From 8f979cf0decc35ef08685b9abb0a69e862867dc7 Mon Sep 17 00:00:00 2001
From: Marek Hulan
Date: Thu, 13 Mar 2014 16:21:04 +0100
Subject: [PATCH] Fix #4648 - store default values securely
---
 lib/kafo/configuration.rb | 8 +++++--
 lib/kafo/kafo_configure.rb | 26 +++++++++++++++++++++-
 .../lib/puppet/parser/functions/dump_values.rb | 7 ++++--
 3 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/lib/kafo/configuration.rb b/lib/kafo/configuration.rb
index 057a30c..ab029da 100644
--- a/lib/kafo/configuration.rb
+++ b/lib/kafo/configuration.rb
@@ -1,5 +1,6 @@
 # encoding: UTF-8
 require 'yaml'
+require 'tmpdir'
 require 'kafo/puppet_module'
 require 'kafo/password_manager'
@@ -74,8 +75,11 @@ module Kafo
 def params_default_values
 @params_default_values ||= begin
+ @logger.debug "Creating tmp dir within #{app[:default_values_dir]}..."
+ temp_dir = Dir.mktmpdir(nil, app[:default_values_dir])
+ KafoConfigure.register_cleanup_path temp_dir
 @logger.info "Parsing default values from puppet modules..."
- command = PuppetCommand.new("#{includes} dump_values(#{params})").append('2>&1').command
+ command = PuppetCommand.new("$temp_dir=\"#{temp_dir}\" #{includes} dump_values(#{params})").append('2>&1').command
 @logger.debug `#{command}`
 unless $?.exitstatus == 0
 log = app[:log_dir] + '/' + app[:log_name]
@@ -84,7 +88,7 @@ module Kafo
 KafoConfigure.exit(:defaults_error)
 end
 @logger.info "... finished"
- YAML.load_file(File.join(KafoConfigure.config.app[:default_values_dir], 'default_values.yaml'))
+ YAML.load_file(File.join(temp_dir, 'default_values.yaml'))
 end
 end
diff --git a/lib/kafo/kafo_configure.rb b/lib/kafo/kafo_configure.rb
index 2962e75..5b32537 100644
--- a/lib/kafo/kafo_configure.rb
+++ b/lib/kafo/kafo_configure.rb
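Review bot: `temp_dir` is interpolated unescaped into the Puppet snippet `$temp_dir=\"#{temp_dir}\"`, and the resulting command is then executed through backticks on the `@logger.debug` line, so a configured `default_values_dir` containing a quote, `$`, backtick or whitespace would alter the manifest or the shell line instead of just naming a path. How `PuppetCommand` quotes its argument is not visible in this hunk, so this may already be handled there. If it is not, reject unexpected characters right after `Dir.mktmpdir`, for example `raise ArgumentError, "unsafe temp dir: #{temp_dir}" unless temp_dir =~ %r{\A[\w./-]+\z}`. The `begin` block continues past the end of this hunk.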
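Review bot: The private directory is needed only until `YAML.load_file(File.join(temp_dir, 'default_values.yaml'))` returns, yet in the code shown it is removed only when `KafoConfigure.exit` runs, so the dumped defaults stay on disk for the rest of the run and are left behind if the process ends any other way. Removing the directory as soon as the file is parsed would narrow that window: assign `values = YAML.load_file(...)`, call `FileUtils.remove_entry_secure(temp_dir)`, then return `values`. The `begin` block this line belongs to starts above the hunk.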
@@ -17,12 +17,15 @@ module Kafo
 class KafoConfigure < Clamp::Command
 include StringHelper
-
 class << self
 attr_accessor :config, :root_dir, :config_file, :gem_root, :temp_config_file, :modules_dir, :kafo_modules_dir, :verbose, :app_options, :logger
 attr_writer :hooking
+ def cleanup_paths
+ @cleanup_paths ||= []
+ end
+
 def hooking
 @hooking ||= Hooking.new
 end
@@ -105,6 +108,7 @@ module Kafo
 end
 def self.exit(code)
+ cleanup
 @exit_code = translate_exit_code(code)
 throw :exit
 end
@@ -128,6 +132,26 @@ module Kafo
 end
 end
+ def self.cleanup
+ # make sure default values are removed from /tmp
+ (self.cleanup_paths + ['/tmp/default_values.yaml']).each do |file|
+ logger.debug "Cleaning #{file}"
+ FileUtils.rm_rf(file)
+ end
+ end
+
+ def self.register_cleanup_path(path)
+ self.cleanup_paths<< path
+ end
+
+ def register_cleanup_path(path)
+ self.class.register_cleanup_path(path)
+ end
+
+ def cleanup_paths
+ self.class.cleanup_paths
+ end
+
 def help
 self.class.help(invocation_path, self)
 end
diff --git a/modules/kafo_configure/lib/puppet/parser/functions/dump_values.rb b/modules/kafo_configure/lib/puppet/parser/functions/dump_values.rb
index 9bbc8cd..a61459f 100644
--- a/modules/kafo_configure/lib/puppet/parser/functions/dump_values.rb
+++ b/modules/kafo_configure/lib/puppet/parser/functions/dump_values.rb
@@ -9,7 +9,10 @@ module Puppet::Parser::Functions
 [arg, found_value.nil? ? arg : found_value]
 end
 data = Hash[data]
- dump_dir = YAML.load_file(lookupvar('kafo_config_file'))[:default_values_dir]
- File.open("#{dump_dir}/default_values.yaml", 'w') { |file| file.write(YAML.dump(data)) }
+
+ dump_dir = lookupvar('temp_dir')
+ file_name = "#{dump_dir}/default_values.yaml"
+
+ File.open(file_name, File::WRONLY|File::CREAT|File::EXCL, 0600) { |file| file.write(YAML.dump(data)) }
 end
 end
--
1.8.3.1
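Review bot: `cleanup` now runs before `@exit_code` is assigned and before `throw :exit`, so any exception raised inside it would replace the intended exit code with an unhandled error. `cleanup` calls `logger.debug`, and whether the class-level `logger` is always assigned before the first call to `exit` is not visible in this hunk. Guarding the log call, e.g. `logger.debug "Cleaning #{file}" if logger`, keeps the exit path working when `exit` is reached early. In the lines shown, `cleanup` is also reached only through `exit`, so an uncaught exception or a signal would presumably skip it.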
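Review bot: `FileUtils.rm_rf(file)` in `self.cleanup` is applied to the fixed path `/tmp/default_values.yaml`, which sits in a world-writable directory. The Ruby documentation for `FileUtils.rm_r` warns that recursive removal there is exposed to a time-of-check/time-of-use race when another local user controls the entry, and this installer is presumably run with elevated privileges. `FileUtils.remove_entry_secure(file, true)` is the documented replacement and also fits the registered temp directories. As a style point, `self.cleanup_paths<< path` reads better as `cleanup_paths << path`.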
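Review bot: `lookupvar('temp_dir')` is used without checking that the variable is set, so when `dump_values` is evaluated without `$temp_dir` the `file_name` is built from an empty or placeholder value and the defaults are written outside the private directory. What `lookupvar` returns for an unset variable depends on the Puppet version, but in each case the `File::EXCL` open would still succeed on a fresh path. A guard before `file_name` is built avoids that: `raise Puppet::ParseError, 'dump_values: $temp_dir is not set' unless dump_dir.is_a?(String) && File.directory?(dump_dir)`. The function body begins above the hunk.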