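// isOnbuildAllowed checks a list of Docker ONBUILD instructions for
// USER directives and reports whether every user they name falls within
// the allowed range list.
//
// The directives come from image metadata, so they are not assumed to be
// well formed: a USER instruction that carries no argument cannot be
// validated and is treated as not allowed (fail closed) instead of
// indexing past the end of the split line.
func isOnbuildAllowed(directives []string, allowed *user.RangeList) bool {
	for _, line := range directives {
		// At most two fields: the instruction keyword and the rest of the line.
		parts := dockerLineDelim.Split(line, 2)
		if len(parts) == 0 || !strings.EqualFold(parts[0], "user") {
			continue
		}
		if len(parts) < 2 {
			// "USER" with nothing after it: there is no user to check, so
			// refuse rather than assume it is acceptable.
			return false
		}
		uname := extractUser(parts[1])
		if !user.IsUserAllowed(uname, allowed) {
			return false
		}
	}
	return true
}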
// checkAllowedUser verifies that the builder image named in config runs as
// a user contained in config.AllowedUIDs. When isOnbuild is set, the
// image's ONBUILD instructions are inspected as well. A nil or empty
// allow-list disables the check entirely.
func checkAllowedUser(d docker.Docker, config *api.Config, isOnbuild bool) error {
	if config.AllowedUIDs == nil || config.AllowedUIDs.Empty() {
		// No restriction configured: nothing to enforce.
		return nil
	}
	allowed := &config.AllowedUIDs
	image := config.BuilderImage

	imageUser, err := d.GetImageUser(image)
	if err != nil {
		return err
	}
	if !userutil.IsUserAllowed(imageUser, allowed) {
		return errors.NewBuilderUserNotAllowedError(image, false)
	}
	if !isOnbuild {
		return nil
	}

	cmds, err := d.GetOnBuild(image)
	if err != nil {
		return err
	}
	if !userutil.IsOnbuildAllowed(cmds, allowed) {
		return errors.NewBuilderUserNotAllowedError(image, true)
	}
	return nil
}
// CheckAllowedUser reports, as an error, whether the image imageName runs
// as a user outside the uids range list. The image's configured user is
// always checked; when isOnbuild is true its ONBUILD instructions are
// checked too. A nil or empty uids disables the check and yields nil.
// Lookup failures from d are returned unchanged.
func CheckAllowedUser(d Docker, imageName string, uids user.RangeList, isOnbuild bool) error {
	if uids == nil || uids.Empty() {
		// No restriction configured: nothing to enforce.
		return nil
	}
	allowed := &uids

	imageUser, err := d.GetImageUser(imageName)
	if err != nil {
		return err
	}
	if !user.IsUserAllowed(imageUser, allowed) {
		return errors.NewBuilderUserNotAllowedError(imageName, false)
	}
	if !isOnbuild {
		return nil
	}

	cmds, err := d.GetOnBuild(imageName)
	if err != nil {
		return err
	}
	if !user.IsOnbuildAllowed(cmds, allowed) {
		return errors.NewBuilderUserNotAllowedError(imageName, true)
	}
	return nil
}