Ensure config files rendered with sane permissions

All configuration files are being rendered with root.root ownership
with mode 0444 (including global read!).  Render configuration files
as owner root, with a group read permission appropriate to the
consuming charm.  This can be configured by setting the group
attribute of the Charm subclass, but will default to 'root' if
not supplied (preserving the previous behaviour).

Change-Id: Ib1e2d3801b171e5c7ea79d058fb36dfc532d5d20
Closes-Bug: 1780490
James Page 2018-07-15 11:41:48 +01:00
parent 0ac8eb2781
commit 51d00c45e2
2 changed files with 38 additions and 10 deletions


@ -326,6 +326,12 @@ class BaseOpenStackCharm(object, metaclass=BaseOpenStackCharmMeta):
package_codenames = {}
# File permissions
# config files written with 'group' read permission but always
# owned by root.
user = 'root'
group = 'root'
@property
def singleton(self):
"""Return the only instance of the charm class in this run"""
@ -763,7 +769,9 @@ class BaseOpenStackCharmActions(object):
'templates/', self.release),
target=conf,
context=adapters_instance,
config_template=config_template
config_template=config_template,
group=self.group,
perms=0o640,
)
def render_with_interfaces(self, interfaces, configs=None):
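Review bot: The new `user = 'root'` class attribute in the first hunk is never forwarded by the render call in the second hunk, which passes only `group=self.group` and `perms=0o640`, so a subclass that overrides `user` would see no change in file ownership. Either wire it through to the renderer or drop it and make the comment say so, e.g. `# config files are always owned by root; only 'group' is configurable`. The same comment should also record the consequence of the default: with `group = 'root'` and mode 0o640, a service that runs as a non-root user and relied on the old world-readable files cannot read its config until the charm sets `group`. It is also worth confirming that re-rendering tightens the mode of files already on disk from an earlier 0444 render, since that depends on the render helper, which is not shown here. Both the class body and the enclosing method of the render call start and end outside the hunks.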


@ -473,7 +473,9 @@ class TestMyOpenStackCharm(BaseOpenStackCharmTest):
template_loader='my-loader',
target='path1',
context=mock.ANY,
config_template=None
config_template=None,
group='root',
perms=0o640,
)
# assert the context was an MyAdapter instance.
context = self.render.call_args_list[0][1]['context']
@ -511,6 +513,8 @@ class TestMyOpenStackCharm(BaseOpenStackCharmTest):
target='path1',
context=mock.ANY,
config_template=config_template,
group='root',
perms=0o640,
)
# assert the context was an MyAdapter instance.
context = self.render.call_args_list[0][1]['context']
@ -576,28 +580,36 @@ class TestMyOpenStackCharm(BaseOpenStackCharmTest):
template_loader='my-loader',
target='path1',
context=mock.ANY,
config_template=None
config_template=None,
group='root',
perms=0o640,
),
mock.call(
source='path2',
template_loader='my-loader',
target='path2',
context=mock.ANY,
config_template=None
config_template=None,
group='root',
perms=0o640,
),
mock.call(
source='path3',
template_loader='my-loader',
target='path3',
context=mock.ANY,
config_template=None
config_template=None,
group='root',
perms=0o640,
),
mock.call(
source='path4',
template_loader='my-loader',
target='path4',
context=mock.ANY,
config_template=None
config_template=None,
group='root',
perms=0o640,
),
]
self.render.assert_has_calls(calls, any_order=True)
@ -635,28 +647,36 @@ class TestMyOpenStackCharm(BaseOpenStackCharmTest):
template_loader='my-loader',
target='path1',
context=mock.ANY,
config_template=None
config_template=None,
group='root',
perms=0o640,
),
mock.call(
source='path2',
template_loader='my-loader',
target='path2',
context=mock.ANY,
config_template=None
config_template=None,
group='root',
perms=0o640,
),
mock.call(
source='path3',
template_loader='my-loader',
target='path3',
context=mock.ANY,
config_template=None
config_template=None,
group='root',
perms=0o640,
),
mock.call(
source='path4',
template_loader='my-loader',
target='path4',
context=mock.ANY,
config_template=None
config_template=None,
group='root',
perms=0o640,
),
]
self.render.assert_has_calls(calls, any_order=True)
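Review bot: Every updated expectation in this file pins `group='root'`, so the tests cover only the default and nothing proves that a charm's own `group` attribute reaches the render call. A case with a test charm subclass that sets, say, `group = 'mygroup'` (constructed name) and asserts the call carries `group='mygroup', perms=0o640` would catch a regression where the value is hard-coded or dropped. The literal `0o640` is repeated in ten expectations; a shared constant in the test module would keep them in step if the mode changes again.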