diff --git a/pkg/tarmak/environment/environment.go b/pkg/tarmak/environment/environment.go index ab95dd1b0c..960da00d70 100644 --- a/pkg/tarmak/environment/environment.go +++ b/pkg/tarmak/environment/environment.go @@ -287,6 +287,10 @@ func (e *Environment) Validate() (result error) { result = multierror.Append(result, err) } + if err := e.Vault().Validate(); err != nil { + result = multierror.Append(result, err) + } + return result } diff --git a/pkg/tarmak/interfaces/interfaces.go b/pkg/tarmak/interfaces/interfaces.go index 98356d6d79..8a8ef43371 100644 --- a/pkg/tarmak/interfaces/interfaces.go +++ b/pkg/tarmak/interfaces/interfaces.go @@ -203,6 +203,7 @@ type SSH interface { PassThrough([]string) Tunnel(hostname string, destination string, destinationPort int) Tunnel Execute(host string, cmd string, args []string) (returnCode int, err error) + Validate() error } type Tunnel interface { @@ -238,6 +239,7 @@ type Vault interface { RootToken() (string, error) TunnelFromFQDNs(vaultInternalFQDNs []string, vaultCA string) (VaultTunnel, error) VerifyInitFromFQDNs(instances []string, vaultCA, vaultKMSKeyID, vaultUnsealKeyName string) error + Validate() error } type InstancePool interface { diff --git a/pkg/tarmak/ssh/ssh.go b/pkg/tarmak/ssh/ssh.go index c014e949f7..0928672659 100644 --- a/pkg/tarmak/ssh/ssh.go +++ b/pkg/tarmak/ssh/ssh.go @@ -10,6 +10,7 @@ import ( "path/filepath" "syscall" + "github.com/hashicorp/go-multierror" "github.com/sirupsen/logrus" "github.com/jetstack/tarmak/pkg/tarmak/interfaces" @@ -32,6 +33,34 @@ func New(tarmak interfaces.Tarmak) *SSH { return s } +func (s *SSH) Validate() error { + var result *multierror.Error + + for _, path := range []string{ + s.tarmak.Cluster().SSHConfigPath(), + s.tarmak.Environment().SSHPrivateKeyPath(), + } { + + f, err := os.Stat(path) + if err != nil { + if os.IsNotExist(err) { + continue + } + + result = multierror.Append(result, fmt.Errorf("failed to get '%s' file stat: %v", path, err)) + continue + } + + if (f.Mode() & 0077) != 0 { + err := fmt.Errorf("'%s' does not match permissions (0600): %v", path, f.Mode()) + result = multierror.Append(result, err) + continue + } + } + + return result.ErrorOrNil() +} + func (s *SSH) WriteConfig(c interfaces.Cluster) error { hosts, err := c.ListHosts() diff --git a/pkg/tarmak/tarmak.go b/pkg/tarmak/tarmak.go index da308d02ba..0196693108 100644 --- a/pkg/tarmak/tarmak.go +++ b/pkg/tarmak/tarmak.go @@ -281,20 +281,21 @@ func (t *Tarmak) Version() string { } func (t *Tarmak) Validate() error { - var err error - var result error + var result *multierror.Error - err = t.Cluster().Validate() - if err != nil { + if err := t.Cluster().Validate(); err != nil { result = multierror.Append(result, err) } - err = t.Cluster().Environment().Validate() - if err != nil { + if err := t.Cluster().Environment().Validate(); err != nil { + result = multierror.Append(result, err) + } + + if err := t.SSH().Validate(); err != nil { result = multierror.Append(result, err) } - return result + return result.ErrorOrNil() } func (t *Tarmak) Cleanup() { diff --git a/pkg/tarmak/vault/vault.go b/pkg/tarmak/vault/vault.go index fa08965dc8..2df7869dd8 100644 --- a/pkg/tarmak/vault/vault.go +++ b/pkg/tarmak/vault/vault.go @@ -261,3 +261,22 @@ func (v *Vault) VerifyInitFromFQDNs(instances []string, vaultCA, vaultKMSKeyID, return fmt.Errorf("time out verifying that vault cluster is initialiased and unsealed: %s", err) } + +func (v *Vault) Validate() error { + + path := v.rootTokenPath() + f, err := os.Stat(path) + if err != nil { + if os.IsNotExist(err) { + return nil + } + + return fmt.Errorf("failed to get vault root token '%s' file stat: %v", path, err) + } + + if (f.Mode() & 0077) != 0 { + return fmt.Errorf("vault root token file '%s' does not match permissions (0600): %v", path, f.Mode()) + } + + return nil +}