Move the chmod function before the write and flush functions to prevent sensitive information leakage.

Closes-Bug: #2047690 Change-Id: I2b88a14cc67a4fba35fcfc187a91771e1d714844
2024-01-19 21:23:04 +08:00 · 2024-01-19 21:23:04 +08:00 · cb71d19382
parent f6baa6d1ff
commit cb71d19382
1 changed files with 3 additions and 4 deletions
--- a/magnum/conductor/handlers/common/cert_manager.py
+++ b/magnum/conductor/handlers/common/cert_manager.py
@ -189,23 +189,22 @@ def create_client_files(cluster, context=None):
            magnum_cert = get_cluster_magnum_cert(cluster, context)

            ca_file = open(cached_ca_file, "w+")
+            os.chmod(cached_ca_file, 0o600)
            ca_file.write(encodeutils.safe_decode(ca_cert.get_certificate()))
            ca_file.flush()

            key_file = open(cached_key_file, "w+")
+            os.chmod(cached_key_file, 0o600)
            key_file.write(encodeutils.safe_decode(
                magnum_cert.get_decrypted_private_key()))
            key_file.flush()

            cert_file = open(cached_cert_file, "w+")
+            os.chmod(cached_cert_file, 0o600)
            cert_file.write(
                encodeutils.safe_decode(magnum_cert.get_certificate()))
            cert_file.flush()

-            os.chmod(cached_ca_file, 0o600)
-            os.chmod(cached_key_file, 0o600)
-            os.chmod(cached_cert_file, 0o600)
-
        else:
            ca_file = open(cached_ca_file, "r")
            key_file = open(cached_key_file, "r")