woodpecker/yaml/transform/validate.go

package transform
import (
"fmt"
"github.com/drone/drone/yaml"
)
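// Check validates every container in the configuration and returns the first
// violation found, or nil when nothing is rejected.
//
// Pipeline containers always go through CheckEntrypoint, even when trusted is
// true: the trusted flag only skips CheckTrusted. Service containers are
// checked with CheckTrusted only, so a service may set an entrypoint or a
// command (presumably intentional; confirm against the callers).
//
// c must be non-nil: it is dereferenced without a guard.
func Check(c *yaml.Config, trusted bool) error {
	for _, step := range c.Pipeline {
		if err := CheckEntrypoint(step); err != nil {
			return err
		}
		if trusted {
			continue
		}
		if err := CheckTrusted(step); err != nil {
			return err
		}
	}

	// Services are only subject to the restricted-option checks, and those
	// are skipped for trusted builds, so there is nothing left to inspect.
	if trusted {
		return nil
	}
	for _, svc := range c.Services {
		if err := CheckTrusted(svc); err != nil {
			return err
		}
	}
	return nil
}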
// CheckEntrypoint rejects a container that sets or overrides its entrypoint
// or its command. The entrypoint is tested first, so a container that sets
// both gets the entrypoint error. It returns nil when both fields are empty.
func CheckEntrypoint(c *yaml.Container) error {
	switch {
	case len(c.Entrypoint) != 0:
		return fmt.Errorf("Cannot set plugin Entrypoint")
	case len(c.Command) != 0:
		return fmt.Errorf("Cannot set plugin Command")
	}
	return nil
}
// CheckTrusted rejects a container that uses a restricted option: privileged
// mode, custom DNS servers, DNS search domains, devices, extra hosts, a
// network override, disabling the OOM killer, volumes, or volumes_from. The
// options are tested in that order and the error for the first one in use is
// returned; nil means none of them is set.
//
// Only the fields tested here are restricted. Any other container option is
// accepted by this function, so a new host-affecting field on yaml.Container
// needs a matching case here.
func CheckTrusted(c *yaml.Container) error {
	switch {
	case c.Privileged:
		return fmt.Errorf("Insufficient privileges to use privileged mode")
	case len(c.DNS) != 0:
		return fmt.Errorf("Insufficient privileges to use custom dns")
	case len(c.DNSSearch) != 0:
		return fmt.Errorf("Insufficient privileges to use dns_search")
	case len(c.Devices) != 0:
		return fmt.Errorf("Insufficient privileges to use devices")
	case len(c.ExtraHosts) != 0:
		return fmt.Errorf("Insufficient privileges to use extra_hosts")
	case len(c.Network) != 0:
		return fmt.Errorf("Insufficient privileges to override the network")
	case c.OomKillDisable:
		return fmt.Errorf("Insufficient privileges to disable oom_kill")
	case len(c.Volumes) != 0:
		return fmt.Errorf("Insufficient privileges to use volumes")
	case len(c.VolumesFrom) != 0:
		return fmt.Errorf("Insufficient privileges to use volumes_from")
	}
	return nil
}