docker_login: fix permissions for ~/.docker/config.json (ansible#67353)

* Fix permissions for ~/.docker/config.json.

* Add changelog, remove debug output.

changelogs/fragments/67353-docker_login-permissions.yml

@@ -0,0 +1,2 @@
+bugfixes:
+- "docker_login - make sure that ``~/.docker/config.json`` is created with permissions ``0600``."

lib/ansible/modules/cloud/docker/docker_login.py

@@ -244,9 +244,13 @@ def _write(self):
         dir = os.path.dirname(self._config_path)
         if not os.path.exists(dir):
             os.makedirs(dir)
-        # Write config
-        with open(self._config_path, "w") as f:
-            json.dump(self._config, f, indent=4, sort_keys=True)
+        # Write config; make sure it has permissions 0x600
+        content = json.dumps(self._config, indent=4, sort_keys=True).encode('utf-8')
+        f = os.open(self._config_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+        try:
+            os.write(f, content)
+        finally:
+            os.close(f)
 
     def store(self, server, username, password):
         '''

test/integration/targets/docker_login/tasks/tests/docker_login.yml

@@ -43,6 +43,11 @@
     state: present
   register: login_2
 
+- name: Get permissions of ~/.docker/config.json
+  stat:
+    path: ~/.docker/config.json
+  register: login_2_stat
+
 - name: Log in (idempotent)
   docker_login:
     registry_url: "{{ registry_frontend_address }}"
@@ -67,6 +72,7 @@
       - login_2 is changed
       - login_3 is not changed
       - login_4 is not changed
+      - login_2_stat.stat.mode == '0600'
 
 - name: Log in again with wrong password (check mode)
   docker_login: