Return-Path: X-Original-To: apmail-ambari-commits-archive@www.apache.org Delivered-To: apmail-ambari-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 381E619B76 for ; Thu, 21 Apr 2016 20:29:31 +0000 (UTC) Received: (qmail 41159 invoked by uid 500); 21 Apr 2016 20:29:31 -0000 Delivered-To: apmail-ambari-commits-archive@ambari.apache.org Received: (qmail 41131 invoked by uid 500); 21 Apr 2016 20:29:31 -0000 Mailing-List: contact commits-help@ambari.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: ambari-dev@ambari.apache.org Delivered-To: mailing list commits@ambari.apache.org Received: (qmail 41122 invoked by uid 99); 21 Apr 2016 20:29:31 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 21 Apr 2016 20:29:31 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 033C7DFDE0; Thu, 21 Apr 2016 20:29:31 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: alejandro@apache.org To: commits@ambari.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: ambari git commit: AMBARI-15496. /var/lib/ambari-agent/cache/cluster_configuration/configurations.json file contains various passwords in plain text in world readable file (Shantanu Mundkur via alejandro) Date: Thu, 21 Apr 2016 20:29:31 +0000 (UTC) Repository: ambari Updated Branches: refs/heads/trunk 04f7d5c3e -> 360fcfeb8 AMBARI-15496. /var/lib/ambari-agent/cache/cluster_configuration/configurations.json file contains various passwords in plain text in world readable file (Shantanu Mundkur via alejandro) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/360fcfeb Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/360fcfeb Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/360fcfeb Branch: refs/heads/trunk Commit: 360fcfeb82d45cb0db0ce3e857ab2ac327d7ca99 Parents: 04f7d5c Author: Alejandro Fernandez Authored: Thu Apr 21 13:29:12 2016 -0700 Committer: Alejandro Fernandez Committed: Thu Apr 21 13:29:12 2016 -0700 ---------------------------------------------------------------------- .../python/ambari_agent/ClusterConfiguration.py | 2 +- .../src/test/python/ambari_agent/TestAlerts.py | 17 +++++++++++---- .../TestClusterConfigurationCache.py | 22 +++++++++++++------- 3 files changed, 28 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/360fcfeb/ambari-agent/src/main/python/ambari_agent/ClusterConfiguration.py ---------------------------------------------------------------------- diff --git a/ambari-agent/src/main/python/ambari_agent/ClusterConfiguration.py b/ambari-agent/src/main/python/ambari_agent/ClusterConfiguration.py index 8d3b6f0..72b87be 100644 --- a/ambari-agent/src/main/python/ambari_agent/ClusterConfiguration.py 
+++ b/ambari-agent/src/main/python/ambari_agent/ClusterConfiguration.py @@ -129,7 +129,7 @@ class ClusterConfiguration(): self.__file_lock.acquire() try: - with open(self.__config_json_file, 'w') as f: + with os.fdopen(os.open(self.__config_json_file, os.O_WRONLY | os.O_CREAT, 0o600), "w") as f: json.dump(self.__configurations, f, indent=2) except Exception, exception : logger.exception("Unable to update configurations for cluster {0}".format(cluster_name)) http://git-wip-us.apache.org/repos/asf/ambari/blob/360fcfeb/ambari-agent/src/test/python/ambari_agent/TestAlerts.py ---------------------------------------------------------------------- diff --git a/ambari-agent/src/test/python/ambari_agent/TestAlerts.py b/ambari-agent/src/test/python/ambari_agent/TestAlerts.py index cdc960b..e114daa 100644 --- a/ambari-agent/src/test/python/ambari_agent/TestAlerts.py +++ b/ambari-agent/src/test/python/ambari_agent/TestAlerts.py @@ -49,6 +49,7 @@ class TestAlerts(TestCase): def setUp(self): # save original open() method for later use self.original_open = open + self.original_osfdopen = os.fdopen self.config = AmbariConfig() def tearDown(self): @@ -1280,15 +1281,16 @@ class TestAlerts(TestCase): return cluster_configuration - def __update_cluster_configuration(self, cluster_configuration, configuration): + @patch("os.open") + @patch("os.fdopen") + def __update_cluster_configuration(self, cluster_configuration, configuration, osfdopen_mock, osopen_mock): """ Updates the configuration cache, using as mock file as the disk based cache so that a file is not created during tests :return: """ - with patch("__builtin__.open") as open_mock: - open_mock.side_effect = self.open_side_effect - cluster_configuration._update_configurations("c1", configuration) + osfdopen_mock.side_effect = self.osfdopen_side_effect + cluster_configuration._update_configurations("c1", configuration) def open_side_effect(self, file, mode): 
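Review bot: The new `os.open(self.__config_json_file, os.O_WRONLY | os.O_CREAT, 0o600)` call in `ClusterConfiguration.py` drops the truncation that `open(path, 'w')` performed, so when the re-dumped JSON is shorter than what is already on disk the old tail is left behind and the cache file is no longer valid JSON. The `0o600` mode is also only applied when the file is created, so a `configurations.json` written world-readable by an earlier agent keeps its permissions and the passwords stay exposed after an upgrade. I would open with `fd = os.open(self.__config_json_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`, then call `os.fchmod(fd, 0o600)` (or `os.chmod` on the path where `fchmod` is unavailable) before `os.fdopen(fd, "w")`. The enclosing method starts and ends outside the hunk.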
@@ -1298,6 +1300,13 @@ class TestAlerts(TestCase): else: return self.original_open(file, mode) + def osfdopen_side_effect(self, fd, mode): + if mode == 'w': + file_mock = MagicMock() + return file_mock + else: + return self.original_open(file, mode) + def _get_script_alert_definition(self): return { http://git-wip-us.apache.org/repos/asf/ambari/blob/360fcfeb/ambari-agent/src/test/python/ambari_agent/TestClusterConfigurationCache.py ---------------------------------------------------------------------- diff --git a/ambari-agent/src/test/python/ambari_agent/TestClusterConfigurationCache.py b/ambari-agent/src/test/python/ambari_agent/TestClusterConfigurationCache.py index e82fca2..a418f6d 100644 --- a/ambari-agent/src/test/python/ambari_agent/TestClusterConfigurationCache.py +++ b/ambari-agent/src/test/python/ambari_agent/TestClusterConfigurationCache.py @@ -28,6 +28,9 @@ from unittest import TestCase class TestClusterConfigurationCache(TestCase): + o_flags = os.O_WRONLY | os.O_CREAT + perms = 0o600 + def setUp(self): # save original open() method for later use self.original_open = open @@ -64,8 +67,11 @@ class TestClusterConfigurationCache(TestCase): { 'bar': 'rendered-bar', 'baz' : 'rendered-baz' } } - file_mock = self.__update_cluster_configuration(cluster_configuration, configuration) - file_mock.assert_called_with(os.sep + "foo" + os.sep + "bar" + os.sep + "baz" + os.sep + "configurations.json", 'w') + osopen_mock, osfdopen_mock = self.__update_cluster_configuration(cluster_configuration, configuration) + osopen_mock.assert_called_with(os.sep + "foo" + os.sep + "bar" + os.sep + "baz" + os.sep + "configurations.json", + TestClusterConfigurationCache.o_flags, + TestClusterConfigurationCache.perms); + osfdopen_mock.assert_called_with(11, "w") json_dump_mock.assert_called_with({'c1': {'foo-site': {'baz': 'rendered-baz', 'bar': 'rendered-bar'}}}, ANY, indent=2) pass 
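Review bot: The `else` branch of the added `osfdopen_side_effect` in `TestAlerts.py` calls `self.original_open(file, mode)`, but this method's parameter is `fd`, so `file` resolves to the Python 2 builtin type rather than an argument and the call would fail if that branch were ever reached. It looks copied from `open_side_effect`; the `self.original_osfdopen` saved in `setUp` by this same commit is otherwise unused in the visible hunks and is presumably what was meant. I would change the line to `return self.original_osfdopen(fd, mode)`.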
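Review bot: The updated assertion in `TestClusterConfigurationCache.py` only checks the arguments handed to a mocked `os.open`, so nothing verifies the property the commit is about, namely that the cache file ends up owner-only on disk. Because `o_flags` mirrors the production flags, the test would also keep passing if a needed flag were missing. A companion test that writes into a temporary directory and asserts `stat.S_IMODE(os.stat(path).st_mode) == 0o600`, including the case where the file already exists with wider permissions, would cover that. As a style point, the trailing `;` after `TestClusterConfigurationCache.perms)` should go.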
@@ -82,18 +88,18 @@ class TestClusterConfigurationCache(TestCase): return cluster_configuration - def __update_cluster_configuration(self, cluster_configuration, configuration): + @patch("os.open") + @patch("os.fdopen") + def __update_cluster_configuration(self, cluster_configuration, configuration, osfdopen_mock, osopen_mock): """ Updates the configuration cache, using as mock file as the disk based cache so that a file is not created during tests :return: """ - with patch("__builtin__.open") as open_mock: - open_mock.side_effect = self.open_side_effect - cluster_configuration._update_configurations("c1", configuration) - - return open_mock + osopen_mock.return_value = 11 + cluster_configuration._update_configurations("c1", configuration) + return osopen_mock, osfdopen_mock def open_side_effect(self, file, mode): if mode == 'w':
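Review bot: The fake descriptor `11` set by `osopen_mock.return_value = 11` in this helper is repeated as a bare literal in the test's `osfdopen_mock.assert_called_with(11, "w")`, so the two can drift apart silently. A class attribute next to `o_flags` and `perms`, e.g. `fake_fd = 11`, used in both places would keep them tied together. The docstring still ends in an empty `:return:` although the helper now returns a tuple; I would write `:return: (osopen_mock, osfdopen_mock), the mocks patched over os.open and os.fdopen`. `open_side_effect`, whose body continues outside the hunk, appears to be unused by this helper after the change and may be removable.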