From 4b2dfd8f90304f318dfb418333fd38d653391537 Mon Sep 17 00:00:00 2001
From: Steve Smith
Date: Tue, 9 Jul 2019 16:15:45 +1000
Subject: [PATCH] DCD-418: Limit permissions on the systemd unit and move DB params to the environment.

---
 roles/product_startup/molecule/default/tests/test_default.py | 3 +++
 roles/product_startup/tasks/main.yml | 3 +++
 roles/synchrony_config/tasks/main.yml | 2 +-
 roles/synchrony_config/templates/atl.synchrony.j2 | 5 +++--
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/roles/product_startup/molecule/default/tests/test_default.py b/roles/product_startup/molecule/default/tests/test_default.py
index f01d546..3beccfe 100644
--- a/roles/product_startup/molecule/default/tests/test_default.py
+++ b/roles/product_startup/molecule/default/tests/test_default.py
@@ -9,3 +9,6 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 def test_service_file(host):
 f = host.file('/etc/systemd/system/jira-software.service')
 assert f.contains("^ExecStart=/opt/atlassian/jira-software/current/bin/start-jira.sh -fg$")
+ assert f.user == 'root'
+ assert f.user == 'root'
+ assert f.mode == 0o0640
diff --git a/roles/product_startup/tasks/main.yml b/roles/product_startup/tasks/main.yml
index 4922627..706bee3 100644
--- a/roles/product_startup/tasks/main.yml
+++ b/roles/product_startup/tasks/main.yml
@@ -4,6 +4,9 @@
 template:
 src: "product.service.j2"
 dest: "/etc/systemd/system/{{ atl_systemd_service_name }}"
+ owner: root
+ group: root
+ mode: 0640
 notify:
 - Enable Product
 - Restart Product
diff --git a/roles/synchrony_config/tasks/main.yml b/roles/synchrony_config/tasks/main.yml
index 330fe6d..966e84f 100644
--- a/roles/synchrony_config/tasks/main.yml
+++ b/roles/synchrony_config/tasks/main.yml
@@ -12,4 +12,4 @@
 src: "atl.synchrony.j2"
 dest: "/etc/atl.synchrony"
 group: "{{ atl_product_user }}"
- mode: "0640"
+ mode: "0640"
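Review bot: The two added lines `assert f.user == 'root'` are identical, so the group ownership that the companion template task sets with `group: root` is never verified and a regression there would pass this test. The second assertion should read `assert f.group == 'root'`. The test body (`test_service_file`) is otherwise complete within the hunk.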
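Review bot: The added `mode: 0640` is an unquoted YAML scalar, so whether it means octal 0640 or decimal 640 (which is 0o1200) depends on the YAML parser treating a leading zero as octal; the sibling task in `roles/synchrony_config/tasks/main.yml` in this same commit already uses the unambiguous quoted form. Change it to `mode: "0640"` so both roles agree and the permission does not depend on YAML-1.1 integer rules. The enclosing task (its `name:` and any `when:`) starts above the hunk.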
diff --git a/roles/synchrony_config/templates/atl.synchrony.j2 b/roles/synchrony_config/templates/atl.synchrony.j2
index 96c7ae2..e340fa3 100644
--- a/roles/synchrony_config/templates/atl.synchrony.j2
+++ b/roles/synchrony_config/templates/atl.synchrony.j2
@@ -9,11 +9,12 @@ ATL_SYNCHRONY_JAR_PATH="{{ atl_product_installation_current }}/confluence/WEB-IN
 AWS_EC2_PRIVATE_IP="{{ atl_local_ipv4 }}"
 _RUNJAVA="{{ atl_product_installation_current }}/jre/bin/java"
 
+SYNCHRONY_DATABASE_USERNAME="{{ atl_jdbc_user }}"
+SYNCHRONY_DATABASE_PASSWORD="{{ atl_jdbc_password }}"
+
 ATL_SYNCHRONY_JVM_PROPERTIES="{{ atl_synchrony_stack_space }} {{ atl_synchrony_memory }} \
 -Dsynchrony.cluster.impl=hazelcast-btf \
 -Dsynchrony.database.url={{ atl_jdbc_url }} \
- -Dsynchrony.database.username={{ atl_jdbc_user }} \
- -Dsynchrony.database.password={{ atl_jdbc_password }} \
 -Dsynchrony.bind={{ atl_local_ipv4 }} \
 -Dsynchrony.cluster.bind={{ atl_local_ipv4 }} \
 -Dcluster.interfaces={{ atl_local_ipv4 }} \
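Review bot: `SYNCHRONY_DATABASE_PASSWORD="{{ atl_jdbc_password }}"` interpolates the credential into a double-quoted shell assignment with no escaping, so a password containing `"`, `$`, a backtick or `\` is silently altered or breaks the file when it is sourced (the `_RUNJAVA=` assignment and the backslash-continued `ATL_SYNCHRONY_JVM_PROPERTIES="..."` string suggest this file is read by a shell). Render both values with Ansible's `quote` filter instead, `SYNCHRONY_DATABASE_USERNAME={{ atl_jdbc_user | quote }}` and `SYNCHRONY_DATABASE_PASSWORD={{ atl_jdbc_password | quote }}`. Note also that the two variables are assigned but not `export`ed, so unless the start script exports them or the file is loaded via systemd `EnvironmentFile=` (not visible here), the Java process will not see them while the old `-D` properties are already gone — worth confirming before merging. The `ATL_SYNCHRONY_JVM_PROPERTIES` string continues past the last line of the hunk.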