mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-25 19:56:09 +01:00
Merge pull request #9800 from ninjadq/failure_earlier_of_ca_bundle_permission_check
Failure earlier of ca bundle permission check
This commit is contained in:
commit
6da183d576
@ -96,7 +96,7 @@ log:
|
|||||||
# port: 5140
|
# port: 5140
|
||||||
|
|
||||||
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
|
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
|
||||||
_version: 1.9.0
|
_version: 1.10.0
|
||||||
|
|
||||||
# Uncomment external_database if using external database.
|
# Uncomment external_database if using external database.
|
||||||
# external_database:
|
# external_database:
|
||||||
|
@ -1,7 +1,8 @@
|
|||||||
# pylint: disable=no-value-for-parameter
|
# pylint: disable=no-value-for-parameter
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import logging
|
||||||
import click
|
import click
|
||||||
|
|
||||||
from utils.misc import delfile
|
from utils.misc import delfile
|
||||||
from utils.configs import validate, parse_yaml_config
|
from utils.configs import validate, parse_yaml_config
|
||||||
from utils.cert import prepare_ca, SSL_CERT_KEY_PATH, SSL_CERT_PATH, get_secret_key
|
from utils.cert import prepare_ca, SSL_CERT_KEY_PATH, SSL_CERT_PATH, get_secret_key
|
||||||
@ -34,7 +35,9 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
|
|||||||
try:
|
try:
|
||||||
validate(config_dict, notary_mode=with_notary)
|
validate(config_dict, notary_mode=with_notary)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print("Config validation Error: ", e)
|
logging.info('Error happend in config validation...')
|
||||||
|
logging.error(e)
|
||||||
|
sys.exit(-1)
|
||||||
|
|
||||||
prepare_log_configs(config_dict)
|
prepare_log_configs(config_dict)
|
||||||
prepare_nginx(config_dict)
|
prepare_nginx(config_dict)
|
||||||
|
@ -1,12 +1,15 @@
|
|||||||
|
import os
|
||||||
import yaml
|
import yaml
|
||||||
import logging
|
import logging
|
||||||
from g import versions_file_path
|
from g import versions_file_path, host_root_dir, DEFAULT_UID
|
||||||
from .misc import generate_random_string
|
from utils.misc import generate_random_string, owner_can_read, other_can_read
|
||||||
|
|
||||||
default_db_max_idle_conns = 2 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
|
default_db_max_idle_conns = 2 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
|
||||||
default_db_max_open_conns = 0 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns
|
default_db_max_open_conns = 0 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns
|
||||||
default_https_cert_path = '/your/certificate/path'
|
default_https_cert_path = '/your/certificate/path'
|
||||||
default_https_key_path = '/your/certificate/path'
|
default_https_key_path = '/your/certificate/path'
|
||||||
|
|
||||||
|
|
||||||
def validate(conf: dict, **kwargs):
|
def validate(conf: dict, **kwargs):
|
||||||
# hostname validate
|
# hostname validate
|
||||||
if conf.get('hostname') == '127.0.0.1':
|
if conf.get('hostname') == '127.0.0.1':
|
||||||
@ -47,6 +50,21 @@ def validate(conf: dict, **kwargs):
|
|||||||
if storage_provider_config == "":
|
if storage_provider_config == "":
|
||||||
raise Exception(
|
raise Exception(
|
||||||
"Error: no provider configurations are provided for provider %s" % storage_provider_name)
|
"Error: no provider configurations are provided for provider %s" % storage_provider_name)
|
||||||
|
# ca_bundle validate
|
||||||
|
if conf.get('registry_custom_ca_bundle_path'):
|
||||||
|
registry_custom_ca_bundle_path = conf.get('registry_custom_ca_bundle_path') or ''
|
||||||
|
ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path)
|
||||||
|
try:
|
||||||
|
uid = os.stat(ca_bundle_host_path).st_uid
|
||||||
|
st_mode = os.stat(ca_bundle_host_path).st_mode
|
||||||
|
except Exception as e:
|
||||||
|
logging.error(e)
|
||||||
|
raise Exception('Can not get file info')
|
||||||
|
err_msg = 'Cert File {} should be owned by user with uid 10000 or readable by others'.format(registry_custom_ca_bundle_path)
|
||||||
|
if uid == DEFAULT_UID and not owner_can_read(st_mode):
|
||||||
|
raise Exception(err_msg)
|
||||||
|
if uid != DEFAULT_UID and not other_can_read(st_mode):
|
||||||
|
raise Exception(err_msg)
|
||||||
|
|
||||||
# Redis validate
|
# Redis validate
|
||||||
redis_host = conf.get("redis_host")
|
redis_host = conf.get("redis_host")
|
||||||
|
@ -140,3 +140,17 @@ def check_permission(path: str, uid:int = None, gid:int = None, mode:int = None)
|
|||||||
if mode is not None and (path.stat().st_mode - mode) % 0o1000 != 0:
|
if mode is not None and (path.stat().st_mode - mode) % 0o1000 != 0:
|
||||||
return False
|
return False
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
def owner_can_read(st_mode: int) -> bool:
|
||||||
|
"""
|
||||||
|
Check if owner have the read permission of this st_mode
|
||||||
|
"""
|
||||||
|
return True if st_mode & 0o400 else False
|
||||||
|
|
||||||
|
|
||||||
|
def other_can_read(st_mode: int) -> bool:
|
||||||
|
"""
|
||||||
|
Check if other user have the read permission of this st_mode
|
||||||
|
"""
|
||||||
|
return True if st_mode & 0o004 else False
|
||||||
|
@ -5,10 +5,14 @@
|
|||||||
hostname: {{ hostname }}
|
hostname: {{ hostname }}
|
||||||
|
|
||||||
# http related config
|
# http related config
|
||||||
{% if http %}
|
{% if http is defined %}
|
||||||
http:
|
http:
|
||||||
# port for http, default is 80. If https enabled, this port will redirect to https port
|
# port for http, default is 80. If https enabled, this port will redirect to https port
|
||||||
port: {{ http.port }}
|
port: {{ http.port }}
|
||||||
|
{% else %}
|
||||||
|
# http:
|
||||||
|
# # port for http, default is 80. If https enabled, this port will redirect to https port
|
||||||
|
# port: 80
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if https is defined %}
|
{% if https is defined %}
|
||||||
|
Loading…
Reference in New Issue
Block a user