2017-03-05 07:56:08 +00:00
|
|
|
package linter
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
|
2021-09-24 11:18:34 +00:00
|
|
|
"github.com/woodpecker-ci/woodpecker/pipeline/frontend/yaml"
|
2017-03-05 07:56:08 +00:00
|
|
|
)
|
|
|
|
|
2017-07-21 21:52:52 +00:00
|
|
|
const (
|
|
|
|
blockClone uint8 = iota
|
|
|
|
blockPipeline
|
|
|
|
blockServices
|
|
|
|
)
|
|
|
|
|
2017-03-05 07:56:08 +00:00
|
|
|
// A Linter lints a pipeline configuration.
|
|
|
|
type Linter struct {
|
|
|
|
trusted bool
|
|
|
|
}
|
|
|
|
|
|
|
|
// New creates a new Linter with options.
|
|
|
|
func New(opts ...Option) *Linter {
|
|
|
|
linter := new(Linter)
|
|
|
|
for _, opt := range opts {
|
|
|
|
opt(linter)
|
|
|
|
}
|
|
|
|
return linter
|
|
|
|
}
|
|
|
|
|
|
|
|
// Lint lints the configuration.
|
|
|
|
func (l *Linter) Lint(c *yaml.Config) error {
|
2017-07-21 21:52:52 +00:00
|
|
|
if len(c.Pipeline.Containers) == 0 {
|
|
|
|
return fmt.Errorf("Invalid or missing pipeline section")
|
|
|
|
}
|
|
|
|
if err := l.lint(c.Clone.Containers, blockClone); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := l.lint(c.Pipeline.Containers, blockPipeline); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := l.lint(c.Services.Containers, blockServices); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2017-03-05 07:56:08 +00:00
|
|
|
|
2017-07-21 21:52:52 +00:00
|
|
|
func (l *Linter) lint(containers []*yaml.Container, block uint8) error {
|
2017-03-05 07:56:08 +00:00
|
|
|
for _, container := range containers {
|
|
|
|
if err := l.lintImage(container); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2021-11-23 14:36:52 +00:00
|
|
|
if !l.trusted {
|
2017-03-05 07:56:08 +00:00
|
|
|
if err := l.lintTrusted(container); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2017-07-21 21:52:52 +00:00
|
|
|
if block != blockServices && !container.Detached {
|
2017-03-05 07:56:08 +00:00
|
|
|
if err := l.lintEntrypoint(container); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2017-07-21 21:52:52 +00:00
|
|
|
if err := l.lintCommands(container); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2017-03-05 07:56:08 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (l *Linter) lintImage(c *yaml.Container) error {
|
|
|
|
if len(c.Image) == 0 {
|
|
|
|
return fmt.Errorf("Invalid or missing image")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2017-07-21 21:52:52 +00:00
|
|
|
func (l *Linter) lintCommands(c *yaml.Container) error {
|
|
|
|
if len(c.Commands) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
2021-12-04 15:44:18 +00:00
|
|
|
if len(c.Settings) != 0 {
|
2017-07-21 21:52:52 +00:00
|
|
|
var keys []string
|
2021-12-04 15:44:18 +00:00
|
|
|
for key := range c.Settings {
|
2017-07-21 21:52:52 +00:00
|
|
|
keys = append(keys, key)
|
|
|
|
}
|
|
|
|
return fmt.Errorf("Cannot configure both commands and custom attributes %v", keys)
|
|
|
|
}
|
|
|
|
if len(c.Entrypoint) != 0 {
|
|
|
|
return fmt.Errorf("Cannot configure both commands and entrypoint attributes")
|
|
|
|
}
|
|
|
|
if len(c.Command) != 0 {
|
|
|
|
return fmt.Errorf("Cannot configure both commands and command attributes")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2017-03-05 07:56:08 +00:00
|
|
|
func (l *Linter) lintEntrypoint(c *yaml.Container) error {
|
|
|
|
if len(c.Entrypoint) != 0 {
|
|
|
|
return fmt.Errorf("Cannot override container entrypoint")
|
|
|
|
}
|
|
|
|
if len(c.Command) != 0 {
|
|
|
|
return fmt.Errorf("Cannot override container command")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (l *Linter) lintTrusted(c *yaml.Container) error {
|
|
|
|
if c.Privileged {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use privileged mode")
|
|
|
|
}
|
|
|
|
if c.ShmSize != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to override shm_size")
|
|
|
|
}
|
|
|
|
if len(c.DNS) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use custom dns")
|
|
|
|
}
|
|
|
|
if len(c.DNSSearch) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use dns_search")
|
|
|
|
}
|
|
|
|
if len(c.Devices) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use devices")
|
|
|
|
}
|
|
|
|
if len(c.ExtraHosts) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use extra_hosts")
|
|
|
|
}
|
|
|
|
if len(c.NetworkMode) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use network_mode")
|
|
|
|
}
|
2017-09-08 00:43:33 +00:00
|
|
|
if len(c.IpcMode) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use ipc_mode")
|
|
|
|
}
|
2017-11-17 22:49:01 +00:00
|
|
|
if len(c.Sysctls) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use sysctls")
|
|
|
|
}
|
2017-03-05 07:56:08 +00:00
|
|
|
if c.Networks.Networks != nil && len(c.Networks.Networks) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use networks")
|
|
|
|
}
|
|
|
|
if c.Volumes.Volumes != nil && len(c.Volumes.Volumes) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use volumes")
|
|
|
|
}
|
2017-09-08 00:43:33 +00:00
|
|
|
if len(c.Tmpfs) != 0 {
|
|
|
|
return fmt.Errorf("Insufficient privileges to use tmpfs")
|
|
|
|
}
|
2017-03-05 07:56:08 +00:00
|
|
|
return nil
|
|
|
|
}
|