check the permission of ca bundle file

The CA bundle file needs to be checked (ownership and read permission) before it is used.

Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
DQ 2019-11-08 13:28:46 +08:00
parent cecc0fe85a
commit 80c3e76b5a
3 changed files with 39 additions and 4 deletions


@ -1,7 +1,8 @@
# pylint: disable=no-value-for-parameter
import sys
import logging
import click
from utils.misc import delfile
from utils.configs import validate, parse_yaml_config
from utils.cert import prepare_ca, SSL_CERT_KEY_PATH, SSL_CERT_PATH, get_secret_key
@ -34,7 +35,9 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
try:
validate(config_dict, notary_mode=with_notary)
except Exception as e:
print("Config validation Error: ", e)
logging.info('Error happend in config validation...')
logging.error(e)
sys.exit(-1)
prepare_log_configs(config_dict)
prepare_nginx(config_dict)
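Review bot: The new log line in the validation `except` block misspells "happened" — `logging.info('Error happened in config validation...')`. Since the preceding `print("Config validation Error: ", e)` already writes the same error to stdout and the default logging handler writes to stderr, the failure is presumably reported twice on a console; the two could be folded into one `logging.error('Config validation error: %s', e)` if stdout output is not relied on elsewhere. The enclosing `main` begins outside this hunk, so the shape of the surrounding try/except is only partly visible here.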


@ -1,12 +1,15 @@
import os
import yaml
import logging
from g import versions_file_path
from .misc import generate_random_string
from g import versions_file_path, host_root_dir, DEFAULT_UID
from utils.misc import generate_random_string, owner_can_read, other_can_read
default_db_max_idle_conns = 2 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
default_db_max_open_conns = 0 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns
default_https_cert_path = '/your/certificate/path'
default_https_key_path = '/your/certificate/path'
def validate(conf: dict, **kwargs):
# hostname validate
if conf.get('hostname') == '127.0.0.1':
@ -47,6 +50,21 @@ def validate(conf: dict, **kwargs):
if storage_provider_config == "":
raise Exception(
"Error: no provider configurations are provided for provider %s" % storage_provider_name)
# ca_bundle validate
if conf.get('registry_custom_ca_bundle_path'):
registry_custom_ca_bundle_path = conf.get('registry_custom_ca_bundle_path') or ''
ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path)
try:
uid = os.stat(ca_bundle_host_path).st_uid
st_mode = os.stat(ca_bundle_host_path).st_mode
except Exception as e:
logging.error(e)
raise Exception('Can not get file info')
err_msg = 'Cert File {} should be owned by user with uid 10000 or readable by others'.format(registry_custom_ca_bundle_path)
if uid == DEFAULT_UID and not owner_can_read(st_mode):
raise Exception(err_msg)
if uid != DEFAULT_UID and not other_can_read(st_mode):
raise Exception(err_msg)
# Redis validate
redis_host = conf.get("redis_host")
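Review bot: The new `ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path)` silently drops `host_root_dir` whenever the configured path is absolute, because `os.path.join` discards every preceding component once it meets an absolute one; a host path written as `/etc/ssl/ca.crt` would therefore be stat'ed at that literal path instead of under the host root, and the ownership/permission verdict would apply to the wrong file (or fail with "Can not get file info"). Whether `host_root_dir` is a mount prefix is not visible here, but if it is, the join should strip the leading separator: `ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path.lstrip('/'))`. The block also calls `os.stat` twice on the same path and re-raises without the path or cause; one call, `st = os.stat(ca_bundle_host_path)` with `uid, st_mode = st.st_uid, st.st_mode`, and `raise Exception('Can not get file info for {}'.format(ca_bundle_host_path)) from e`, keeps the check atomic and the error actionable. A `stat.S_ISREG(st_mode)` guard would additionally reject directories and devices that pass the read-bit test. The enclosing `validate` starts before this hunk.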


@ -140,3 +140,17 @@ def check_permission(path: str, uid:int = None, gid:int = None, mode:int = None)
if mode is not None and (path.stat().st_mode - mode) % 0o1000 != 0:
return False
return True
def owner_can_read(st_mode: int) -> bool:
"""
Check if owner have the read permission of this st_mode
"""
return True if st_mode & 0o400 else False
def other_can_read(st_mode: int) -> bool:
"""
Check if other user have the read permission of this st_mode
"""
return True if st_mode & 0o004 else False
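Review bot: Both new helpers spell a boolean conversion as `True if st_mode & 0o400 else False`; the idiomatic form is `return bool(st_mode & 0o400)` and `return bool(st_mode & 0o004)`, which reads the same and drops the conditional. If the `stat` module is available in this file (its imports are not in the hunk), `stat.S_IRUSR` and `stat.S_IROTH` name the same bits and make the intent explicit without the octal literal. The docstrings could also state that the argument is the raw `st_mode` from `os.stat`, e.g. `"""Return True if the owner read bit (0o400) is set in ``st_mode`` (as returned by os.stat)."""`.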