2016-05-09 18:28:49 +00:00
|
|
|
package transform
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"github.com/drone/drone/yaml"
|
|
|
|
)
|
|
|
|
|
|
|
|
func Check(c *yaml.Config, trusted bool) error {
|
|
|
|
var images []*yaml.Container
|
|
|
|
images = append(images, c.Pipeline...)
|
|
|
|
images = append(images, c.Services...)
|
|
|
|
|
2016-05-10 05:57:57 +00:00
|
|
|
for _, image := range c.Pipeline {
|
2016-05-09 18:28:49 +00:00
|
|
|
if err := CheckEntrypoint(image); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if trusted {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if err := CheckTrusted(image); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2016-05-10 05:57:57 +00:00
|
|
|
for _, image := range c.Services {
|
|
|
|
if trusted {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if err := CheckTrusted(image); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2016-05-09 18:28:49 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// validate the plugin command and entrypoint and return an error
|
|
|
|
// the user attempts to set or override these values.
|
|
|
|
func CheckEntrypoint(c *yaml.Container) error {
|
2016-11-25 09:32:12 +00:00
|
|
|
if c.Detached {
|
|
|
|
return nil
|
|
|
|
}
|
2016-05-09 18:28:49 +00:00
|
|
|
if len(c.Entrypoint) != 0 {
|
|
|
|
return fmt.Errorf("Cannot set plugin Entrypoint")
|
|
|
|
}
|
|
|
|
if len(c.Command) != 0 {
|
|
|
|
return fmt.Errorf("Cannot set plugin Command")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// validate the container configuration and return an error if restricted
|
|
|
|
// configurations are used.
|
|
|
|
func CheckTrusted(c *yaml.Container) error {
|
|
|
|
if c.Privileged {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use privileged mode")
|
|
|
|
}
|
2016-10-07 21:18:46 +00:00
|
|
|
if c.ShmSize != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to override shm_size")
|
|
|
|
}
|
2016-05-09 18:28:49 +00:00
|
|
|
if len(c.DNS) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use custom dns")
|
|
|
|
}
|
|
|
|
if len(c.DNSSearch) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use dns_search")
|
|
|
|
}
|
|
|
|
if len(c.Devices) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use devices")
|
|
|
|
}
|
|
|
|
if len(c.ExtraHosts) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use extra_hosts")
|
|
|
|
}
|
|
|
|
if len(c.Network) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to override the network")
|
|
|
|
}
|
|
|
|
if c.OomKillDisable {
|
|
|
|
return fmt.Errorf("Insufficient privileges to disable oom_kill")
|
|
|
|
}
|
|
|
|
if len(c.Volumes) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use volumes")
|
|
|
|
}
|
|
|
|
if len(c.VolumesFrom) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use volumes_from")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|