Merge ~r00ta/maas:lp-2026802 into maas:master

Proposed by Jacopo Rota
Status: Merged
Approved by: Jacopo Rota
Approved revision: 06e64fcd915665ae9e3127787f5eee3b48d875ca
Merge reported by: MAAS Lander
Merged at revision: not available
Proposed branch: ~r00ta/maas:lp-2026802
Merge into: maas:master
Diff against target: 26 lines (+6/-1)
2 files modified
src/provisioningserver/utils/env.py (+1/-1)
src/tests/provisioningserver/utils/test_env.py (+5/-0)
| Reviewer | Review Type | Date Requested | Status |
| --- | --- | --- | --- |
| MAAS Lander | | | Approve |
| Adam Collard (community) | | | Approve |
Review via email: mp+446480@code.launchpad.net

Commit message

Fix rack secret permissions

Description of the change

This MP aims to fix https://bugs.launchpad.net/maas/+bug/2026802.

In particular, with 44ff8e0feca45b2c67f9e9fc9dd932c683011831 we refactored the way we store secrets on the filesystems and we started using the function `atomic_write` from `utils/fs.py`. But by default that function creates the file with `0o600` permissions, while for the secrets we need `0o640`.
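
An added illustration of the permission behaviour the description refers to; this is not MAAS code. `atomic_write_sketch`, `perms` and `demo` are hypothetical names, and the temp-file-plus-rename approach is an assumption about how such a helper typically works, not a copy of `atomic_write` from `utils/fs.py`.

```python
import os
import stat
import tempfile
from pathlib import Path


def atomic_write_sketch(data: bytes, path: Path, mode: int = 0o600) -> None:
    """Hypothetical stand-in (not MAAS's atomic_write): temp file, then rename."""
    # mkstemp always creates the temp file as 0o600, whatever the umask is.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{path.name}.")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            # fchmod sets the exact bits; unlike open(..., mode) it ignores umask.
            os.fchmod(f.fileno(), mode)
            f.flush()
            os.fsync(f.fileno())
        # Rename over the target: readers see the old or the new content, never
        # a partial write, and the target takes on the temp file's mode.
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def perms(path: Path) -> int:
    """Return only the permission bits of a file."""
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> dict:
    """Write a constructed secret twice under a restrictive umask."""
    old_umask = os.umask(0o077)
    try:
        with tempfile.TemporaryDirectory() as d:
            secret = Path(d) / "secret"
            atomic_write_sketch(b"constructed-value", secret)
            default_mode = perms(secret)  # caller did not pass a mode
            atomic_write_sketch(b"constructed-value", secret, mode=0o640)
            explicit_mode = perms(secret)  # existing 0o600 file is replaced
            return {"default": default_mode, "explicit": explicit_mode}
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print({k: oct(v) for k, v in demo().items()})
```
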

Adam Collard (adam-collard) :
review: Approve
MAAS Lander (maas-lander) wrote :

UNIT TESTS
-b lp-2026802 lp:~r00ta/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: SUCCESS
COMMIT: 06e64fcd915665ae9e3127787f5eee3b48d875ca

review: Approve
MAAS Lander (maas-lander) wrote :

Preview Diff

1diff --git a/src/provisioningserver/utils/env.py b/src/provisioningserver/utils/env.py
2index 4ea40f8..f0c32a0 100644
3--- a/src/provisioningserver/utils/env.py
4+++ b/src/provisioningserver/utils/env.py
5@@ -80,7 +80,7 @@ class FileBackedValue:
6 else:
7 # ensure the parent dirs exist
8 self.path.parent.mkdir(exist_ok=True)
9- atomic_write(value.encode("ascii"), self.path)
10+ atomic_write(value.encode("ascii"), self.path, mode=0o640)
11 self._value = value
12
13 def _normalise_value(self, value: Optional[str]) -> Optional[str]:
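
Review bot: The `mode=0o640` literal at the `atomic_write` call now applies to every value `FileBackedValue` writes, and nothing in the hunk says why group read is required. A short comment naming who needs group read access, or a named constant, would keep a later cleanup from tightening it back to the default. Also worth checking: `self.path.parent.mkdir(exist_ok=True)` just above creates the parent directory with default permissions, so who can actually reach the group-readable file depends on that directory's mode and ownership.
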
14diff --git a/src/tests/provisioningserver/utils/test_env.py b/src/tests/provisioningserver/utils/test_env.py
15index dba8b77..f123f4a 100644
16--- a/src/tests/provisioningserver/utils/test_env.py
17+++ b/src/tests/provisioningserver/utils/test_env.py
18@@ -198,3 +198,8 @@ class TestFileBackedValue:
19 file_value.path.write_text("new content")
20 # the file is read again
21 assert file_value.get() == "new content"
22+
23+ def test_set_default_permission(self, factory, file_value):
24+ factory.make_name("contents")
25+ file_value.set("content")
26+ assert (file_value.path.stat().st_mode & 0o777) == 0o640
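
Review bot: In `test_set_default_permission`, the result of `factory.make_name("contents")` is discarded and the test then writes the literal "content"; either pass the generated name to `file_value.set(...)` or drop the call and the `factory` fixture. The assertion only covers a file created by this `set` call; a second case where the path already exists with `0o600` before `set` would cover installs that already wrote the file with the old mode.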
