1021119 - make sure private keys are never world readable

This should prevent similar mistakes in future.

modules/apache/manifests/certs.pp

@@ -34,6 +34,11 @@
     privkey { $apache_ssl_key:
       ensure => present,
       cert => Cert["${::certs::node_fqdn}-ssl"]
+    } ->
+    file { $apache_ssl_key:
+      owner => $apache::params::user,
+      group => $apache::params::group,
+      mode  => '0400';
     }
 
     file { "${apache::params::configdir}/ssl.conf":

modules/certs/lib/puppet/provider/katello_ssl_tool.rb

@@ -175,7 +175,7 @@ def exists?
     end
 
     def create
-      File.open(resource[:path], "w") { |f| f << expected_content }
+      File.open(resource[:path], "w", mode) { |f| f << expected_content }
     end
 
     protected
@@ -198,6 +198,10 @@ def source_path
       raise NotImplementedError
     end
 
+    def mode
+      0644
+    end
+
     def cert_details
       return @cert_details if defined? @cert_details
       if cert_resource = @resource[:cert]

modules/certs/lib/puppet/provider/privkey/katello_ssl_tool.rb

@@ -8,4 +8,8 @@ def source_path
     cert_details[:privkey]
   end
 
+  def mode
+    0400
+  end
+
 end

modules/kafo/manifests/foreman_certs.pp

@@ -36,7 +36,7 @@
 
     file { $client_key:
       owner => "foreman",
-      mode => "400"
+      mode => "0400"
     }
 
     pubkey { $client_ca:

modules/kafo/manifests/foreman_proxy_certs.pp

@@ -36,7 +36,7 @@
 
     file { $proxy_key:
       owner => "foreman-proxy",
-      mode  => "400"
+      mode  => "0400"
     }
 
     pubkey { $proxy_ca:

modules/kafo/manifests/puppet_certs.pp

@@ -36,7 +36,7 @@
 
     file { $client_key:
       owner => "puppet",
-      mode => "400"
+      mode => "0400"
     }
 
     pubkey { $client_ca: