From e1bb54d67232c7f9ac6422b366cd1985a8e6f417 Mon Sep 17 00:00:00 2001
From: Moul <moul@moul.re>
Date: Sun, 24 Sep 2023 09:48:12 +0200
Subject: [PATCH] Store revocation file with 600 permission (#481)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a ruff exception, since ruff proposes using Path.open(),
which doesn’t implement opener

https://github.com/astral-sh/ruff/issues/7620
---
 silkaj/wot/revocation.py          | 13 ++++++++++++-
 tests/unit/wot/test_revocation.py |  5 +++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/silkaj/wot/revocation.py b/silkaj/wot/revocation.py
index 4a24a94b..76a7433b 100644
--- a/silkaj/wot/revocation.py
+++ b/silkaj/wot/revocation.py
@@ -13,6 +13,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with Silkaj. If not, see <https://www.gnu.org/licenses/>.
 
+import os
 import sys
 from pathlib import Path
 from typing import Dict
@@ -163,6 +164,10 @@ def create_revocation_doc(_id: Dict, pubkey: str, currency: str) -> Revocation:
     )
 
 
+def opener_user_rw(path, flags):
+    return os.open(path, flags, 0o600)
+
+
 def save_doc(rev_path: Path, content: str, pubkey: str) -> None:
     pubkey_cksum = gen_pubkey_checksum(pubkey)
     # Ask confirmation if the file exists
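Review bot: The `0o600` mode passed to `os.open` in `opener_user_rw` is applied only when the file is created, so on the overwrite path of `save_doc` (the `open(..., opener=opener_user_rw)` call in the next hunk) an existing revocation file keeps whatever permissions it already had, for example 644. Tightening the descriptor explicitly would cover both cases: `fd = os.open(path, flags, 0o600)`, `os.fchmod(fd, 0o600)`, `return fd`. `os.fchmod` is not available on every platform and Python version, so this may need a guard or `os.chmod(path, 0o600)` as a fallback. A one-line docstring such as `"""Opener for open() that creates the file readable and writable by its owner only."""` would also help; the body of `save_doc` continues outside this hunk.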
@@ -175,7 +180,13 @@ gene    rated revocation document corresponding to {pubkey_cksum} public key?",
         else:
             click.echo("Ok, goodbye!")
             sys.exit(SUCCESS_EXIT_STATUS)
-    rev_path.write_text(content, encoding="utf-8")
+    with open(  # noqa: PTH123
+        rev_path,
+        "w",
+        encoding="utf-8",
+        opener=opener_user_rw,
+    ) as fh:
+        fh.write(content)
     click.echo(
         f"Revocation document file stored into `{rev_path}` for following public key: {pubkey_cksum}",
     )
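Review bot: The `# noqa: PTH123` on the `open(` call has no in-code explanation, so the reason for bypassing `Path.open()` lives only in the commit message. A comment above the call, e.g. `# Built-in open() is used because Path.open() has no opener parameter (ruff PTH123).`, would keep a later cleanup from removing the suppression together with the permission handling. `save_doc` starts before this hunk.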
diff --git a/tests/unit/wot/test_revocation.py b/tests/unit/wot/test_revocation.py
index aa48b972..1cdc4b5e 100644
--- a/tests/unit/wot/test_revocation.py
+++ b/tests/unit/wot/test_revocation.py
@@ -871,6 +871,10 @@ def test_save_doc(path, rev_1, rev_2, pubkey, capsys, monkeypatch):
         revocation.save_doc(path, rev_1.signed_raw(), pubkey)
         assert path.is_file()
         assert path.read_text(encoding="utf-8") == rev_1.signed_raw()
+
+        # test file has 600 permission
+        assert oct(path.stat().st_mode)[-3:] == "600"
+
         # test file is overwritten if confirm
         monkeypatch.setattr(click, "confirm", value=conf_true)
         revocation.save_doc(path, rev_2.signed_raw(), pubkey)
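Review bot: The permission assertion only covers a newly created file; the overwrite call that follows has no check on the resulting mode, so a pre-existing file with looser permissions is never exercised. Adding `path.chmod(0o644)` before the second `save_doc` call and `assert path.stat().st_mode & 0o777 == 0o600` after it would pin that case, and would presumably fail against the current opener, because the mode is applied only on creation. Masking with `0o777` is also less fragile than slicing `oct(...)[-3:]`. The test function starts before this hunk and continues past it.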
@@ -878,6 +882,7 @@ def test_save_doc(path, rev_1, rev_2, pubkey, capsys, monkeypatch):
 for following public key: {gen_pubkey_checksum(pubkey)}"
         assert expected_confirm in capsys.readouterr().out
         assert path.read_text(encoding="utf-8") == rev_2.signed_raw()
+
         # test file is not overwritten if not confirm
         monkeypatch.setattr(click, "confirm", value=conf_false)
         with pytest.raises(SystemExit) as pytest_exit:
-- 
GitLab