Remove all default privileged plugins (#4053)

2024-09-25 13:10:13 +00:00 · 2024-09-02 10:41:20 +02:00 · 2024-09-02 10:41:20 +02:00 · 32d1ec7cec
commit 32d1ec7cec
parent 6feab0093f
10 changed files with 22 additions and 28 deletions
--- a/cli/exec/exec.go
+++ b/cli/exec/exec.go
@ -185,9 +185,12 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
 		volumes = append(volumes, repoPath+":"+path.Join(workspaceBase, workspacePath))
 	}
 	privilegedPlugins := c.StringSlice("plugins-privileged")
 	// lint the yaml file
 	err = linter.New(
 		linter.WithTrusted(true),
 		linter.PrivilegedPlugins(privilegedPlugins),
 		linter.WithTrustedClonePlugins(constant.TrustedClonePlugins),
 	).Lint([]*linter.WorkflowConfig{{
 		File:      path.Base(file),
@ -205,7 +208,7 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
 	// compiles the yaml file
 	compiled, err := compiler.New(
 		compiler.WithEscalated(
-			c.StringSlice("privileged")...,
+			privilegedPlugins...,
 		),
 		compiler.WithVolumes(volumes...),
 		compiler.WithWorkspace(
--- a/cli/exec/flags.go
+++ b/cli/exec/flags.go
@ -18,8 +18,6 @@ import (
 	"time"
 	"github.com/urfave/cli/v3"
 	"go.woodpecker-ci.org/woodpecker/v2/shared/constant"
 )
 var flags = []cli.Flag{
@ -58,9 +56,9 @@ var flags = []cli.Flag{
 		Hidden:  true,
 	},
 	&cli.StringSliceFlag{
-		Name:  "privileged",
+		Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
-		Usage: "privileged plugins",
+		Name:    "plugins-privileged",
-		Value: constant.PrivilegedPlugins,
+		Usage:   "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
 	},
 	&cli.StringFlag{
 		Sources: cli.EnvVars("WOODPECKER_BACKEND"),
--- a/cli/lint/lint.go
+++ b/cli/lint/lint.go
@ -37,6 +37,11 @@ var Command = &cli.Command{
 	ArgsUsage: "[path/to/.woodpecker.yaml]",
 	Action:    lint,
 	Flags: []cli.Flag{
 		&cli.StringSliceFlag{
 			Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
 			Name:    "plugins-privileged",
 			Usage:   "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
 		},
 		&cli.StringSliceFlag{
 			Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
 			Name:    "plugins-trusted-clone",
@ -106,6 +111,7 @@ func lintFile(_ context.Context, c *cli.Command, file string) error {
 	// TODO: lint multiple files at once to allow checks for sth like "depends_on" to work
 	err = linter.New(
 		linter.WithTrusted(true),
 		linter.PrivilegedPlugins(c.StringSlice("plugins-privileged")),
 		linter.WithTrustedClonePlugins(c.StringSlice("plugins-trusted-clone")),
 	).Lint([]*linter.WorkflowConfig{config})
 	if err != nil {
--- a/cmd/server/flags.go
+++ b/cmd/server/flags.go
@ -160,10 +160,9 @@ var flags = append([]cli.Flag{
 		Value:   time.Hour * 72,
 	},
 	&cli.StringSliceFlag{
-		Sources: cli.EnvVars("WOODPECKER_ESCALATE"),
+		Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
-		Name:    "escalate",
+		Name:    "plugins-privileged",
 		Usage:   "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
 		Value:   constant.PrivilegedPlugins,
 	},
 	&cli.StringSliceFlag{
 		Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
--- a/cmd/server/setup.go
+++ b/cmd/server/setup.go
@ -224,12 +224,7 @@ func setupEvilGlobals(ctx context.Context, c *cli.Command, s store.Store) error
 	server.Config.Pipeline.Volumes = c.StringSlice("volume")
 	server.Config.WebUI.EnableSwagger = c.Bool("enable-swagger")
 	server.Config.WebUI.SkipVersionCheck = c.Bool("skip-version-check")
-
+	server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("plugins-privileged")
 	// list has default value but should be able to be set to zero
 	server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("escalate")
 	if val, set := os.LookupEnv("WOODPECKER_ESCALATE"); set && val == "" {
 		server.Config.Pipeline.PrivilegedPlugins = []string{}
 	}
 	// prometheus
 	server.Config.Prometheus.AuthToken = c.String("prometheus-auth-token")
--- a/docs/docs/30-administration/10-server-config.md
+++ b/docs/docs/30-administration/10-server-config.md
@ -348,9 +348,7 @@ Context: when someone does log into Woodpecker, a temporary session token is cre
 As long as the session is valid (until it expires or log-out),
 a user can log into Woodpecker, without re-authentication.
