open-vault/vault/diagnose/raft_checks.go

package diagnose

import (
	"context"
	"errors"
	"fmt"
	"os"
	"runtime"
	"strings"

	"github.com/hashicorp/vault/physical/raft"
)

const DatabaseFilename = "vault.db"
const owner = "owner"
const group = "group"
const other = "other"

const ownershipTestName = "Check Raft Folder Ownership"
const permissionsTestName = "Check Raft Folder Permissions"
const raftQuorumTestName = "Check For Raft Quorum"

func RaftFileChecks(ctx context.Context, path string) {

	// Note: Stat does not return information about the symlink itself, in the case where we are dealing with one.
	info, err := os.Stat(path)
	if err != nil {
		SpotError(ctx, permissionsTestName, fmt.Errorf("Error computing file permissions: %w.", err))
	}

	if !IsDir(info) {
		SpotError(ctx, ownershipTestName, fmt.Errorf("Error: Raft storage path variable does not point to a folder."))
	}

	if !HasDB(path) {
		SpotWarn(ctx, ownershipTestName, "Raft boltDB file has not been created.")
	}

	hasOnlyOwnerRW, errs := CheckFilePerms(info)
	for _, err := range errs {
		switch {
		case strings.Contains(err, FileIsSymlinkWarning) || strings.Contains(err, FileTooPermissiveWarning):
			SpotWarn(ctx, permissionsTestName, err)
		case strings.Contains(err, FilePermissionsMissingWarning):
			SpotError(ctx, permissionsTestName, errors.New(err))
		}
	}
	ownedByRoot := IsOwnedByRoot(info)
	requiresRoot := ownedByRoot && hasOnlyOwnerRW
	if requiresRoot {
		SpotWarn(ctx, ownershipTestName, "Raft backend files are owned by root and are only accessible as root or with overpermissive file permissions. This prevents Vault from running as a non-privileged user.")
		Advise(ctx, "Please change raft path permissions to allow for non-root access.")
	}

	if runtime.GOOS == "windows" {
		SpotWarn(ctx, permissionsTestName, "Diagnose cannot determine if Vault needs to run as root to open boltDB file. Please check these permissions manually.")
	} else if errs == nil && !requiresRoot {
		SpotOk(ctx, permissionsTestName, "Raft BoltDB file has correct set of permissions.")
	}
}

// RaftStorageQuorum checks that there is an odd number of voters present
// It returns the status message for testing purposes
func RaftStorageQuorum(ctx context.Context, b RaftConfigurableStorageBackend) string {
	var conf *raft.RaftConfigurationResponse
	var err error
	conf, err = b.GetConfigurationOffline()
	if err != nil {
		SpotError(ctx, raftQuorumTestName, fmt.Errorf("Error retrieving server configuration: %w.", err))
		return fmt.Sprintf("Error retrieving server configuration: %s.", err.Error())
	}
	voterCount := 0
	for _, s := range conf.Servers {
		if s.Voter {
			voterCount++
		}
	}
	if voterCount == 1 {
		nonHAWarning := "Only one server node found. Vault is not running in high availability mode."
		SpotWarn(ctx, raftQuorumTestName, nonHAWarning)
		return nonHAWarning
	}
	var warnMsg string
	if voterCount%2 == 0 {
		warnMsg = fmt.Sprintf("%d voters found. Please ensure that Vault has access to an odd number of voter nodes.", voterCount)
		SpotWarn(ctx, raftQuorumTestName, warnMsg)
		return warnMsg
	}
	if voterCount > 7 {
		warnMsg = fmt.Sprintf("Very large cluster detected: %d voters found. ", voterCount)
		SpotWarn(ctx, raftQuorumTestName, warnMsg)
		return warnMsg
	}

	okMsg := fmt.Sprintf("Voter quorum exists: %d voters.", voterCount)
	SpotOk(ctx, raftQuorumTestName, okMsg)
	return okMsg
}
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`package diagnose`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`
			`"os"`
			`"runtime"`
			`"strings"`

			`"github.com/hashicorp/vault/physical/raft"`
			`)`

			`const DatabaseFilename = "vault.db"`
			`const owner = "owner"`
			`const group = "group"`
			`const other = "other"`

Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`const ownershipTestName = "Check Raft Folder Ownership"`
			`const permissionsTestName = "Check Raft Folder Permissions"`
			`const raftQuorumTestName = "Check For Raft Quorum"`

Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`func RaftFileChecks(ctx context.Context, path string) {`

