From 5d6201f9fc97c525913e1aded8edd85de60ab528 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Wed, 16 Jan 2019 14:43:54 +0200
Subject: [PATCH] Explicitly set certmonger's CA cert's permissions

We were relying on the default permissions that were being set by the command that extracts the certificate into a PEM file. This wasn't the right approach, as it could be too restrictive in some setups. Here, we explicitly tell puppet to set the appropriate permissions instead. Given this is a certificate file, and there's no private key involved, we can set it as world readable (0644). As folks in the system need to access the file.
Change-Id: I4b2cb1071e3fd5a1277d54b86822e8fef2df0d78
Closes-bug: #1788257
---
 manifests/certmonger/ca/local.pp | 7 +++++++
 spec/classes/tripleo_certmonger_ca_local_spec.rb | 8 ++++++++
 2 files changed, 15 insertions(+)
diff --git a/manifests/certmonger/ca/local.pp b/manifests/certmonger/ca/local.pp
index ffdbc961e..21858d155 100644
--- a/manifests/certmonger/ca/local.pp
+++ b/manifests/certmonger/ca/local.pp
@@ -28,12 +28,19 @@ class tripleo::certmonger::ca::local(
 $ca_pkcs12 = '/var/lib/certmonger/local/creds'
 $extract_cmd = "openssl pkcs12 -in ${ca_pkcs12} -out ${ca_pem} -nokeys -nodes -passin pass:''"
 $trust_ca_cmd = 'update-ca-trust extract'
+
+ file { "${ca_pem}":
+ ensure => present,
+ mode => '0644',
+ owner => 'root',
+ }
 exec { 'extract-and-trust-ca':
 command => "${extract_cmd} && ${trust_ca_cmd}",
 path => '/usr/bin',
 unless => "test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}",
 tries => 5,
 try_sleep => 1,
+ notify => File[$ca_pem]
 }
 Service['certmonger'] ~> Exec<| title == 'extract-and-trust-ca' |>
 }
diff --git a/spec/classes/tripleo_certmonger_ca_local_spec.rb b/spec/classes/tripleo_certmonger_ca_local_spec.rb
index ddb570573..3d4d1e1bd 100644
--- a/spec/classes/tripleo_certmonger_ca_local_spec.rb
+++ b/spec/classes/tripleo_certmonger_ca_local_spec.rb
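Review bot: The world-readable `mode => '0644'` on the new `file` resource is safe only because `$extract_cmd` passes `-nokeys`, so the PEM written to `${ca_pem}` holds the certificate and nothing else; that dependency is invisible at the resource itself, and a later edit of `$extract_cmd` would silently start exposing key material to every local user. I would anchor it with a comment above the resource, `# 0644 is acceptable only while $extract_cmd uses -nokeys: this PEM must never contain a private key`. Two style points: the title `"${ca_pem}"` is a quoted single-variable string (puppet-lint's only_variable_string check) and is inconsistent with the bare `File[$ca_pem]` in the notify, so `file { $ca_pem:` reads better; and since a `file` resource has no refresh action, `notify => File[$ca_pem]` only provides ordering, which `before => File[$ca_pem],` (with the trailing comma the other attributes carry) states more plainly. The class body continues outside the hunk.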
@@ -37,6 +37,14 @@ describe 'tripleo::certmonger::ca::local' do
 :unless => "test -e #{params[:ca_pem]} && openssl x509 -checkend 0 -noout -in #{params[:ca_pem]}",
 )
 end
+
+ it 'set the correct permissions for the CA certificate file' do
+ is_expected.to contain_file(params[:ca_pem]).with(
+ :ensure => 'present',
+ :mode => '0644',
+ :owner => 'root'
+ )
+ end
 end
 
 on_supported_os.each do |os, facts|
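Review bot: The new example checks the file resource's attributes but not the relationship that makes them meaningful: nothing asserts that `extract-and-trust-ca` is ordered before the file resource, so removing the `notify` from the manifest would leave this spec green even though the manifest appears to rely on it to apply the mode after the PEM is written. Adding `is_expected.to contain_exec('extract-and-trust-ca').that_notifies("File[#{params[:ca_pem]}]")` to this example would pin that down. The description should also read `'sets the correct permissions for the CA certificate file'` to match the third-person form used for rspec example names. The enclosing `describe` block starts and ends outside the hunk.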