Move the chmod function before the write and flush functions to preve…

…nt sensitive information leakage. Closes-Bug: #2047690 Change-Id: I2b88a14cc67a4fba35fcfc187a91771e1d714844 (cherry picked from commit cb71d19) (cherry picked from commit 272fd68)
stackhpc · Jan 31, 2024 · 883b40b · 883b40b
1 parent 36cf1c8
commit 883b40b
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/magnum/conductor/handlers/common/cert_manager.py b/magnum/conductor/handlers/common/cert_manager.py
@@ -189,23 +189,22 @@ def create_client_files(cluster, context=None):
             magnum_cert = get_cluster_magnum_cert(cluster, context)
 
             ca_file = open(cached_ca_file, "w+")
+            os.chmod(cached_ca_file, 0o600)
             ca_file.write(encodeutils.safe_decode(ca_cert.get_certificate()))
             ca_file.flush()
 
             key_file = open(cached_key_file, "w+")
+            os.chmod(cached_key_file, 0o600)
             key_file.write(encodeutils.safe_decode(
                 magnum_cert.get_decrypted_private_key()))
             key_file.flush()
 
             cert_file = open(cached_cert_file, "w+")
+            os.chmod(cached_cert_file, 0o600)
             cert_file.write(
                 encodeutils.safe_decode(magnum_cert.get_certificate()))
             cert_file.flush()
 
-            os.chmod(cached_ca_file, 0o600)
-            os.chmod(cached_key_file, 0o600)
-            os.chmod(cached_cert_file, 0o600)
-
         else:
             ca_file = open(cached_ca_file, "r")
             key_file = open(cached_key_file, "r")