Set permissions on JSON files (#2093)

* Set 600 premissions on json files * Add test * Fix local tar tests * Fix tar test in action * Use pytest fixture for tmp_path in tests * remove not needed things
2025-07-08 01:36:29 +00:00 · 2020-10-05 15:14:09 +02:00 · 2020-10-05 15:14:09 +02:00 · f35b6d0b00
commit f35b6d0b00
parent 8d75583a07
4 changed files with 84 additions and 62 deletions
--- a/supervisor/utils/json.py
+++ b/supervisor/utils/json.py
@ -18,6 +18,7 @@ def write_json_file(jsonfile: Path, data: Any) -> None:
    """Write a JSON file."""
    try:
        jsonfile.write_text(json.dumps(data, indent=2))
+        jsonfile.chmod(0o600)
    except (OSError, ValueError, TypeError) as err:
        _LOGGER.error("Can't write %s: %s", jsonfile, err)
        raise JsonFileError() from err
--- a/tests/test_core_state.py
+++ b/tests/test_core_state.py
@ -1,6 +1,5 @@
 """Testing handling with CoreState."""
 from pathlib import Path
-from tempfile import TemporaryDirectory
 from unittest.mock import patch

 import pytest
@ -11,12 +10,10 @@ from supervisor.const import CoreState


@pytest.fixture
-def run_dir():
+def run_dir(tmp_path):
    """Fixture to inject hassio env."""
-    with patch(
-        "supervisor.core.RUN_SUPERVISOR_STATE"
-    ) as mock_run, TemporaryDirectory() as tmp_run:
-        tmp_state = Path(tmp_run, "supervisor")
+    with patch("supervisor.core.RUN_SUPERVISOR_STATE") as mock_run:
+        tmp_state = Path(tmp_path, "supervisor")
        mock_run.write_text = tmp_state.write_text
        yield tmp_state

--- a/tests/utils/test_json.py
+++ b/tests/utils/test_json.py
@ -0,0 +1,20 @@
+"""test json."""
+from supervisor.utils.json import write_json_file
+
+
+def test_file_permissions(tmp_path):
+    """Test file permissions."""
+    tempfile = tmp_path / "test.json"
+    write_json_file(tempfile, {"test": "data"})
+    assert tempfile.is_file()
+    assert oct(tempfile.stat().st_mode)[-3:] == "600"
+
+
+def test_new_file_permissions(tmp_path):
+    """Test file permissions."""
+    tempfile = tmp_path / "test.json"
+    tempfile.write_text("test")
+    assert oct(tempfile.stat().st_mode)[-3:] != "600"
+
+    write_json_file(tempfile, {"test": "data"})
+    assert oct(tempfile.stat().st_mode)[-3:] == "600"
--- a/tests/utils/test_tarfile.py
+++ b/tests/utils/test_tarfile.py
@ -2,7 +2,6 @@
 import os
 from pathlib import Path, PurePath
 import shutil
-from tempfile import TemporaryDirectory

 import attr

@ -70,72 +69,77 @@ def test_is_exclude_by_filter_bad():
        assert _is_excluded_by_filter(path_object, filter_list) is True


-def test_create_pure_tar():
+def test_create_pure_tar(tmp_path):
    """Test to create a tar file without encryption."""
-    with TemporaryDirectory() as temp_dir:
-        temp = Path(temp_dir)
+    # Prepair test folder
+    temp_orig = tmp_path.joinpath("orig")
+    fixture_data = Path(__file__).parents[1].joinpath("fixtures/tar_data")
+    shutil.copytree(fixture_data, temp_orig, symlinks=True)

-        # Prepair test folder
-        temp_orig = temp.joinpath("orig")
-        fixture_data = Path(__file__).parents[1].joinpath("fixtures/tar_data")
-        shutil.copytree(fixture_data, temp_orig, symlinks=True)
+    # Create Tarfile
+    temp_tar = tmp_path.joinpath("backup.tar")
+    with SecureTarFile(temp_tar, "w") as tar_file:
+        atomic_contents_add(
+            tar_file,
+            temp_orig,
+            excludes=[],
+            arcname=".",
+        )

