feat(metrics): validate endpoint TLS file permissions

Author: MaurUppi

cmd/run.go

@@ -151,6 +151,9 @@ func Run(log *logrus.Logger, conf *config.Config, externGeoDataDirs []string) (e
 		}(endpointServer, cfg)
 	}
 	endpointCfg := endpointConfigFromGlobal(conf, log)
+	if err = validateEndpointTLSFiles(endpointCfg); err != nil {
+		return fmt.Errorf("invalid endpoint tls config: %w", err)
+	}
 	startEndpointServer(endpointCfg)
 
 	// Serve tproxy TCP/UDP server util signals.
@@ -264,6 +267,16 @@ loop:
 			log.SetOutput(oldLogOutput) // FIXME: THIS IS A HACK.
 			logrus.SetOutput(oldLogOutput)
 
+			newEndpointCfg := endpointConfigFromGlobal(newConf, log)
+			if err = validateEndpointTLSFiles(newEndpointCfg); err != nil {
+				log.WithFields(logrus.Fields{
+					"err": err,
+				}).Errorln("[Reload] Failed to reload")
+				sdnotify.Ready()
+				_ = os.WriteFile(SignalProgressFilePath, append([]byte{consts.ReloadError}, []byte("\n"+err.Error())...), 0644)
+				continue
+			}
+
 			// New control plane.
 			obj := c.EjectBpf()
 			var dnsCache map[string]*control.DnsCache
@@ -315,7 +328,6 @@ loop:
 			}
 			oldC.Close()
 
-			newEndpointCfg := endpointConfigFromGlobal(newConf, log)
 			if endpointConfigChanged(endpointCfg, newEndpointCfg) {
 				if endpointServer != nil {
 					_ = endpointServer.Shutdown(context.Background())
@@ -364,6 +376,42 @@ func endpointConfigChanged(a, b metrics.EndpointConfig) bool {
 	return a != b
 }
 
+func validateEndpointTLSFiles(cfg metrics.EndpointConfig) error {
+	if cfg.TlsCertificate == "" && cfg.TlsKey == "" {
+		return nil
+	}
+	if cfg.TlsCertificate == "" || cfg.TlsKey == "" {
+		return fmt.Errorf("endpoint_tls_certificate and endpoint_tls_key must be configured together")
+	}
+
+	certFile, err := os.Open(cfg.TlsCertificate)
+	if err != nil {
+		return fmt.Errorf("cannot open endpoint_tls_certificate '%s': %w", cfg.TlsCertificate, err)
+	}
+	certFi, err := certFile.Stat()
+	certFile.Close()
+	if err != nil {
+		return fmt.Errorf("cannot stat endpoint_tls_certificate '%s': %w", cfg.TlsCertificate, err)
+	}
+	if err = common.ValidateFilePermissionAllowed(cfg.TlsCertificate, certFi, 0o640, 0o644); err != nil {
+		return fmt.Errorf("invalid endpoint_tls_certificate: %w", err)
+	}
+
+	keyFile, err := os.Open(cfg.TlsKey)
+	if err != nil {
+		return fmt.Errorf("cannot open endpoint_tls_key '%s': %w", cfg.TlsKey, err)
+	}
+	keyFi, err := keyFile.Stat()
+	keyFile.Close()
+	if err != nil {
+		return fmt.Errorf("cannot stat endpoint_tls_key '%s': %w", cfg.TlsKey, err)
+	}
+	if err = common.ValidateFilePermissionAllowed(cfg.TlsKey, keyFi, 0o600); err != nil {
+		return fmt.Errorf("invalid endpoint_tls_key: %w", err)
+	}
+	return nil
+}
+
 func newControlPlane(log *logrus.Logger, bpf interface{}, dnsCache map[string]*control.DnsCache, conf *config.Config, externGeoDataDirs []string) (c *control.ControlPlane, err error) {
 	// Deep copy to prevent modification.
 	conf = deepcopy.Copy(conf).(*config.Config)

common/file_permission.go

@@ -0,0 +1,44 @@
+/*
+ * SPDX-License-Identifier: AGPL-3.0-only
+ * Copyright (c) 2022-2025, daeuniverse Organization <dae@v2raya.org>
+ */
+
+package common
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+)
+
+func ValidateFilePermissionNotTooOpen(path string, fi os.FileInfo) error {
+	if fi.IsDir() {
+		return fmt.Errorf("cannot read a directory: %v", path)
+	}
+	if fi.Mode()&0o037 > 0 {
+		return fmt.Errorf("permissions %04o for '%v' are too open; requires the file is NOT writable by the same group and NOT accessible by others; suggest 0640 or 0600", fi.Mode()&0o777, path)
+	}
+	return nil
+}
+
+func ValidateFilePermissionAllowed(path string, fi os.FileInfo, allowedModes ...os.FileMode) error {
+	if fi.IsDir() {
+		return fmt.Errorf("cannot read a directory: %v", path)
+	}
+	perm := fi.Mode().Perm()
+	for _, mode := range allowedModes {
+		if perm == mode.Perm() {
+			return nil
+		}
+	}
+	if len(allowedModes) == 0 {
+		return fmt.Errorf("permissions %04o for '%v' are invalid", perm, path)
+	}
+	allowed := make([]string, 0, len(allowedModes))
+	for _, mode := range allowedModes {
+		allowed = append(allowed, fmt.Sprintf("%04o", mode.Perm()))
+	}
+	sort.Strings(allowed)
+	return fmt.Errorf("permissions %04o for '%v' are invalid; allowed: %s", perm, path, strings.Join(allowed, ", "))
+}

