integrity: scaffolding for integrity check

This patch adds necessary scaffolding for performing integrity checks,
along with an appropriate instrumentation of operations with files
that must be scrutinized before working with them.

Author: AlgebraicWolf

cli/cmd/root.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/tarantool/tt/cli/integrity"
 	"github.com/tarantool/tt/cli/util"
 
 	"github.com/apex/log"
@@ -132,6 +133,8 @@ func NewCmdRoot() *cobra.Command {
 	rootCmd.Flags().BoolVarP(&cmdCtx.Cli.Verbose, "verbose", "V",
 		false, "Verbose output")
 
+	integrity.RegisterIntegrityCheckFlag(rootCmd.Flags(), &cmdCtx.Cli.IntegrityCheck)
+
 	rootCmd.Flags().SetInterspersed(false)
 
 	rootCmd.AddCommand(
@@ -199,13 +202,32 @@ func InitRoot() {
 	if err := configure.ValidateCliOpts(&cmdCtx.Cli); err != nil {
 		log.Fatal(err.Error())
 	}
+	var err error
 
+	if cmdCtx.Cli.IntegrityCheck != "" {
+		currentDir, err := os.Getwd()
+		if err != nil {
+			log.Fatalf("can't get current dir: %s", err.Error())
+		}
+
+		configPath, _ := util.GetYamlFileName(
+			filepath.Join(currentDir, configure.ConfigName),
+			false,
+		)
+
+		err = integrity.InitializeIntegrityCheck(
+			cmdCtx.Cli.IntegrityCheck,
+			filepath.Dir(configPath),
+		)
+		if err != nil {
+			log.Fatalf("integrity check failed: %s", err)
+		}
+	}
 	// Configure Tarantool CLI.
 	if err := configure.Cli(&cmdCtx); err != nil {
 		log.Fatalf("Failed to configure Tarantool CLI: %s", err)
 	}
 
-	var err error
 	cliOpts, cmdCtx.Cli.ConfigPath, err = configure.GetCliOpts(cmdCtx.Cli.ConfigPath)
 	if err != nil {
 		log.Fatalf("Failed to get Tarantool CLI configuration: %s", err)
@@ -232,5 +254,8 @@ func InitRoot() {
 	}
 
 	// Configure help command.
-	configureHelpCommand(&cmdCtx, rootCmd)
+	err = configureHelpCommand(&cmdCtx, rootCmd)
+	if err != nil {
+		log.Fatalf("Failed to set up help command: %s", err)
+	}
 }

cli/cmd/start.go

@@ -4,12 +4,15 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"strconv"
 	"syscall"
+	"time"
 
 	"github.com/apex/log"
 	"github.com/spf13/cobra"
 	"github.com/tarantool/tt/cli/cmd/internal"
 	"github.com/tarantool/tt/cli/cmdcontext"
+	"github.com/tarantool/tt/cli/integrity"
 	"github.com/tarantool/tt/cli/modules"
 	"github.com/tarantool/tt/cli/process_utils"
 	"github.com/tarantool/tt/cli/running"
@@ -20,6 +23,9 @@ var (
 	// In go, we can't just fork the process (reason - goroutines).
 	// So, for daemonize, we restarts the process with "watchdog" flag.
 	watchdog bool
+	// integrityCheckPeriod is a flag enables periodic integrity checks.
+	// The default period is 1 day.
+	integrityCheckPeriod = 24 * 60 * 60
 )
 
 // NewStartCmd creates start command.
@@ -47,6 +53,8 @@ func NewStartCmd() *cobra.Command {
 	startCmd.Flags().BoolVar(&watchdog, "watchdog", false, "")
 	startCmd.Flags().MarkHidden("watchdog")
 
+	integrity.RegisterIntegrityCheckPeriodFlag(startCmd.Flags(), &integrityCheckPeriod)
+
 	return startCmd
 }
 
@@ -61,9 +69,25 @@ func startWatchdog(ttExecutable string, instance running.InstanceCtx) error {
 		return nil
 	}
 
-	log.Infof("Starting an instance [%s]...", appName)
+	newArgs := []string{}
+	if cmdCtx.Cli.IntegrityCheck != "" {
+		newArgs = append(newArgs, "--integrity-check", cmdCtx.Cli.IntegrityCheck)
+	}
+
+	newArgs = append(newArgs, "start", "--watchdog", appName)
+
+	if cmdCtx.Cli.IntegrityCheck != "" {
+		newArgs = append(newArgs, "--integrity-check-period",
+			strconv.Itoa(integrityCheckPeriod))
+	}
+
+	f, err := integrity.FileRepository.Read(ttExecutable)
+	if err != nil {
+		return err
+	}
+	f.Close()
 
