cluster: unique validator_keys dir

cluster/helpers.go

@@ -10,6 +10,8 @@
 	"io"
 	"math"
 	"net/http"
+	"os"
+	"path"
 	"strings"
 	"time"
 
@@ -57,6 +59,29 @@
 	return res, nil
 }
 
+// CreateValidatorKeysDir creates a new directory for validator keys.
+// If the directory "validator_keys" exists, it checks if the directory
+// is empty.
+func CreateValidatorKeysDir(parentDir string) (string, error) {
+	vkdir := path.Join(parentDir, "validator_keys")
+	err := os.Mkdir(vkdir, os.ModePerm)
+	if err == nil {
+		return vkdir, nil
+	}
+	if !os.IsExist(err) {
+		return "", errors.Wrap(err, "mkdir", z.Str("path", vkdir))
+	}
+	files, err := os.ReadDir(vkdir)
+	if err != nil {
+		return "", errors.Wrap(err, "readdir", z.Str("path", vkdir))
+	}
+	if len(files) == 0 {
+		return vkdir, nil
+	}
+
+	return "", errors.New("directory not empty", z.Str("path", vkdir))
+}
+
 // uuid returns a random uuid.
 func uuid(random io.Reader) string {
 	b := make([]byte, 16)

cluster/helpers_internal_test.go

@@ -8,6 +8,8 @@ import (
 	"math/rand"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path"
 	"strings"
 	"testing"
 
@@ -130,3 +132,31 @@ func TestFetchDefinition(t *testing.T) {
 		})
 	}
 }
+
+func TestCreateValidatorKeysDir(t *testing.T) {
+	tmp := t.TempDir()
+
+	// First attempt must succeed.
+	dir, err := CreateValidatorKeysDir(tmp)
+	require.NoError(t, err)
+	require.True(t, strings.HasPrefix(dir, tmp))
+	require.True(t, strings.HasSuffix(dir, "validator_keys"))
+
+	// Second attempt shall succeed as long as the dir is empty.
+	dir, err = CreateValidatorKeysDir(tmp)
+	require.NoError(t, err)
+	require.True(t, strings.HasPrefix(dir, tmp))
+	require.True(t, strings.HasSuffix(dir, "validator_keys"))
+
+	// Create a file in the directory to make it non-empty.
+	err = os.WriteFile(path.Join(dir, "file"), []byte("data"), 0o644)
+	require.NoError(t, err)
+	_, err = CreateValidatorKeysDir(tmp)
+	require.ErrorContains(t, err, "directory not empty")
+
+	t.Run("mkdir error", func(t *testing.T) {
+		// Parent directory does not exist
+		_, err := CreateValidatorKeysDir(path.Join(tmp, "nonexistent"))
+		require.ErrorContains(t, err, "mkdir")
+	})
+}

cmd/createcluster.go

@@ -758,9 +758,9 @@
 			secrets = append(secrets, shares[i])
 		}
 
-		keysDir := path.Join(nodeDir(clusterDir, i), "/validator_keys")
-		if err := os.MkdirAll(keysDir, 0o755); err != nil {
-			return errors.Wrap(err, "mkdir validator_keys")
+		keysDir, err := cluster.CreateValidatorKeysDir(nodeDir(clusterDir, i))
+		if err != nil {
+			return err
 		}
 
 		if insecureKeys {

dkg/disk.go

@@ -130,10 +130,9 @@
 		secrets = append(secrets, s.SecretShare)
 	}
 
-	keysDir := path.Join(conf.DataDir, "/validator_keys")
-
-	if err := os.Mkdir(keysDir, os.ModePerm); err != nil {
-		return errors.Wrap(err, "mkdir /validator_keys")
+	keysDir, err := cluster.CreateValidatorKeysDir(conf.DataDir)
+	if err != nil {
+		return err
 	}
 
 	storeKeysFunc := keystore.StoreKeys