From 047e3c11f1b45a75d016b33c92d3a4a39e1eb18c Mon Sep 17 00:00:00 2001
From: James Slagle
Date: Wed, 24 Jun 2015 16:37:32 -0400
Subject: [PATCH] Secure permissions on /etc/puppet/hieradata and /etc/puppet/hieradata/puppet-stack-config.yaml

Change-Id: I7cd014914db998d583f79328ed82270d3a280ff5
Resolves: rhbz#1234962
---
 .../install.d/02-puppet-stack-config | 4 ++
 .../os-apply-config/root/stackrc | 2 +-
 .../root/tripleo-undercloud-passwords | 40 +++++++++----------
 instack_undercloud/undercloud.py | 2 +-
 4 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/elements/puppet-stack-config/install.d/02-puppet-stack-config b/elements/puppet-stack-config/install.d/02-puppet-stack-config
index 33ca374e1..a577d0537 100755
--- a/elements/puppet-stack-config/install.d/02-puppet-stack-config
+++ b/elements/puppet-stack-config/install.d/02-puppet-stack-config
@@ -73,3 +73,7 @@ if not os.path.exists(os.path.dirname(puppet_stack_config_yaml_path)):
 os.makedirs(os.path.dirname(puppet_stack_config_yaml_path))
 with open(puppet_stack_config_yaml_path, 'w') as f:
 f.write(puppet_stack_config_yaml)
+
+# Secure permissions
+os.chmod(os.path.dirname(puppet_stack_config_yaml_path), 0750)
+os.chmod(puppet_stack_config_yaml_path, 0600)
diff --git a/elements/undercloud-stack-config/os-apply-config/root/stackrc b/elements/undercloud-stack-config/os-apply-config/root/stackrc
index d624d572b..7ba16370a 100644
--- a/elements/undercloud-stack-config/os-apply-config/root/stackrc
+++ b/elements/undercloud-stack-config/os-apply-config/root/stackrc
@@ -1,5 +1,5 @@
 export NOVA_VERSION=1.1
-export OS_PASSWORD=$(hiera admin_password)
+export OS_PASSWORD=$(sudo hiera admin_password)
 export OS_AUTH_URL=http://{{local-ip}}:5000/v2.0
 export OS_USERNAME=admin
 export OS_TENANT_NAME=admin
diff --git a/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords b/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords
index 08f4900c4..5725f375c 100644
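Review bot: The two chmod calls added at the end of the hunk run only after `open(puppet_stack_config_yaml_path, 'w')` has already created the file under the build-time umask, so on a first write the YAML (presumably holding the hiera secrets the rest of this patch reads via sudo) is briefly readable by whatever the umask allows, and a reader that opened it in that window keeps its descriptor after the chmod; creating the file through os.open with an explicit 0600 mode removes the window. The chmod calls should stay, because an existing file keeps its previous mode when reopened with `'w'` and os.makedirs is itself subject to umask, which also argues for passing `0750` to makedirs on the context line above. The `0750`/`0600` literals are Python 2 only; `0o750`/`0o600` are accepted by 2.6+ and 3 alike if this element is ever run under Python 3. The code that builds puppet_stack_config_yaml sits above the hunk and is not visible here.
```python
if not os.path.exists(os.path.dirname(puppet_stack_config_yaml_path)):
    os.makedirs(os.path.dirname(puppet_stack_config_yaml_path), 0750)
# Create with a restrictive mode from the start instead of relying on umask,
# so the secrets are never exposed between creation and the chmod below.
fd = os.open(puppet_stack_config_yaml_path,
             os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
with os.fdopen(fd, 'w') as f:
    f.write(puppet_stack_config_yaml)

# Secure permissions (still needed: a pre-existing file keeps its old mode
# and makedirs is subject to umask)
os.chmod(os.path.dirname(puppet_stack_config_yaml_path), 0750)
os.chmod(puppet_stack_config_yaml_path, 0600)
```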
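Review bot: The added `$(sudo hiera admin_password)` line makes sourcing stackrc depend on the stack user having a passwordless sudo rule covering hiera, and no such rule is part of this patch; without it sudo either prompts on the terminal in the middle of `source stackrc` or, with no tty, fails and the command substitution silently leaves OS_PASSWORD empty, which presumably only surfaces later as an authentication error. Using `sudo -n` makes a missing rule fail immediately and visibly, e.g. `export OS_PASSWORD=$(sudo -n hiera admin_password)`; the same applies to every rewritten line in tripleo-undercloud-passwords and to the `_run_command(['sudo', 'hiera', 'admin_password'])` call in undercloud.py (`['sudo', '-n', 'hiera', 'admin_password']`). Each `$(sudo hiera …)` is also a separate sudo audit-log entry, so sourcing tripleo-undercloud-passwords now produces twenty of them per invocation, which is worth knowing when reading auth logs on the undercloud.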
--- a/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords
+++ b/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords
@@ -1,21 +1,21 @@
-UNDERCLOUD_ADMIN_PASSWORD=$(hiera admin_password)
-UNDERCLOUD_ADMIN_TOKEN=$(hiera keystone::admin_token)
-UNDERCLOUD_CEILOMETER_METERING_SECRET=$(hiera ceilometer::metering_secret)
-UNDERCLOUD_CEILOMETER_PASSWORD=$(hiera ceilometer::api::keystone_password)
-UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(hiera snmpd_readonly_user_password)
-UNDERCLOUD_CEILOMETER_SNMPD_USER=$(hiera snmpd_readonly_user_name)
-UNDERCLOUD_DB_PASSWORD=$(hiera admin_password)
-UNDERCLOUD_GLANCE_PASSWORD=$(hiera glance::api::keystone_password)
-UNDERCLOUD_HEAT_ENCRYPTION_KEY=$(hiera heat::engine::auth_encryption_key)
-UNDERCLOUD_HEAT_PASSWORD=$(hiera heat::keystone_password)
-UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=$(hiera heat_stack_domain_admin_password)
-UNDERCLOUD_HORIZON_SECRET_KEY=$(hiera horizon_secret_key)
-UNDERCLOUD_IRONIC_PASSWORD=$(hiera ironic::api::admin_password)
-UNDERCLOUD_NEUTRON_PASSWORD=$(hiera neutron::server::auth_password)
-UNDERCLOUD_NOVA_PASSWORD=$(hiera nova::api::admin_password)
-UNDERCLOUD_RABBIT_COOKIE=$(hiera rabbit_cookie)
-UNDERCLOUD_RABBIT_PASSWORD=$(hiera rabbit_password)
-UNDERCLOUD_RABBIT_USERNAME=$(hiera rabbit_username)
-UNDERCLOUD_SWIFT_HASH_SUFFIX=$(hiera swift::swift_hash_suffix)
-UNDERCLOUD_SWIFT_PASSWORD=$(hiera swift::proxy::authtoken::admin_password)
+UNDERCLOUD_ADMIN_PASSWORD=$(sudo hiera admin_password)
+UNDERCLOUD_ADMIN_TOKEN=$(sudo hiera keystone::admin_token)
+UNDERCLOUD_CEILOMETER_METERING_SECRET=$(sudo hiera ceilometer::metering_secret)
+UNDERCLOUD_CEILOMETER_PASSWORD=$(sudo hiera ceilometer::api::keystone_password)
+UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(sudo hiera snmpd_readonly_user_password)
+UNDERCLOUD_CEILOMETER_SNMPD_USER=$(sudo hiera snmpd_readonly_user_name)
+UNDERCLOUD_DB_PASSWORD=$(sudo hiera admin_password)
+UNDERCLOUD_GLANCE_PASSWORD=$(sudo hiera glance::api::keystone_password)
+UNDERCLOUD_HEAT_ENCRYPTION_KEY=$(sudo hiera heat::engine::auth_encryption_key)
+UNDERCLOUD_HEAT_PASSWORD=$(sudo hiera heat::keystone_password)
+UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=$(sudo hiera heat_stack_domain_admin_password)
+UNDERCLOUD_HORIZON_SECRET_KEY=$(sudo hiera horizon_secret_key)
+UNDERCLOUD_IRONIC_PASSWORD=$(sudo hiera ironic::api::admin_password)
+UNDERCLOUD_NEUTRON_PASSWORD=$(sudo hiera neutron::server::auth_password)
+UNDERCLOUD_NOVA_PASSWORD=$(sudo hiera nova::api::admin_password)
+UNDERCLOUD_RABBIT_COOKIE=$(sudo hiera rabbit_cookie)
+UNDERCLOUD_RABBIT_PASSWORD=$(sudo hiera rabbit_password)
+UNDERCLOUD_RABBIT_USERNAME=$(sudo hiera rabbit_username)
+UNDERCLOUD_SWIFT_HASH_SUFFIX=$(sudo hiera swift::swift_hash_suffix)
+UNDERCLOUD_SWIFT_PASSWORD=$(sudo hiera swift::proxy::authtoken::admin_password)
 UNDERCLOUD_TUSKAR_PASSWORD={{tuskar.service-password}}
diff --git a/instack_undercloud/undercloud.py b/instack_undercloud/undercloud.py
index f70c1e7d5..b0c6aec0e 100644
--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@@ -474,7 +474,7 @@ def _configure_ssh_keys():
 args = ['sudo', 'chown', getpass.getuser() + ':',
 os.path.expanduser('~/stackrc')]
 _run_command(args, name='Chown stackrc')
- password = _run_command(['hiera', 'admin_password']).rstrip()
+ password = _run_command(['sudo', 'hiera', 'admin_password']).rstrip()
 user = _extract_from_stackrc('OS_USERNAME')
 auth_url = _extract_from_stackrc('OS_AUTH_URL')
 tenant = _extract_from_stackrc('OS_TENANT')