From 6470d6dd2c261a74c128004ad1a75e6f134b6691 Mon Sep 17 00:00:00 2001
From: Alex Kavanagh
Date: Thu, 5 Apr 2018 19:19:54 +0000
Subject: [PATCH] Change permissions on SSL keys to 640

This tightens up the security on the SSL keys stored in /etc/apache2/ssl/ to be no longer world readable.

Change-Id: I0951deff4ec95b1fc7f4389dc083c8957f8db6f0
Closes-Bug: #1761305
---
 charmhelpers/contrib/openstack/context.py | 4 ++--
 hooks/keystone_context.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/charmhelpers/contrib/openstack/context.py b/charmhelpers/contrib/openstack/context.py
index 6c4497b1..c077ca31 100644
--- a/charmhelpers/contrib/openstack/context.py
+++ b/charmhelpers/contrib/openstack/context.py
@@ -797,9 +797,9 @@ class ApacheSSLContext(OSContextGenerator):
             key_filename = 'key'
 
         write_file(path=os.path.join(ssl_dir, cert_filename),
-                   content=b64decode(cert))
+                   content=b64decode(cert), perms=0o640)
         write_file(path=os.path.join(ssl_dir, key_filename),
-                   content=b64decode(key))
+                   content=b64decode(key), perms=0o640)
 
     def configure_ca(self):
         ca_cert = get_ca_cert()
diff --git a/hooks/keystone_context.py b/hooks/keystone_context.py
index 832431d4..edf138f6 100644
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
@@ -94,10 +94,10 @@ class SSLContext(context.ApacheSSLContext):
         write_file(path=os.path.join(self.ssl_dir, 'cert_{}'.format(cn)),
                    content=cert, owner=SSH_USER, group=KEYSTONE_USER,
-                   perms=0o644)
+                   perms=0o640)
         write_file(path=os.path.join(self.ssl_dir, 'key_{}'.format(cn)),
                    content=key, owner=SSH_USER, group=KEYSTONE_USER,
-                   perms=0o644)
+                   perms=0o640)
 
     def configure_ca(self):
         from keystone_utils import (
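Review bot: The key written at `content=b64decode(key), perms=0o640)` in the charmhelpers hunk now depends on write_file's default owner and group, which the call does not set, so whether the web server can still open the key rests on those defaults (presumably root:root) and on the server reading the key before it drops privileges. Passing owner and group explicitly, as the keystone_context.py hunk already does, makes the intended reader visible at the call site; e.g. `content=b64decode(key), owner='root', group='root', perms=0o640)` with a comment noting that the key is loaded at daemon start, before privilege drop. Neither hunk changes the mode of ssl_dir itself, so the files' protection also depends on how that directory was created. The enclosing method starts outside the hunk; since charmhelpers/contrib is normally a synced copy of charm-helpers, this edit presumably also needs to land upstream or the next sync will revert it.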
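Review bot: Existing units that already hold `cert_<cn>` and `key_<cn>` files at 0o644 are only tightened if this write path runs again after the upgrade; if the SSL context is rendered only when the certificate changes, or write_file leaves unchanged files alone, deployed keys stay world-readable until then. Either confirm that write_file always rewrites and re-applies perms, or add an explicit chmod of the existing files under self.ssl_dir in the upgrade-charm path. Tightening the cert file is harmless but not needed, since the certificate is public material. The mode 0o640 now appears four times across both hunks; a single module constant such as `SSL_FILE_PERMS = 0o640` would keep the two files in step. The enclosing method starts outside the hunk.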