jetstack · JoshVanL · Jun 29, 2018 · Jul 9, 2018 · simonswine · Jul 6, 2018
diff --git a/pkg/tarmak/environment/environment.go b/pkg/tarmak/environment/environment.go
@@ -287,6 +287,10 @@ func (e *Environment) Validate() (result error) {
 		result = multierror.Append(result, err)
 	}
 
+	if err := e.Vault().Validate(); err != nil {
+		result = multierror.Append(result, err)
+	}
+
 	return result
 }
 

diff --git a/pkg/tarmak/interfaces/interfaces.go b/pkg/tarmak/interfaces/interfaces.go
@@ -203,6 +203,7 @@ type SSH interface {
 	PassThrough([]string)
 	Tunnel(hostname string, destination string, destinationPort int) Tunnel
 	Execute(host string, cmd string, args []string) (returnCode int, err error)
+	Validate() error
 }
 
 type Tunnel interface {
@@ -238,6 +239,7 @@ type Vault interface {
 	RootToken() (string, error)
 	TunnelFromFQDNs(vaultInternalFQDNs []string, vaultCA string) (VaultTunnel, error)
 	VerifyInitFromFQDNs(instances []string, vaultCA, vaultKMSKeyID, vaultUnsealKeyName string) error
+	Validate() error
 }
 
 type InstancePool interface {

diff --git a/pkg/tarmak/ssh/ssh.go b/pkg/tarmak/ssh/ssh.go
@@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"syscall"
 
+	"github.com/hashicorp/go-multierror"
 	"github.com/sirupsen/logrus"
 
 	"github.com/jetstack/tarmak/pkg/tarmak/interfaces"
@@ -32,6 +33,34 @@ func New(tarmak interfaces.Tarmak) *SSH {
 	return s
 }
 
+func (s *SSH) Validate() error {
+	var result *multierror.Error
+
+	for _, path := range []string{
+		s.tarmak.Cluster().SSHConfigPath(),
+		s.tarmak.Environment().SSHPrivateKeyPath(),
+	} {
+
+		f, err := os.Stat(path)
+		if err != nil {
+			if os.IsNotExist(err) {
+				continue
+			}
+
+			result = multierror.Append(result, fmt.Errorf("failed to get '%s' file stat: %v", path, err))
+			continue
+		}
+
+		if f.Mode() != os.FileMode(0600) {
+			err := fmt.Errorf("'%s' does not match permissions (0600): %v", path, f.Mode())
+			result = multierror.Append(result, err)
+			continue
+		}
+	}
+
+	return result.ErrorOrNil()
+}
+
 func (s *SSH) WriteConfig(c interfaces.Cluster) error {
 
 	hosts, err := c.ListHosts()

diff --git a/pkg/tarmak/tarmak.go b/pkg/tarmak/tarmak.go
@@ -281,20 +281,21 @@ func (t *Tarmak) Version() string {
 }
 
 func (t *Tarmak) Validate() error {
-	var err error
-	var result error
+	var result *multierror.Error
 
-	err = t.Cluster().Validate()
-	if err != nil {
+	if err := t.Cluster().Validate(); err != nil {
 		result = multierror.Append(result, err)
 	}
 
-	err = t.Cluster().Environment().Validate()
-	if err != nil {
+	if err := t.Cluster().Environment().Validate(); err != nil {
+		result = multierror.Append(result, err)
+	}
+
+	if err := t.SSH().Validate(); err != nil {
 		result = multierror.Append(result, err)
 	}
 
-	return result
+	return result.ErrorOrNil()
 }
 
 func (t *Tarmak) Cleanup() {

diff --git a/pkg/tarmak/vault/vault.go b/pkg/tarmak/vault/vault.go
@@ -261,3 +261,22 @@ func (v *Vault) VerifyInitFromFQDNs(instances []string, vaultCA, vaultKMSKeyID,
 
 	return fmt.Errorf("time out verifying that vault cluster is initialiased and unsealed: %s", err)
 }
+
+func (v *Vault) Validate() error {
+
+	path := v.rootTokenPath()
+	f, err := os.Stat(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+
+		return fmt.Errorf("failed to get vault root token '%s' file stat: %v", path, err)
+	}
+
+	if f.Mode() != os.FileMode(0600) {
+		return fmt.Errorf("vault root token file '%s' does not match permissions (0600): %v", path, f.Mode())
+	}
+
+	return nil
+}