Merge pull request #9800 from ninjadq/failure_earlier_of_ca_bundle_permission_check

Failure earlier of ca bundle permission check

make/harbor.yml

@@ -96,7 +96,7 @@ log:
   #   port: 5140
 
 #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
-_version: 1.9.0
+_version: 1.10.0
 
 # Uncomment external_database if using external database.
 # external_database:

make/photon/prepare/main.py

@@ -1,7 +1,8 @@
 # pylint: disable=no-value-for-parameter
 
+import sys
+import logging
 import click
-
 from utils.misc import delfile
 from utils.configs import validate, parse_yaml_config
 from utils.cert import prepare_ca, SSL_CERT_KEY_PATH, SSL_CERT_PATH, get_secret_key
@@ -34,7 +35,9 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
     try:
         validate(config_dict, notary_mode=with_notary)
     except Exception as e:
-        print("Config validation Error: ", e)
+        logging.info('Error happend in config validation...')
+        logging.error(e)
+        sys.exit(-1)
 
     prepare_log_configs(config_dict)
     prepare_nginx(config_dict)

make/photon/prepare/utils/configs.py

@@ -1,12 +1,15 @@
+import os
 import yaml
 import logging
-from g import versions_file_path
-from .misc import generate_random_string
+from g import versions_file_path, host_root_dir, DEFAULT_UID
+from utils.misc import generate_random_string, owner_can_read, other_can_read
 
 default_db_max_idle_conns = 2  # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
 default_db_max_open_conns = 0  # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns
 default_https_cert_path = '/your/certificate/path'
 default_https_key_path = '/your/certificate/path'
+
+
 def validate(conf: dict, **kwargs):
     # hostname validate
     if conf.get('hostname') == '127.0.0.1':
@@ -47,6 +50,21 @@ def validate(conf: dict, **kwargs):
         if storage_provider_config == "":
             raise Exception(
                 "Error: no provider configurations are provided for provider %s" % storage_provider_name)
+    # ca_bundle validate
+    if conf.get('registry_custom_ca_bundle_path'):
+        registry_custom_ca_bundle_path = conf.get('registry_custom_ca_bundle_path') or ''
+        ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path)
+        try:
+            uid = os.stat(ca_bundle_host_path).st_uid
+            st_mode = os.stat(ca_bundle_host_path).st_mode
+        except Exception as e:
+            logging.error(e)
+            raise Exception('Can not get file info')
+        err_msg = 'Cert File {} should be owned by user with uid 10000 or readable by others'.format(registry_custom_ca_bundle_path)
+        if uid == DEFAULT_UID and not owner_can_read(st_mode):
+            raise Exception(err_msg)
+        if uid != DEFAULT_UID and not other_can_read(st_mode):
+            raise Exception(err_msg)
 
     # Redis validate
     redis_host = conf.get("redis_host")

make/photon/prepare/utils/misc.py

@@ -140,3 +140,17 @@ def check_permission(path: str, uid:int = None, gid:int = None, mode:int = None)
     if mode is not None and (path.stat().st_mode - mode) % 0o1000 != 0:
         return False
     return True
+
+
+def owner_can_read(st_mode: int) -> bool:
+    """
+    Check if owner have the read permission of this st_mode
+    """
+    return True if st_mode & 0o400 else False
+
+
+def other_can_read(st_mode: int) -> bool:
+    """
+    Check if other user have the read permission of this st_mode
+    """
+    return True if st_mode & 0o004 else False

tools/migration/cfg/migrator_1_10_0/harbor.yml.jinja

@@ -5,10 +5,14 @@
 hostname: {{ hostname }}
 
 # http related config
-{% if http %}
+{% if http is defined %}
 http:
   # port for http, default is 80. If https enabled, this port will redirect to https port
   port: {{ http.port }}
+{% else %}
+# http:
+#   # port for http, default is 80. If https enabled, this port will redirect to https port
+#   port: 80
 {% endif %}
 
 {% if https is defined %}