sweep.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-26 15:36:09 +08:00


"""Keep bind-mounted log files readable on the Docker host."""
from __future__ import annotations
import os
from pathlib import Path
def _runtime_owner() -> tuple[int, int] | None:
    """Return the ``(uid, gid)`` pair configured through APP_UID and APP_GID.

    Both environment variables must hold a non-negative integer; surrounding
    whitespace is ignored. ``None`` is returned when either variable is
    missing, empty, not parseable by ``int()``, or negative.

    Zero passes the range check, so APP_UID=0 / APP_GID=0 selects root as
    the owner. No upper bound is applied here.
    """
    raw_ids = [
        (os.environ.get(name) or "").strip() for name in ("APP_UID", "APP_GID")
    ]
    if not all(raw_ids):
        return None
    try:
        uid, gid = (int(text) for text in raw_ids)
    except ValueError:
        return None
    # Negative ids are rejected outright rather than handed to os.chown().
    if min(uid, gid) < 0:
        return None
    return uid, gid
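def ensure_bind_mount_readable(path: Path) -> None:
    """Best-effort: world-readable modes and optional chown to APP_UID/APP_GID.

    A directory is set to mode 0o775 and a regular file to 0o664. When
    ``_runtime_owner()`` yields an owner, *path* is chowned to it, and if
    *path* is a regular file its parent directory is chowned as well.
    Failures are swallowed so that a log file which cannot be re-moded or
    re-owned never stops the caller.

    NOTE(review): both modes grant read access to "other", i.e. to every
    account that can reach the bind mount on the host. Confirm that is
    acceptable for what these logs contain.
    NOTE(review): is_dir()/is_file(), Path.chmod() and os.chown() all follow
    symbolic links, so for a link the entry modified is its target. If
    anything other than this service can create entries in the log
    directory, consider skipping links (``path.is_symlink()``) before
    changing mode or owner.
    """
    try:
        if path.is_dir():
            path.chmod(0o775)
        elif path.is_file():
            path.chmod(0o664)
    except OSError:
        pass
    owner = _runtime_owner()
    if owner is None:
        return
    uid, gid = owner
    try:
        os.chown(path, uid, gid)
    except (OSError, OverflowError):
        # os.chown() raises OverflowError, not OSError, for an id too large
        # for the platform's uid_t/gid_t; an oversized APP_UID/APP_GID must
        # not turn this best-effort helper into a crash.
        return
    if path.is_file():
        try:
            os.chown(path.parent, uid, gid)
        except OSError:
            pass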