From 14a4f553aa24291443dcf61135fcfe259d038e58 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 22 Nov 2024 13:41:03 +0100
Subject: [PATCH] bake: add wildcard to fs entitlements to allow any paths
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 bake/entitlements.go | 31 ++++++++++++++++++++++++----
 bake/entitlements_test.go | 25 +++++++++++++++++++++++
 bake/entitlements_unix.go | 26 ------------------------
 bake/entitlements_windows.go | 39 ------------------------------------
 4 files changed, 52 insertions(+), 69 deletions(-)
 delete mode 100644 bake/entitlements_unix.go
 delete mode 100644 bake/entitlements_windows.go
diff --git a/bake/entitlements.go b/bake/entitlements.go
index 8fe8b5b634f6..b7160481894f 100644
--- a/bake/entitlements.go
+++ b/bake/entitlements.go
@@ -326,16 +326,18 @@ func isParentOrEqualPath(p, parent string) bool {
 }
 func findMissingPaths(set []string, paths map[string]struct{}) ([]string, error) {
- paths, err := evaluateToExistingPaths(paths)
+ set, allowAny, err := evaluatePaths(set)
 if err != nil {
 return nil, err
+ } else if allowAny {
+ return nil, nil
 }
- paths, err = dedupPaths(paths)
+
+ paths, err = evaluateToExistingPaths(paths)
 if err != nil {
 return nil, err
 }
-
- set, err = evaluatePaths(set)
+ paths, err = dedupPaths(paths)
 if err != nil {
 return nil, err
 }
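Review bot: The `} else if allowAny {` branch follows a terminating `return`, so the wildcard check reads better as its own guard after the error check closes — `}` / `if allowAny {` / `return nil, nil` — which is also the form revive's indent-error-flow check expects. The early return means a single `"*"` entry in set makes findMissingPaths report nothing missing without ever calling evaluateToExistingPaths or dedupPaths on paths, so that contract deserves a doc comment, e.g. `// findMissingPaths returns the entries of paths not under any entry of set; when set contains the "*" wildcard it returns nil without inspecting paths.` findMissingPaths continues past the end of the hunk.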
@@ -441,6 +443,27 @@ func removeCommonPaths(in, common []string) []string {
 return filtered
 }
+func evaluatePaths(in []string) ([]string, bool, error) {
+ out := make([]string, 0, len(in))
+ allowAny := false
+ for _, p := range in {
+ if p == "*" {
+ allowAny = true
+ continue
+ }
+ v, err := filepath.Abs(p)
+ if err != nil {
+ return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
+ }
+ v, err = filepath.EvalSymlinks(v)
+ if err != nil {
+ return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
+ }
+ out = append(out, v)
+ }
+ return out, allowAny, nil
+}
+
 func evaluateToExistingPaths(in map[string]struct{}) (map[string]struct{}, error) {
 m := make(map[string]struct{}, len(in))
 for p := range in {
diff --git a/bake/entitlements_test.go b/bake/entitlements_test.go
index c3ac586f337b..b4b2d9e7c2e8 100644
--- a/bake/entitlements_test.go
+++ b/bake/entitlements_test.go
@@ -343,6 +343,31 @@ func TestValidateEntitlements(t *testing.T) {
 conf: EntitlementConf{
 FSRead: []string{"/"},
 },
+ expected: EntitlementConf{
+ FSRead: func() []string {
+ // on windows root (/) is only allowed if it is the same volume as wd
+ if filepath.VolumeName(wd) == filepath.VolumeName(escapeLink) {
+ return nil
+ }
+ // if not, then escapeLink is not allowed
+ p, err := evaluateToExistingPath(escapeLink)
+ require.NoError(t, err)
+ return []string{p}
+ }(),
+ },
+ },
+ {
+ name: "SecretFromEscapeLinkAllowAny",
+ opt: build.Options{
+ SecretSpecs: []*pb.Secret{
+ {
+ FilePath: escapeLink,
+ },
+ },
+ },
+ conf: EntitlementConf{
+ FSRead: []string{"*"},
+ },
 expected: EntitlementConf{},
 },
 }
diff --git a/bake/entitlements_unix.go b/bake/entitlements_unix.go
deleted file mode 100644
index 660bc6fe6923..000000000000
--- a/bake/entitlements_unix.go
+++ /dev/null
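Review bot: evaluatePaths has no doc comment, and its contract is not obvious from the signature: only an entry that is exactly `"*"` is a wildcard, anything else (including `"/*"`) is resolved as a literal path and fails in EvalSymlinks if it does not exist, and the wildcard is reported out-of-band through the bool rather than in the returned slice. Suggested comment: `// evaluatePaths resolves each entry of in to an absolute, symlink-evaluated path.` / `// The literal entry "*" is not a path: it is dropped from the result and reported through the second return value, meaning every path is allowed.` Note also that the deleted entitlements_windows.go expanded `"/"` to every mounted drive; with this single implementation `"/"` goes through filepath.Abs, which on Windows appears to yield only the working directory's volume root (the new test comment says as much), so Windows users who relied on `"/"` now need `"*"` — worth a sentence in the commit message or a line in this comment.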
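Review bot: The new SecretFromEscapeLinkAllowAny case exercises FSRead with `"*"` on its own only; nothing pins down that the wildcard is an exact-string match or that it still applies when listed next to concrete entries, and FSWrite is not covered. Two sibling cases — `FSRead: []string{escapeLink, "*"}` expecting an empty conf, and `FSRead: []string{"/*"}` expecting a validation error or the secret path reported as missing — would lock in the sentinel semantics, assuming FSWrite flows through the same findMissingPaths (not visible in this hunk).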
@@ -1,26 +0,0 @@
-//go:build !windows
-// +build !windows
-
-package bake
-
-import (
- "path/filepath"
-
- "github.com/pkg/errors"
-)
-
-func evaluatePaths(in []string) ([]string, error) {
- out := make([]string, 0, len(in))
- for _, p := range in {
- v, err := filepath.Abs(p)
- if err != nil {
- return nil, err
- }
- v, err = filepath.EvalSymlinks(v)
- if err != nil {
- return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
- }
- out = append(out, v)
- }
- return out, nil
-}
diff --git a/bake/entitlements_windows.go b/bake/entitlements_windows.go
deleted file mode 100644
index c1cda8c07389..000000000000
--- a/bake/entitlements_windows.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package bake
-
-import (
- "os"
- "path/filepath"
-
- "github.com/pkg/errors"
-)
-
-func evaluatePaths(in []string) ([]string, error) {
- out := make([]string, 0, len(in))
- for _, p := range in {
- if p == "/" {
- out = append(out, getAllVolumes()...)
- continue
- }
- v, err := filepath.Abs(p)
- if err != nil {
- return nil, err
- }
- v, err = filepath.EvalSymlinks(v)
- if err != nil {
- return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
- }
- out = append(out, v)
- }
- return out, nil
- }
-
-func getAllVolumes() []string {
- var volumes []string
- for _, drive := range "ABCDEFGHIJKLMNOPQRSTUVWXYZ" {
- p := string(drive) + ":" + string(filepath.Separator)
- if _, err := os.Stat(p); !os.IsNotExist(err) {
- volumes = append(volumes, p)
- }
- }
- return volumes
-}