send --fix-ssl-permissions to stderr (#15972)

chia/ssl/create_ssl.py

@@ -60,7 +60,7 @@ def ensure_ssl_dirs(dirs: List[Path]):
     """Create SSL dirs with a default 755 mode if necessary"""
     for dir in dirs:
         if not dir.exists():
-            dir.mkdir(mode=0o755)
+            dir.mkdir(mode=0o755, parents=True)
 
 
 def generate_ca_signed_cert(ca_crt: bytes, ca_key: bytes, cert_out: Path, key_out: Path):

chia/util/ssl_check.py

@@ -143,15 +143,18 @@ def check_ssl(root_path: Path) -> None:
     certs_to_check, keys_to_check = get_all_ssl_file_paths(root_path)
     invalid_files = verify_ssl_certs_and_keys(certs_to_check, keys_to_check)
     if len(invalid_files):
-        print("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@")
-        print("@             WARNING: UNPROTECTED SSL FILE!              @")
-        print("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@")
-        for path, actual_permissions, expected_permissions in invalid_files:
-            print(
+        lines = [
+            "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@",
+            "@             WARNING: UNPROTECTED SSL FILE!              @",
+            "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@",
+            *(
                 get_ssl_perm_warning(path, actual_permissions, expected_permissions)
-            )  # lgtm [py/clear-text-logging-sensitive-data]
-        print("One or more SSL files were found with permission issues.")
-        print("Run the following to fix issues: chia init --fix-ssl-permissions")
+                for path, actual_permissions, expected_permissions in invalid_files
+            ),
+            "One or more SSL files were found with permission issues.",
+            "Run the following to fix issues: chia init --fix-ssl-permissions",
+        ]
+        print("\n".join(lines), file=sys.stderr)
 
 
 def check_and_fix_permissions_for_ssl_file(file: Path, mask: int, updated_mode: int) -> Tuple[bool, bool]:

tests/util/test_ssl_check.py

@@ -0,0 +1,31 @@
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+import pytest
+
+from chia.ssl.create_ssl import create_all_ssl
+from chia.util.ssl_check import check_ssl
+
+
+def test_check_ssl_stream_with_bad_permissions(
+    capsys: pytest.CaptureFixture[str],
+    root_path_populated_with_config: Path,
+) -> None:
+    with capsys.disabled():
+        create_all_ssl(root_path=root_path_populated_with_config)
+        root_path_populated_with_config.joinpath("config", "ssl", "daemon", "private_daemon.crt").chmod(mode=0o777)
+
+    check_ssl(root_path=root_path_populated_with_config)
+
+    with capsys.disabled():
+        captured = capsys.readouterr()
+        print(f"stdout: {captured.out!r}")
+        print(f"stderr: {captured.err!r}")
+
+        assert captured.out == ""
+        if sys.platform == "win32":
+            assert captured.err == ""
+        else:
+            assert "WARNING: UNPROTECTED SSL FILE!" in captured.err