enforce restricting secret file permissions to user read/write

Author: jreiberkyle

planet/auth.py

@@ -19,15 +19,16 @@
 import logging
 import os
 import pathlib
+import stat
 import typing
+from typing import Optional
 
 import httpx
 import jwt
 
 from . import http
 from .constants import ENV_API_KEY, PLANET_BASE_URL, SECRET_FILE_PATH
 from .exceptions import AuthException
-from typing import Optional
 
 LOGGER = logging.getLogger(__name__)
 
@@ -226,8 +227,15 @@ def value(self):
 
 class _SecretFile:
 
-    def __init__(self, path):
-        self.path = path
+    def __init__(self, path: typing.Union[str, pathlib.Path]):
+        self.path = pathlib.Path(path)
+
+        self.permissions = stat.S_IRUSR | stat.S_IWUSR  # user rw
+
+        # in sdk versions <=2.0.0, secret file was created with the wrong
+        # permissions, fix this automatically as well as catching the unlikely
+        # cases where the permissions get changed externally
+        self._enforce_permissions()
 
     def write(self, contents: dict):
         try:
@@ -240,11 +248,29 @@ def write(self, contents: dict):
 
     def _write(self, contents: dict):
         LOGGER.debug(f'Writing to {self.path}')
-        with open(self.path, 'w') as fp:
+
+        def opener(path, flags):
+            return os.open(path, flags, self.permissions)
+
+        with open(self.path, 'w', opener=opener) as fp:
             fp.write(json.dumps(contents))
 
     def read(self) -> dict:
         LOGGER.debug(f'Reading from {self.path}')
         with open(self.path, 'r') as fp:
             contents = json.loads(fp.read())
         return contents
+
+    def _enforce_permissions(self):
+        '''if the file's permissions are not what they should be, fix them'''
+        try:
+            # in octal, permissions is the last three bits of the mode
+            file_permissions = self.path.stat().st_mode & 0o777
+            if file_permissions != self.permissions:
+                LOGGER.debug(
+                    f'{self.path} permissions are {oct(file_permissions)}, '
+                    f'should be {oct(self.permissions)}. Fixing.')
+                self.path.chmod(self.permissions)
+        except FileNotFoundError:
+            # just skip it if the secret file doesn't exist
+            pass

tests/unit/test_auth.py

@@ -31,7 +31,7 @@ def test_secretfile_read():
 
 @pytest.fixture
 def secret_path(monkeypatch, tmp_path):
-    secret_path = str(tmp_path / '.test')
+    secret_path = tmp_path / '.test'
     monkeypatch.setattr(auth, 'SECRET_FILE_PATH', secret_path)
     yield secret_path
 
@@ -138,3 +138,19 @@ def test_Auth_store_exists(tmp_path):
 
     with open(secret_path, 'r') as fp:
         assert json.loads(fp.read()) == {"key": "test", "existing": "exists"}
+
+
+def test__SecretFile_permissions_doesnotexist(secret_path):
+    '''No exception is raised if the file doesn't exist'''
+    auth._SecretFile(secret_path)
+
+
+def test__SecretFile_permissions_incorrect(secret_path):
+    '''Incorrect permissions are fixed'''
+    with open(secret_path, 'w') as fp:
+        fp.write('{"existing": "exists"}')
+
+    secret_path.chmod(0o666)
+
+    auth._SecretFile(secret_path)
+    assert secret_path.stat().st_mode & 0o777 == 0o600