Skip to content

Add validation of cert file path #195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

Add validation of cert file path #195

Changes from 6 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
da47ac4
fix: validate file path
n4mlz Aug 20, 2025
267e7b5
fix: file path validation
n4mlz Aug 20, 2025
3c3286d
fix: file path validation
n4mlz Aug 20, 2025
f99c5ab
fix: file path validation
n4mlz Aug 20, 2025
171d368
fix: file permission validation logic
n4mlz Aug 20, 2025
928c709
refactor
n4mlz Aug 20, 2025
f76f764
fix: skip validation if uning local cert
n4mlz Aug 21, 2025
c0dc6db
fix: bug
n4mlz Aug 21, 2025
7d93680
revert: local certificate loading logic
n4mlz Aug 25, 2025
6d3cf88
refactor: improve local certificate validation logic
n4mlz Aug 25, 2025
1e953d2
refactor: move file validation logic to a new package
n4mlz Aug 25, 2025
9007e9d
refactor: rename file validation functions for clarity
n4mlz Aug 25, 2025
71adb89
fix: correct variable assignment for local file identity in certifica…
n4mlz Aug 25, 2025
57e0768
chore: add license header to validate-file-path.go
n4mlz Aug 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions pkg/certificate/service.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ package certificate
import (
"context"
"fmt"
"os"
"path/filepath"
"sync"
"time"

Expand All @@ -26,6 +28,7 @@ import (
"github.com/AthenZ/k8s-athenz-sia/v3/third_party/log"
"github.com/AthenZ/k8s-athenz-sia/v3/third_party/util"
"github.com/cenkalti/backoff"
"golang.org/x/sys/unix"
)

type certService struct {
Expand Down Expand Up @@ -71,6 +74,52 @@ func New(ctx context.Context, idCfg *config.IdentityConfig) (daemon.Daemon, erro
var localFileKeyPEM []byte
var localFileIdentity *InstanceIdentity

// validate file
isValidFile := func(file_path string) error {
dir_path := filepath.Dir(file_path)
var target_path string
_, file_err := os.Stat(file_path)
_, dir_err := os.Stat(dir_path)

if file_err == nil {
// validate file path
target_path = file_path
} else if os.IsNotExist(file_err) && dir_err == nil {
// validate dir path
target_path = dir_path
} else {
return fmt.Errorf("file path not exist: %w, %w", file_err, dir_err)
}

err := unix.Access(target_path, unix.W_OK)
if err != nil {
return fmt.Errorf("file permission error: %w", err)
}

return nil
}

// validate files
isValidFiles := func() error {
for _, certFile := range idCfg.ServiceCert.CopperArgos.Cert.Paths {
err := isValidFile(certFile)
if err != nil {
return err
}
}
for _, keyFile := range idCfg.ServiceCert.CopperArgos.Key.Paths {
err := isValidFile(keyFile)
if err != nil {
return err
}
}
err := isValidFile(idCfg.CaCertFile)
if err != nil {
return err
}
return nil
}

// Write files to local file system
writeFiles := func() error {
w := util.NewWriter()
Expand Down Expand Up @@ -209,6 +258,11 @@ func New(ctx context.Context, idCfg *config.IdentityConfig) (daemon.Daemon, erro
}

run := func() error {
err := isValidFiles()
if err != nil {
return err
}

if idCfg.ServiceCert.CopperArgos.Use {
log.Infof("Attempting to request x509 certificate to identity provider[%s]...", idCfg.ServiceCert.CopperArgos.Provider)

Expand Down