-        # Create Tarfile
-        temp_tar = temp.joinpath("backup.tar")
-        with SecureTarFile(temp_tar, "w") as tar_file:
-            atomic_contents_add(
-                tar_file,
-                temp_orig,
-                excludes=[],
-                arcname=".",
-            )
+    assert temp_tar.exists()

-        assert temp_tar.exists()
+    # Restore
+    temp_new = tmp_path.joinpath("new")
+    with SecureTarFile(temp_tar, "r") as tar_file:
+        tar_file.extractall(path=temp_new, members=tar_file)

-        # Restore
-        temp_new = temp.joinpath("new")
-        with SecureTarFile(temp_tar, "r") as tar_file:
-            tar_file.extractall(path=temp_new, members=tar_file)
+    assert temp_new.is_dir()
+    assert temp_new.joinpath("test_symlink").is_symlink()
+    assert temp_new.joinpath("test1").is_dir()
+    assert temp_new.joinpath("test1/script.sh").is_file()

-        assert temp_new.is_dir()
-        assert temp_new.joinpath("test_symlink").is_symlink()
-        assert temp_new.joinpath("test1").is_dir()
-        assert temp_new.joinpath("test1/script.sh").is_file()
-        assert temp_new.joinpath("test1/script.sh").stat().st_mode == 33261
-        assert temp_new.joinpath("README.md").is_file()
+    # 775 is correct for local, but in GitHub action it's 755, both is fine
+    assert oct(temp_new.joinpath("test1/script.sh").stat().st_mode)[-3:] in [
+        "755",
+        "775",
+    ]
+    assert temp_new.joinpath("README.md").is_file()


-def test_create_ecrypted_tar():
+def test_create_ecrypted_tar(tmp_path):
    """Test to create a tar file with encryption."""
-    with TemporaryDirectory() as temp_dir:
-        temp = Path(temp_dir)
-        key = os.urandom(16)
+    key = os.urandom(16)

-        # Prepair test folder
-        temp_orig = temp.joinpath("orig")
-        fixture_data = Path(__file__).parents[1].joinpath("fixtures/tar_data")
-        shutil.copytree(fixture_data, temp_orig, symlinks=True)
+    # Prepair test folder
+    temp_orig = tmp_path.joinpath("orig")
+    fixture_data = Path(__file__).parents[1].joinpath("fixtures/tar_data")
+    shutil.copytree(fixture_data, temp_orig, symlinks=True)

-        # Create Tarfile
-        temp_tar = temp.joinpath("backup.tar")
-        with SecureTarFile(temp_tar, "w", key=key) as tar_file:
-            atomic_contents_add(
-                tar_file,
-                temp_orig,
-                excludes=[],
-                arcname=".",
-            )
+    # Create Tarfile
+    temp_tar = tmp_path.joinpath("backup.tar")
+    with SecureTarFile(temp_tar, "w", key=key) as tar_file:
+        atomic_contents_add(
+            tar_file,
+            temp_orig,
+            excludes=[],
+            arcname=".",
+        )

-        assert temp_tar.exists()
+    assert temp_tar.exists()

-        # Restore
-        temp_new = temp.joinpath("new")
-        with SecureTarFile(temp_tar, "r", key=key) as tar_file:
-            tar_file.extractall(path=temp_new, members=tar_file)
+    # Restore
+    temp_new = tmp_path.joinpath("new")
+    with SecureTarFile(temp_tar, "r", key=key) as tar_file:
+        tar_file.extractall(path=temp_new, members=tar_file)

-        assert temp_new.is_dir()
-        assert temp_new.joinpath("test_symlink").is_symlink()
-        assert temp_new.joinpath("test1").is_dir()
-        assert temp_new.joinpath("test1/script.sh").is_file()
-        assert temp_new.joinpath("test1/script.sh").stat().st_mode == 33261
-        assert temp_new.joinpath("README.md").is_file()
+    assert temp_new.is_dir()
+    assert temp_new.joinpath("test_symlink").is_symlink()
+    assert temp_new.joinpath("test1").is_dir()
+    assert temp_new.joinpath("test1/script.sh").is_file()
+
+    # 775 is correct for local, but in GitHub action it's 755, both is fine
+    assert oct(temp_new.joinpath("test1/script.sh").stat().st_mode)[-3:] in [
+        "755",
+        "775",
+    ]
+    assert temp_new.joinpath("README.md").is_file()