Merge "Ensure /etc/neutron/secret.txt is not world readable"

This commit is contained in:
Zuul 2019-10-10 09:10:50 +00:00 committed by Gerrit Code Review
commit 936e543094
2 changed files with 18 additions and 9 deletions


@ -30,6 +30,7 @@ from charmhelpers.core.hookenv import (
from charmhelpers.core.host import ( from charmhelpers.core.host import (
CompareHostReleases, CompareHostReleases,
lsb_release, lsb_release,
write_file,
) )
from charmhelpers.contrib.openstack import context from charmhelpers.contrib.openstack import context
from charmhelpers.contrib.openstack.utils import ( from charmhelpers.contrib.openstack.utils import (
@ -557,9 +558,10 @@ def get_shared_secret():
secret = None secret = None
if not os.path.exists(SHARED_SECRET): if not os.path.exists(SHARED_SECRET):
secret = str(uuid.uuid4()) secret = str(uuid.uuid4())
with open(SHARED_SECRET, 'w') as secret_file: write_file(SHARED_SECRET, secret,
secret_file.write(secret) perms=0o400)
else: else:
os.chmod(SHARED_SECRET, 0o400)
with open(SHARED_SECRET, 'r') as secret_file: with open(SHARED_SECRET, 'r') as secret_file:
secret = secret_file.read().strip() secret = secret_file.read().strip()
return secret return secret
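Review bot: The else-branch `os.chmod(SHARED_SECRET, 0o400)` restricts the mode but not the owner, so a pre-existing secret file owned by another account stays readable to that account; pairing the chmod with an ownership check (or an `os.chown` to the expected owner) would complete what the commit title intends. For the create branch, the hunk does not show whether `write_file` creates the file already at 0o400 or creates it at the process umask and tightens it afterwards; in the latter case a reader racing the creation could keep an open descriptor before the mode is applied, so that ordering is worth confirming against the helper. A one-line comment above the chmod would also explain why it runs on every call, e.g. `# Re-apply 0o400 on every read so a pre-existing world-readable secret file is tightened`. get_shared_secret's signature is outside the hunk.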


@ -38,6 +38,7 @@ TO_PATCH = [
'relation_get', 'relation_get',
'related_units', 'related_units',
'lsb_release', 'lsb_release',
'write_file',
] ]
@ -683,15 +684,17 @@ class SharedSecretContext(CharmTestCase):
def test_secret_created_stored(self, _uuid4, _path): def test_secret_created_stored(self, _uuid4, _path):
_path.exists.return_value = False _path.exists.return_value = False
_uuid4.return_value = 'secret_thing' _uuid4.return_value = 'secret_thing'
with patch_open() as (_open, _file):
self.assertEqual(context.get_shared_secret(), self.assertEqual(context.get_shared_secret(),
'secret_thing') 'secret_thing')
_open.assert_called_with( self.write_file.assert_called_once_with(
context.SHARED_SECRET.format('quantum'), 'w') context.SHARED_SECRET,
_file.write.assert_called_with('secret_thing') 'secret_thing',
perms=0o400,
)
@patch('os.chmod')
@patch('os.path') @patch('os.path')
def test_secret_retrieved(self, _path): def test_secret_retrieved(self, _path, _chmod):
_path.exists.return_value = True _path.exists.return_value = True
with patch_open() as (_open, _file): with patch_open() as (_open, _file):
_file.read.return_value = 'secret_thing\n' _file.read.return_value = 'secret_thing\n'
@ -699,6 +702,10 @@ class SharedSecretContext(CharmTestCase):
'secret_thing') 'secret_thing')
_open.assert_called_with( _open.assert_called_with(
context.SHARED_SECRET.format('quantum'), 'r') context.SHARED_SECRET.format('quantum'), 'r')
_chmod.assert_called_once_with(
context.SHARED_SECRET,
0o400
)
@patch.object(context, 'NeutronAPIContext') @patch.object(context, 'NeutronAPIContext')
@patch.object(context, 'get_shared_secret') @patch.object(context, 'get_shared_secret')