feature/PB 39303

dlen · dlen · commit 5c932f77cd6c · 2025-06-12T17:07:35.000Z
diff --git a/scripts/entrypoint/passbolt/entrypoint-rootless.sh b/scripts/entrypoint/passbolt/entrypoint-rootless.sh
@@ -77,8 +77,9 @@ function migrate_command() {
 function jwt_keys_creation() {
   if [[ $PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED == "true" && (! -f $passbolt_config/jwt/jwt.key || ! -f $passbolt_config/jwt/jwt.pem) ]]; then
     /usr/share/php/passbolt/bin/cake passbolt create_jwt_keys
-    chmod 640 "$passbolt_config/jwt/jwt.key" && chown www-data:www-data "$passbolt_config/jwt/jwt.key"
-    chmod 640 "$passbolt_config/jwt/jwt.pem" && chown www-data:www-data "$passbolt_config/jwt/jwt.pem"
+    chmod 440 "$passbolt_config/jwt/jwt.key" && chown www-data:www-data "$passbolt_config/jwt/jwt.key"
+    chmod 440 "$passbolt_config/jwt/jwt.pem" && chown www-data:www-data "$passbolt_config/jwt/jwt.pem"
+    chmod 550 "$passbolt_config/jwt"
   fi
 }
 
diff --git a/scripts/entrypoint/passbolt/entrypoint.sh b/scripts/entrypoint/passbolt/entrypoint.sh
@@ -76,9 +76,11 @@ function migrate_command() {
 
 function jwt_keys_creation() {
   if [[ $PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED == "true" && (! -f $passbolt_config/jwt/jwt.key || ! -f $passbolt_config/jwt/jwt.pem) ]]; then
+    chmod 770 "$passbolt_config/jwt"
     su -c '/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys' -s /bin/bash www-data
-    chmod 640 "$passbolt_config/jwt/jwt.key" && chown root:www-data "$passbolt_config/jwt/jwt.key"
-    chmod 640 "$passbolt_config/jwt/jwt.pem" && chown root:www-data "$passbolt_config/jwt/jwt.pem"
+    chmod 440 "$passbolt_config/jwt/jwt.key" && chown root:www-data "$passbolt_config/jwt/jwt.key"
+    chmod 440 "$passbolt_config/jwt/jwt.pem" && chown root:www-data "$passbolt_config/jwt/jwt.pem"
+    chmod 550 "$passbolt_config/jwt"
   fi
 }
 
diff --git a/spec/docker_image/image_spec.rb b/spec/docker_image/image_spec.rb
@@ -176,7 +176,7 @@
   describe 'jwt configuration' do
     it 'should have the correct permissions' do
       expect(file(jwt_conf)).to be_a_directory
-      expect(file(jwt_conf)).to be_mode 770
+      expect(file(jwt_conf)).to be_mode 750
       expect(file(jwt_conf)).to be_owned_by($root_user)
       expect(file(jwt_conf)).to be_grouped_into($config_group)
     end
diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb
@@ -53,7 +53,8 @@
         'DATASOURCES_DEFAULT_PASSWORD=±!@#$%^&*()_+=-}{|:;<>?',
         'DATASOURCES_DEFAULT_USERNAME=passbolt',
         'DATASOURCES_DEFAULT_DATABASE=passbolt',
-        'PASSBOLT_SSL_FORCE=true'
+        'PASSBOLT_SSL_FORCE=true',
+        'PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED=true'
       ],
       'Image' => @image.id,
       'Binds' => $binds
@@ -74,6 +75,8 @@
   let(:passbolt_host)     { @container.json['NetworkSettings']['IPAddress'] }
   let(:uri)               { '/healthcheck/status.json' }
   let(:curl)              { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }
+  let(:jwt_conf)          { "#{PASSBOLT_CONFIG_PATH + '/jwt'}" }
+  let(:jwt_key_pair)      { ["#{jwt_conf}/jwt.key", "#{jwt_conf}/jwt.pem"] }
 
   let(:rootless_env_setup) do
     # The sed command needs to create a temporary file on the same directory as the destination file (/etc/cron.d).
@@ -167,6 +170,28 @@
     end
   end
 
+  describe 'jwt configuration' do
+    it 'should have the correct permissions' do
+      expect(file(jwt_conf)).to be_a_directory
+      expect(file(jwt_conf)).to be_mode 550
+      expect(file(jwt_conf)).to be_owned_by($root_user)
+      expect(file(jwt_conf)).to be_grouped_into($config_group)
+    end
+
+    describe 'JWT key file' do
+      it 'should exist' do
+        expect(file("#{jwt_conf}/jwt.key")).to exist
+        expect(file("#{jwt_conf}/jwt.key")).to be_mode 440
+      end
+    end
+
+    describe 'JWT pem file' do
+      it 'should exist' do
+        expect(file("#{jwt_conf}/jwt.pem")).to exist
+        expect(file("#{jwt_conf}/jwt.pem")).to be_mode 440
+      end
+    end
+  end
   describe 'cron service' do
     context 'cron process' do
       it 'is running supervised' do
