From faf58ca9edcc0aa565ad7846f51a1be0220b8619 Mon Sep 17 00:00:00 2001
From: Reuben Miller
Date: Wed, 11 Oct 2023 14:09:05 +1000
Subject: [PATCH 1/2] add system tests to verify the c8y bridge permissions and ownership
Signed-off-by: Reuben Miller
---
 .../tests/tedge_connect/tedge_connect_test.robot | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/tests/RobotFramework/tests/tedge_connect/tedge_connect_test.robot b/tests/RobotFramework/tests/tedge_connect/tedge_connect_test.robot
index 81710ca2146..9b9d5beeb42 100644
--- a/tests/RobotFramework/tests/tedge_connect/tedge_connect_test.robot
+++ b/tests/RobotFramework/tests/tedge_connect/tedge_connect_test.robot
@@ -16,6 +16,13 @@ tedge_connect_test_positive
 ${output}= Execute Command sudo tedge connect c8y --test
 Should Contain ${output} Connection check to c8y cloud is successful.
+Non-root users should be able to read the mosquitto configuration files #2154
+ [Tags] \#2154
+ Execute Command sudo tedge connect c8y || true
+ Should Have File Permissions /etc/tedge/mosquitto-conf/tedge-mosquitto.conf 644 root:root
+ Should Have File Permissions /etc/tedge/mosquitto-conf/c8y-bridge.conf 644 root:root
+
+
 tedge_connect_test_negative
 Execute Command sudo tedge disconnect c8y
 ${output}= Execute Command sudo tedge connect c8y --test exp_exit_code=1 stdout=${False} stderr=${True}
@@ -32,3 +39,10 @@ tedge_disconnect_test_sm_services
 Should Contain ${output} Cumulocity Bridge successfully disconnected!
 Should Contain ${output} tedge-agent service successfully stopped and disabled!
 Should Contain ${output} tedge-mapper-c8y service successfully stopped and disabled!
+
+*** Keywords ***
+
+Should Have File Permissions
+ [Arguments] ${file} ${expected_permissions}
+ ${FILE_MODE_OWNERSHIP}= Execute Command stat -c '%a %U:%G' ${file} strip=${True}
+ Should Be Equal ${FILE_MODE_OWNERSHIP} ${expected_permissions} msg=Unexpected file permissions/ownership of ${file}
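Review bot: `sudo tedge connect c8y || true` in the new test case discards the exit status, so the two permission assertions can pass against files left behind by an earlier connect rather than files written by this step. The preceding test implies the bridge may already be connected here, and the hunk does not show whether the config files are rewritten in that case. To make the check exercise the write path, I would disconnect first and let a failing connect fail the test: `Execute Command    sudo tedge disconnect c8y || true` followed by `Execute Command    sudo tedge connect c8y`.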
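Review bot: In the new `Should Have File Permissions` keyword, `${file}` is substituted unquoted into the `stat` command line, so a path containing spaces or shell metacharacters would be split or interpreted by the shell; quoting it as `stat -c '%a %U:%G' '${file}'` keeps the keyword safe to reuse. The `${expected_permissions}` argument actually carries mode plus owner and group (`644 root:root`), so a line such as `[Documentation]    Assert mode and ownership of a file; expected format is "<mode> <user>:<group>"` would make the contract clear. The local `${FILE_MODE_OWNERSHIP}` is upper-cased like a suite variable; lower case would match the file's other locals such as `${output}`.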
From 753537c37fc3ecfe9b3a666c95ccb1ff3807f4a9 Mon Sep 17 00:00:00 2001
From: Krzysztof Piotrowski
Date: Thu, 12 Oct 2023 22:48:10 +0000
Subject: [PATCH 2/2] Set permissions of bridge config to 644
Signed-off-by: Krzysztof Piotrowski
---
 crates/core/tedge/src/cli/connect/command.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crates/core/tedge/src/cli/connect/command.rs b/crates/core/tedge/src/cli/connect/command.rs
index bfc200b6d81..f0f1e2421fe 100644
--- a/crates/core/tedge/src/cli/connect/command.rs
+++ b/crates/core/tedge/src/cli/connect/command.rs
@@ -571,7 +571,7 @@ fn write_bridge_config_to_file(
 common_draft.persist()?;
 let config_path = get_bridge_config_file_path(config_location, bridge_config);
- let mut config_draft = DraftFile::new(config_path)?;
+ let mut config_draft = DraftFile::new(config_path)?.with_mode(0o644);
 bridge_config.serialize(&mut config_draft)?;
 config_draft.persist()?;
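Review bot: The new `.with_mode(0o644)` on `config_draft` makes the bridge config world-readable on purpose, but nothing at the call site says so or records the constraint that follows: whatever `bridge_config.serialize` writes must never include credentials. I would add a comment above the line, e.g. `// 0o644: non-root users must be able to read the bridge config (#2154); it must not contain secrets.` `common_draft` is created above the hunk, so it is not visible here whether it gets the same explicit mode; the test in patch 1/2 expects 644 on tedge-mosquitto.conf as well, so it is worth confirming both drafts set it rather than one depending on the process umask. The body of `write_bridge_config_to_file` starts and ends outside the hunk.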