-	newArgs := []string{"start", "--watchdog", appName}
+	log.Infof("Starting an instance [%s]...", appName)
 
 	wdCmd := exec.Command(ttExecutable, newArgs...)
 	// Set new pgid for watchdog process, so it will not be killed after a session is closed.
@@ -113,7 +137,13 @@ func internalStartModule(cmdCtx *cmdcontext.CmdCtx, args []string) error {
 		return nil
 	}
 
-	if err := running.Start(cmdCtx, &runningCtx.Instances[0]); err != nil {
+	checkPeriod := time.Duration(0)
+
+	if cmdCtx.Cli.IntegrityCheck != "" && integrityCheckPeriod > 0 {
+		checkPeriod = time.Duration(integrityCheckPeriod * int(time.Second))
+	}
+
+	if err := running.Start(cmdCtx, &runningCtx.Instances[0], checkPeriod); err != nil {
 		return err
 	}
 	return nil

cli/cmdcontext/cmdcontext.go

@@ -5,6 +5,7 @@ import (
 	"os/exec"
 	"strings"
 
+	"github.com/tarantool/tt/cli/integrity"
 	"github.com/tarantool/tt/cli/version"
 )
 
@@ -16,6 +17,9 @@ type CmdCtx struct {
 	Cli CliCtx
 	// CommandName contains name of the command.
 	CommandName string
+	// FileRepository is used for reading files that require
+	// integrity control.
+	FileRepository integrity.Repository
 }
 
 // TarantoolCli describes tarantool executable.
@@ -80,4 +84,6 @@ type CliCtx struct {
 	Verbose bool
 	// TarantoolCli is current tarantool cli.
 	TarantoolCli TarantoolCli
+	// IntegrityCheck is a public key used for integrity check.
+	IntegrityCheck string
 }

cli/configure/configure.go

@@ -13,6 +13,7 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/tarantool/tt/cli/cmdcontext"
 	"github.com/tarantool/tt/cli/config"
+	"github.com/tarantool/tt/cli/integrity"
 	"github.com/tarantool/tt/cli/modules"
 	"github.com/tarantool/tt/cli/util"
 )
@@ -195,8 +196,14 @@ func GetCliOpts(configurePath string) (*config.CliOpts, string, error) {
 	var cfg *config.CliOpts = GetDefaultCliOpts()
 	// Config could not be processed.
 	configPath, err := util.GetYamlFileName(configurePath, true)
+	// Before loading configure file, we'll initialize integrity checking.
 	if err == nil {
 		// Config file is found, load it.
+		f, err := integrity.FileRepository.Read(configPath)
+		if err != nil {
+			return nil, "", fmt.Errorf("failed to validate integrity of %q: %w", configPath, err)
+		}
+		f.Close()
 		rawConfigOpts, err := util.ParseYAML(configPath)
 		if err != nil {
 			return nil, "", fmt.Errorf("failed to parse Tarantool CLI configuration: %s", err)
@@ -524,6 +531,13 @@ func configureLocalCli(cmdCtx *cmdcontext.CmdCtx) error {
 					`found tt binary in local directory "%s" isn't executable: %s`, launchDir, err)
 			}
 
+			// Before switching to local cli, we shall check its integrity.
+			f, err := integrity.FileRepository.Read(localCli)
+			if err != nil {
+				return err
+			}
+			f.Close()
+
 			// We are not using the "RunExec" function because we have no reason to have several
 			// "tt" processes. Moreover, it looks strange when we start "tt", which starts "tt",
 			// which starts tarantool or some external module.

cli/integrity/dummy_repository.go

@@ -0,0 +1,27 @@
+package integrity
+
+import (
+	"io"
+	"os"
+)
+
+// dummyRepository implements repository with no checks performed.
+type dummyRepository struct{}
+
+// AddHash is a stub of method used to add hashing algorithm in the
+// proper implementation.
+func (dummyRepository) AddHash(hasher any) {}
+
+// Add is a stub of method used to add file with hashes to a repository.
+func (dummyRepository) Add(path string) error { return nil }
+
+// Read opens the supplied file.
+func (dummyRepository) Read(path string) (io.ReadCloser, error) {
+	return os.Open(path)
+}
+
+// ValidateAll doesn't do anything since dummyRepository does not implement
+// validation.
+func (dummyRepository) ValidateAll() error { return nil }
+
+var _ Repository = dummyRepository{}

cli/integrity/integrity.go

@@ -6,6 +6,10 @@ import (
 	"github.com/spf13/pflag"
 )
 