common/file_permission_test.go

@@ -0,0 +1,66 @@
+/*
+ * SPDX-License-Identifier: AGPL-3.0-only
+ * Copyright (c) 2022-2025, daeuniverse Organization <dae@v2raya.org>
+ */
+
+package common
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func writeTempFile(t *testing.T, mode os.FileMode) (string, os.FileInfo) {
+	t.Helper()
+	dir := t.TempDir()
+	path := filepath.Join(dir, "x")
+	if err := os.WriteFile(path, []byte("x"), 0o600); err != nil {
+		t.Fatalf("write temp file: %v", err)
+	}
+	if err := os.Chmod(path, mode); err != nil {
+		t.Fatalf("chmod temp file: %v", err)
+	}
+	fi, err := os.Stat(path)
+	if err != nil {
+		t.Fatalf("stat temp file: %v", err)
+	}
+	return path, fi
+}
+
+func TestValidateFilePermissionNotTooOpen(t *testing.T) {
+	_, fi0600 := writeTempFile(t, 0o600)
+	if err := ValidateFilePermissionNotTooOpen("test-0600", fi0600); err != nil {
+		t.Fatalf("0600 should pass: %v", err)
+	}
+
+	_, fi0640 := writeTempFile(t, 0o640)
+	if err := ValidateFilePermissionNotTooOpen("test-0640", fi0640); err != nil {
+		t.Fatalf("0640 should pass: %v", err)
+	}
+
+	_, fi0644 := writeTempFile(t, 0o644)
+	if err := ValidateFilePermissionNotTooOpen("test-0644", fi0644); err == nil {
+		t.Fatal("0644 should fail as too open")
+	}
+}
+
+func TestValidateFilePermissionAllowed(t *testing.T) {
+	_, fi0600 := writeTempFile(t, 0o600)
+	if err := ValidateFilePermissionAllowed("key", fi0600, 0o600); err != nil {
+		t.Fatalf("0600 should pass for key: %v", err)
+	}
+	if err := ValidateFilePermissionAllowed("key", fi0600, 0o640, 0o644); err == nil {
+		t.Fatal("0600 should fail for cert-only allowed modes")
+	}
+
+	_, fi0640 := writeTempFile(t, 0o640)
+	if err := ValidateFilePermissionAllowed("cert", fi0640, 0o640, 0o644); err != nil {
+		t.Fatalf("0640 should pass for cert: %v", err)
+	}
+
+	_, fi0644 := writeTempFile(t, 0o644)
+	if err := ValidateFilePermissionAllowed("cert", fi0644, 0o640, 0o644); err != nil {
+		t.Fatalf("0644 should pass for cert: %v", err)
+	}
+}

common/subscription/subscription.go

@@ -112,11 +112,8 @@ func ResolveFile(u *url.URL, configDir string) (b []byte, err error) {
 	if err != nil {
 		return nil, err
 	}
-	if fi.IsDir() {
-		return nil, fmt.Errorf("subscription file cannot be a directory: %v", path)
-	}
-	if fi.Mode()&0037 > 0 {
-		return nil, fmt.Errorf("permissions %04o for '%v' are too open; requires the file is NOT writable by the same group and NOT accessible by others; suggest 0640 or 0600", fi.Mode()&0777, path)
+	if err = common.ValidateFilePermissionNotTooOpen(path, fi); err != nil {
+		return nil, err
 	}
 	// Resolve the first line instruction.
 	fReader := bufio.NewReader(f)

config/config_merger.go

@@ -71,11 +71,8 @@ func (m *Merger) readEntry(entry string) (err error) {
 	if err != nil {
 		return err
 	}
-	if fi.IsDir() {
-		return fmt.Errorf("cannot include a directory: %v", entry)
-	}
-	if fi.Mode()&0037 > 0 {
-		return fmt.Errorf("permissions %04o for '%v' are too open; requires the file is NOT writable by the same group and NOT accessible by others; suggest 0640 or 0600", fi.Mode()&0777, entry)
+	if err = common.ValidateFilePermissionNotTooOpen(entry, fi); err != nil {
+		return err
 	}
 	// Read and parse.
 	b, err := io.ReadAll(f)