From 55cb8c53887c081f645cf9853ace4f94f56d99a9 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 15 Feb 2020 15:38:58 +0100
Subject: [PATCH] docker_login: fix permissions for ~/.docker/config.json (#67353)

* Fix permissions for ~/.docker/config.json.

* Add changelog, remove debug output.
---
 .../fragments/67353-docker_login-permissions.yml | 2 ++
 lib/ansible/modules/cloud/docker/docker_login.py | 10 +++++++---
 .../targets/docker_login/tasks/tests/docker_login.yml | 6 ++++++
 3 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/67353-docker_login-permissions.yml

diff --git a/changelogs/fragments/67353-docker_login-permissions.yml b/changelogs/fragments/67353-docker_login-permissions.yml
new file mode 100644
index 00000000000..ddb38e0fd4e
--- /dev/null
+++ b/changelogs/fragments/67353-docker_login-permissions.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "docker_login - make sure that ``~/.docker/config.json`` is created with permissions ``0600``."
diff --git a/lib/ansible/modules/cloud/docker/docker_login.py b/lib/ansible/modules/cloud/docker/docker_login.py
index fec48a8acfa..c1a1bad7903 100644
--- a/lib/ansible/modules/cloud/docker/docker_login.py
+++ b/lib/ansible/modules/cloud/docker/docker_login.py
@@ -244,9 +244,13 @@ class DockerFileStore(object):
         dir = os.path.dirname(self._config_path)
         if not os.path.exists(dir):
             os.makedirs(dir)
-        # Write config
-        with open(self._config_path, "w") as f:
-            json.dump(self._config, f, indent=4, sort_keys=True)
+        # Write config; make sure it has permissions 0x600
+        content = json.dumps(self._config, indent=4, sort_keys=True).encode('utf-8')
+        f = os.open(self._config_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+        try:
+            os.write(f, content)
+        finally:
+            os.close(f)
 
     def store(self, server, username, password):
         '''
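Review bot: The `0o600` given to `os.open(self._config_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` is applied only when the file is newly created, so a `~/.docker/config.json` that already exists with a wider mode — for example one written by the removed `open(self._config_path, "w")` path under a permissive umask — keeps that mode after the rewrite, and the changelog's guarantee holds only for fresh files. Adding `os.fchmod(f, 0o600)` as the first statement inside the `try:` tightens an existing file as well, on the open descriptor rather than by path. The new comment says `0x600` although the mode is octal; it should read `# Write config; make sure it has permissions 0o600`. A single `os.write(f, content)` is also not guaranteed to write all of `content`, so either loop on the returned count or hand the descriptor to `os.fdopen(f, 'wb')` in a `with` block (dropping the manual `os.close`) so the buffered layer writes it fully. The enclosing method's header is above the hunk.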
diff --git a/test/integration/targets/docker_login/tasks/tests/docker_login.yml b/test/integration/targets/docker_login/tasks/tests/docker_login.yml
index a1d12097db9..33aaf08feaa 100644
--- a/test/integration/targets/docker_login/tasks/tests/docker_login.yml
+++ b/test/integration/targets/docker_login/tasks/tests/docker_login.yml
@@ -43,6 +43,11 @@
     state: present
   register: login_2
 
+- name: Get permissions of ~/.docker/config.json
+  stat:
+    path: ~/.docker/config.json
+  register: login_2_stat
+
 - name: Log in (idempotent)
   docker_login:
     registry_url: "{{ registry_frontend_address }}"
@@ -67,6 +72,7 @@
       - login_2 is changed
       - login_3 is not changed
       - login_4 is not changed
+      - login_2_stat.stat.mode == '0600'
 
 - name: Log in again with wrong password (check mode)
   docker_login:
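Review bot: The new `stat` task only observes the mode of a `config.json` that the module itself creates during `login_2`, so it does not cover the case the fix is weakest on: a file that already exists with a wider mode before `docker_login` runs, which an `os.open(..., O_CREAT, 0o600)` leaves untouched. A setup step before the first login, e.g. `- file: {path: "~/.docker/config.json", state: touch, mode: "0644"}` (after ensuring `~/.docker` exists), followed by the existing `login_2_stat.stat.mode == '0600'` assertion, would exercise that path and, if the module does not tighten existing files, document the gap rather than pass silently. The `that:` list the assertion is appended to begins outside the hunk.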