-### `WOODPECKER_ESCALATE`
+### `WOODPECKER_PLUGINS_PRIVILEGED`
 > Defaults are defined in [shared/constant/constant.go](https://github.com/woodpecker-ci/woodpecker/blob/main/shared/constant/constant.go)
 Docker images to run in privileged mode. Only change if you are sure what you do!
--- a/docs/docs/91-migrations.md
+++ b/docs/docs/91-migrations.md
@ -4,9 +4,10 @@ Some versions need some changes to the server configuration or the pipeline conf
 ## `next`
 - Rename server environment variable `WOODPECKER_ESCALATE` to `WOODPECKER_PLUGINS_PRIVILEGED`
 - Remove all default privileged plugins ([re-add plugins to the list via config if needed](./30-administration/10-server-config.md#woodpecker_plugins_privileged)).
 - `WOODPECKER_DEFAULT_CLONE_IMAGE` got depricated use `WOODPECKER_DEFAULT_CLONE_PLUGIN`
 - Check trusted-clone- and privileged-plugins by image name and tag (if tag is set)
 - Remove `plugins/docker`, `plugins/gcr` and `plugins/ecr` from the default list of privileged plugins ([modify the list via config if needed](./30-administration/10-server-config.md#woodpecker_escalate)).
 - Secret filters for plugins now check against tag if specified
 - Removed `WOODPECKER_DEV_OAUTH_HOST` and `WOODPECKER_DEV_GITEA_OAUTH_URL` use `WOODPECKER_EXPERT_FORGE_OAUTH_HOST`
 - Compatibility mode of deprecated `pipeline:`, `platform:` and `branches:` pipeline config options are now removed and pipeline will now fail if still in use.
--- a/pipeline/frontend/yaml/linter/linter.go
+++ b/pipeline/frontend/yaml/linter/linter.go
@ -168,8 +168,8 @@ func (l *Linter) lintImage(config *WorkflowConfig, c *types.Container, area stri
 func (l *Linter) lintPrivilegedPlugins(config *WorkflowConfig, c *types.Container, area string) error {
 	// lint for conflicts of https://github.com/woodpecker-ci/woodpecker/pull/3918
-	if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr") {
+	if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx") {
-		msg := "Cannot use once privileged plugins removed from WOODPECKER_ESCALATE, use 'woodpeckerci/plugin-docker-buildx' instead"
+		msg := "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED"
 		// check first if user did not add them back
 		if l.privilegedPlugins != nil && !utils.MatchImage(c.Image, *l.privilegedPlugins...) {
 			return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), false)
--- a/pipeline/frontend/yaml/linter/linter_test.go
+++ b/pipeline/frontend/yaml/linter/linter_test.go
@ -171,7 +171,7 @@ func TestLintErrors(t *testing.T) {
 		},
 		{
 			from: "{steps: { build: { image: plugins/docker, settings: { test: 'true' } } }, when: { branch: main, event: push } } }",
-			want: "Cannot use once privileged plugins removed from WOODPECKER_ESCALATE, use 'woodpeckerci/plugin-docker-buildx' instead",
+			want: "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED",
 		},
 		{
 			from: "{steps: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push }, clone: { git: { image: some-other/plugin-git:v1.1.0 } } }",
--- a/shared/constant/constant.go
+++ b/shared/constant/constant.go
@ -14,12 +14,6 @@
 package constant
 // PrivilegedPlugins can be changed by 'WOODPECKER_ESCALATE' at runtime.
 var PrivilegedPlugins = []string{
 	"docker.io/woodpeckerci/plugin-docker-buildx",
 	"codeberg.org/woodpecker-plugins/docker-buildx",
 }
 // DefaultConfigOrder represent the priority in witch woodpecker search for a pipeline config by default
 // folders are indicated by supplying a trailing slash.
 var DefaultConfigOrder = [...]string{