From a8167c1e9d6a0f64f5d34ea2e649a9b5b006e55c Mon Sep 17 00:00:00 2001
From: Jacob Massey
Date: Sun, 6 Aug 2017 17:53:58 -0400
Subject: [PATCH] Set read/write owner permissions when .aws/credentials file is saved
---
 .../configCredentials/awsConfigCredentials.js | 11 +++++++++++
 .../awsConfigCredentials.test.js | 16 ++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/lib/plugins/aws/configCredentials/awsConfigCredentials.js b/lib/plugins/aws/configCredentials/awsConfigCredentials.js
index 03b960a99..ea53216e8 100644
--- a/lib/plugins/aws/configCredentials/awsConfigCredentials.js
+++ b/lib/plugins/aws/configCredentials/awsConfigCredentials.js
@@ -1,7 +1,9 @@
 'use strict';
 const BbPromise = require('bluebird');
+const constants = require('constants');
 const path = require('path');
+const fs = require('fs');
 const fse = require('fs-extra');
 const os = require('os');
 const _ = require('lodash');
@@ -148,6 +150,15 @@ class AwsConfigCredentials {
     return this.serverless.utils.writeFile(this.credentialsFilePath, updatedCredsFileContent)
       .then(() => {
+        // set file permissions to only readable/writable by owner (equivalent to 'chmod 600')
+        // Note: `chmod` doesn't behave as intended on Windows, so skip if we're on Windows.
+        if (os.platform() !== 'win32') {
+          fs.chmodSync(
+            this.credentialsFilePath,
+            (fs.constants || constants).S_IRUSR | (fs.constants || constants).S_IWUSR
+          );
+        }
+
         this.serverless.cli.log(
           `Success! Your AWS access keys were stored under the "${this.options.profile}" profile.`);
       });
diff --git a/lib/plugins/aws/configCredentials/awsConfigCredentials.test.js b/lib/plugins/aws/configCredentials/awsConfigCredentials.test.js
index 21838e178..8a9561158 100644
--- a/lib/plugins/aws/configCredentials/awsConfigCredentials.test.js
+++ b/lib/plugins/aws/configCredentials/awsConfigCredentials.test.js
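Review bot: The credentials are written first with whatever mode the write helper and the process umask produce, and only tightened afterwards by `fs.chmodSync` in the `.then` callback, so there is a window after the write in which the new secret is readable under the default mode (commonly 0644), and if the file already existed with wider permissions the content is exposed for the whole of that write. If `this.serverless.utils.writeFile` (defined outside this hunk) can take a mode, create the file as 0o600 up front and keep the chmod as the belt-and-braces step for a pre-existing file; if it cannot, a comment on the chmod should state that the file may briefly carry the default mode. Separately, `(fs.constants || constants)` is evaluated three times; hoisting it once as `const fsConstants = fs.constants || constants;` and saying in a comment that `require('constants')` is only a fallback for older Node releases would make the intent clear. The enclosing method of `AwsConfigCredentials` begins before this hunk.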
@@ -2,6 +2,7 @@
 const expect = require('chai').expect;
 const sinon = require('sinon');
+const constants = require('constants');
 const fs = require('fs');
 const fse = require('fs-extra');
 const os = require('os');
@@ -215,6 +216,21 @@ describe('AwsConfigCredentials', () => {
       expect(lineByLineContent[2]).to.equal('aws_secret_access_key = my-profile-secret');
     });
   });
+
+  if (os.platform() !== 'win32') {
+    it('should set the permissions of the credentials file to be owner-only read/write', () =>
+      awsConfigCredentials.configureCredentials().then(() => {
+        const fileMode = fs.statSync(credentialsFilePath).mode;
+        const filePermissions = fileMode & ~(fs.constants || constants).S_IFMT;
+
+        const readableByOwnerPermission = (fs.constants || constants).S_IRUSR;
+        const writableByOwnerPermission = (fs.constants || constants).S_IWUSR;
+        const expectedFilePermissions = readableByOwnerPermission | writableByOwnerPermission;
+
+        expect(filePermissions).to.equal(expectedFilePermissions);
+      })
+    );
+  }
 });
 describe('#getCredentials()', () => {
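Review bot: The new test only exercises the path where the credentials file is created fresh by `configureCredentials()`, so it cannot show that an already existing file with broader permissions is tightened by the same chmod; a second case that pre-creates `credentialsFilePath` with mode 0o644 before the call and then asserts the same owner-only mode would pin that behaviour. Guarding the `it` with `if (os.platform() !== 'win32')` makes the case disappear silently on Windows instead of appearing as skipped; `it.skip(...)` with the reason in the title keeps it visible in the report. `(fs.constants || constants)` is repeated three times inside the callback and reads better hoisted into one local, mirroring whatever the implementation does. The enclosing `describe` block starts before this hunk.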