From 375920352ac7ba34071a6c40eee40422b24afe37 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 22 Apr 2024 21:21:45 +0900
Subject: [PATCH] Make sure storage server config files are not world-readable

... instead of vaguely rely on the umask.

Change-Id: I685888c8368cea53c225c103c62e5147db2ee28b
---
 manifests/storage/server.pp | 1 +
 spec/defines/swift_storage_server_spec.rb | 24 +++++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/manifests/storage/server.pp b/manifests/storage/server.pp
index 06d4db4d..afe53520 100644
--- a/manifests/storage/server.pp
+++ b/manifests/storage/server.pp
@@ -423,6 +423,7 @@ define swift::storage::server(
 ensure => present,
 owner => pick($owner, $::swift::params::user),
 group => pick($group, $::swift::params::group),
+ mode => '0640'
 replace => false,
 tag => 'swift-config-file',
 before => $required_middlewares,
diff --git a/spec/defines/swift_storage_server_spec.rb b/spec/defines/swift_storage_server_spec.rb
index 7a3c0e3b..5ebecba4 100644
--- a/spec/defines/swift_storage_server_spec.rb
+++ b/spec/defines/swift_storage_server_spec.rb
@@ -57,6 +57,14 @@ describe 'swift::storage::server' do
 :read_only => false,
 )}
 
+ it { is_expected.to contain_file('/etc/swift/account-server.conf').with(
+ :ensure => 'present',
+ :owner => 'swift',
+ :group => 'swift',
+ :mode => '0640',
+ :tag => 'swift-config-file'
+ )}
+
 it {
 is_expected.to contain_swift_account_config('DEFAULT/devices').with_value('/srv/node')
 is_expected.to contain_swift_account_config('DEFAULT/bind_ip').with_value('10.0.0.1')
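Review bot: The added attribute `mode => '0640'` has no trailing comma, so it runs straight into `replace => false,` and the manifest will not parse; the line should read `mode => '0640',`. Until that is fixed, no catalog that declares swift::storage::server can compile, which also means the new contain_file examples in the spec cannot pass. The file resource and the define both start outside this hunk, so the resource title and any content/source attribute are not visible here. Once the comma is in place, `replace => false` should not weaken the change: it only stops Puppet from overwriting existing content, while owner, group and mode are still enforced on files that already exist.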
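Review bot: The new contain_file example is repeated verbatim in the hunks at -57, -232 and -418, differing only in the file name (account-server.conf, container-server.conf, object-server.conf), so a later change to the expected mode or ownership has to be made in three places. A parameterised shared example would keep the permission expectation in one spot; the sketch below assumes it can be defined inside the top-level describe, which starts outside these hunks. The examples also pin only the default `swift` owner and group, so a case that sets the define's owner/group parameters and still expects `'0640'` would be a useful addition.

```ruby
shared_examples 'a storage server config file' do |path|
  it { is_expected.to contain_file(path).with(
    :ensure => 'present',
    :owner  => 'swift',
    :group  => 'swift',
    :mode   => '0640',
    :tag    => 'swift-config-file'
  )}
end

# … unchanged: existing account-server examples …
it_behaves_like 'a storage server config file', '/etc/swift/account-server.conf'
```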
@@ -232,6 +240,14 @@ describe 'swift::storage::server' do
 :read_only => false,
 )}
 
+ it { is_expected.to contain_file('/etc/swift/container-server.conf').with(
+ :ensure => 'present',
+ :owner => 'swift',
+ :group => 'swift',
+ :mode => '0640',
+ :tag => 'swift-config-file'
+ )}
+
 it {
 is_expected.to contain_swift_container_config('DEFAULT/devices').with_value('/srv/node')
 is_expected.to contain_swift_container_config('DEFAULT/bind_ip').with_value('10.0.0.1')
@@ -418,6 +434,14 @@ describe 'swift::storage::server' do
 :read_only => false,
 )}
 
+ it { is_expected.to contain_file('/etc/swift/object-server.conf').with(
+ :ensure => 'present',
+ :owner => 'swift',
+ :group => 'swift',
+ :mode => '0640',
+ :tag => 'swift-config-file'
+ )}
+
 it {
 is_expected.to contain_swift_object_config('DEFAULT/devices').with_value('/srv/node')
 is_expected.to contain_swift_object_config('DEFAULT/bind_ip').with_value('10.0.0.1')