This repository was archived by the owner on Jan 9, 2023. It is now read-only.

File permissions validations #355

Open
wants to merge 2 commits into
base: master
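--- a/pkg/tarmak/environment/environment.go
+++ b/pkg/tarmak/environment/environment.go
@@ -287,6 +287,10 @@ func (e *Environment) Validate() (result error) {
 result = multierror.Append(result, err)
 }
 
+if err := e.Vault().Validate(); err != nil {
+result = multierror.Append(result, err)
+}
+
 return result
 }
 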
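--- a/pkg/tarmak/interfaces/interfaces.go
+++ b/pkg/tarmak/interfaces/interfaces.go
@@ -203,6 +203,7 @@ type SSH interface {
 PassThrough([]string)
 Tunnel(hostname string, destination string, destinationPort int) Tunnel
 Execute(host string, cmd string, args []string) (returnCode int, err error)
+Validate() error
 }
 
 type Tunnel interface {
@@ -238,6 +239,7 @@ type Vault interface {
 RootToken() (string, error)
 TunnelFromFQDNs(vaultInternalFQDNs []string, vaultCA string) (VaultTunnel, error)
 VerifyInitFromFQDNs(instances []string, vaultCA, vaultKMSKeyID, vaultUnsealKeyName string) error
+Validate() error
 }
 
 type InstancePool interface {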
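Review bot: The two new `Validate() error` methods on `SSH` and `Vault` carry no comment, so an implementer cannot tell from the interface what has to be validated or that a missing file is tolerated. A line such as `// Validate reports an error when local secret files are accessible by group or others.` above each would record the contract. Adding a method to these interfaces also breaks any other implementation, for example generated mocks if the repository has them, and this diff does not show any being updated.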
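--- a/pkg/tarmak/ssh/ssh.go
+++ b/pkg/tarmak/ssh/ssh.go
@@ -10,6 +10,7 @@ import (
 "path/filepath"
 "syscall"
 
+"github.com/hashicorp/go-multierror"
 "github.com/sirupsen/logrus"
 
 "github.com/jetstack/tarmak/pkg/tarmak/interfaces"
@@ -32,6 +33,34 @@ func New(tarmak interfaces.Tarmak) *SSH {
 return s
 }
 
+func (s *SSH) Validate() error {
+var result *multierror.Error
+
+for _, path := range []string{
+s.tarmak.Cluster().SSHConfigPath(),
+s.tarmak.Environment().SSHPrivateKeyPath(),
+} {
+
+f, err := os.Stat(path)
+if err != nil {
+if os.IsNotExist(err) {
+continue
+}
+
+result = multierror.Append(result, fmt.Errorf("failed to get '%s' file stat: %v", path, err))
+continue
+}
+
+if (f.Mode() & 0077) != 0 {
+err := fmt.Errorf("'%s' does not match permissions (0600): %v", path, f.Mode())
+result = multierror.Append(result, err)
+continue
+}
+}
+
+return result.ErrorOrNil()
+}
+
 func (s *SSH) WriteConfig(c interfaces.Cluster) error {
 
 hosts, err := c.ListHosts()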
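Review bot: The permission test in `SSH.Validate`, `(f.Mode() & 0077) != 0`, only rejects group and other bits, while the error text says the file must be `0600`, so a mode such as 0700 passes and the message does not describe what is actually enforced. Testing `f.Mode().Perm()&0077 != 0` and wording the error as `'%s' must not be accessible by group or others, got %v` would make check and message agree; `Vault.Validate` in pkg/tarmak/vault/vault.go has the same mismatch. `os.Stat` follows symlinks and the mode bits say nothing about ownership, so a short comment stating that only the target's mode is checked would set expectations. Because a missing file is skipped, this check does not cover files created later in the run; whatever writes the SSH config and private key presumably has to create them with mode 0600 itself, which is not visible in this hunk.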
15 changes: 8 additions & 7 deletions pkg/tarmak/tarmak.go
@@ -281,20 +281,21 @@ func (t *Tarmak) Version() string {
}

func (t *Tarmak) Validate() error {
var err error
var result error
var result *multierror.Error
Contributor


I think this whole method should just be calling to validateSSHSetup() or something like that

Contributor Author


Not too sure what you mean by this. tarmak.Validate() should only call to validateSSHSetup?



err = t.Cluster().Validate()
if err != nil {
if err := t.Cluster().Validate(); err != nil {
result = multierror.Append(result, err)
}

err = t.Cluster().Environment().Validate()
if err != nil {
if err := t.Cluster().Environment().Validate(); err != nil {
result = multierror.Append(result, err)
}

if err := t.SSH().Validate(); err != nil {
result = multierror.Append(result, err)
}

return result
return result.ErrorOrNil()
}

func (t *Tarmak) Cleanup() {
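--- a/pkg/tarmak/vault/vault.go
+++ b/pkg/tarmak/vault/vault.go
@@ -261,3 +261,22 @@ func (v *Vault) VerifyInitFromFQDNs(instances []string, vaultCA, vaultKMSKeyID,
 
 return fmt.Errorf("time out verifying that vault cluster is initialiased and unsealed: %s", err)
 }
+
+func (v *Vault) Validate() error {
+
+path := v.rootTokenPath()
+f, err := os.Stat(path)
+if err != nil {
+if os.IsNotExist(err) {
+return nil
+}
+
+return fmt.Errorf("failed to get vault root token '%s' file stat: %v", path, err)
+}
+
+if (f.Mode() & 0077) != 0 {
+return fmt.Errorf("vault root token file '%s' does not match permissions (0600): %v", path, f.Mode())
+}
+
+return nil
+}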
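Review bot: `Vault.Validate` repeats the stat-and-mask logic of `SSH.Validate` in pkg/tarmak/ssh/ssh.go almost line for line, so the rule for secret files now lives in two places that can drift apart. A small shared helper that takes a path and returns the permission error would keep it in one place. The function also has no doc comment; something like `// Validate returns an error if the local Vault root token file is accessible by group or others; a missing file is not an error.` would record that a missing token is deliberately accepted.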