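// isOnbuildAllowed checks a list of Docker ONBUILD instructions for
// USER directives. It returns true only if every user named by such a
// directive falls within the allowed range list.
//
// Only USER instructions are inspected; every other ONBUILD instruction
// is skipped. The instruction keyword is matched case-insensitively.
// A USER instruction that carries no argument cannot be validated and is
// treated as not allowed, so a malformed directive fails closed instead
// of panicking on the missing second split part.
func isOnbuildAllowed(directives []string, allowed *user.RangeList) bool {
	for _, line := range directives {
		parts := dockerLineDelim.Split(line, 2)
		if len(parts) == 0 || strings.ToLower(parts[0]) != "user" {
			continue
		}
		if len(parts) < 2 {
			// "USER" with nothing after it: there is no user to validate.
			return false
		}
		uname := extractUser(parts[1])
		if !user.IsUserAllowed(uname, allowed) {
			return false
		}
	}
	return true
}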
// checkAllowedUser verifies that the builder image named in config runs as a
// user permitted by config.AllowedUIDs.
//
// When no allowed UIDs are configured (nil or empty list) the check is skipped
// and nil is returned. Otherwise the user recorded in the image configuration
// is validated, and, when isOnbuild is set, every ONBUILD USER instruction of
// the image is validated as well. Errors from the Docker client are returned
// unchanged; a disallowed user is reported as a BuilderUserNotAllowedError
// whose second argument records whether the ONBUILD check was the one that
// failed.
func checkAllowedUser(d docker.Docker, config *api.Config, isOnbuild bool) error {
	// No restriction configured: nothing to enforce.
	if config.AllowedUIDs == nil || config.AllowedUIDs.Empty() {
		return nil
	}

	imageUser, err := d.GetImageUser(config.BuilderImage)
	if err != nil {
		return err
	}
	if !userutil.IsUserAllowed(imageUser, &config.AllowedUIDs) {
		return errors.NewBuilderUserNotAllowedError(config.BuilderImage, false)
	}

	if !isOnbuild {
		return nil
	}
	cmds, err := d.GetOnBuild(config.BuilderImage)
	if err != nil {
		return err
	}
	if !userutil.IsOnbuildAllowed(cmds, &config.AllowedUIDs) {
		return errors.NewBuilderUserNotAllowedError(config.BuilderImage, true)
	}
	return nil
}
// CheckAllowedUser checks if the Docker image contains allowed users // FIXME: @cswong this need better godoc func CheckAllowedUser(d Docker, imageName string, uids user.RangeList, isOnbuild bool) error { if uids == nil || uids.Empty() { return nil } imageUser, err := d.GetImageUser(imageName) if err != nil { return err } if !user.IsUserAllowed(imageUser, &uids) { return errors.NewBuilderUserNotAllowedError(imageName, false) } if isOnbuild { cmds, err := d.GetOnBuild(imageName) if err != nil { return err } if !user.IsOnbuildAllowed(cmds, &uids) { return errors.NewBuilderUserNotAllowedError(imageName, true) } } return nil }