Ensure /etc/neutron/secret.txt is not world readable

/etc/neutron/secret.txt is used to store the UUID to configure the shared secret in neutron-metadata-agent and the nova-api-metadata service for authentication of metadata requests from instances. Ensure that this file can only be read by the root user. Change-Id: I6a18ebabade887922c13824c23ad5e0a8da74ba8 Closes-Bug: 1847230
2019-10-08 12:20:59 +01:00
parent b44bf586b8
commit 47fb279533
2 changed files with 18 additions and 9 deletions
--- a/hooks/neutron_ovs_context.py
+++ b/hooks/neutron_ovs_context.py
@@ -30,6 +30,7 @@ from charmhelpers.core.hookenv import (
 from charmhelpers.core.host import (
    CompareHostReleases,
    lsb_release,
+    write_file,
 )
 from charmhelpers.contrib.openstack import context
 from charmhelpers.contrib.openstack.utils import (
@@ -537,9 +538,10 @@ def get_shared_secret():
    secret = None
    if not os.path.exists(SHARED_SECRET):
        secret = str(uuid.uuid4())
-        with open(SHARED_SECRET, 'w') as secret_file:
-            secret_file.write(secret)
+        write_file(SHARED_SECRET, secret,
+                   perms=0o400)
    else:
+        os.chmod(SHARED_SECRET, 0o400)
        with open(SHARED_SECRET, 'r') as secret_file:
            secret = secret_file.read().strip()
    return secret
--- a/unit_tests/test_neutron_ovs_context.py
+++ b/unit_tests/test_neutron_ovs_context.py
@@ -38,6 +38,7 @@ TO_PATCH = [
    'relation_get',
    'related_units',
    'lsb_release',
+    'write_file',
 ]


@@ -642,15 +643,17 @@ class SharedSecretContext(CharmTestCase):
    def test_secret_created_stored(self, _uuid4, _path):
        _path.exists.return_value = False
        _uuid4.return_value = 'secret_thing'
-        with patch_open() as (_open, _file):
-            self.assertEqual(context.get_shared_secret(),
-                             'secret_thing')
-            _open.assert_called_with(
-                context.SHARED_SECRET.format('quantum'), 'w')
-            _file.write.assert_called_with('secret_thing')
+        self.assertEqual(context.get_shared_secret(),
+                         'secret_thing')
+        self.write_file.assert_called_once_with(
+            context.SHARED_SECRET,
+            'secret_thing',
+            perms=0o400,
+        )

+    @patch('os.chmod')
    @patch('os.path')
-    def test_secret_retrieved(self, _path):
+    def test_secret_retrieved(self, _path, _chmod):
        _path.exists.return_value = True
        with patch_open() as (_open, _file):
            _file.read.return_value = 'secret_thing\n'
@@ -658,6 +661,10 @@ class SharedSecretContext(CharmTestCase):
                             'secret_thing')
            _open.assert_called_with(
                context.SHARED_SECRET.format('quantum'), 'r')
+        _chmod.assert_called_once_with(
+            context.SHARED_SECRET,
+            0o400
+        )

    @patch.object(context, 'NeutronAPIContext')
    @patch.object(context, 'get_shared_secret')