			`// Note: Stat does not return information about the symlink itself, in the case where we are dealing with one.`
			`info, err := os.Stat(path)`
			`if err != nil {`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`SpotError(ctx, permissionsTestName, fmt.Errorf("Error computing file permissions: %w.", err))`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`}`

			`if !IsDir(info) {`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`SpotError(ctx, ownershipTestName, fmt.Errorf("Error: Raft storage path variable does not point to a folder."))`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`}`

			`if !HasDB(path) {`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`SpotWarn(ctx, ownershipTestName, "Raft boltDB file has not been created.")`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`}`

			`hasOnlyOwnerRW, errs := CheckFilePerms(info)`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`for _, err := range errs {`
			`switch {`
			`case strings.Contains(err, FileIsSymlinkWarning) \|\| strings.Contains(err, FileTooPermissiveWarning):`
			`SpotWarn(ctx, permissionsTestName, err)`
			`case strings.Contains(err, FilePermissionsMissingWarning):`
			`SpotError(ctx, permissionsTestName, errors.New(err))`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`}`
			`}`
			`ownedByRoot := IsOwnedByRoot(info)`
			`requiresRoot := ownedByRoot && hasOnlyOwnerRW`
			`if requiresRoot {`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`SpotWarn(ctx, ownershipTestName, "Raft backend files are owned by root and are only accessible as root or with overpermissive file permissions. This prevents Vault from running as a non-privileged user.")`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`Advise(ctx, "Please change raft path permissions to allow for non-root access.")`
			`}`

			`if runtime.GOOS == "windows" {`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`SpotWarn(ctx, permissionsTestName, "Diagnose cannot determine if Vault needs to run as root to open boltDB file. Please check these permissions manually.")`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`} else if errs == nil && !requiresRoot {`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`SpotOk(ctx, permissionsTestName, "Raft BoltDB file has correct set of permissions.")`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`}`
			`}`

			`// RaftStorageQuorum checks that there is an odd number of voters present`
			`// It returns the status message for testing purposes`
			`func RaftStorageQuorum(ctx context.Context, b RaftConfigurableStorageBackend) string {`
			`var conf *raft.RaftConfigurationResponse`
			`var err error`
			`conf, err = b.GetConfigurationOffline()`
			`if err != nil {`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`SpotError(ctx, raftQuorumTestName, fmt.Errorf("Error retrieving server configuration: %w.", err))`
			`return fmt.Sprintf("Error retrieving server configuration: %s.", err.Error())`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`}`
			`voterCount := 0`
			`for _, s := range conf.Servers {`
			`if s.Voter {`
			`voterCount++`
			`}`
			`}`
			`if voterCount == 1 {`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`nonHAWarning := "Only one server node found. Vault is not running in high availability mode."`
			`SpotWarn(ctx, raftQuorumTestName, nonHAWarning)`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`return nonHAWarning`
			`}`
			`var warnMsg string`
			`if voterCount%2 == 0 {`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`warnMsg = fmt.Sprintf("%d voters found. Please ensure that Vault has access to an odd number of voter nodes.", voterCount)`
			`SpotWarn(ctx, raftQuorumTestName, warnMsg)`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`return warnMsg`
			`}`
			`if voterCount > 7 {`
Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`warnMsg = fmt.Sprintf("Very large cluster detected: %d voters found. ", voterCount)`
			`SpotWarn(ctx, raftQuorumTestName, warnMsg)`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`return warnMsg`
			`}`

Diagnose Language Pass (#11909) * save * save * save * first round of the diagnose language pass * capitalization * first round of feedback * fix bug in advise * a few more nouns to verbs 2021-07-11 22:44:19 +00:00			`okMsg := fmt.Sprintf("Voter quorum exists: %d voters.", voterCount)`
			`SpotOk(ctx, raftQuorumTestName, okMsg)`
Diagnose checks for raft quorum status and file backend permissions (#11771) * raft file and quorum checks * raft checks * backup * raft file checks test * address comments and add more raft and file and process checks * syntax issues * modularize functions to compile differently on different os * compile raft checks everywhere * more build tag issues * raft-diagnose * correct file permission checks * upgrade tests and add a getConfigOffline test that currently does not work * comment * update file checks method signature on windows * Update physical/raft/raft_test.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * raft tests * add todo comment for windows root ownership * voter count message * raft checks test fixes Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2021-06-17 17:04:21 +00:00			`return okMsg`
			`}`