From 397d571d4451d3bfa1192bbf116fd4114eca60a1 Mon Sep 17 00:00:00 2001 From: JoshVanL Date: Fri, 29 Jun 2018 12:08:40 +0100 Subject: [PATCH 1/2] Adds file permission validations for id_rsa, ssh_config and vault_root_token --- pkg/tarmak/environment/environment.go | 4 ++++ pkg/tarmak/interfaces/interfaces.go | 2 ++ pkg/tarmak/ssh/ssh.go | 29 +++++++++++++++++++++++++++ pkg/tarmak/tarmak.go | 15 +++++++------- pkg/tarmak/vault/vault.go | 19 ++++++++++++++++++ 5 files changed, 62 insertions(+), 7 deletions(-) diff --git a/pkg/tarmak/environment/environment.go b/pkg/tarmak/environment/environment.go index ab95dd1b0c..960da00d70 100644 --- a/pkg/tarmak/environment/environment.go +++ b/pkg/tarmak/environment/environment.go @@ -287,6 +287,10 @@ func (e *Environment) Validate() (result error) { result = multierror.Append(result, err) } + if err := e.Vault().Validate(); err != nil { + result = multierror.Append(result, err) + } + return result } diff --git a/pkg/tarmak/interfaces/interfaces.go b/pkg/tarmak/interfaces/interfaces.go index 98356d6d79..8a8ef43371 100644 --- a/pkg/tarmak/interfaces/interfaces.go +++ b/pkg/tarmak/interfaces/interfaces.go @@ -203,6 +203,7 @@ type SSH interface { PassThrough([]string) Tunnel(hostname string, destination string, destinationPort int) Tunnel Execute(host string, cmd string, args []string) (returnCode int, err error) + Validate() error } type Tunnel interface { @@ -238,6 +239,7 @@ type Vault interface { RootToken() (string, error) TunnelFromFQDNs(vaultInternalFQDNs []string, vaultCA string) (VaultTunnel, error) VerifyInitFromFQDNs(instances []string, vaultCA, vaultKMSKeyID, vaultUnsealKeyName string) error + Validate() error } type InstancePool interface { diff --git a/pkg/tarmak/ssh/ssh.go b/pkg/tarmak/ssh/ssh.go index c014e949f7..95c8ea0b7d 100644 --- a/pkg/tarmak/ssh/ssh.go +++ b/pkg/tarmak/ssh/ssh.go @@ -10,6 +10,7 @@ import ( "path/filepath" "syscall" + "github.com/hashicorp/go-multierror" "github.com/sirupsen/logrus" "github.com/jetstack/tarmak/pkg/tarmak/interfaces" @@ -32,6 +33,34 @@ func New(tarmak interfaces.Tarmak) *SSH { return s } +func (s *SSH) Validate() error { + var result *multierror.Error + + for _, path := range []string{ + s.tarmak.Cluster().SSHConfigPath(), + s.tarmak.Environment().SSHPrivateKeyPath(), + } { + + f, err := os.Stat(path) + if err != nil { + if os.IsNotExist(err) { + continue + } + + result = multierror.Append(result, fmt.Errorf("failed to get '%s' file stat: %v", path, err)) + continue + } + + if f.Mode() != os.FileMode(0600) { + err := fmt.Errorf("'%s' does not match permissions (0600): %v", path, f.Mode()) + result = multierror.Append(result, err) + continue + } + } + + return result.ErrorOrNil() +} + func (s *SSH) WriteConfig(c interfaces.Cluster) error { hosts, err := c.ListHosts() diff --git a/pkg/tarmak/tarmak.go b/pkg/tarmak/tarmak.go index da308d02ba..0196693108 100644 --- a/pkg/tarmak/tarmak.go +++ b/pkg/tarmak/tarmak.go @@ -281,20 +281,21 @@ func (t *Tarmak) Version() string { } func (t *Tarmak) Validate() error { - var err error - var result error + var result *multierror.Error - err = t.Cluster().Validate() - if err != nil { + if err := t.Cluster().Validate(); err != nil { result = multierror.Append(result, err) } - err = t.Cluster().Environment().Validate() - if err != nil { + if err := t.Cluster().Environment().Validate(); err != nil { + result = multierror.Append(result, err) + } + + if err := t.SSH().Validate(); err != nil { result = multierror.Append(result, err) } - return result + return result.ErrorOrNil() } func (t *Tarmak) Cleanup() { diff --git a/pkg/tarmak/vault/vault.go b/pkg/tarmak/vault/vault.go index fa08965dc8..7845153fef 100644 --- a/pkg/tarmak/vault/vault.go +++ b/pkg/tarmak/vault/vault.go @@ -261,3 +261,22 @@ func (v *Vault) VerifyInitFromFQDNs(instances []string, vaultCA, vaultKMSKeyID, return fmt.Errorf("time out verifying that vault cluster is initialiased and unsealed: %s", err) } + +func (v *Vault) Validate() error { + + path := v.rootTokenPath() + f, err := os.Stat(path) + if err != nil { + if os.IsNotExist(err) { + return nil + } + + return fmt.Errorf("failed to get vault root token '%s' file stat: %v", path, err) + } + + if f.Mode() != os.FileMode(0600) { + return fmt.Errorf("vault root token file '%s' does not match permissions (0600): %v", path, f.Mode()) + } + + return nil +} From d5caa32996247afa01a65d4c8c00ce70df6e75dc Mon Sep 17 00:00:00 2001 From: JoshVanL Date: Mon, 9 Jul 2018 14:19:38 +0100 Subject: [PATCH 2/2] Check file permissions for non-zero users and groups --- pkg/tarmak/ssh/ssh.go | 2 +- pkg/tarmak/vault/vault.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/tarmak/ssh/ssh.go b/pkg/tarmak/ssh/ssh.go index 95c8ea0b7d..0928672659 100644 --- a/pkg/tarmak/ssh/ssh.go +++ b/pkg/tarmak/ssh/ssh.go @@ -51,7 +51,7 @@ func (s *SSH) Validate() error { continue } - if f.Mode() != os.FileMode(0600) { + if (f.Mode() & 0077) != 0 { err := fmt.Errorf("'%s' does not match permissions (0600): %v", path, f.Mode()) result = multierror.Append(result, err) continue diff --git a/pkg/tarmak/vault/vault.go b/pkg/tarmak/vault/vault.go index 7845153fef..2df7869dd8 100644 --- a/pkg/tarmak/vault/vault.go +++ b/pkg/tarmak/vault/vault.go @@ -274,7 +274,7 @@ func (v *Vault) Validate() error { return fmt.Errorf("failed to get vault root token '%s' file stat: %v", path, err) } - if f.Mode() != os.FileMode(0600) { + if (f.Mode() & 0077) != 0 { return fmt.Errorf("vault root token file '%s' does not match permissions (0600): %v", path, f.Mode()) }