check the permission of ca bundle file
The CA bundle needs to be checked before use. Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
parent
cecc0fe85a
commit
80c3e76b5a
@ -1,7 +1,8 @@
|
||||
# pylint: disable=no-value-for-parameter
|
||||
|
||||
import sys
|
||||
import logging
|
||||
import click
|
||||
|
||||
from utils.misc import delfile
|
||||
from utils.configs import validate, parse_yaml_config
|
||||
from utils.cert import prepare_ca, SSL_CERT_KEY_PATH, SSL_CERT_PATH, get_secret_key
|
||||
@ -34,7 +35,9 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
|
||||
try:
|
||||
validate(config_dict, notary_mode=with_notary)
|
||||
except Exception as e:
|
||||
print("Config validation Error: ", e)
|
||||
logging.info('Error happend in config validation...')
|
||||
logging.error(e)
|
||||
sys.exit(-1)
|
||||
|
||||
prepare_log_configs(config_dict)
|
||||
prepare_nginx(config_dict)
|
||||
|
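Review bot: The `except Exception as e` handler around `validate(...)` records only the message — `logging.error(e)` discards the traceback — and the preceding `logging.info('Error happend in config validation...')` misspells "happened" in a log line operators will grep for; which of these lines the commit adds is not recoverable from this view. Replacing the two logging calls with a single `logging.exception('Error happened in config validation')` keeps the stack trace and fixes the spelling, while the `print` and `sys.exit(-1)` can stay as they are. main's body starts and continues outside the hunk.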
@ -1,12 +1,15 @@
|
||||
import os
|
||||
import yaml
|
||||
import logging
|
||||
from g import versions_file_path
|
||||
from .misc import generate_random_string
|
||||
from g import versions_file_path, host_root_dir, DEFAULT_UID
|
||||
from utils.misc import generate_random_string, owner_can_read, other_can_read
|
||||
|
||||
default_db_max_idle_conns = 2 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
|
||||
default_db_max_open_conns = 0 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns
|
||||
default_https_cert_path = '/your/certificate/path'
|
||||
default_https_key_path = '/your/certificate/path'
|
||||
|
||||
|
||||
def validate(conf: dict, **kwargs):
|
||||
# hostname validate
|
||||
if conf.get('hostname') == '127.0.0.1':
|
||||
@ -47,6 +50,21 @@ def validate(conf: dict, **kwargs):
|
||||
if storage_provider_config == "":
|
||||
raise Exception(
|
||||
"Error: no provider configurations are provided for provider %s" % storage_provider_name)
|
||||
# ca_bundle validate
|
||||
if conf.get('registry_custom_ca_bundle_path'):
|
||||
registry_custom_ca_bundle_path = conf.get('registry_custom_ca_bundle_path') or ''
|
||||
ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path)
|
||||
try:
|
||||
uid = os.stat(ca_bundle_host_path).st_uid
|
||||
st_mode = os.stat(ca_bundle_host_path).st_mode
|
||||
except Exception as e:
|
||||
logging.error(e)
|
||||
raise Exception('Can not get file info')
|
||||
err_msg = 'Cert File {} should be owned by user with uid 10000 or readable by others'.format(registry_custom_ca_bundle_path)
|
||||
if uid == DEFAULT_UID and not owner_can_read(st_mode):
|
||||
raise Exception(err_msg)
|
||||
if uid != DEFAULT_UID and not other_can_read(st_mode):
|
||||
raise Exception(err_msg)
|
||||
|
||||
# Redis validate
|
||||
redis_host = conf.get("redis_host")
|
||||
|
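Review bot: `os.path.join(host_root_dir, registry_custom_ca_bundle_path)` on the line building `ca_bundle_host_path` drops `host_root_dir` entirely whenever the configured path is absolute, because `os.path.join` restarts at an absolute component; the `os.stat` then runs against the container's own filesystem instead of the mounted host root, so the ownership/mode verdict is made on the wrong file or fails with 'Can not get file info'. Stripping the leading separator keeps the lookup under the host root: `ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path.lstrip('/'))`. The two `os.stat` calls should collapse into one `st = os.stat(ca_bundle_host_path)` so uid and mode come from the same snapshot, and the `except Exception` should narrow to `OSError` and chain the cause (`raise Exception('Can not get file info') from e`) so the path and errno survive. `err_msg` also hardcodes uid 10000 while the comparison uses `DEFAULT_UID`; format `DEFAULT_UID` into the message so the two cannot drift. validate's body continues outside the hunk.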
@ -140,3 +140,17 @@ def check_permission(path: str, uid:int = None, gid:int = None, mode:int = None)
|
||||
if mode is not None and (path.stat().st_mode - mode) % 0o1000 != 0:
|
||||
return False
|
||||
return True
|
||||
|
||||
|
||||
def owner_can_read(st_mode: int) -> bool:
|
||||
"""
|
||||
Check if owner have the read permission of this st_mode
|
||||
"""
|
||||
return True if st_mode & 0o400 else False
|
||||
|
||||
|
||||
def other_can_read(st_mode: int) -> bool:
|
||||
"""
|
||||
Check if other user have the read permission of this st_mode
|
||||
"""
|
||||
return True if st_mode & 0o004 else False
|
||||
|
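Review bot: `owner_can_read` and `other_can_read` spell the permission bits as raw octal and wrap the test in a `True if ... else False` conditional; the stdlib names are clearer and the conditional is redundant: `return bool(st_mode & stat.S_IRUSR)` and `return bool(st_mode & stat.S_IROTH)` (add `import stat` if the module does not already have it — its import block is outside this hunk). The docstrings could read `Return True if the owner read bit is set in st_mode.` and `Return True if the others read bit is set in st_mode.`. `check_permission` starts outside the hunk.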