Merge pull request #148 from TheOneAboveAllTitan/issues/147

nemesifier · web-flow · commit 4e7bd81ec6a7 · 2020-03-28T10:39:27.000-05:00
[x509] Added dedicated file mode for generated x509 certificates #147
diff --git a/netjsonconfig/backends/openvpn/openvpn.py b/netjsonconfig/backends/openvpn/openvpn.py
@@ -1,4 +1,4 @@
-from ...schema import DEFAULT_FILE_MODE
+from ...schema import X509_FILE_MODE
 from ..base.backend import BaseBackend
 from . import converters
 from .parser import OpenVpnParser, config_suffix, vpn_pattern
@@ -121,15 +121,15 @@ def _auto_client_files(cls, client, ca_path=None, ca_contents=None, cert_path=No
             client['ca'] = ca_path
             files.append(dict(path=ca_path,
                               contents=ca_contents,
-                              mode=DEFAULT_FILE_MODE))
+                              mode=X509_FILE_MODE))
         if cert_path and cert_contents:
             client['cert'] = cert_path
             files.append(dict(path=cert_path,
                               contents=cert_contents,
-                              mode=DEFAULT_FILE_MODE))
+                              mode=X509_FILE_MODE))
         if key_path and key_contents:
             client['key'] = key_path
             files.append(dict(path=key_path,
                               contents=key_contents,
-                              mode=DEFAULT_FILE_MODE,))
+                              mode=X509_FILE_MODE,))
         return files
diff --git a/netjsonconfig/schema.py b/netjsonconfig/schema.py
@@ -7,6 +7,7 @@
 from .countries import countries
 
 DEFAULT_FILE_MODE = '0644'
+X509_FILE_MODE = '0600'
 MAC_PATTERN = '([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})'
 MAC_PATTERN_BLANK = '^({0}|)$'.format(MAC_PATTERN)
 
diff --git a/tests/openvpn/test_backend.py b/tests/openvpn/test_backend.py
@@ -586,17 +586,17 @@ def test_auto_client_complex(self):
 # ---------- files ---------- #
 
 # path: {{ca_path_1}}
-# mode: 0644
+# mode: 0600
 
 {{ca_contents_1}}
 
 # path: {{cert_path_1}}
-# mode: 0644
+# mode: 0600
 
 {{cert_contents_1}}
 
 # path: {{key_path_1}}
-# mode: 0644
+# mode: 0600
 
 {{key_contents_1}}
 
diff --git a/tests/openwisp/test_backend.py b/tests/openwisp/test_backend.py
@@ -107,12 +107,12 @@ class TestBackend(unittest.TestCase, _TabsMixin):
         "files": [
             {
                 "path": "/openvpn/x509/ca_1_service.pem",
-                "mode": "0644",
+                "mode": "0600",
                 "contents": "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----\n"  # noqa
             },
             {
                 "path": "/openvpn/x509/l2vpn_client_2693.pem",
-                "mode": "0644",
+                "mode": "0600",
                 "contents": "-----BEGIN CERTIFICATE-----\ntest==\n-----END CERTIFICATE-----\n-----BEGIN RSA PRIVATE KEY-----\ntest\n-----END RSA PRIVATE KEY-----\n"  # noqa
             }
         ]

Original file line number	Diff line number	Diff line change
`@@ -107,12 +107,12 @@ class TestBackend(unittest.TestCase, _TabsMixin):`
`107`	`107`	`"files": [`
`108`	`108`	`{`
`109`	`109`	`"path": "/openvpn/x509/ca_1_service.pem",`
`110`		`- "mode": "0644",`
	`110`	`+ "mode": "0600",`
`111`	`111`	`"contents": "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----\n" # noqa`
`112`	`112`	`},`
`113`	`113`	`{`
`114`	`114`	`"path": "/openvpn/x509/l2vpn_client_2693.pem",`
`115`		`- "mode": "0644",`
	`115`	`+ "mode": "0600",`
`116`	`116`	`"contents": "-----BEGIN CERTIFICATE-----\ntest==\n-----END CERTIFICATE-----\n-----BEGIN RSA PRIVATE KEY-----\ntest\n-----END RSA PRIVATE KEY-----\n" # noqa`
`117`	`117`	`}`
`118`	`118`	`]`