Set permissions on JSON files (#2093)

* Set 600 premissions on json files

* Add test

* Fix local tar tests

* Fix tar test in action

* Use pytest fixture for tmp_path in tests

* remove not needed things

supervisor/utils/json.py

@@ -18,6 +18,7 @@ def write_json_file(jsonfile: Path, data: Any) -> None:
     """Write a JSON file."""
     try:
         jsonfile.write_text(json.dumps(data, indent=2))
+        jsonfile.chmod(0o600)
     except (OSError, ValueError, TypeError) as err:
         _LOGGER.error("Can't write %s: %s", jsonfile, err)
         raise JsonFileError() from err

tests/test_core_state.py

@@ -1,6 +1,5 @@
 """Testing handling with CoreState."""
 from pathlib import Path
-from tempfile import TemporaryDirectory
 from unittest.mock import patch
 
 import pytest
@@ -11,12 +10,10 @@ from supervisor.const import CoreState
 
 
 @pytest.fixture
-def run_dir():
+def run_dir(tmp_path):
     """Fixture to inject hassio env."""
-    with patch(
+    with patch("supervisor.core.RUN_SUPERVISOR_STATE") as mock_run:
-        "supervisor.core.RUN_SUPERVISOR_STATE"
+        tmp_state = Path(tmp_path, "supervisor")
-    ) as mock_run, TemporaryDirectory() as tmp_run:
-        tmp_state = Path(tmp_run, "supervisor")
         mock_run.write_text = tmp_state.write_text
         yield tmp_state
 

tests/utils/test_json.py

@@ -0,0 +1,20 @@
+"""test json."""
+from supervisor.utils.json import write_json_file
+
+
+def test_file_permissions(tmp_path):
+    """Test file permissions."""
+    tempfile = tmp_path / "test.json"
+    write_json_file(tempfile, {"test": "data"})
+    assert tempfile.is_file()
+    assert oct(tempfile.stat().st_mode)[-3:] == "600"
+
+
+def test_new_file_permissions(tmp_path):
+    """Test file permissions."""
+    tempfile = tmp_path / "test.json"
+    tempfile.write_text("test")
+    assert oct(tempfile.stat().st_mode)[-3:] != "600"
+
+    write_json_file(tempfile, {"test": "data"})
+    assert oct(tempfile.stat().st_mode)[-3:] == "600"

tests/utils/test_tarfile.py

@@ -2,7 +2,6 @@
 import os
 from pathlib import Path, PurePath
 import shutil
-from tempfile import TemporaryDirectory
 
 import attr
 
@@ -70,18 +69,15 @@ def test_is_exclude_by_filter_bad():
         assert _is_excluded_by_filter(path_object, filter_list) is True
 
 
-def test_create_pure_tar():
+def test_create_pure_tar(tmp_path):
     """Test to create a tar file without encryption."""
-    with TemporaryDirectory() as temp_dir:
-        temp = Path(temp_dir)
-
     # Prepair test folder
-        temp_orig = temp.joinpath("orig")
+    temp_orig = tmp_path.joinpath("orig")
     fixture_data = Path(__file__).parents[1].joinpath("fixtures/tar_data")
     shutil.copytree(fixture_data, temp_orig, symlinks=True)
 
     # Create Tarfile
-        temp_tar = temp.joinpath("backup.tar")
+    temp_tar = tmp_path.joinpath("backup.tar")
     with SecureTarFile(temp_tar, "w") as tar_file:
         atomic_contents_add(
             tar_file,
@@ -93,7 +89,7 @@ def test_create_pure_tar():
     assert temp_tar.exists()
 
     # Restore
-        temp_new = temp.joinpath("new")
+    temp_new = tmp_path.joinpath("new")
     with SecureTarFile(temp_tar, "r") as tar_file:
         tar_file.extractall(path=temp_new, members=tar_file)
 
@@ -101,23 +97,26 @@ def test_create_pure_tar():
     assert temp_new.joinpath("test_symlink").is_symlink()
     assert temp_new.joinpath("test1").is_dir()
     assert temp_new.joinpath("test1/script.sh").is_file()
-        assert temp_new.joinpath("test1/script.sh").stat().st_mode == 33261
+
+    # 775 is correct for local, but in GitHub action it's 755, both is fine
+    assert oct(temp_new.joinpath("test1/script.sh").stat().st_mode)[-3:] in [
+        "755",
+        "775",
+    ]
     assert temp_new.joinpath("README.md").is_file()
 
 
-def test_create_ecrypted_tar():
+def test_create_ecrypted_tar(tmp_path):
     """Test to create a tar file with encryption."""
-    with TemporaryDirectory() as temp_dir:
-        temp = Path(temp_dir)
     key = os.urandom(16)
 
     # Prepair test folder
-        temp_orig = temp.joinpath("orig")
+    temp_orig = tmp_path.joinpath("orig")
     fixture_data = Path(__file__).parents[1].joinpath("fixtures/tar_data")
     shutil.copytree(fixture_data, temp_orig, symlinks=True)
 
     # Create Tarfile
-        temp_tar = temp.joinpath("backup.tar")
+    temp_tar = tmp_path.joinpath("backup.tar")
     with SecureTarFile(temp_tar, "w", key=key) as tar_file:
         atomic_contents_add(
             tar_file,
@@ -129,7 +128,7 @@ def test_create_ecrypted_tar():
     assert temp_tar.exists()
 
     # Restore
-        temp_new = temp.joinpath("new")
+    temp_new = tmp_path.joinpath("new")
     with SecureTarFile(temp_tar, "r", key=key) as tar_file:
         tar_file.extractall(path=temp_new, members=tar_file)
 
@@ -137,5 +136,10 @@ def test_create_ecrypted_tar():
     assert temp_new.joinpath("test_symlink").is_symlink()
     assert temp_new.joinpath("test1").is_dir()
     assert temp_new.joinpath("test1/script.sh").is_file()
-        assert temp_new.joinpath("test1/script.sh").stat().st_mode == 33261
+
+    # 775 is correct for local, but in GitHub action it's 755, both is fine
+    assert oct(temp_new.joinpath("test1/script.sh").stat().st_mode)[-3:] in [
+        "755",
+        "775",
+    ]
     assert temp_new.joinpath("README.md").is_file()