Add default permissions for certificate, chain, and private key installation

Currently the mode is specified throughout all the ansible vars that
provide input to the PKI role, but in almost all cases the
permissions are determined by the `type`, if it is present.

Change-Id: Iec65c9078fda14ff15151c1f7d48d35325adab12
Signed-off-by: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Jonathan Rosser
2025-08-18 19:08:04 +01:00
parent fc7db02074
commit 7cff89ee71
4 changed files with 15 additions and 8 deletions


@@ -163,3 +163,10 @@ pki_cert_mode: "0644"
pki_cert_dir_mode: "0755"
pki_key_mode: "0600"
pki_key_dir_mode: "0700"
# permissions used when files are installed on the target
pki_file_mode:
certificate: "{{ pki_cert_mode }}"
certificate_chain: "{{ pki_cert_mode }}"
ca_bundle: "{{ pki_cert_mode }}"
private_key: "{{ pki_key_mode }}"
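Review bot: The comment `# permissions used when files are installed on the target` does not tell an operator that `pki_file_mode` is looked up by an item's `type` and that an inventory override of a dict variable replaces the whole mapping, so a partial override (say only `private_key`) silently drops the other three entries and any item of those types then has no mode to fall back to. A fuller comment such as `# keyed by the install item's 'type'; an override replaces the whole dict, so set all four keys` would make the contract explicit. The values themselves are templated from `pki_cert_mode`/`pki_key_mode` and remain quoted strings, which keeps the octal modes from being reinterpreted.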


@@ -161,25 +161,21 @@ pki_install_certificates:
type: "certificate"
owner: "root"
group: "root"
mode: "0644"
- name: "{{ ansible_facts['hostname'] ~ '_1' }}"
dest: "{{ functional_install_chain_name_1_dest }}"
type: "certificate_chain"
owner: "root"
group: "root"
mode: "0640"
- name: "{{ ansible_facts['hostname'] ~ '_1' }}"
dest: "{{ functional_install_ca_bundle_name_1_dest }}"
type: "ca_bundle"
owner: "root"
group: "root"
mode: "0640"
- name: "{{ ansible_facts['hostname'] ~ '_1' }}"
dest: "{{ functional_install_key_name_1_dest }}"
type: "private_key"
owner: "root"
group: "root"
mode: "0640"
# Custom certificate installation search pattern
pki_search_install_certificates_pattern: "foo_install_certificates_"


@@ -96,8 +96,11 @@
- ca_bundle_1_stat.stat.exists
- key_1_stat.stat.exists
- cert_name_1_stat.stat.exists
- cert_name_1_stat.stat.mode == "0644"
- chain_name_1_stat.stat.exists
- chain_name_1_stat.stat.mode == "0644"
- key_name_1_stat.stat.exists
- key_name_1_stat.stat.mode == "0600"
- cert_2_stat.stat.exists
- chain_2_stat.stat.exists
- ca_bundle_2_stat.stat.exists
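Review bot: The added mode assertions pin the certificate, chain and key modes but not the CA bundle, even though `ca_bundle_1_stat.stat.exists` is already asserted above and the new `pki_file_mode` default gives `ca_bundle` its own entry (`pki_cert_mode`). Adding `- ca_bundle_1_stat.stat.mode == "0644"` after the exists check would cover the fourth type the commit introduces. The enclosing assert task starts outside this hunk.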


@@ -51,7 +51,7 @@
ansible.builtin.file:
path: "{{ install }}"
state: directory
mode: "0755"
mode: "{{ pki_cert_dir_mode }}"
loop: "{{ _cert_slurp.results | map(attribute='item') | map(attribute='dest') | map('dirname') | unique }}"
loop_control:
loop_var: install
@@ -60,7 +60,7 @@
loop_label:
path: "{{ install }}"
state: directory
mode: "0755"
mode: "{{ pki_cert_dir_mode }}"
- name: Install Server certificates to targets
ansible.builtin.copy:
@@ -68,17 +68,18 @@
dest: "{{ install.item.dest }}"
owner: "{{ install.item.owner | default(omit) }}"
group: "{{ install.item.group | default(omit) }}"
mode: "{{ install.item.mode | default('0644') }}"
mode: "{{ _mode }}"
loop: "{{ _cert_slurp.results }}"
loop_control:
loop_var: install
label: "{{ loop_label | to_json }}"
vars:
_mode : "{{ install.item.mode | d(pki_file_mode[install.item.type | d('certificate')]) }}"
loop_label:
dest: "{{ install.item.dest }}"
owner: "{{ install.item.owner | default(omit) }}"
group: "{{ install.item.group | default('omit') }}"
mode: "{{ install.item.mode | default('0644') }}"
mode: "{{ _mode }}"
ignore_errors: "{{ ansible_check_mode }}"
notify:
- "{{ pki_handler_cert_installed }}"
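Review bot: The new lookup on the `vars:` line, `_mode : "{{ install.item.mode | d(pki_file_mode[install.item.type | d('certificate')]) }}"`, falls back to the certificate entry whenever an item carries no `type`, so an untyped item that is in fact a private key would be installed with the more permissive `pki_cert_mode` rather than `pki_key_mode`; if untyped key items are possible, the fallback should be the key mode or `type` should be required. A `type` that is not a key of `pki_file_mode` (or a partial inventory override of that dict) presumably leaves the lookup undefined so the copy fails, which is the safe direction but deserves a comment such as `# items without a mode take the mode for their type; unknown types fail rather than fall back`. Style: drop the space before the colon in `_mode :` and use `default(...)` as the neighbouring `owner`/`group` lines do. The two earlier hunks in this file switch the directory mode to `pki_cert_dir_mode` for every destination directory, presumably including those created for private keys, which matches the previous hard-coded `0755` but means `pki_key_dir_mode` is never applied there. The `Install Server certificates to targets` task begins before this hunk.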