a8620cfd8d
Some secrets are being created with undesirable permissions. Upon
inspection it was noticed that in general Pegleg is creating files,
then changing permissions after the fact. This leads to a small
window where the permissions on a file are overly permissive.
This patchset:
1. Sets default umask of 0o027 (640 permissions for files)
2. Explicitly adds the open flag ('r', 'w' etc.) to all open() calls.
3. Replaces sys.stdout.write calls with click.echo() calls to be more
in line with the rest of the project.
4. Re-orders methods that write so that data is always first, and the
path is always second.
5. Updates unit tests.
6. Adds unit tests for testing directory and file permissions.
7. Minor style changes.
Change-Id: I0c154aa311ea371940fd24b0aabf58fffaf1d231
145 lines
4.3 KiB
Python
145 lines
4.3 KiB
Python
# Copyright 2018 AT&T Intellectual Property. All other rights reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import logging
|
|
import os
|
|
|
|
import mock
|
|
import pytest
|
|
import yaml
|
|
|
|
from pegleg import config
|
|
from pegleg.engine import bundle
|
|
from pegleg.engine.exceptions import GenesisBundleEncryptionException
|
|
from pegleg.engine.exceptions import GenesisBundleGenerateException
|
|
from pegleg.engine.util import files
|
|
|
|
from tests.unit.fixtures import temp_path
|
|
|
|
SITE_DEFINITION = """
|
|
---
|
|
# High-level pegleg site definition file
|
|
schema: pegleg/SiteDefinition/v1
|
|
metadata:
|
|
schema: metadata/Document/v1
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
# NEWSITE-CHANGEME: Replace with the site name
|
|
name: test_site
|
|
storagePolicy: cleartext
|
|
data:
|
|
# The type layer this site will delpoy with. Type layer is found in the
|
|
# type folder.
|
|
site_type: foundry
|
|
...
|
|
|
|
"""
|
|
|
|
SITE_CONFIG_DATA = """
|
|
---
|
|
schema: promenade/EncryptionPolicy/v1
|
|
metadata:
|
|
schema: metadata/Document/v1
|
|
name: encryption-policy
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: cleartext
|
|
data:
|
|
scripts:
|
|
genesis:
|
|
gpg: {}
|
|
join:
|
|
gpg: {}
|
|
---
|
|
schema: deckhand/LayeringPolicy/v1
|
|
metadata:
|
|
schema: metadata/Control/v1
|
|
name: layering-policy
|
|
data:
|
|
layerOrder:
|
|
- global
|
|
- type
|
|
- site
|
|
---
|
|
schema: deckhand/Passphrase/v1
|
|
metadata:
|
|
schema: metadata/Document/v1
|
|
name: ceph_swift_keystone_password
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: cleartext
|
|
data: ABAgagajajkb839215387
|
|
...
|
|
"""
|
|
|
|
|
|
@mock.patch.dict(
|
|
os.environ, {
|
|
'PEGLEG_PASSPHRASE': 'ytrr89erARAiPE34692iwUMvWqqBvC',
|
|
'PEGLEG_SALT': 'MySecretSalt1234567890]['
|
|
})
|
|
def test_no_encryption_key(temp_path):
|
|
# Write the test data to temp file
|
|
config_data = list(yaml.safe_load_all(SITE_CONFIG_DATA))
|
|
base_config_dir = os.path.join(temp_path, 'config_dir')
|
|
config.set_site_repo(base_config_dir)
|
|
config_dir = os.path.join(base_config_dir, 'site', 'test_site')
|
|
|
|
config_path = os.path.join(config_dir, 'config_file.yaml')
|
|
build_dir = os.path.join(temp_path, 'build_dir')
|
|
os.makedirs(config_dir)
|
|
|
|
files.write(config_data, config_path)
|
|
files.write(yaml.safe_load_all(SITE_DEFINITION),
|
|
os.path.join(config_dir, "site-definition.yaml"))
|
|
|
|
with pytest.raises(GenesisBundleEncryptionException,
|
|
match=r'.*no encryption policy or key is specified.*'):
|
|
bundle.build_genesis(build_path=build_dir,
|
|
encryption_key=None,
|
|
validators=False,
|
|
debug=logging.ERROR,
|
|
site_name="test_site")
|
|
|
|
|
|
@mock.patch.dict(
|
|
os.environ, {
|
|
'PEGLEG_PASSPHRASE': 'ytrr89erARAiPE34692iwUMvWqqBvC',
|
|
'PEGLEG_SALT': 'MySecretSalt1234567890]['
|
|
})
|
|
def test_failed_deckhand_validation(temp_path):
|
|
# Write the test data to temp file
|
|
config_data = list(yaml.safe_load_all(SITE_CONFIG_DATA))
|
|
base_config_dir = os.path.join(temp_path, 'config_dir')
|
|
config.set_site_repo(base_config_dir)
|
|
config_dir = os.path.join(base_config_dir, 'site', 'test_site')
|
|
|
|
config_path = os.path.join(config_dir, 'config_file.yaml')
|
|
build_dir = os.path.join(temp_path, 'build_dir')
|
|
os.makedirs(config_dir)
|
|
files.write(config_data, config_path)
|
|
files.write(yaml.safe_load_all(SITE_DEFINITION),
|
|
os.path.join(config_dir, "site-definition.yaml"))
|
|
key = 'MyverYSecretEncryptionKey382803'
|
|
with pytest.raises(GenesisBundleGenerateException,
|
|
match=r'.*failed on deckhand validation.*'):
|
|
bundle.build_genesis(build_path=build_dir,
|
|
encryption_key=key,
|
|
validators=False,
|
|
debug=logging.ERROR,
|
|
site_name="test_site")
|