prysmaticlabs · rauljordan · Feb 15, 2021 · Feb 12, 2021 · Feb 12, 2021 · Feb 15, 2021
@@ -104,6 +104,16 @@ func HasDir(dirPath string) (bool, error) {
 	return info.IsDir(), err
 }
 
+// HasReadWritePermissions checks if file at a path has proper
+// 0600 permissions set.
+func HasReadWritePermissions(itemPath string) (bool, error) {
+	info, err := os.Stat(itemPath)
+	if err != nil {
+		return false, err
+	}
+	return info.Mode() == params.BeaconIoConfig().ReadWritePermissions, nil
+}
+
 // FileExists returns true if a file is not a directory and exists
 // at the specified path.
 func FileExists(filename string) bool {

@@ -280,3 +280,52 @@ func tmpDirWithContents(t *testing.T) (string, []string) {
 	sort.Strings(fnames)
 	return dir, fnames
 }
+
+func TestHasReadWritePermissions(t *testing.T) {
+	type args struct {
+		itemPath string
+		perms    os.FileMode
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    bool
+		wantErr bool
+	}{
+		{
+			name: "0600 permissions returns true",
+			args: args{
+				itemPath: "somefile",
+				perms:    params.BeaconIoConfig().ReadWritePermissions,
+			},
+			want: true,
+		},
+		{
+			name: "other permissions returns false",
+			args: args{
+				itemPath: "somefile2",
+				perms:    params.BeaconIoConfig().ReadWriteExecutePermissions,
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fullPath := filepath.Join(os.TempDir(), tt.args.itemPath)
+			require.NoError(t, ioutil.WriteFile(fullPath, []byte("foo"), tt.args.perms))
+			t.Cleanup(func() {
+				if err := os.RemoveAll(fullPath); err != nil {
+					t.Fatalf("Could not delete temp dir: %v", err)
+				}
+			})
+			got, err := fileutil.HasReadWritePermissions(fullPath)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("HasReadWritePermissions() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("HasReadWritePermissions() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
@@ -260,13 +260,12 @@ func (c *ValidatorClient) initializeFromCLI(cliCtx *cli.Context) error {
 func (c *ValidatorClient) initializeForWeb(cliCtx *cli.Context) error {
 	var keyManager keymanager.IKeymanager
 	var err error
-	walletDir := cliCtx.String(flags.WalletDirFlag.Name)
-	defaultWalletPasswordFilePath := filepath.Join(walletDir, wallet.DefaultWalletPasswordFile)
-	if fileutil.FileExists(defaultWalletPasswordFilePath) {
-		if err := cliCtx.Set(flags.WalletPasswordFileFlag.Name, defaultWalletPasswordFilePath); err != nil {
-			return errors.Wrap(err, "could not set default wallet password file path")
-		}
+
+	// Read the wallet password file from the cli context.
+	if err = setWalletPasswordFilePath(cliCtx); err != nil {
+		return errors.Wrap(err, "could not read wallet password file")
 	}
+
 	// Read the wallet from the specified path.
 	w, err := wallet.OpenWalletOrElseCli(cliCtx, func(cliCtx *cli.Context) (*wallet.Wallet, error) {
 		return nil, nil
@@ -513,6 +512,30 @@ func (c *ValidatorClient) registerRPCGatewayService(cliCtx *cli.Context) error {
 	return c.services.RegisterService(gatewaySrv)
 }
 
+func setWalletPasswordFilePath(cliCtx *cli.Context) error {
+	walletDir := cliCtx.String(flags.WalletDirFlag.Name)
+	defaultWalletPasswordFilePath := filepath.Join(walletDir, wallet.DefaultWalletPasswordFile)
+	if fileutil.FileExists(defaultWalletPasswordFilePath) {
+		// Ensure file has proper permissions.
+		hasPerms, err := fileutil.HasReadWritePermissions(defaultWalletPasswordFilePath)
+		if err != nil {
+			return err
+		}
+		if !hasPerms {
+			return fmt.Errorf(
+				"wallet password file %s does not have proper 0600 permissions",
+				defaultWalletPasswordFilePath,
+			)
+		}
+
+		// Set the filepath into the cli context.
+		if err := cliCtx.Set(flags.WalletPasswordFileFlag.Name, defaultWalletPasswordFilePath); err != nil {
+			return errors.Wrap(err, "could not set default wallet password file path")
+		}
+	}
+	return nil
+}
+
 func clearDB(ctx context.Context, dataDir string, force bool) error {
 	var err error
 	clearDBConfirmed := force