

bake: add wildcard to fs entitlements to allow any paths
Signed-off-by: CrazyMax <[email protected]>
crazy-max committed Nov 25, 2024
1 parent 17eff25 commit 14a4f55
Showing 4 changed files with 52 additions and 69 deletions.
31 changes: 27 additions & 4 deletions bake/entitlements.go
Expand Up @@ -326,16 +326,18 @@ func isParentOrEqualPath(p, parent string) bool {
}

func findMissingPaths(set []string, paths map[string]struct{}) ([]string, error) {
paths, err := evaluateToExistingPaths(paths)
set, allowAny, err := evaluatePaths(set)
if err != nil {
return nil, err
} else if allowAny {
return nil, nil
}
paths, err = dedupPaths(paths)

paths, err = evaluateToExistingPaths(paths)
if err != nil {
return nil, err
}

set, err = evaluatePaths(set)
paths, err = dedupPaths(paths)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -441,6 +443,27 @@ func removeCommonPaths(in, common []string) []string {
return filtered
}

func evaluatePaths(in []string) ([]string, bool, error) {
out := make([]string, 0, len(in))
allowAny := false
for _, p := range in {
if p == "*" {
allowAny = true
continue
}
v, err := filepath.Abs(p)
if err != nil {
return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
}
v, err = filepath.EvalSymlinks(v)
if err != nil {
return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
}
out = append(out, v)
}
return out, allowAny, nil
}

func evaluateToExistingPaths(in map[string]struct{}) (map[string]struct{}, error) {
m := make(map[string]struct{}, len(in))
for p := range in {
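Review bot: evaluatePaths keeps resolving the remaining entries after it has seen `*`, so a set such as `{"*", "<nonexistent path>"}` fails in filepath.EvalSymlinks with "failed to evaluate path" even though findMissingPaths would discard the resolved list and allow everything once allowAny is set; either stop at the wildcard, `if p == "*" { return nil, true, nil }`, or leave a comment stating that the other entries are still validated on purpose. The `return nil, nil` added to findMissingPaths also deserves a why-comment, because a single `*` entry switches off the whole fs check for that set and nothing at the return site says so: `// "*" allows any path, so nothing can be missing; skip resolving the requested paths`. evaluatePaths has no doc comment; suggest `// evaluatePaths returns the absolute, symlink-resolved form of each entry in in and reports whether the bare "*" wildcard was present.` findMissingPaths continues past the end of the first hunk.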
25 changes: 25 additions & 0 deletions bake/entitlements_test.go
Expand Up @@ -343,6 +343,31 @@ func TestValidateEntitlements(t *testing.T) {
conf: EntitlementConf{
FSRead: []string{"/"},
},
expected: EntitlementConf{
FSRead: func() []string {
// on windows root (/) is only allowed if it is the same volume as wd
if filepath.VolumeName(wd) == filepath.VolumeName(escapeLink) {
return nil
}
// if not, then escapeLink is not allowed
p, err := evaluateToExistingPath(escapeLink)
require.NoError(t, err)
return []string{p}
}(),
},
},
{
name: "SecretFromEscapeLinkAllowAny",
opt: build.Options{
SecretSpecs: []*pb.Secret{
{
FilePath: escapeLink,
},
},
},
conf: EntitlementConf{
FSRead: []string{"*"},
},
expected: EntitlementConf{},
},
}
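Review bot: The new SecretFromEscapeLinkAllowAny case only covers a set that is exactly `[]string{"*"}`, so it does not pin what happens when the wildcard is mixed with other entries, which is where the visible evaluatePaths still resolves every non-wildcard path and can return an error instead of allowing everything. A second case with `FSRead: []string{"*", "<nonexistent path>"}` and the intended outcome (either `expected: EntitlementConf{}` or an error) would document which behaviour is meant. TestValidateEntitlements starts and ends outside the hunk.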
26 changes: 0 additions & 26 deletions bake/entitlements_unix.go

This file was deleted.

39 changes: 0 additions & 39 deletions bake/entitlements_windows.go

This file was deleted.
