fix(client): set cookies.txt readable only by current user

Author: mboersma

client/deis.py

@@ -164,6 +164,8 @@ def request(self, *args, **kwargs):
             kwargs['headers'] = {'Referer': url}
         response = super(Session, self).request(*args, **kwargs)
         self.cookies.save()
+        # set ~/.deis/cookies.txt readable only by its owner
+        os.chmod(self.cookies.filename, 0600)
         return response
 
 
@@ -176,8 +178,9 @@ class Settings(dict):
 
     def __init__(self):
         path = os.path.expanduser('~/.deis')
-        if not os.path.exists(path):
-            os.mkdir(path)
+        # Create the $HOME/.deis dir if it doesn't exist
+        if not os.path.isdir(path):
+            os.mkdir(path, 0700)
         self._path = os.path.join(path, 'client.yaml')
         if not os.path.exists(self._path):
             with open(self._path, 'w') as f:

tests/integration_test.go

@@ -3,6 +3,8 @@
 package tests
 
 import (
+	"os"
+	"os/user"
 	"testing"
 
 	"github.com/deis/deis/tests/utils"
@@ -27,10 +29,25 @@ func TestGlobal(t *testing.T) {
 func cookieTest(t *testing.T, params *utils.DeisTestConfig) {
 	// Regression test for https://github.com/deis/deis/pull/1136
 	// Ensure that cookies are cleared on auth:register and auth:cancel
+	user, err := user.Current()
+	if err != nil {
+		t.Fatal(err)
+	}
+	cookieJar := user.HomeDir + "/.deis/cookies.txt"
 	utils.Execute(t, authRegisterCmd, params, false, "")
-	cmd := "cat ~/.deis/cookies.txt"
+	cmd := "cat " + cookieJar
 	utils.CheckList(t, cmd, params, "csrftoken", false)
 	utils.CheckList(t, cmd, params, "sessionid", false)
+	info, err := os.Stat(cookieJar)
+	if err != nil {
+		t.Fatal(err)
+	}
+	mode := info.Mode().String()
+	expected := "-rw-------"
+	if mode != expected {
+		t.Fatalf("%s has wrong mode:\n   current: %s\n  expected: %s",
+			cookieJar, mode, expected)
+	}
 	utils.AuthCancel(t, params)
 	utils.CheckList(t, cmd, params, "csrftoken", true)
 	utils.CheckList(t, cmd, params, "sessionid", true)