+var FileRepository Repository = dummyRepository{}
+
+var HashesName = ""
+
 // Signer implements high-level API for package signing.
 type Signer interface {
 	// Sign generates data to sign a package.
@@ -20,3 +24,16 @@ func NewSigner(path string) (Signer, error) {
 // RegisterWithIntegrityFlag is a noop function that is intended to add
 // flags to `tt pack` command.
 func RegisterWithIntegrityFlag(flagset *pflag.FlagSet, dst *string) {}
+
+// RegisterIntegrityCheckFlag is a noop function that is intended to add
+// root flag enabling integrity checks.
+func RegisterIntegrityCheckFlag(flagset *pflag.FlagSet, dst *string) {}
+
+// RegisterIntegrityCheckPeriodFlag is a noop function that is intended to
+// add flag specifying how often should integrity checks run in watchdog.
+func RegisterIntegrityCheckPeriodFlag(flagset *pflag.FlagSet, dst *int) {}
+
+// InitializeIntegrityCheck is a noop setup of integrity checking.
+func InitializeIntegrityCheck(publicKeyPath string, configDir string) error {
+	return errors.New("integrity checks should never be initialized in ce")
+}

cli/integrity/integrity_test.go

@@ -32,6 +32,42 @@ func TestNewSigner(t *testing.T) {
 	}
 }
 
+func InitializeIntegrityCheck(t *testing.T) {
+	testCases := []struct {
+		name          string
+		publicKeyPath string
+		configDir     string
+	}{
+		{
+			name:          "Empty key and config path",
+			publicKeyPath: "",
+			configDir:     "",
+		},
+		{
+			name:          "Arbitrary key path, empty config path",
+			publicKeyPath: "public.pem",
+			configDir:     "",
+		},
+		{
+			name:          "Empty key path, arbitrary config path",
+			publicKeyPath: "",
+			configDir:     "app",
+		},
+		{
+			name:          "Arbitrary key and config path",
+			publicKeyPath: "public.pem",
+			configDir:     "app",
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			err := integrity.InitializeIntegrityCheck(testCase.publicKeyPath, testCase.configDir)
+			require.EqualError(t, err, "integrity checks should never be initialized in ce", "an error should be produced")
+		})
+	}
+}
+
 func TestRegisterWithIntegritySigner(t *testing.T) {
 	someStr := ""
 
@@ -73,3 +109,87 @@ func TestRegisterWithIntegritySigner(t *testing.T) {
 		})
 	}
 }
+
+func TestRegisterIntegrityCheckFlag(t *testing.T) {
+	someStr := ""
+
+	testCases := []struct {
+		name    string
+		flagSet *pflag.FlagSet
+		dst     *string
+	}{
+		{
+			name:    "Empty flagSet and dst",
+			flagSet: nil,
+			dst:     nil,
+		},
+		{
+			name:    "Empty dst",
+			flagSet: &pflag.FlagSet{},
+			dst:     nil,
+		},
+		{
+			name:    "Empty flagSet",
+			flagSet: nil,
+			dst:     &someStr,
+		},
+		{
+			name:    "Nothing empty",
+			flagSet: &pflag.FlagSet{},
+			dst:     nil,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			integrity.RegisterIntegrityCheckFlag(testCase.flagSet, testCase.dst)
+
+			if testCase.flagSet != nil {
+				require.False(t, testCase.flagSet.HasFlags(),
+					"command must not be modified")
+			}
+		})
+	}
+}
+
+func TestRegisterIntegrityCheckPeriodFlag(t *testing.T) {
+	someInt := 0
+
+	testCases := []struct {
+		name    string
+		flagSet *pflag.FlagSet
+		dst     *int
+	}{
+		{
+			name:    "Empty flagSet and dst",
+			flagSet: nil,
+			dst:     nil,
+		},
+		{
+			name:    "Empty dst",
+			flagSet: &pflag.FlagSet{},
+			dst:     nil,
+		},
+		{
+			name:    "Empty flagSet",
+			flagSet: nil,
+			dst:     &someInt,
+		},
+		{
+			name:    "Nothing empty",
+			flagSet: &pflag.FlagSet{},
+			dst:     nil,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			integrity.RegisterIntegrityCheckPeriodFlag(testCase.flagSet, testCase.dst)
+
+			if testCase.flagSet != nil {
+				require.False(t, testCase.flagSet.HasFlags(),
+					"command must not be modified")
+			}
+		})
+	}
+}