fix(security): lock down signing-key file permissions

Private JWK files were written under the default umask (observed 0664 — group
and world readable). Create the key directory 0700, chmod private key files
(private_jwks.json, token_jwks.json) to 0600 after they are written, and
refuse to start if a pre-existing private key is group/world accessible.

Tests now use an isolated per-test key directory.

Refs: porchlight-91i

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Johan Lundberg 2026-06-08 15:21:27 +02:00
parent cba63280fb
commit c7550cbf09
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
4 changed files with 67 additions and 6 deletions
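The policy the commit message describes (key directory 0700, private JWK files 0600, refuse to start if a pre-existing private key is group/world accessible), as an added, self-contained example. This is not porchlight's code: the file names come from the commit message, while `load_or_create_keys`, `write_private_key`, `check_private_key_mode`, the `InsecureKeyPermissions` exception and the `generate` callback are assumed names chosen here for illustration. It also goes one step beyond the commit text: instead of writing under the umask and chmod'ing afterwards, the key file is created directly with mode 0600 via `os.open(..., O_CREAT | O_EXCL, 0o600)`, so there is no window in which the file exists at 0664, and symlinks in place of a key file are rejected.

```python
import json
import os
import stat
from collections.abc import Callable
from pathlib import Path

# File names from the commit message; everything else here is an assumption.
PRIVATE_KEY_FILES = ("private_jwks.json", "token_jwks.json")
GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO  # 0o077


class InsecureKeyPermissions(RuntimeError):
    """Raised when an existing private key is group/world accessible (or not a plain file)."""


def check_private_key_mode(path: Path) -> int:
    """Return the key file's permission bits, raising if group/other have any access.

    lstat is used so a symlink that points at a file elsewhere is not accepted
    as the key: the symlink's own mode says nothing about the target.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise InsecureKeyPermissions(f"{path} is a symlink; refusing to use it as a private key")
    if not stat.S_ISREG(st.st_mode):
        raise InsecureKeyPermissions(f"{path} is not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & GROUP_OR_WORLD:
        raise InsecureKeyPermissions(
            f"{path} has mode {mode:04o}; private keys must be 0600 (group/world access found)"
        )
    return mode


def write_private_key(path: Path, jwk_set: dict) -> int:
    """Create a private JWK file that is never observable at a permissive mode.

    O_CREAT|O_EXCL with mode 0o600 creates the file already locked down (the
    umask can only clear bits, never add them), and O_EXCL refuses to follow a
    pre-planted file or symlink at that path. Returns the resulting mode bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(jwk_set, f)
        f.flush()
        os.fsync(f.fileno())
    os.chmod(path, 0o600)  # make it exactly 0600 even under an unusually strict umask
    return stat.S_IMODE(os.stat(path).st_mode)


def ensure_key_dir(key_dir: Path) -> int:
    """Create the key directory 0700 (tightening it if it already exists); return its mode."""
    key_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(key_dir, 0o700)  # mkdir's mode is filtered by the umask; chmod is not
    return stat.S_IMODE(os.stat(key_dir).st_mode)


def load_or_create_keys(key_dir: Path, generate: Callable[[str], dict]) -> dict[str, dict]:
    """Startup path: refuse on a permissive pre-existing key, otherwise create keys securely.

    `generate(name)` is a hypothetical callback returning a JWK-set dict; a real
    service would generate an RSA/EC key pair here.
    """
    ensure_key_dir(key_dir)
    keys: dict[str, dict] = {}
    for name in PRIVATE_KEY_FILES:
        path = key_dir / name
        if path.exists() or path.is_symlink():  # is_symlink() also catches dangling links
            check_private_key_mode(path)  # raises -> the service refuses to start
            keys[name] = json.loads(path.read_text())
        else:
            keys[name] = generate(name)
            write_private_key(path, keys[name])
    return keys


def demo() -> dict:
    """Exercise the policy in a temporary directory and report the observed modes."""
    import tempfile

    key_dir = Path(tempfile.mkdtemp(prefix="keyperm-demo-")) / "keys"
    # Constructed placeholder JWK sets; not real key material.
    fresh = {n: {"keys": [{"kty": "oct", "kid": n, "k": "c2VjcmV0"}]} for n in PRIVATE_KEY_FILES}
    created = load_or_create_keys(key_dir, lambda n: fresh[n])
    modes = {n: check_private_key_mode(key_dir / n) for n in PRIVATE_KEY_FILES}
    reloaded = load_or_create_keys(key_dir, lambda n: {"regenerated": True})  # must reuse, not regenerate
    os.chmod(key_dir / "private_jwks.json", 0o664)  # simulate the umask default the commit fixes
    try:
        load_or_create_keys(key_dir, lambda n: {"regenerated": True})
        refused = False
    except InsecureKeyPermissions:
        refused = True
    return {
        "dir_mode": stat.S_IMODE(os.stat(key_dir).st_mode),
        "file_modes": modes,
        "created_equals_reloaded": created == reloaded,
        "refused_permissive_key": refused,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the permission check is a mode-bit check only: it does not verify ownership, so a key file owned by another user that happens to be 0600 would still be accepted. If the service can run as more than one uid, compare `st.st_uid` against `os.geteuid()` as well.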


@ -1,5 +1,6 @@
import re
from collections.abc import AsyncIterator
from pathlib import Path
import pytest
from httpx import ASGITransport, AsyncClient
@ -10,8 +11,13 @@ from porchlight.rate_limit import limiter
@pytest.fixture
def settings() -> Settings:
return Settings(issuer="http://localhost:8000", sqlite_path=":memory:", session_https_only=False)
def settings(tmp_path: Path) -> Settings:
return Settings(
issuer="http://localhost:8000",
sqlite_path=":memory:",
session_https_only=False,
signing_key_path=str(tmp_path / "keys"),
)
@pytest.fixture
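Review bot: this fixture only isolates the key directory (`signing_key_path=str(tmp_path / "keys")`); nothing visible in this file asserts the behaviour the commit introduces. Unless one of the other three changed files covers it, add a test that pre-creates `tmp_path / "keys" / "private_jwks.json"` at mode 0o664 and asserts that building the app refuses to start, and a second that after a fresh start checks `private_jwks.json` and `token_jwks.json` are 0o600 and the directory is 0o700; otherwise a regression back to writing under the default umask (the 0664 the message reports) would pass CI silently. Since the bug depends on the umask, the write-path test should also set a permissive umask (e.g. `os.umask(0o002)`, restored afterwards) rather than rely on the CI runner's default.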