diff --git a/cli/exec/exec.go b/cli/exec/exec.go index c59df519f..c705de267 100644 --- a/cli/exec/exec.go +++ b/cli/exec/exec.go @@ -185,9 +185,12 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax volumes = append(volumes, repoPath+":"+path.Join(workspaceBase, workspacePath)) } + privilegedPlugins := c.StringSlice("plugins-privileged") + // lint the yaml file err = linter.New( linter.WithTrusted(true), + linter.PrivilegedPlugins(privilegedPlugins), linter.WithTrustedClonePlugins(constant.TrustedClonePlugins), ).Lint([]*linter.WorkflowConfig{{ File: path.Base(file), @@ -205,7 +208,7 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax // compiles the yaml file compiled, err := compiler.New( compiler.WithEscalated( - c.StringSlice("privileged")..., + privilegedPlugins..., ), compiler.WithVolumes(volumes...), compiler.WithWorkspace( diff --git a/cli/exec/flags.go b/cli/exec/flags.go index 3b0c5d295..c41111d3e 100644 --- a/cli/exec/flags.go +++ b/cli/exec/flags.go @@ -18,8 +18,6 @@ import ( "time" "github.com/urfave/cli/v3" - - "go.woodpecker-ci.org/woodpecker/v2/shared/constant" ) var flags = []cli.Flag{ @@ -58,9 +56,9 @@ var flags = []cli.Flag{ Hidden: true, }, &cli.StringSliceFlag{ - Name: "privileged", - Usage: "privileged plugins", - Value: constant.PrivilegedPlugins, + Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"), + Name: "plugins-privileged", + Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none", }, &cli.StringFlag{ Sources: cli.EnvVars("WOODPECKER_BACKEND"), diff --git a/cli/lint/lint.go b/cli/lint/lint.go index 0f324f14c..973e9ec89 100644 --- a/cli/lint/lint.go +++ b/cli/lint/lint.go @@ -37,6 +37,11 @@ var Command = &cli.Command{ ArgsUsage: "[path/to/.woodpecker.yaml]", Action: lint, Flags: []cli.Flag{ + &cli.StringSliceFlag{ + Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"), + Name: "plugins-privileged", + Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none", + }, &cli.StringSliceFlag{ Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"), Name: "plugins-trusted-clone", @@ -106,6 +111,7 @@ func lintFile(_ context.Context, c *cli.Command, file string) error { // TODO: lint multiple files at once to allow checks for sth like "depends_on" to work err = linter.New( linter.WithTrusted(true), + linter.PrivilegedPlugins(c.StringSlice("plugins-privileged")), linter.WithTrustedClonePlugins(c.StringSlice("plugins-trusted-clone")), ).Lint([]*linter.WorkflowConfig{config}) if err != nil { diff --git a/cmd/server/flags.go b/cmd/server/flags.go index f29071d98..18023e207 100644 --- a/cmd/server/flags.go +++ b/cmd/server/flags.go @@ -160,10 +160,9 @@ var flags = append([]cli.Flag{ Value: time.Hour * 72, }, &cli.StringSliceFlag{ - Sources: cli.EnvVars("WOODPECKER_ESCALATE"), - Name: "escalate", + Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"), + Name: "plugins-privileged", Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none", - Value: constant.PrivilegedPlugins, }, &cli.StringSliceFlag{ Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"), diff --git a/cmd/server/setup.go b/cmd/server/setup.go index 3b67c0ca6..f221aebc7 100644 --- a/cmd/server/setup.go +++ b/cmd/server/setup.go @@ -224,12 +224,7 @@ func setupEvilGlobals(ctx context.Context, c *cli.Command, s store.Store) error server.Config.Pipeline.Volumes = c.StringSlice("volume") server.Config.WebUI.EnableSwagger = c.Bool("enable-swagger") server.Config.WebUI.SkipVersionCheck = c.Bool("skip-version-check") - - // list has default value but should be able to be set to zero - server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("escalate") - if val, set := os.LookupEnv("WOODPECKER_ESCALATE"); set && val == "" { - server.Config.Pipeline.PrivilegedPlugins = []string{} - } + server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("plugins-privileged") // prometheus server.Config.Prometheus.AuthToken = c.String("prometheus-auth-token") diff --git a/docs/docs/30-administration/10-server-config.md b/docs/docs/30-administration/10-server-config.md index 631a96f27..c7f544e25 100644 --- a/docs/docs/30-administration/10-server-config.md +++ b/docs/docs/30-administration/10-server-config.md @@ -348,9 +348,7 @@ Context: when someone does log into Woodpecker, a temporary session token is cre As long as the session is valid (until it expires or log-out), a user can log into Woodpecker, without re-authentication. -### `WOODPECKER_ESCALATE` - -> Defaults are defined in [shared/constant/constant.go](https://github.com/woodpecker-ci/woodpecker/blob/main/shared/constant/constant.go) +### `WOODPECKER_PLUGINS_PRIVILEGED` Docker images to run in privileged mode. Only change if you are sure what you do! diff --git a/docs/docs/91-migrations.md b/docs/docs/91-migrations.md index f111ea4a4..c001d9548 100644 --- a/docs/docs/91-migrations.md +++ b/docs/docs/91-migrations.md @@ -4,9 +4,10 @@ Some versions need some changes to the server configuration or the pipeline conf ## `next` +- Rename server environment variable `WOODPECKER_ESCALATE` to `WOODPECKER_PLUGINS_PRIVILEGED` +- Remove all default privileged plugins ([re-add plugins to the list via config if needed](./30-administration/10-server-config.md#woodpecker_plugins_privileged)). - `WOODPECKER_DEFAULT_CLONE_IMAGE` got depricated use `WOODPECKER_DEFAULT_CLONE_PLUGIN` - Check trusted-clone- and privileged-plugins by image name and tag (if tag is set) -- Remove `plugins/docker`, `plugins/gcr` and `plugins/ecr` from the default list of privileged plugins ([modify the list via config if needed](./30-administration/10-server-config.md#woodpecker_escalate)). - Secret filters for plugins now check against tag if specified - Removed `WOODPECKER_DEV_OAUTH_HOST` and `WOODPECKER_DEV_GITEA_OAUTH_URL` use `WOODPECKER_EXPERT_FORGE_OAUTH_HOST` - Compatibility mode of deprecated `pipeline:`, `platform:` and `branches:` pipeline config options are now removed and pipeline will now fail if still in use. diff --git a/pipeline/frontend/yaml/linter/linter.go b/pipeline/frontend/yaml/linter/linter.go index e3830c311..6e3ddde94 100644 --- a/pipeline/frontend/yaml/linter/linter.go +++ b/pipeline/frontend/yaml/linter/linter.go @@ -168,8 +168,8 @@ func (l *Linter) lintImage(config *WorkflowConfig, c *types.Container, area stri func (l *Linter) lintPrivilegedPlugins(config *WorkflowConfig, c *types.Container, area string) error { // lint for conflicts of https://github.com/woodpecker-ci/woodpecker/pull/3918 - if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr") { - msg := "Cannot use once privileged plugins removed from WOODPECKER_ESCALATE, use 'woodpeckerci/plugin-docker-buildx' instead" + if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx") { + msg := "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED" // check first if user did not add them back if l.privilegedPlugins != nil && !utils.MatchImage(c.Image, *l.privilegedPlugins...) { return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), false) diff --git a/pipeline/frontend/yaml/linter/linter_test.go b/pipeline/frontend/yaml/linter/linter_test.go index 23a5cf383..354b6b4b7 100644 --- a/pipeline/frontend/yaml/linter/linter_test.go +++ b/pipeline/frontend/yaml/linter/linter_test.go @@ -171,7 +171,7 @@ func TestLintErrors(t *testing.T) { }, { from: "{steps: { build: { image: plugins/docker, settings: { test: 'true' } } }, when: { branch: main, event: push } } }", - want: "Cannot use once privileged plugins removed from WOODPECKER_ESCALATE, use 'woodpeckerci/plugin-docker-buildx' instead", + want: "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED", }, { from: "{steps: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push }, clone: { git: { image: some-other/plugin-git:v1.1.0 } } }", diff --git a/shared/constant/constant.go b/shared/constant/constant.go index d4560bb45..1d060bfeb 100644 --- a/shared/constant/constant.go +++ b/shared/constant/constant.go @@ -14,12 +14,6 @@ package constant -// PrivilegedPlugins can be changed by 'WOODPECKER_ESCALATE' at runtime. -var PrivilegedPlugins = []string{ - "docker.io/woodpeckerci/plugin-docker-buildx", - "codeberg.org/woodpecker-plugins/docker-buildx", -} - // DefaultConfigOrder represent the priority in witch woodpecker search for a pipeline config by default // folders are indicated by supplying a trailing slash. var DefaultConfigOrder = [...]string{