Merge pull request #9800 from ninjadq/failure_earlier_of_ca_bundle_permission_check

Fail earlier on CA bundle permission check
Wang Yan 2019-11-11 14:09:21 +08:00 committed by GitHub
commit 6da183d576
5 changed files with 45 additions and 6 deletions


@ -96,7 +96,7 @@ log:
# port: 5140 # port: 5140
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY! #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 1.9.0 _version: 1.10.0
# Uncomment external_database if using external database. # Uncomment external_database if using external database.
# external_database: # external_database:


@ -1,7 +1,8 @@
# pylint: disable=no-value-for-parameter # pylint: disable=no-value-for-parameter
import sys
import logging
import click import click
from utils.misc import delfile from utils.misc import delfile
from utils.configs import validate, parse_yaml_config from utils.configs import validate, parse_yaml_config
from utils.cert import prepare_ca, SSL_CERT_KEY_PATH, SSL_CERT_PATH, get_secret_key from utils.cert import prepare_ca, SSL_CERT_KEY_PATH, SSL_CERT_PATH, get_secret_key
@ -34,7 +35,9 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
try: try:
validate(config_dict, notary_mode=with_notary) validate(config_dict, notary_mode=with_notary)
except Exception as e: except Exception as e:
print("Config validation Error: ", e) logging.info('Error happend in config validation...')
logging.error(e)
sys.exit(-1)
prepare_log_configs(config_dict) prepare_log_configs(config_dict)
prepare_nginx(config_dict) prepare_nginx(config_dict)
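Review bot: The new except branch logs the context line at INFO and only the exception itself at ERROR, so under the default WARNING threshold an operator sees the bare exception text with no hint that config validation is what failed, and `sys.exit(-1)` surfaces as exit status 255 rather than a conventional non-zero code. Collapse the two calls into one and use a proper status: `logging.error('Error happened in config validation: %s', e)` followed by `sys.exit(1)`. That also fixes the 'happend' typo in the message. main() continues past the end of this hunk.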


@ -1,12 +1,15 @@
import os
import yaml import yaml
import logging import logging
from g import versions_file_path from g import versions_file_path, host_root_dir, DEFAULT_UID
from .misc import generate_random_string from utils.misc import generate_random_string, owner_can_read, other_can_read
default_db_max_idle_conns = 2 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns default_db_max_idle_conns = 2 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
default_db_max_open_conns = 0 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns default_db_max_open_conns = 0 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns
default_https_cert_path = '/your/certificate/path' default_https_cert_path = '/your/certificate/path'
default_https_key_path = '/your/certificate/path' default_https_key_path = '/your/certificate/path'
def validate(conf: dict, **kwargs): def validate(conf: dict, **kwargs):
# hostname validate # hostname validate
if conf.get('hostname') == '127.0.0.1': if conf.get('hostname') == '127.0.0.1':
@ -47,6 +50,21 @@ def validate(conf: dict, **kwargs):
if storage_provider_config == "": if storage_provider_config == "":
raise Exception( raise Exception(
"Error: no provider configurations are provided for provider %s" % storage_provider_name) "Error: no provider configurations are provided for provider %s" % storage_provider_name)
# ca_bundle validate
if conf.get('registry_custom_ca_bundle_path'):
registry_custom_ca_bundle_path = conf.get('registry_custom_ca_bundle_path') or ''
ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path)
try:
uid = os.stat(ca_bundle_host_path).st_uid
st_mode = os.stat(ca_bundle_host_path).st_mode
except Exception as e:
logging.error(e)
raise Exception('Can not get file info')
err_msg = 'Cert File {} should be owned by user with uid 10000 or readable by others'.format(registry_custom_ca_bundle_path)
if uid == DEFAULT_UID and not owner_can_read(st_mode):
raise Exception(err_msg)
if uid != DEFAULT_UID and not other_can_read(st_mode):
raise Exception(err_msg)
# Redis validate # Redis validate
redis_host = conf.get("redis_host") redis_host = conf.get("redis_host")
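Review bot: `os.path.join(host_root_dir, registry_custom_ca_bundle_path)` returns the second argument unchanged whenever it is absolute, so if this option carries an absolute host path (as a certificate path normally does) the host_root_dir prefix is silently dropped and the permission check stats a path inside the prepare container rather than the mounted host file — confirm what values this option is expected to hold. The same block also stats the file twice, replaces the underlying OSError with a generic 'Can not get file info' that names neither the path nor the cause, and hard-codes `uid 10000` in err_msg while the comparison uses DEFAULT_UID, so the two can drift apart. The rewrite below stats once, chains the original error, formats DEFAULT_UID into the message and strips the leading slash before joining; the rest of validate() lies outside this hunk.
```python
    # … unchanged: storage provider validation …
    # ca_bundle validate
    if conf.get('registry_custom_ca_bundle_path'):
        registry_custom_ca_bundle_path = conf.get('registry_custom_ca_bundle_path')
        # os.path.join discards host_root_dir when the configured path is absolute,
        # so anchor the path under the host root explicitly
        ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path.lstrip('/'))
        try:
            st = os.stat(ca_bundle_host_path)
        except OSError as e:
            raise Exception('Can not get file info of {}'.format(ca_bundle_host_path)) from e
        err_msg = 'Cert File {} should be owned by user with uid {} or readable by others'.format(
            registry_custom_ca_bundle_path, DEFAULT_UID)
        # the file must be readable by whichever identity the registry will use to open it
        readable = owner_can_read(st.st_mode) if st.st_uid == DEFAULT_UID else other_can_read(st.st_mode)
        if not readable:
            raise Exception(err_msg)
    # … unchanged: Redis validate …
```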


@ -140,3 +140,17 @@ def check_permission(path: str, uid:int = None, gid:int = None, mode:int = None)
if mode is not None and (path.stat().st_mode - mode) % 0o1000 != 0: if mode is not None and (path.stat().st_mode - mode) % 0o1000 != 0:
return False return False
return True return True
def owner_can_read(st_mode: int) -> bool:
"""
Check if owner have the read permission of this st_mode
"""
return True if st_mode & 0o400 else False
def other_can_read(st_mode: int) -> bool:
"""
Check if other user have the read permission of this st_mode
"""
return True if st_mode & 0o004 else False
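Review bot: `return True if st_mode & 0o400 else False` is a roundabout way to coerce to bool; `return bool(st_mode & stat.S_IRUSR)` and `return bool(st_mode & stat.S_IROTH)` express the same with the named constants from the stdlib `stat` module (add `import stat` at the top of the file). The docstrings should also say that only the owner or other read bit is inspected and group bits are ignored, e.g. `"""Return True if the owner read bit (S_IRUSR) is set in st_mode; group bits are not consulted."""`, since the caller in utils/configs.py relies on that to reject a bundle that is only group-readable. check_permission() begins outside this hunk.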


@ -5,10 +5,14 @@
hostname: {{ hostname }} hostname: {{ hostname }}
# http related config # http related config
{% if http %} {% if http is defined %}
http: http:
# port for http, default is 80. If https enabled, this port will redirect to https port # port for http, default is 80. If https enabled, this port will redirect to https port
port: {{ http.port }} port: {{ http.port }}
{% else %}
# http:
# # port for http, default is 80. If https enabled, this port will redirect to https port
# port: 80
{% endif %} {% endif %}
{% if https is defined %} {% if https is defined %}
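Review bot: `{% if http is defined %}` is also true when the `http` key is present with a null or empty value, in which case the new branch renders `port: {{ http.port }}` with an undefined attribute (empty output or an error, depending on the environment's Undefined setting) instead of falling through to the commented default that the old `{% if http %}` would have produced. If the intent is only to distinguish an absent key from a present one, `{% if http is defined and http %}` keeps both behaviours. Whether an empty `http:` mapping can reach this template depends on the loader, which is outside the hunk.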