More aggressive checking of AWS key quality upon startup in the GATK

public/java/src/org/broadinstitute/sting/gatk/GenomeAnalysisEngine.java

@@ -47,6 +47,7 @@ import org.broadinstitute.sting.gatk.io.OutputTracker;
 import org.broadinstitute.sting.gatk.io.stubs.Stub;
 import org.broadinstitute.sting.gatk.iterators.ReadTransformer;
 import org.broadinstitute.sting.gatk.iterators.ReadTransformersMode;
+import org.broadinstitute.sting.gatk.phonehome.GATKRunReport;
 import org.broadinstitute.sting.gatk.refdata.tracks.RMDTrackBuilder;
 import org.broadinstitute.sting.gatk.refdata.utils.RMDTriplet;
 import org.broadinstitute.sting.gatk.resourcemanagement.ThreadAllocation;
@@ -222,6 +223,9 @@ public class GenomeAnalysisEngine {
      * @return the value of this traversal.
      */
     public Object execute() {
+        // first thing is to make sure the AWS keys can be decrypted
+        GATKRunReport.checkAWSAreValid();
+
         //HeapSizeMonitor monitor = new HeapSizeMonitor();
         //monitor.start();
         setStartTime(new java.util.Date());

public/java/src/org/broadinstitute/sting/gatk/phonehome/GATKRunReport.java

@@ -73,6 +73,9 @@ import java.util.zip.GZIPOutputStream;
  * GATK run report database.
  */
 public class GATKRunReport {
+    protected final static String AWS_ACCESS_KEY_MD5 = "c0f0afa1ff5ba41d9bf216cfcdbf26bf";
+    protected final static String AWS_SECRET_KEY_MD5 = "db2f13b3a7c98ad24e28783733ec4a62";
+
     /**
      * The root file system directory where we keep common report data
      */
@@ -358,6 +361,28 @@ public class GATKRunReport {
         return getAWSKey("GATK_AWS_secret.key");
     }
 
+    /**
+     * Check that the AWS keys can be decrypted and are what we expect them to be
+     *
+     * @throws ReviewedStingException if anything goes wrong
+     */
+    public static void checkAWSAreValid() {
+        try {
+            final String accessKeyMD5 = Utils.calcMD5(getAWSAccessKey());
+            final String secretKeyMD5 = Utils.calcMD5(getAWSSecretKey());
+
+            if ( ! AWS_ACCESS_KEY_MD5.equals(accessKeyMD5) ) {
+                throw new ReviewedStingException("Invalid AWS access key found, expected MD5 " + AWS_ACCESS_KEY_MD5 + " but got " + accessKeyMD5);
+            }
+            if ( ! AWS_SECRET_KEY_MD5.equals(secretKeyMD5) ) {
+                throw new ReviewedStingException("Invalid AWS secret key found, expected MD5 " + AWS_SECRET_KEY_MD5 + " but got " + secretKeyMD5);
+            }
+
+        } catch ( Exception e ) {
+            throw new ReviewedStingException("Couldn't decrypt AWS keys, something is wrong with the GATK distribution");
+        }
+    }
+
     private class S3PutRunnable implements Runnable {
 
         public AtomicBoolean isSuccess;

public/java/test/org/broadinstitute/sting/gatk/phonehome/GATKRunReportUnitTest.java

@@ -36,12 +36,12 @@ import java.security.NoSuchAlgorithmException;
 public class GATKRunReportUnitTest extends BaseTest {
     @Test
     public void testAccessKey() throws Exception {
-        testAWSKey(GATKRunReport.getAWSAccessKey(), "c0f0afa1ff5ba41d9bf216cfcdbf26bf");
+        testAWSKey(GATKRunReport.getAWSAccessKey(), GATKRunReport.AWS_ACCESS_KEY_MD5);
     }
 
     @Test
     public void testSecretKey() throws Exception {
-        testAWSKey(GATKRunReport.getAWSSecretKey(), "db2f13b3a7c98ad24e28783733ec4a62");
+        testAWSKey(GATKRunReport.getAWSSecretKey(), GATKRunReport.AWS_SECRET_KEY_MD5);
     }
 
     private void testAWSKey(final String accessKey, final String expectedMD5) throws Exception {