Check for filesystem permissions on startup

LEDfan · LEDfan · commit 68f8139b6a02 · 2025-06-24T13:08:31.000+02:00
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/FileManager.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/FileManager.kt
@@ -21,13 +21,15 @@
 package eu.openanalytics.shinyproxyoperator
 
 import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.IO
 import kotlinx.coroutines.withContext
 import java.nio.file.Files
 import java.nio.file.Path
 import java.nio.file.attribute.PosixFilePermission
 import kotlin.io.path.ExperimentalPathApi
 import kotlin.io.path.deleteRecursively
 import kotlin.io.path.exists
+import java.nio.file.AccessDeniedException
 
 class FileManager {
 
@@ -69,8 +71,12 @@ class FileManager {
     }
 
     fun createDirectories(path: Path) {
-        if (!Files.exists(path)) {
-            Files.createDirectories(path)
+        try {
+            if (!Files.exists(path)) {
+                Files.createDirectories(path)
+            }
+        } catch (_: AccessDeniedException) {
+            throw InternalException("Missing read/write permission for directory '$path'!");
         }
     }
 
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/InternalException.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/InternalException.kt
@@ -0,0 +1,24 @@
+/*
+ * ShinyProxy-Operator
+ *
+ * Copyright (C) 2021-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.shinyproxyoperator
+
+// exception for which no stack trace should be printed
+class InternalException(msg: String) : Exception(msg)
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/DockerOrchestrator.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/DockerOrchestrator.kt
@@ -31,6 +31,7 @@ import eu.openanalytics.shinyproxyoperator.Config
 import eu.openanalytics.shinyproxyoperator.FileManager
 import eu.openanalytics.shinyproxyoperator.IOrchestrator
 import eu.openanalytics.shinyproxyoperator.IShinyProxySource
+import eu.openanalytics.shinyproxyoperator.InternalException
 import eu.openanalytics.shinyproxyoperator.LabelFactory
 import eu.openanalytics.shinyproxyoperator.event.ShinyProxyEvent
 import eu.openanalytics.shinyproxyoperator.impl.docker.monitoring.MonitoringConfig
@@ -48,6 +49,7 @@ import kotlinx.coroutines.withContext
 import org.apache.commons.lang3.RandomStringUtils
 import org.mandas.docker.client.DockerClient
 import org.mandas.docker.client.builder.jersey.JerseyDockerClientBuilder
+import org.mandas.docker.client.exceptions.DockerException
 import org.mandas.docker.client.messages.ContainerConfig
 import org.mandas.docker.client.messages.HostConfig
 import org.mandas.docker.client.messages.LogConfig
@@ -93,13 +95,32 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
     private val logFilesCleaner: LogFilesCleaner
 
     init {
+        if (!Files.exists(dataDir)) {
+            throw InternalException("The data directory doesn't exist: '$dataDir'!")
+        }
+        if (!Files.isReadable(dataDir)) {
+            throw InternalException("Missing read permission for the data directory: '$dataDir'!");
+        }
+        if (!Files.isWritable(dataDir)) {
+            throw InternalException("Missing write permission for the data directory: '$dataDir'!");
+        }
         objectMapper.registerKotlinModule()
         objectMapper.propertyNamingStrategy = PropertyNamingStrategies.KEBAB_CASE
         dockerClient = JerseyDockerClientBuilder()
             .fromEnv()
             .uri("unix://" + dockerSocket)
             .readTimeoutMillis(0) // no timeout, needed for startContainer and logs, #32606
             .build()
+        // test Docker permissions
+        try {
+            dockerClient.listImages()
+        } catch (e: DockerException) {
+            if (e.message?.contains("permission denied", ignoreCase = true) == true) {
+                throw InternalException("No permission to access Docker daemon, check the mount of the socket and the 'SPO_DOCKER_GID' environment variable.");
+            }
+            throw e
+        }
+
         dataDirUid = getDatadirUId()
         caddyConfig = CaddyConfig(dockerClient, dataDir, config)
         dockerActions = DockerActions(dockerClient, config)
@@ -525,7 +546,7 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
             logger.info { "Owner of data dir is '$owner'" }
             return owner
         } catch (e: Exception) {
-            logger.warn(e) { "Failed to determine owner of data dir - failling back to user 1000" }
+            logger.warn(e) { "Failed to determine owner of data dir - falling back to user 1000" }
             return 1000
         }
     }
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/source/FileSource.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/source/FileSource.kt
@@ -28,6 +28,7 @@ import com.fasterxml.jackson.module.kotlin.readValue
 import eu.openanalytics.shinyproxyoperator.Config
 import eu.openanalytics.shinyproxyoperator.IEventController
 import eu.openanalytics.shinyproxyoperator.IShinyProxySource
+import eu.openanalytics.shinyproxyoperator.InternalException
 import eu.openanalytics.shinyproxyoperator.event.ShinyProxyEvent
 import eu.openanalytics.shinyproxyoperator.event.ShinyProxyEventType
 import eu.openanalytics.shinyproxyoperator.impl.docker.DockerOrchestrator
@@ -39,6 +40,7 @@ import kotlinx.coroutines.runBlocking
 import org.apache.commons.io.FileUtils
 import org.apache.commons.io.filefilter.DirectoryFileFilter
 import org.apache.commons.io.filefilter.RegexFileFilter
+import java.nio.file.Files
 import java.nio.file.Path
 import java.util.*
 import kotlin.concurrent.timer
@@ -63,6 +65,9 @@ class FileSource(
 
     override suspend fun init() {
         objectMapper.enable(DeserializationFeature.FAIL_ON_READING_DUP_TREE_KEY)
+        if (!Files.isReadable(inputDir)) {
+            throw InternalException("Missing read permission for the input '$inputDir' directory!");
+        }
         runOnce()
         logger.info { "FileSource ready" }
     }
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/main.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/main.kt
@@ -54,8 +54,11 @@ suspend fun main() {
             logger.info { "Starting ShinyProxy Operator" }
             operator.run()
         }
+    } catch (exception: InternalException) {
+        logger.warn { "Exception: ${exception.message}" }
+        exitProcess(1)
     } catch (exception: Exception) {
-        logger.warn { "Exception : ${exception.message}" }
+        logger.warn { "Exception: ${exception.message}" }
         exception.printStackTrace()
         exitProcess(1)
     }

Original file line number	Diff line number	Diff line change
`@@ -54,8 +54,11 @@ suspend fun main() {`
`54`	`54`	`logger.info { "Starting ShinyProxy Operator" }`
`55`	`55`	`operator.run()`
`56`	`56`	`}`
	`57`	`+ } catch (exception: InternalException) {`
	`58`	`+ logger.warn { "Exception: ${exception.message}" }`
	`59`	`+ exitProcess(1)`
`57`	`60`	`} catch (exception: Exception) {`
`58`		`- logger.warn { "Exception : ${exception.message}" }`
	`61`	`+ logger.warn { "Exception: ${exception.message}" }`
`59`	`62`	`exception.printStackTrace()`
`60`	`63`	`exitProcess(1)`
`61`	`64`	`}`