CBST2-11: Improve path validation on local Mux keys loader (#300)

Co-authored-by: eltitanb <[email protected]>
Co-authored-by: ltitanb <[email protected]>
Co-authored-by: Joe Clapis <[email protected]>

Author: 3 people

crates/cli/src/docker_init.rs

@@ -256,7 +256,7 @@ pub async fn handle_docker_init(config_path: PathBuf, output_dir: PathBuf) -> Re
 
     if let Some(mux_config) = cb_config.muxes {
         for mux in mux_config.muxes.iter() {
-            if let Some((env_name, actual_path, internal_path)) = mux.loader_env() {
+            if let Some((env_name, actual_path, internal_path)) = mux.loader_env()? {
                 let (key, val) = get_env_val(&env_name, &internal_path);
                 pbs_envs.insert(key, val);
                 pbs_volumes.push(Volumes::Simple(format!("{}:{}:ro", actual_path, internal_path)));

crates/common/src/config/mux.rs

@@ -130,19 +130,29 @@ pub struct MuxConfig {
 
 impl MuxConfig {
     /// Returns the env, actual path, and internal path to use for the file
-    /// loader
-    pub fn loader_env(&self) -> Option<(String, String, String)> {
-        self.loader.as_ref().and_then(|loader| match loader {
+    /// loader. In File mode, validates the mux file prior to returning.   
+    pub fn loader_env(&self) -> eyre::Result<Option<(String, String, String)>> {
+        let Some(loader) = self.loader.as_ref() else {
+            return Ok(None);
+        };
+
+        match loader {
             MuxKeysLoader::File(path_buf) => {
-                let path =
-                    path_buf.to_str().unwrap_or_else(|| panic!("invalid path: {:?}", path_buf));
-                let internal_path = get_mux_path(&self.id);
+                let Some(path) = path_buf.to_str() else {
+                    bail!("invalid path: {:?}", path_buf);
+                };
+
+                let file = load_file(path)?;
+                // make sure we can load the pubkeys correctly
+                let _: Vec<BlsPublicKey> =
+                    serde_json::from_str(&file).wrap_err("failed to parse mux keys file")?;
 
-                Some((get_mux_env(&self.id), path.to_owned(), internal_path))
+                let internal_path = get_mux_path(&self.id);
+                Ok(Some((get_mux_env(&self.id), path.to_owned(), internal_path)))
             }
-            MuxKeysLoader::HTTP { .. } => None,
-            MuxKeysLoader::Registry { .. } => None,
-        })
+            MuxKeysLoader::HTTP { .. } => Ok(None),
+            MuxKeysLoader::Registry { .. } => Ok(None),
+        }
     }
 }