commit fe590c4e28e28f611162f5766681d6396d6fd59b
author Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com> Tue Dec 10 12:33:50 2019 +0100
committer Zbigniew Kurzynski <zbigniew.kurzynski@intel.com> Thu Dec 12 13:54:04 2019 +0100
tree 8ca34fa5d42abbbfbb034fefb7afe680e29ec023
parent 667286e4f7dc31a9ab786307092919901adccbb5

Limit access permissions for authority cert directory.

This patch is about limit access permissions for authority certificates
directory. Additionally this patch fixes UTs issues catched here:
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/26835
and disscussed here:
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/27810

Tested:
 1) All UTs passed.
 2) Manually checked access permissions:
    root@intel-obmc:~# ls -al /etc/ssl/certs
    drwx------    4 root     root            80 Dec  10 12:31 .
    drwxr-xr-x    3 root     root            80 Dec  10 12:31 ..
    drwx------    2 root     root            40 Dec  10 12:31 authority
    drwx------    2 root     root            60 Dec  10 12:31 https

Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
Change-Id: I63c698fa776aec01eed44e91ebbae956e707d52d
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>

certs_manager.cpp

diff --git a/certs_manager.cpp b/certs_manager.cpp
index 6469f2a..ca6f356 100644
--- a/certs_manager.cpp
+++ b/certs_manager.cpp
@@ -33,17 +33,28 @@
     unitToRestart(std::move(unit)), certInstallPath(std::move(installPath)),
     certParentInstallPath(fs::path(certInstallPath).parent_path())
 {
-    // create parent certificate path if not existing
+    // Create certificate directory if not existing.
+    // Set correct certificate directory permitions.
+    fs::path certDirectory;
     try
     {
-        if (!fs::exists(certParentInstallPath))
+        if (certType == AUTHORITY)
         {
-            fs::create_directories(certParentInstallPath);
+            certDirectory = certInstallPath;
         }
+        else
+        {
+            certDirectory = certParentInstallPath;
+        }
+
+        if (!fs::exists(certDirectory))
+        {
+            fs::create_directories(certDirectory);
+        }
+
         auto permission = fs::perms::owner_read | fs::perms::owner_write |
                           fs::perms::owner_exec;
-        fs::permissions(certParentInstallPath, permission,
-                        fs::perm_options::replace);
+        fs::permissions(certDirectory, permission, fs::perm_options::replace);
     }
     catch (fs::filesystem_error& e)
     {
@@ -567,10 +578,7 @@
 
     if (certType == phosphor::certs::AUTHORITY)
     {
-        // Create directory
-        fs::create_directories(certInstallPath);
-
-        // Check if above created proper path
+        // Check whether install path is a directory.
         if (!fs::is_directory(certInstallPath))
         {
             log<level::ERR>("Certificate installation path exists and it is "

test/certs_manager_test.cpp

diff --git a/test/certs_manager_test.cpp b/test/certs_manager_test.cpp
index 95f7191..4a3c6a4 100644
--- a/test/certs_manager_test.cpp
+++ b/test/certs_manager_test.cpp
@@ -37,7 +37,8 @@
         {
             throw std::bad_alloc();
         }
-        certDir = dirPtr;
+        certDir = std::string(dirPtr) + "/certs";
+        fs::create_directories(certDir);
 
         createNewCertificate();
     }
@@ -552,7 +553,8 @@
         {
             throw std::bad_alloc();
         }
-        certDir = dirPtr;
+        certDir = std::string(dirPtr) + "/certs";
+        fs::create_directories(certDir);
         certificateFile = "cert.pem";
         keyFile = "key.pem";
         std::string cmd = "openssl req -x509 -sha256 -newkey rsa:2048 ";