Merge pull request #188 from flyingcircusio/certificate-user

`ssl.Certificate`: Set proper ACL for non-let's encrypt certificates.
flyingcircusio · Aug 12, 2024 · 5853e28 · 5853e28
2 parents 8b32241 + caddf51
commit 5853e28
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/CHANGES.d/20240812_145407_cz_certificate_user.md b/CHANGES.d/20240812_145407_cz_certificate_user.md
@@ -0,0 +1 @@
+- `ssl.Certificate`: Set proper ACL for non-let's encrypt certificates.
diff --git a/src/batou_ext/ssl.py b/src/batou_ext/ssl.py
@@ -11,6 +11,8 @@
 import pkg_resources
 import six
 
+from .acl import ACL
+
 
 class Certificate(batou.component.Component):
     """SSL certificate management using let's encrypt -- or not
@@ -132,12 +134,21 @@ def configure(self):
                 sensitive_data=True,
             )
             self += self.key_file
+            self += ACL(
+                self.key_file.path,
+                ruleset=[
+                    "user::rw-",
+                    f"user:{self.granted_user}:r--",
+                    "group::---",
+                    "mask::r--",
+                    "other::---",
+                ],
+            )
 
             if self.trusted_crt_content:
                 self.trusted_file = batou.lib.file.File(
                     "{}/{}.trust.crt".format(self.workdir, self.domain),
                     content=self.trusted_crt_content,
-                    mode=0o600,
                 )
                 self += self.trusted_file
                 self.trusted = self.trusted_file.path
@@ -257,7 +268,6 @@ def update(self):
 
 
 class ActivateLetsEncrypt(batou.component.Component):
-
     cert: Certificate = None
 
     def verify(self):
@@ -275,7 +285,6 @@ def namevar_for_breadcrumb(self):
 
 
 class CertificateCheck(batou.component.Component):
-
     namevar = "public_name"
     warning_days = 25
     critical_days = 14