Move the chmod function before the write and flush functions to prevent sensitive information leakage.

lujiefsi · waipeng · commit 312aa6a86ac8 · 2024-01-31T21:33:43.000+11:00
Closes-Bug: #2047690 Change-Id: I2b88a14cc67a4fba35fcfc187a91771e1d714844 (cherry picked from commit cb71d19) (cherry picked from commit 272fd68) (cherry picked from commit 883b40b) (cherry picked from commit e79907c)
diff --git a/magnum/conductor/handlers/common/cert_manager.py b/magnum/conductor/handlers/common/cert_manager.py
@@ -189,23 +189,22 @@ def create_client_files(cluster, context=None):
             magnum_cert = get_cluster_magnum_cert(cluster, context)
 
             ca_file = open(cached_ca_file, "w+")
+            os.chmod(cached_ca_file, 0o600)
             ca_file.write(encodeutils.safe_decode(ca_cert.get_certificate()))
             ca_file.flush()
 
             key_file = open(cached_key_file, "w+")
+            os.chmod(cached_key_file, 0o600)
             key_file.write(encodeutils.safe_decode(
                 magnum_cert.get_decrypted_private_key()))
             key_file.flush()
 
             cert_file = open(cached_cert_file, "w+")
+            os.chmod(cached_cert_file, 0o600)
             cert_file.write(
                 encodeutils.safe_decode(magnum_cert.get_certificate()))
             cert_file.flush()
 
-            os.chmod(cached_ca_file, 0o600)
-            os.chmod(cached_key_file, 0o600)
-            os.chmod(cached_cert_file, 0o600)
-
         else:
             ca_file = open(cached_ca_file, "r")
             key_file = open(cached_key_file, "r")
