Config: Support refuse_mode_mask
refuse_mode_mask can be passed to the constructor and determines which permission bits need to be absent from config file modes if they smell like they contain secrets. Signed-off-by: Jan Lindemann <jan@janware.com>
This commit is contained in:
parent
17ab47e96a
commit
e688cd2364
1 changed files with 18 additions and 16 deletions
|
|
@ -13,7 +13,7 @@ from .log import *
|
||||||
|
|
||||||
class Config(): # export
|
class Config(): # export
|
||||||
|
|
||||||
def __load(self, search_dirs, glob_paths):
|
def __load(self, search_dirs, glob_paths, refuse_mode_mask):
|
||||||
|
|
||||||
def __is_abs(path):
|
def __is_abs(path):
|
||||||
if path is None:
|
if path is None:
|
||||||
|
|
@ -45,18 +45,19 @@ class Config(): # export
|
||||||
paths_buf = []
|
paths_buf = []
|
||||||
tree = stree.read(f, paths_buf=paths_buf)
|
tree = stree.read(f, paths_buf=paths_buf)
|
||||||
assert(len(paths_buf))
|
assert(len(paths_buf))
|
||||||
|
if refuse_mode_mask is not None:
|
||||||
for p in paths_buf:
|
for p in paths_buf:
|
||||||
st = os.stat(p)
|
st = os.stat(p)
|
||||||
if st.st_mode & 0o0077:
|
if st.st_mode & refuse_mode_mask:
|
||||||
for item in tree.child_list():
|
for item in tree.child_list():
|
||||||
if item.content is None:
|
if item.content is None:
|
||||||
continue
|
continue
|
||||||
if not re.search('password|secret', cast(str, item.content), flags=re.IGNORECASE):
|
if not re.search('password|secret', cast(str, item.content), flags=re.IGNORECASE):
|
||||||
continue
|
continue
|
||||||
msg = "Config files define secret, but at least one has file permissions open for group or world"
|
msg = "Config files define secret, but at least one has file permissions open for world"
|
||||||
slog(ERR, f'{msg}:')
|
slog(ERR, f'{msg}:')
|
||||||
for pp in paths_buf:
|
for pp in paths_buf:
|
||||||
slog(ERR, f' {((os.stat(p).st_mode) & 0o7777):o} {pp}')
|
slog(ERR, f' {((os.stat(pp).st_mode) & 0o7777):o} {pp}')
|
||||||
raise Exception(msg)
|
raise Exception(msg)
|
||||||
tree.dump(DEBUG, f)
|
tree.dump(DEBUG, f)
|
||||||
ret.add("", tree)
|
ret.add("", tree)
|
||||||
|
|
@ -64,7 +65,7 @@ class Config(): # export
|
||||||
|
|
||||||
def __init__(self, search_dirs: Optional[list[str]]=None, glob_paths: Optional[list[str]]=None,
|
def __init__(self, search_dirs: Optional[list[str]]=None, glob_paths: Optional[list[str]]=None,
|
||||||
defaults: Optional[Dict[str, str]]=None, tree: Optional[StringTree]=None, parent=None,
|
defaults: Optional[Dict[str, str]]=None, tree: Optional[StringTree]=None, parent=None,
|
||||||
root_section=None) -> None:
|
root_section=None, refuse_mode_mask=0o0027) -> None:
|
||||||
|
|
||||||
self.__parent = parent
|
self.__parent = parent
|
||||||
|
|
||||||
|
|
@ -74,7 +75,8 @@ class Config(): # export
|
||||||
self.__conf = tree
|
self.__conf = tree
|
||||||
else:
|
else:
|
||||||
assert(tree is None)
|
assert(tree is None)
|
||||||
self.__conf = self.__load(search_dirs=search_dirs, glob_paths=glob_paths)
|
self.__conf = self.__load(search_dirs=search_dirs, glob_paths=glob_paths,
|
||||||
|
refuse_mode_mask=refuse_mode_mask)
|
||||||
|
|
||||||
if root_section is not None:
|
if root_section is not None:
|
||||||
tmp = self.__conf.get(root_section)
|
tmp = self.__conf.get(root_section)
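Review bot: The default `refuse_mode_mask=0o0027` in the `__init__` signature silently relaxes the previous hard-coded `0o0077` test in `__load`: a secret-bearing config file that is group-readable (mode 0640) was refused before this commit and is accepted after it, and neither the commit message nor the code says so. If the relaxation is intended, document it on `__init__`, e.g. `# refuse_mode_mask: permission bits that must be clear on every config file whose content matches password|secret; None disables the check (default 0o0027: group-write plus all world bits)`; otherwise keep `0o0077` as the default to preserve behaviour. The error text in `__load` still hard-codes "open for world" although the mask is now caller-supplied, so `msg = f"Config files define secret, but at least one has file permissions matching refuse mask {refuse_mode_mask:04o}"` would describe every configuration accurately. Both `__load` and `__init__` extend beyond the hunks shown.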
|
||||||
|
|
|
||||||