harness-drone/pkg/yaml/lint.go

145 lines
3.4 KiB
Go

package parser
import (
"fmt"
"path/filepath"
"strings"
common "github.com/drone/drone/pkg/types"
)
// lintRule defines a function that runs lint
// checks against a Yaml Config file. If the rule
// fails it should return an error message.
type lintRule func(*common.Config) error
var lintRules = [...]lintRule{
expectBuild,
expectImage,
expectCommand,
expectTrustedSetup,
expectTrustedClone,
expectTrustedPublish,
expectTrustedDeploy,
expectTrustedNotify,
}
// Lint runs all lint rules against the Yaml Config.
func Lint(c *common.Config) error {
for _, rule := range lintRules {
err := rule(c)
if err != nil {
return err
}
}
return nil
}
// lint rule that fails when no build is defined
func expectBuild(c *common.Config) error {
if c.Build == nil {
return fmt.Errorf("Yaml must define a build section")
}
return nil
}
// lint rule that fails when no build image is defined
func expectImage(c *common.Config) error {
if len(c.Build.Image) == 0 {
return fmt.Errorf("Yaml must define a build image")
}
return nil
}
// lint rule that fails when no build commands are defined
func expectCommand(c *common.Config) error {
if c.Build.Config == nil || c.Build.Config["commands"] == nil {
return fmt.Errorf("Yaml must define build commands")
}
return nil
}
// lint rule that fails when a non-trusted clone plugin is used.
func expectTrustedClone(c *common.Config) error {
if c.Clone != nil && strings.Contains(c.Clone.Image, "/") {
return fmt.Errorf("Yaml must use trusted clone plugins")
}
return nil
}
// lint rule that fails when a non-trusted setup plugin is used.
func expectTrustedSetup(c *common.Config) error {
if c.Setup != nil && strings.Contains(c.Setup.Image, "/") {
return fmt.Errorf("Yaml must use trusted setup plugins")
}
return nil
}
// lint rule that fails when a non-trusted publish plugin is used.
func expectTrustedPublish(c *common.Config) error {
for _, step := range c.Publish {
if strings.Contains(step.Image, "/") {
return fmt.Errorf("Yaml must use trusted publish plugins")
}
}
return nil
}
// lint rule that fails when a non-trusted deploy plugin is used.
func expectTrustedDeploy(c *common.Config) error {
for _, step := range c.Deploy {
if strings.Contains(step.Image, "/") {
return fmt.Errorf("Yaml must use trusted deploy plugins")
}
}
return nil
}
// lint rule that fails when a non-trusted notify plugin is used.
func expectTrustedNotify(c *common.Config) error {
for _, step := range c.Notify {
if strings.Contains(step.Image, "/") {
return fmt.Errorf("Yaml must use trusted notify plugins")
}
}
return nil
}
func LintPlugins(c *common.Config, opts *Opts) error {
if len(opts.Whitelist) == 0 {
return nil
}
var images []string
images = append(images, c.Setup.Image)
images = append(images, c.Clone.Image)
c.Clone.Image = imageName(c.Clone.Image)
for _, step := range c.Publish {
images = append(images, step.Image)
}
for _, step := range c.Deploy {
images = append(images, step.Image)
}
for _, step := range c.Notify {
images = append(images, step.Image)
}
for _, image := range images {
match := false
for _, pattern := range opts.Whitelist {
if pattern == image {
match = true
break
}
ok, err := filepath.Match(pattern, image)
if ok && err == nil {
match = true
break
}
}
if !match {
return fmt.Errorf("Cannot use un-trusted image %s", image)
}
}
return nil
}