Merge pull request mattfinlayson#43 from trumant/cert_perms

mattfinlayson · mattfinlayson · commit 5079f4edfab1 · 2015-08-04T09:42:34.000-07:00
Certs and key should not be world readable
diff --git a/tasks/install.yml b/tasks/install.yml
@@ -50,17 +50,32 @@
 
 - name: create TLS key
   no_log: True
-  copy: content="{{ consul_tls_key }}" dest="{{ consul_key_file }}" owner={{consul_user}} group={{consul_group}}
+  copy: >
+    content="{{ consul_tls_key }}"
+    dest="{{ consul_key_file }}"
+    owner={{consul_user}}
+    group={{consul_group}}
+    mode=0600
   when: consul_tls_key is defined
 
 - name: create TLS cert
   no_log: True
-  copy: content="{{ consul_tls_cert }}" dest="{{ consul_cert_file }}" owner={{consul_user}} group={{consul_group}}
+  copy: >
+    content="{{ consul_tls_cert }}"
+    dest="{{ consul_cert_file }}"
+    owner={{consul_user}}
+    group={{consul_group}}
+    mode=0600
   when: consul_tls_cert is defined
 
 - name: create TLS root CA cert
   no_log: True
-  copy: content="{{ consul_tls_ca_cert }}" dest="{{ consul_ca_file }}" owner={{consul_user}} group={{consul_group}}
+  copy: >
+    content="{{ consul_tls_ca_cert }}"
+    dest="{{ consul_ca_file }}"
+    owner={{consul_user}}
+    group={{consul_group}}
+    mode=0600
   when: consul_tls_ca_cert is defined
 
 - name: set ownership
diff --git a/test/integration/tls/serverspec/consul_tls_spec.rb b/test/integration/tls/serverspec/consul_tls_spec.rb
@@ -11,6 +11,7 @@
     describe file("/opt/consul/cert/#{file}") do
       it { should be_file }
       it { should be_owned_by('consul') }
+      it { should be_mode 600 }
     end
   end
 
