Merge pull request #15812 from Security-Onion-Solutions/feature/postgres

so-telegraf-cred: make executable and harden error handling
2026-06-12 13:19:22 +02:00 · 2026-04-22 14:31:58 -04:00
parent 2c341e5160 d5c0ec4404
commit fad953b2b3
3 changed files with 32 additions and 7 deletions
@@ -21,11 +21,11 @@ usage() {
 }

 seed_creds_file() {
-    mkdir -p "$(dirname "$CREDS")"
+    mkdir -p "$(dirname "$CREDS")" || return 1
    if [[ ! -f "$CREDS" ]]; then
-        (umask 027 && printf 'telegraf:\n  postgres_creds: {}\n' > "$CREDS")
+        (umask 027 && printf 'telegraf:\n  postgres_creds: {}\n' > "$CREDS") || return 1
        chown socore:socore "$CREDS" 2>/dev/null || true
-        chmod 640 "$CREDS"
+        chmod 640 "$CREDS" || return 1
    fi
 }

@@ -36,7 +36,7 @@ MID=$2
 case "$OP" in
    add)
        SAFE=$(echo "$MID" | tr '.-' '__' | tr '[:upper:]' '[:lower:]')
-        seed_creds_file
+        seed_creds_file || exit 1
        if so-yaml.py get -r "$CREDS" "telegraf.postgres_creds.${MID}.user" >/dev/null 2>&1; then
            exit 0
        fi
@@ -39,9 +39,16 @@ def showUsage(args):


 def loadYaml(filename):
-    file = open(filename, "r")
-    content = file.read()
-    return yaml.safe_load(content)
+    try:
+        with open(filename, "r") as file:
+            content = file.read()
+            return yaml.safe_load(content)
+    except FileNotFoundError:
+        print(f"File not found: {filename}", file=sys.stderr)
+        sys.exit(1)
+    except Exception as e:
+        print(f"Error reading file {filename}: {e}", file=sys.stderr)
+        sys.exit(1)


 def writeYaml(filename, content):
@@ -973,3 +973,21 @@ class TestReplaceListObject(unittest.TestCase):

        expected = "key1:\n- id: '1'\n  status: updated\n- id: '2'\n  status: inactive\n"
        self.assertEqual(actual, expected)
+
+
+class TestLoadYaml(unittest.TestCase):
+
+    def test_load_yaml_missing_file(self):
+        with patch('sys.exit', new=MagicMock()) as sysmock:
+            with patch('sys.stderr', new=StringIO()) as mock_stderr:
+                soyaml.loadYaml("/tmp/so-yaml_test-does-not-exist.yaml")
+                sysmock.assert_called_with(1)
+                self.assertIn("File not found:", mock_stderr.getvalue())
+
+    def test_load_yaml_read_error(self):
+        with patch('sys.exit', new=MagicMock()) as sysmock:
+            with patch('sys.stderr', new=StringIO()) as mock_stderr:
+                with patch('builtins.open', side_effect=PermissionError("denied")):
+                    soyaml.loadYaml("/tmp/so-yaml_test-unreadable.yaml")
+                    sysmock.assert_called_with(1)
+                    self.assertIn("Error reading file", mock_stderr.getvalue())