SERVER-86708 Validate permissions on EngFlow Credentials (#19045)

GitOrigin-RevId: 599b42ad87e4093e13df1c0a62e597522924b033
2024-02-15 21:14:52 -08:00 · 2024-02-15 21:14:52 -08:00 · 44b4f027f4
commit 44b4f027f4
parent e6aa822dd4
3 changed files with 20 additions and 2 deletions
--- a/bazel/docs/engflow_credential_setup.md
+++ b/bazel/docs/engflow_credential_setup.md
@ -11,7 +11,7 @@ To install the necessary credentials to enable remote execution, run scons.py wi
 - Go to https://sodalite.cluster.engflow.com/gettingstarted
 - Login with OKTA, then click the "GENERATE AND DOWNLOAD MTLS CERTIFICATE" button
  - (If logging in with OKTA doesn't work) Login with Google using your MongoDB email, then click the "GENERATE AND DOWNLOAD MTLS CERTIFICATE" button
- On your local system, open a shell terminal and, after setting the variables on the first three lines, run:
+- On your local system (usually your MacBook), open a shell terminal and, after setting the variables on the first three lines, run:

        REMOTE_USER=<SSH User from https://spruce.mongodb.com/spawn/host>
        REMOTE_HOST=<DNS Name from https://spruce.mongodb.com/spawn/host>
--- a/buildscripts/setup_engflow_creds.sh
+++ b/buildscripts/setup_engflow_creds.sh
@ -14,5 +14,8 @@ ssh ${REMOTE_USER}@${REMOTE_HOST} "mkdir -p ~/.engflow/creds"
 scp ${ZIP_FILE} ${REMOTE_USER}@${REMOTE_HOST}:~/.engflow/creds
 ssh ${REMOTE_USER}@${REMOTE_HOST} "cd ~/.engflow/creds; unzip -o engflow-mTLS.zip; rm engflow-mTLS.zip"

+ssh ${REMOTE_USER}@${REMOTE_HOST} "sudo chown ${REMOTE_USER}:${REMOTE_USER} /home/${REMOTE_USER}/.engflow/creds/engflow.crt /home/${REMOTE_USER}/.engflow/creds/engflow.key"
+ssh ${REMOTE_USER}@${REMOTE_HOST} "sudo chmod 600 /home/${REMOTE_USER}/.engflow/creds/engflow.crt /home/${REMOTE_USER}/.engflow/creds/engflow.key"
+
 ssh ${REMOTE_USER}@${REMOTE_HOST} "echo \"build --tls_client_certificate=/home/${REMOTE_USER}/.engflow/creds/engflow.crt\" >> ~/.bazelrc"
 ssh ${REMOTE_USER}@${REMOTE_HOST} "echo \"build --tls_client_key=/home/${REMOTE_USER}/.engflow/creds/engflow.key\" >> ~/.bazelrc"
--- a/site_scons/site_tools/integrate_bazel.py
+++ b/site_scons/site_tools/integrate_bazel.py
@ -412,7 +412,7 @@ Please complete the following steps to generate a certificate:
 - Go to https://sodalite.cluster.engflow.com/gettingstarted (Uses mongodbcorp.okta.com auth URL)
 - Login with OKTA, then click the \"GENERATE AND DOWNLOAD MTLS CERTIFICATE\" button
  - (If logging in with OKTA doesn't work) Login with Google using your MongoDB email, then click the "GENERATE AND DOWNLOAD MTLS CERTIFICATE" button
- On your local system, open a terminal and run:
+- On your local system (usually your MacBook), open a terminal and run:

 ZIP_FILE=~/Downloads/engflow-mTLS.zip

@ -420,6 +420,21 @@ curl https://raw.githubusercontent.com/mongodb/mongo/master/buildscripts/setup_e
 chmod +x ./setup_engflow_creds.sh
 ./setup_engflow_creds.sh {getpass.getuser()} {public_hostname} $ZIP_FILE\n""")
        return False
+
+    if not running_in_evergreen and \
+        (not os.access(f"/home/{getpass.getuser()}/.engflow/creds/engflow.crt", os.R_OK) or
+        not os.access(f"/home/{getpass.getuser()}/.engflow/creds/engflow.key", os.R_OK)):
+        print(
+            "Invalid permissions set on ~/.engflow/creds/engflow.crt or ~/.engflow/creds/engflow.key"
+        )
+        print("Please run the following command to fix the permissions:\n")
+        print(
+            f"sudo chown {getpass.getuser()}:{getpass.getuser()} /home/{getpass.getuser()}/.engflow/creds/engflow.crt /home/{getpass.getuser()}/.engflow/creds/engflow.key"
+        )
+        print(
+            f"sudo chmod 600 /home/{getpass.getuser()}/.engflow/creds/engflow.crt /home/{getpass.getuser()}/.engflow/creds/engflow.key"
+        )
+        return False
    return True