authorChad Smith <chad.smith@canonical.com>2023-04-26 14:43:06 -0600
committerGitHub <noreply@github.com>2023-04-26 14:43:06 -0600
commitbe3441b217949f608cf1cba677e3484ba49f7e7b (patch)
treef32a13f79562ffbde9e53f62d7a1f2788e6c74f6
parenta378b7e4f47375458651c0972e7cd813f6fe0a6b (diff)
downloadcloud-init-git-be3441b217949f608cf1cba677e3484ba49f7e7b.tar.gz
tests: update integration test to assert 640 across reboots (#2145)
-rw-r--r--tests/integration_tests/bugs/test_lp1900837.py27
-rw-r--r--tests/integration_tests/bugs/test_lp2013967.py31
2 files changed, 31 insertions, 27 deletions
diff --git a/tests/integration_tests/bugs/test_lp1900837.py b/tests/integration_tests/bugs/test_lp1900837.py
deleted file mode 100644
index d9ef18aa..00000000
--- a/tests/integration_tests/bugs/test_lp1900837.py
+++ /dev/null
@@ -1,27 +0,0 @@
-"""Integration test for LP: #1900836.
-
-This test mirrors the reproducing steps from the reported bug: it changes the
-permissions on cloud-init.log to 600 and confirms that they remain 600 after a
-reboot.
-"""
-
-
-def _get_log_perms(client):
- return client.execute("stat -c %a /var/log/cloud-init.log")
-
-
-class TestLogPermissionsNotResetOnReboot:
- def test_permissions_unchanged(self, client):
- # Confirm that the current permissions aren't 600
- assert "644" == _get_log_perms(client)
-
- # Set permissions to 600 and confirm our assertion passes pre-reboot
- client.execute("chmod 600 /var/log/cloud-init.log")
- assert "600" == _get_log_perms(client)
-
- # Reboot
- client.restart()
- assert client.execute("cloud-init status").ok
-
- # Check that permissions are not reset on reboot
- assert "600" == _get_log_perms(client)
diff --git a/tests/integration_tests/bugs/test_lp2013967.py b/tests/integration_tests/bugs/test_lp2013967.py
new file mode 100644
index 00000000..68a6ec5f
--- /dev/null
+++ b/tests/integration_tests/bugs/test_lp2013967.py
@@ -0,0 +1,31 @@
+"""Integration test for LP: #2013967.
+
+Assert cloud-init will explicitly set 640 perms across reboot regardless
+prior permissions. This is to avoid repeated security issues where sensitive
+data has been leaked by various clouds into a world-readable
+/var/log/cloud-init.log. We no longer wish to preserve too permissive
+a set of permissions by cloud-init runtime which were established by
+default log permissions by python's logging setup.
+"""
+
+
+def _get_log_perms(client):
+ return client.execute("stat -c %a /var/log/cloud-init.log")
+
+
+class TestLogPermissionsNotResetOnReboot:
+ def test_permissions_unchanged(self, client):
+ # Confirm that the current permissions aren't 644
+ assert "640" == _get_log_perms(client)
+
+ # Set permissions to 644 and confirm our assertion that
+ # permissions are reset across reboot
+ client.execute("chmod 644 /var/log/cloud-init.log")
+ assert "644" == _get_log_perms(client)
+
+ # Reboot
+ client.restart()
+ assert client.execute("cloud-init status").ok
+
+ # Check that permissions are reset on reboot
+ assert "640" == _get_log_perms(client)
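Review bot: The new test only covers a log that was loosened to 644, so the docstring's claim that 640 is set regardless of prior permissions is pinned in one direction; a second case that runs `chmod 600 /var/log/cloud-init.log` before `client.restart()` would record whether a mode an administrator tightened is meant to be widened back to 640. The mode alone also does not show who can read the file, so asserting owner and group as well, e.g. `stat -c '%a %U:%G' /var/log/cloud-init.log`, would catch a 640 log whose group is broader than intended. The names `TestLogPermissionsNotResetOnReboot` and `test_permissions_unchanged` are carried over from the deleted test and now say the opposite of what is asserted; `TestLogPermissionsResetOnReboot` and `test_permissions_reset_to_640` would match. The first comment has the same leftover and could read `# Confirm the default permissions are 640`.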