From b0e59971b871c5432c93bbcddfb11edf60c15812 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Mon, 10 Jun 2024 22:05:44 +0900 Subject: [PATCH] Set appropriate ownership/permission to config files ... to avoid making any config files world readable. Also swift processes do not need write access to these files, thus write access can be blocked. Closes-Bug: #2068898 Change-Id: I8b11fbdb0ea0ca814b962dd72b5c1cb4cd201c24 --- manifests/containerreconciler.pp | 10 ++++++++++ manifests/internal_client.pp | 11 +++++++++++ manifests/keymaster.pp | 11 +++++++++++ manifests/memcache.pp | 11 +++++++---- manifests/objectexpirer.pp | 10 ++++++++++ manifests/proxy.pp | 12 +++++++++++- manifests/proxy/ceilometer.pp | 4 ++-- manifests/storage/drive_audit.pp | 11 +++++++++++ manifests/storage/server.pp | 13 +++++++++++-- .../classes/swift_containerreconciler_spec.rb | 7 +++++++ spec/classes/swift_internal_client_spec.rb | 7 +++++++ spec/classes/swift_keymaster_spec.rb | 7 +++++++ spec/classes/swift_memcache_spec.rb | 16 +++++----------- spec/classes/swift_objectexpirer_spec.rb | 7 +++++++ spec/classes/swift_proxy_ceilometer_spec.rb | 4 ++-- spec/classes/swift_proxy_spec.rb | 7 +++++++ .../swift_storage_driver_audit_spec.rb | 14 ++++++++++++++ spec/defines/swift_storage_server_spec.rb | 19 +++++++++++++------ 18 files changed, 153 insertions(+), 28 deletions(-) diff --git a/manifests/containerreconciler.pp b/manifests/containerreconciler.pp index 0a742df6..93aba8cb 100644 --- a/manifests/containerreconciler.pp +++ b/manifests/containerreconciler.pp 
@@ -138,6 +138,16 @@ class swift::containerreconciler(
purge => $purge_config,
}
+
+ file { '/etc/swift/container-reconciler.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => $::swift::params::group,
+ mode => '0640',
+ require => Anchor['swift::config::begin'],
+ before => Anchor['swift::config::end']
+ }
+ File['/etc/swift/container-reconciler.conf'] -> Swift_container_reconciler_config<||>
+
# only add memcache servers if 'cache' is included in the pipeline
if !empty(grep(any2array($pipeline), 'cache')) {
diff --git a/manifests/internal_client.pp b/manifests/internal_client.pp
index 9dcd6d8e..dfd950c0 100644
--- a/manifests/internal_client.pp
+++ b/manifests/internal_client.pp
@@ -65,6 +65,7 @@ class swift::internal_client (
) inherits swift::params {
include swift::deps
+ include swift::params
if $pipeline[-1] != 'proxy-server' {
fail('proxy-server must be the last element in pipeline')
@@ -74,6 +75,16 @@ class swift::internal_client (
purge => $purge_config,
}
+
+ file { '/etc/swift/internal-client.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => $::swift::params::group,
+ mode => '0640',
+ require => Anchor['swift::config::begin'],
+ before => Anchor['swift::config::end']
+ }
+ File['/etc/swift/internal-client.conf'] -> Swift_internal_client_config<||>
+
swift_internal_client_config {
'DEFAULT/user': value => $user;
'pipeline:main/pipeline': value => join($pipeline, ' ');
diff --git a/manifests/keymaster.pp b/manifests/keymaster.pp
index 683a26a3..0d711596 100644
--- a/manifests/keymaster.pp
+++ b/manifests/keymaster.pp
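Review bot: The new file resource reads `$::swift::params::group`, but unlike the internal_client and keymaster hunks in this same change no `include swift::params` is added next to `include swift::deps`; if swift::containerreconciler does not inherit swift::params (its header is outside the hunk), the variable evaluates to undef, Puppet stops managing the group attribute, and a freshly created file would most likely end up root:root 0640 and unreadable by the service group. Add `include swift::params` to the class body, as the other manifests in this change do, so the intended group is guaranteed rather than inherited by accident. The same check applies to the objectexpirer, proxy and drive_audit hunks, which reference the variable without a visible include. The class body continues outside the hunk.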
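Review bot: The added `include swift::params` is redundant in swift::internal_client: the context line `) inherits swift::params {` shows the class already inherits swift::params, so its variables are in scope without it. Dropping the include keeps this hunk to the ownership change it is meant to make; if the intent is to move the module away from class inheritance, that is a separate cleanup worth its own commit. The class body continues outside the hunk.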
@@ -84,6 +84,17 @@ class swift::keymaster(
) {
include swift::deps
+ include swift::params
+
+ file { '/etc/swift/keymaster.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => $::swift::params::group,
+ mode => '0640',
+ require => Anchor['swift::config::begin'],
+ before => Anchor['swift::config::end']
+ }
+ File['/etc/swift/keymaster.conf'] -> Swift_keymaster_config<||>
swift_keymaster_config {
'kms_keymaster/api_class': value => $api_class;
diff --git a/manifests/memcache.pp b/manifests/memcache.pp
index 3f8b89bc..97455966 100644
--- a/manifests/memcache.pp
+++ b/manifests/memcache.pp
@@ -85,11 +85,14 @@ class swift::memcache (
}
file { '/etc/swift/memcache.conf':
- ensure => file,
- owner => $::swift::params::user,
- group => $::swift::params::group,
- mode => '0640',
+ ensure => 'file',
+ owner => 'root',
+ group => $::swift::params::group,
+ mode => '0640',
+ require => Anchor['swift::config::begin'],
+ before => Anchor['swift::config::end']
}
+ File['/etc/swift/memcache.conf'] -> Swift_memcache_config<||>
swift_memcache_config {
'memcache/memcache_servers': value => join(any2array($memcache_servers), ',');
diff --git a/manifests/objectexpirer.pp b/manifests/objectexpirer.pp
index 309b8c0c..db3dd656 100644
--- a/manifests/objectexpirer.pp
+++ b/manifests/objectexpirer.pp
@@ -152,6 +152,16 @@ class swift::objectexpirer(
purge => $purge_config,
}
+
+ file { '/etc/swift/object-expirer.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => $::swift::params::group,
+ mode => '0640',
+ require => Anchor['swift::config::begin'],
+ before => Anchor['swift::config::end']
+ }
+ File['/etc/swift/object-expirer.conf'] -> Swift_object_expirer_config<||>
+
if $pipeline[-1] != 'proxy-server' {
fail('proxy-server must be the last element in pipeline')
}
diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index 6f7365d5..5637a190 100644
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
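Review bot: The new `file { '/etc/swift/keymaster.conf': ... }` resource carries no comment on why its ownership differs from the service user, and of all the files touched by this change it is the one most likely to hold secrets (this hunk writes `kms_keymaster/api_class`; the matching spec hunk shows `kms_keymaster/key_id`, and a KMS backend generally needs credentials alongside them). A one-line why-comment above the resource, e.g. `# keymaster.conf may carry KMS credentials: root-owned, group-readable, never writable by the swift user`, records the intent so a later change does not quietly relax it. The class body continues outside the hunk.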
@@ -225,11 +225,21 @@ class swift::proxy(
purge => $purge_config,
}
+
+ file { '/etc/swift/proxy-server.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => $::swift::params::group,
+ mode => '0640',
+ require => Anchor['swift::config::begin'],
+ before => Anchor['swift::config::end']
+ }
+ File['/etc/swift/proxy-server.conf'] -> Swift_proxy_config<||>
+
swift_proxy_config {
'DEFAULT/bind_port': value => $port;
'DEFAULT/bind_ip': value => $proxy_local_net_ip;
'DEFAULT/workers': value => $workers;
- 'DEFAULT/user': value => 'swift';
+ 'DEFAULT/user': value => $::swift::params::user;
'DEFAULT/log_name': value => $log_name;
'DEFAULT/log_facility': value => $log_facility;
'DEFAULT/log_level': value => $log_level;
diff --git a/manifests/proxy/ceilometer.pp b/manifests/proxy/ceilometer.pp
index 5e269805..0da10ab0 100644
--- a/manifests/proxy/ceilometer.pp
+++ b/manifests/proxy/ceilometer.pp
@@ -215,8 +215,8 @@ class swift::proxy::ceilometer(
}
file { '/etc/swift/ceilometer.conf':
- ensure => present,
- owner => $::swift::params::user,
+ ensure => 'file',
+ owner => 'root',
group => $::swift::params::group,
mode => '0640',
require => Anchor['swift::config::begin'],
diff --git a/manifests/storage/drive_audit.pp b/manifests/storage/drive_audit.pp
index 3dae850c..e4ca9667 100644
--- a/manifests/storage/drive_audit.pp
+++ b/manifests/storage/drive_audit.pp
@@ -130,6 +130,17 @@ class swift::storage::drive_audit(
purge => $purge_config,
}
+
+ file { '/etc/swift/drive-audit.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => $::swift::params::group,
+ mode => '0640',
+ require => Anchor['swift::config::begin'],
+ before => Anchor['swift::config::end']
+ }
+ File['/etc/swift/drive-audit.conf'] -> Swift_drive_audit_config<||>
+
+
swift_drive_audit_config {
'drive-audit/log_name' : value => $log_name;
'drive-audit/log_facility': value => $log_facility;
diff --git a/manifests/storage/server.pp b/manifests/storage/server.pp
index a7c73d12..c5bc7275 100644
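Review bot: The drive_audit hunk adds two consecutive blank lines after `File['/etc/swift/drive-audit.conf'] -> Swift_drive_audit_config<||>` (the two lone `+` lines before `swift_drive_audit_config {`, consistent with the hunk's +11 count against nine lines of resource), whereas every other manifest in this change adds exactly one. Drop one of them so the manifests stay uniform and the next reformat does not touch this file again. The class body continues outside the hunk.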
--- a/manifests/storage/server.pp
+++ b/manifests/storage/server.pp
@@ -407,8 +407,8 @@ define swift::storage::server(
%>"), ',')
file { $config_file_full_path:
- ensure => present,
- owner => pick($owner, $::swift::params::user),
+ ensure => 'file',
+ owner => 'root',
group => pick($group, $::swift::params::group),
mode => '0640',
tag => 'swift-config-file',
@@ -553,6 +553,15 @@ define swift::storage::server(
'container-sharder/log_name' => {'ensure' => absent},
}
}
+
+ file { '/etc/swift/container-sync-realms.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => pick($group, $::swift::params::group),
+ mode => '0640',
+ tag => 'swift-config-file',
+ }
+ File['/etc/swift/container-sync-realms.conf'] -> Swift_container_sync_realms_config<||>
}
'object': {
$type_opts = {
diff --git a/spec/classes/swift_containerreconciler_spec.rb b/spec/classes/swift_containerreconciler_spec.rb
index cc36667c..b8d3d919 100644
--- a/spec/classes/swift_containerreconciler_spec.rb
+++ b/spec/classes/swift_containerreconciler_spec.rb
@@ -12,6 +12,13 @@ describe 'swift::containerreconciler' do
shared_examples 'swift::container::reconciler' do
context 'with defaults' do
+ it { is_expected.to contain_file('/etc/swift/container-reconciler.conf').with(
+ :ensure => 'file',
+ :owner => 'root',
+ :group => 'swift',
+ :mode => '0640',
+ )}
+
it 'configures container-reconciler.conf' do
is_expected.to contain_swift_container_reconciler_config(
'pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server')
diff --git a/spec/classes/swift_internal_client_spec.rb b/spec/classes/swift_internal_client_spec.rb
index a53c1a8c..18841003 100644
--- a/spec/classes/swift_internal_client_spec.rb
+++ b/spec/classes/swift_internal_client_spec.rb
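Review bot: `owner => 'root'` in `file { $config_file_full_path: ... }` replaces `pick($owner, $::swift::params::user)`, so the define's `$owner` parameter (declared outside the hunk) is now silently ignored while `$group` on the very next line is still honoured. Either keep the parameter meaningful with `owner => pick($owner, 'root'),` or, if root ownership is meant to be mandatory, add `if $owner != undef { warning('The owner parameter has no effect and will be removed') }` and drop it in a later release. A parameter that is accepted but does nothing is how a deployer ends up believing a hardening can be overridden when it cannot, or the reverse. The define starts and ends outside the hunk.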
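Review bot: `file { '/etc/swift/container-sync-realms.conf': ... }` is declared with a fixed title inside the `'container'` branch of the `swift::storage::server` define, so a node declaring more than one container-server instance (the define is per instance, and `$config_file_full_path` just above is per instance for that reason) would hit a duplicate declaration on this resource. If several instances are supported, wrap it as `ensure_resource('file', '/etc/swift/container-sync-realms.conf', { ... })` or move it to a class evaluated once per node; if they are not, a comment stating that assumption next to the resource would help. Unlike the other config-file resources in this change it has no `require => Anchor['swift::config::begin']`, so where it lands relative to the config anchors depends on whatever collects the `swift-config-file` tag elsewhere in the module, which is worth confirming. The define starts and ends outside the hunk.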
@@ -12,6 +12,13 @@ describe 'swift::internal_client' do
end
context 'with defaults' do
+ it { is_expected.to contain_file('/etc/swift/internal-client.conf').with(
+ :ensure => 'file',
+ :owner => 'root',
+ :group => 'swift',
+ :mode => '0640',
+ )}
+
it 'should configure default values' do
should contain_swift_internal_client_config('DEFAULT/user').with_value('swift')
should contain_swift_internal_client_config('pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server')
diff --git a/spec/classes/swift_keymaster_spec.rb b/spec/classes/swift_keymaster_spec.rb
index a7590f95..085df383 100644
--- a/spec/classes/swift_keymaster_spec.rb
+++ b/spec/classes/swift_keymaster_spec.rb
@@ -9,6 +9,13 @@ describe 'swift::keymaster' do
end
context "when using default parameters" do
+ it { is_expected.to contain_file('/etc/swift/keymaster.conf').with(
+ :ensure => 'file',
+ :owner => 'root',
+ :group => 'swift',
+ :mode => '0640',
+ )}
+
it 'configures keymaster options' do
is_expected.to contain_swift_keymaster_config('kms_keymaster/api_class').with_value('barbican')
is_expected.to contain_swift_keymaster_config('kms_keymaster/key_id').with_value('')
diff --git a/spec/classes/swift_memcache_spec.rb b/spec/classes/swift_memcache_spec.rb
index 0fcb34ab..21ed5c72 100644
--- a/spec/classes/swift_memcache_spec.rb
+++ b/spec/classes/swift_memcache_spec.rb
@@ -4,17 +4,11 @@ describe 'swift::memcache' do
shared_examples 'swift::memcache' do
describe 'when using default parameters' do
-
- let :file_defaults do
- {
- :owner => 'swift',
- :group => 'swift',
- :mode => '0640',
- }
- end
-
- it {is_expected.to contain_file('/etc/swift/memcache.conf').with(
- {:ensure => 'file'}.merge(file_defaults)
+ it { is_expected.to contain_file('/etc/swift/memcache.conf').with(
+ :ensure => 'file',
+ :owner => 'root',
+ :group => 'swift',
+ :mode => '0640',
)}
it { is_expected.to contain_swift_memcache_config(
diff --git a/spec/classes/swift_objectexpirer_spec.rb b/spec/classes/swift_objectexpirer_spec.rb
index 8da580aa..7a1809e2 100644
--- a/spec/classes/swift_objectexpirer_spec.rb
+++ b/spec/classes/swift_objectexpirer_spec.rb
@@ -12,6 +12,13 @@ describe 'swift::objectexpirer' do
shared_examples 'swift::objectexpirer' do
context 'with defaults' do
+ it { is_expected.to contain_file('/etc/swift/object-expirer.conf').with(
+ :ensure => 'file',
+ :owner => 'root',
+ :group => 'swift',
+ :mode => '0640',
+ )}
+
it 'configures object-expirer.conf' do
is_expected.to contain_swift_object_expirer_config(
'pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server')
diff --git a/spec/classes/swift_proxy_ceilometer_spec.rb b/spec/classes/swift_proxy_ceilometer_spec.rb
index d0b203a2..3c502f19 100644
--- a/spec/classes/swift_proxy_ceilometer_spec.rb
+++ b/spec/classes/swift_proxy_ceilometer_spec.rb
@@ -34,8 +34,8 @@ describe 'swift::proxy::ceilometer' do
)}
it { is_expected.to contain_file('/etc/swift/ceilometer.conf').with(
- :ensure => 'present',
- :owner => 'swift',
+ :ensure => 'file',
+ :owner => 'root',
:group => 'swift',
:mode => '0640',
)}
diff --git a/spec/classes/swift_proxy_spec.rb b/spec/classes/swift_proxy_spec.rb
index 06467a61..0dc23c8e 100644
--- a/spec/classes/swift_proxy_spec.rb
+++ b/spec/classes/swift_proxy_spec.rb
@@ -46,6 +46,13 @@ describe 'swift::proxy' do
:tag => ['swift-service', 'swift-proxy-service'],
)}
+ it { is_expected.to contain_file('/etc/swift/proxy-server.conf').with(
+ :ensure => 'file',
+ :owner => 'root',
+ :group => 'swift',
+ :mode => '0640',
+ )}
+
it { should contain_service('swift-proxy-server').that_subscribes_to('Anchor[swift::service::begin]') }
it { should contain_service('swift-proxy-server').that_notifies('Anchor[swift::service::end]') }
it { should contain_swift_proxy_config('DEFAULT/bind_port').with_value('8080') }
diff --git a/spec/classes/swift_storage_driver_audit_spec.rb b/spec/classes/swift_storage_driver_audit_spec.rb
index 4b567968..f0806c3a 100644
--- a/spec/classes/swift_storage_driver_audit_spec.rb
+++ b/spec/classes/swift_storage_driver_audit_spec.rb
@@ -4,6 +4,13 @@ describe 'swift::storage::drive_audit' do
shared_examples 'swift::storage::drive_audit' do
context 'with defaults' do
+ it { is_expected.to contain_file('/etc/swift/drive-audit.conf').with(
+ :ensure => 'file',
+ :owner => 'root',
+ :group => 'swift',
+ :mode => '0640',
+ )}
+
it 'should configure default values' do
should contain_swift_drive_audit_config('drive-audit/log_name').with_value('drive-audit')
should contain_swift_drive_audit_config('drive-audit/log_facility').with_value('LOG_LOCAL2')
@@ -52,6 +59,13 @@ describe 'swift::storage::drive_audit' do
}
end
+ it { is_expected.to contain_file('/etc/swift/drive-audit.conf').with(
+ :ensure => 'file',
+ :owner => 'root',
+ :group => 'swift',
+ :mode => '0640',
+ )}
+
it 'should configure the given values' do
should contain_swift_drive_audit_config('drive-audit/user').with_value('alt_swift')
should contain_swift_drive_audit_config('drive-audit/device_dir').with_value('/opt/swift')
diff --git a/spec/defines/swift_storage_server_spec.rb b/spec/defines/swift_storage_server_spec.rb
index 5ebecba4..a63ba386 100644
--- a/spec/defines/swift_storage_server_spec.rb
+++ b/spec/defines/swift_storage_server_spec.rb
@@ -58,8 +58,8 @@ describe 'swift::storage::server' do
)}
it { is_expected.to contain_file('/etc/swift/account-server.conf').with(
- :ensure => 'present',
- :owner => 'swift',
+ :ensure => 'file',
+ :owner => 'root',
:group => 'swift',
:mode => '0640',
:tag => 'swift-config-file'
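Review bot: The new example pins the attributes of `/etc/swift/drive-audit.conf` but not the `File[...] -> Swift_drive_audit_config<||>` relationship the manifest adds, and that chain is what guarantees the file exists as root:swift 0640 before any setting is written into it; without it the ini provider would presumably create the file under the agent's umask first and the tighter mode would only be applied on a later pass. Add an ordering assertion such as `it { is_expected.to contain_file('/etc/swift/drive-audit.conf').that_comes_before('Swift_drive_audit_config[drive-audit/log_name]') }` so a later refactor cannot drop the chain unnoticed. The same gap exists in the other new spec examples in this change, and the second drive_audit hunk below repeats the attribute check verbatim where the ordering check would be the more useful addition.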
@@ -241,8 +241,15 @@ describe 'swift::storage::server' do
)}
it { is_expected.to contain_file('/etc/swift/container-server.conf').with(
- :ensure => 'present',
- :owner => 'swift',
+ :ensure => 'file',
+ :owner => 'root',
+ :group => 'swift',
+ :mode => '0640',
+ :tag => 'swift-config-file'
+ )}
+ it { is_expected.to contain_file('/etc/swift/container-sync-realms.conf').with(
+ :ensure => 'file',
+ :owner => 'root',
:group => 'swift',
:mode => '0640',
:tag => 'swift-config-file'
@@ -435,8 +442,8 @@ describe 'swift::storage::server' do
)}
it { is_expected.to contain_file('/etc/swift/object-server.conf').with(
- :ensure => 'present',
- :owner => 'swift',
+ :ensure => 'file',
+ :owner => 'root',
:group => 'swift',
:mode => '0640',
:tag => 'swift-config-file'