cli: consul tls: create private keys with mode 0600

This applies to

consul tls ca create
consul tls cert create -client
consul tls cert create -server

Closes: #11741
Marco Molteni 2021-12-08 20:16:36 +01:00
parent a031de21c0
commit 8a4b92c176
4 changed files with 20 additions and 2 deletions


@ -83,7 +83,7 @@ func (c *cmd) Run(args []string) int {
} }
c.UI.Output("==> Saved " + certFileName) c.UI.Output("==> Saved " + certFileName)
if err := file.WriteAtomicWithPerms(pkFileName, []byte(pk), 0755, 0666); err != nil { if err := file.WriteAtomicWithPerms(pkFileName, []byte(pk), 0755, 0600); err != nil {
c.UI.Error(err.Error()) c.UI.Error(err.Error())
return 1 return 1
} }
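Review bot: The 0600 on the changed line and the 0755 directory mode on the same call are bare octal literals that now also appear verbatim in the cert create command (the hunk at @ -196,7 +196,7 @@); a named constant such as `const privateKeyFileMode = 0600 // owner read/write only`, declared where both commands can reach it, would carry the intent and keep the two call sites from drifting apart again. Whether the mode is effective end to end depends on how file.WriteAtomicWithPerms applies it to the temporary file before the rename, which is not on the page; it is worth confirming the temporary file is not created with a looser mode first. The enclosing Run method starts and ends outside the hunk.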


@ -3,6 +3,7 @@ package create
import ( import (
"crypto" "crypto"
"crypto/x509" "crypto/x509"
"io/fs"
"io/ioutil" "io/ioutil"
"os" "os"
"strings" "strings"
@ -120,6 +121,14 @@ func expectFiles(t *testing.T, caPath, keyPath string) (*x509.Certificate, crypt
require.FileExists(t, caPath) require.FileExists(t, caPath)
require.FileExists(t, keyPath) require.FileExists(t, keyPath)
fi, err := os.Stat(keyPath)
if err != nil {
t.Fatal("should not happen", err)
}
if want, have := fs.FileMode(0600), fi.Mode().Perm(); want != have {
t.Fatalf("private key file %s: permissions: want: %o; have: %o", keyPath, want, have)
}
caData, err := ioutil.ReadFile(caPath) caData, err := ioutil.ReadFile(caPath)
require.NoError(t, err) require.NoError(t, err)
keyData, err := ioutil.ReadFile(keyPath) keyData, err := ioutil.ReadFile(keyPath)
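Review bot: `t.Fatal("should not happen", err)` on the new os.Stat check breaks with the rest of expectFiles, which uses `require.NoError(t, err)` two lines below; using `require.NoError(t, err)` here too keeps the helper uniform and gives a readable failure message. The new `io/fs` import exists only for `fs.FileMode(0600)`, and since `os` is already imported and `os.FileMode` is the same type, `os.FileMode(0600)` would avoid the extra import; the same applies to the matching hunks in the cert create test (@ -3,6 +3,7 @@ and @ -242,6 +243,14 @@). If this suite also runs on Windows, where Go reports fixed permission bits for regular files, the exact 0600 comparison would need a `runtime.GOOS` guard, though I cannot tell from the page whether that platform is in CI. expectFiles continues outside the hunk.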


@ -196,7 +196,7 @@ func (c *cmd) Run(args []string) int {
} }
c.UI.Output("==> Saved " + certFileName) c.UI.Output("==> Saved " + certFileName)
if err := file.WriteAtomicWithPerms(pkFileName, []byte(priv), 0755, 0666); err != nil { if err := file.WriteAtomicWithPerms(pkFileName, []byte(priv), 0755, 0600); err != nil {
c.UI.Error(err.Error()) c.UI.Error(err.Error())
return 1 return 1
} }


@ -3,6 +3,7 @@ package create
import ( import (
"crypto" "crypto"
"crypto/x509" "crypto/x509"
"io/fs"
"io/ioutil" "io/ioutil"
"net" "net"
"os" "os"
@ -242,6 +243,14 @@ func expectFiles(t *testing.T, certPath, keyPath string) (*x509.Certificate, cry
require.FileExists(t, certPath) require.FileExists(t, certPath)
require.FileExists(t, keyPath) require.FileExists(t, keyPath)
fi, err := os.Stat(keyPath)
if err != nil {
t.Fatal("should not happen", err)
}
if want, have := fs.FileMode(0600), fi.Mode().Perm(); want != have {
t.Fatalf("private key file %s: permissions: want: %o; have: %o", keyPath, want, have)
}
certData, err := ioutil.ReadFile(certPath) certData, err := ioutil.ReadFile(certPath)
require.NoError(t, err) require.NoError(t, err)
keyData, err := ioutil.ReadFile(keyPath) keyData, err := ioutil.ReadFile(keyPath)