island: Add config validation to IslandConfigOptions

monkey/monkey_island/cc/server_setup.py

@@ -26,7 +26,7 @@ from monkey_island.cc.server_utils.island_logger import reset_logger, setup_logg
 from monkey_island.cc.services.initialize import initialize_services  # noqa: E402
 from monkey_island.cc.services.reporting.exporter_init import populate_exporter_list  # noqa: E402
 from monkey_island.cc.services.utils.network_utils import local_ip_addresses  # noqa: E402
-from monkey_island.cc.setup.certificate_setup import setup_certificate  # noqa: E402
+from monkey_island.cc.setup import island_config_options  # noqa: E402
 from monkey_island.cc.setup.island_config_options import IslandConfigOptions  # noqa: E402
 from monkey_island.cc.setup.mongo.database_initializer import init_collections  # noqa: E402
 from monkey_island.cc.setup.mongo.mongo_setup import (  # noqa: E402
@@ -43,6 +43,8 @@ def run_monkey_island():
     island_args = parse_cli_args()
     config_options, server_config_path = _setup_data_dir(island_args)
 
+    _exit_on_invalid_config_options(config_options)
+
     _configure_logging(config_options)
     _initialize_globals(config_options, server_config_path)
 
@@ -66,6 +68,14 @@ def _setup_data_dir(island_args: IslandCmdArgs) -> Tuple[IslandConfigOptions, st
         exit(1)
 
 
+def _exit_on_invalid_config_options(config_options: IslandConfigOptions):
+    try:
+        island_config_options.raise_on_invalid_options(config_options)
+    except Exception as ex:
+        print(f"Configuration error: {ex}")
+        exit(1)
+
+
 def _configure_logging(config_options):
     reset_logger()
     setup_logging(config_options.data_dir, config_options.log_level)
@@ -82,8 +92,6 @@ def _start_island_server(should_setup_only, config_options: IslandConfigOptions)
     populate_exporter_list()
     app = init_app(MONGO_URL)
 
-    crt_path, key_path = setup_certificate(config_options.crt_path, config_options.key_path)
-
     init_collections()
 
     if should_setup_only:
@@ -92,14 +100,23 @@ def _start_island_server(should_setup_only, config_options: IslandConfigOptions)
 
     bootloader_server_thread = _start_bootloader_server()
 
+    logger.info(
+        f"Using certificate path: {config_options.crt_path}, and key path: "
+        "{config_options.key_path}."
+    )
+
     if env_singleton.env.is_debug():
-        app.run(host="0.0.0.0", debug=True, ssl_context=(crt_path, key_path))
+        app.run(
+            host="0.0.0.0",
+            debug=True,
+            ssl_context=(config_options.crt_path, config_options.key_path),
+        )
     else:
         http_server = WSGIServer(
             ("0.0.0.0", env_singleton.env.get_island_port()),
             app,
-            certfile=crt_path,
+            certfile=config_options.crt_path,
-            keyfile=key_path,
+            keyfile=config_options.key_path,
         )
         _log_init_info()
         http_server.serve_forever()

monkey/monkey_island/cc/services/utils/file_handling.py

@@ -1,16 +0,0 @@
-import os
-
-from common.utils.exceptions import InsecurePermissionsError
-from monkey_island.cc.server_utils.file_utils import has_expected_permissions
-
-
-def ensure_file_existence(file: str) -> None:
-    if not os.path.exists(file):
-        raise FileNotFoundError(f"File not found at {file}. Exiting.")
-
-
-def ensure_file_permissions(file: str) -> None:
-    if not has_expected_permissions(path=file, expected_permissions="0o400"):
-        raise InsecurePermissionsError(
-            f"{file} has insecure permissions. Required permissions: 400. Exiting."
-        )

monkey/monkey_island/cc/setup/certificate_setup.py

@@ -1,18 +0,0 @@
-import logging
-
-from monkey_island.cc.services.utils.file_handling import (
-    ensure_file_existence,
-    ensure_file_permissions,
-)
-
-logger = logging.getLogger(__name__)
-
-
-def setup_certificate(crt_path: str, key_path: str) -> (str, str):
-    for file in [crt_path, key_path]:
-        ensure_file_existence(file)
-        ensure_file_permissions(file)
-
-    logger.info(f"Using certificate path: {crt_path}, and key path: {key_path}.")
-
-    return crt_path, key_path

monkey/monkey_island/cc/setup/island_config_options.py

@@ -1,5 +1,8 @@
 from __future__ import annotations
 
+import os
+
+from common.utils.exceptions import InsecurePermissionsError
 from monkey_island.cc.server_utils.consts import (
     DEFAULT_CERTIFICATE_PATHS,
     DEFAULT_CRT_PATH,
@@ -8,7 +11,7 @@ from monkey_island.cc.server_utils.consts import (
     DEFAULT_LOG_LEVEL,
     DEFAULT_START_MONGO_DB,
 )
-from monkey_island.cc.server_utils.file_utils import expand_path
+from monkey_island.cc.server_utils.file_utils import expand_path, has_expected_permissions
 
 
 class IslandConfigOptions:
@@ -31,3 +34,23 @@ class IslandConfigOptions:
                 "ssl_certificate_key_file", DEFAULT_KEY_PATH
             )
         )
+
+
+def raise_on_invalid_options(options: IslandConfigOptions):
+    _raise_if_not_isfile(options.crt_path)
+    _raise_if_incorrect_permissions(options.crt_path, 0o400)
+
+    _raise_if_not_isfile(options.key_path)
+    _raise_if_incorrect_permissions(options.key_path, 0o400)
+
+
+def _raise_if_not_isfile(f: str):
+    if not os.path.isfile(f):
+        raise FileNotFoundError(f"{f} does not exist or is not a regular file.")
+
+
+def _raise_if_incorrect_permissions(f: str, expected_permissions: int):
+    if not has_expected_permissions(f, expected_permissions):
+        raise InsecurePermissionsError(
+            f"The file {f} has incorrect permissions. Expected: {oct(expected_permissions)}"
+        )