Merge pull request #11781 from marco-m/private-key-0600-permission

cli: consul tls: create private keys with mode 0600
This commit is contained in:
Daniel Nephin 2021-12-21 17:29:14 -05:00 committed by GitHub
commit 1eb3178468
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 23 additions and 2 deletions

3
.changelog/11781.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
cli: when creating a private key, save the file with mode 0600 so that only the user has read permission.
```


@ -83,7 +83,7 @@ func (c *cmd) Run(args []string) int {
}
c.UI.Output("==> Saved " + certFileName)
if err := file.WriteAtomicWithPerms(pkFileName, []byte(pk), 0755, 0666); err != nil {
if err := file.WriteAtomicWithPerms(pkFileName, []byte(pk), 0755, 0600); err != nil {
c.UI.Error(err.Error())
return 1
}
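Review bot: The move from 0666 to 0600 in the WriteAtomicWithPerms call at L26 carries no comment explaining the choice, and the identical call in the second `Run` hunk (L61) is in the same situation; a short why-comment above each call, such as `// Private key material must not be readable by other users; 0600 restricts access to the owner.`, would stop a later cleanup from widening it again. It is also worth confirming that file.WriteAtomicWithPerms applies the file mode to the temporary file before the rename rather than chmod-ing the final path afterwards, since otherwise the key would be briefly world-readable on disk; the helper's body is not part of this diff, so this is an inference. The enclosing `Run` method starts and ends outside the hunk.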


@ -3,6 +3,7 @@ package create
import (
"crypto"
"crypto/x509"
"io/fs"
"io/ioutil"
"os"
"strings"
@ -120,6 +121,14 @@ func expectFiles(t *testing.T, caPath, keyPath string) (*x509.Certificate, crypt
require.FileExists(t, caPath)
require.FileExists(t, keyPath)
fi, err := os.Stat(keyPath)
if err != nil {
t.Fatal("should not happen", err)
}
if want, have := fs.FileMode(0600), fi.Mode().Perm(); want != have {
t.Fatalf("private key file %s: permissions: want: %o; have: %o", keyPath, want, have)
}
caData, err := ioutil.ReadFile(caPath)
require.NoError(t, err)
keyData, err := ioutil.ReadFile(keyPath)
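Review bot: The new permission assertion at L48 compares `fi.Mode().Perm()` with 0600 unconditionally, but on Windows os.Stat reports only 0666 or 0444 permission bits, so this check (and the matching one added to the other expectFiles at L83) would fail on a Windows builder; wrapping the comparison in `if runtime.GOOS != "windows" { ... }` or skipping with t.Skip keeps the test portable. The surrounding function reports errors with `require.NoError(t, err)`, while the added lines use `t.Fatal("should not happen", err)` and a hand-written comparison; `require.NoError(t, err)` followed by `require.Equal(t, fs.FileMode(0600), fi.Mode().Perm(), "private key file %s permissions", keyPath)` would match the existing style. The enclosing expectFiles function continues past the end of the hunk.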


@ -196,7 +196,7 @@ func (c *cmd) Run(args []string) int {
}
c.UI.Output("==> Saved " + certFileName)
if err := file.WriteAtomicWithPerms(pkFileName, []byte(priv), 0755, 0666); err != nil {
if err := file.WriteAtomicWithPerms(pkFileName, []byte(priv), 0755, 0600); err != nil {
c.UI.Error(err.Error())
return 1
}


@ -3,6 +3,7 @@ package create
import (
"crypto"
"crypto/x509"
"io/fs"
"io/ioutil"
"net"
"os"
@ -242,6 +243,14 @@ func expectFiles(t *testing.T, certPath, keyPath string) (*x509.Certificate, cry
require.FileExists(t, certPath)
require.FileExists(t, keyPath)
fi, err := os.Stat(keyPath)
if err != nil {
t.Fatal("should not happen", err)
}
if want, have := fs.FileMode(0600), fi.Mode().Perm(); want != have {
t.Fatalf("private key file %s: permissions: want: %o; have: %o", keyPath, want, have)
}
certData, err := ioutil.ReadFile(certPath)
require.NoError(t, err)
keyData, err := ioutil.ReadFile(keyPath)