generated from kubewarden/go-policy-template
-
Notifications
You must be signed in to change notification settings - Fork 3
/
settings.go
121 lines (100 loc) · 3.04 KB
/
settings.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
package main
import (
"encoding/json"
mapset "github.com/deckarep/golang-set/v2"
"github.com/kubewarden/gjson"
kubewarden "github.com/kubewarden/policy-sdk-go"
"fmt"
"strings"
)
type Settings struct {
AllowedUnsafeSysctls mapset.Set[string] `json:"allowedUnsafeSysctls"`
ForbiddenSysctls mapset.Set[string] `json:"forbiddenSysctls"`
}
// Builds a new Settings instance starting from a validation
// request payload:
//
// {
// "request": ...,
// "settings": {
// "allowedUnsafeSysctls": [...],
// "forbiddenSysctls": [...]
// }
// }
func NewSettingsFromValidationReq(payload []byte) (Settings, error) {
settingsJson := gjson.GetBytes(payload, "settings")
settings := Settings{}
err := json.Unmarshal([]byte(settingsJson.Raw), &settings)
if err != nil {
return Settings{}, err
}
return settings, nil
}
// Builds a new Settings instance starting from a Settings
// payload:
//
// {
// "allowedUnsafeSysctls": [...],
// "forbiddenSysctls": [...]
// }
func NewSettingsFromValidateSettingsPayload(payload []byte) (Settings, error) {
settings := Settings{}
err := json.Unmarshal(payload, &settings)
if err != nil {
return Settings{}, err
}
return settings, nil
}
func (s *Settings) UnmarshalJSON(data []byte) error {
// This is needed becaus golang-set v2.3.0 has a bug that prevents
// the correct unmarshalling of ThreadUnsafeSet types.
rawSettings := struct {
AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls"`
ForbiddenSysctls []string `json:"forbiddenSysctls"`
}{}
err := json.Unmarshal(data, &rawSettings)
if err != nil {
return err
}
s.AllowedUnsafeSysctls = mapset.NewThreadUnsafeSet(rawSettings.AllowedUnsafeSysctls...)
s.ForbiddenSysctls = mapset.NewThreadUnsafeSet(rawSettings.ForbiddenSysctls...)
return nil
}
func (s *Settings) Valid() (bool, error) {
for _, elem := range s.AllowedUnsafeSysctls.ToSlice() {
if strings.Contains(elem, "*") {
return false,
fmt.Errorf("allowedUnsafeSysctls doesn't accept patterns with `*`")
}
}
for _, elem := range s.ForbiddenSysctls.ToSlice() {
if strings.Contains(elem, "*") &&
!strings.HasSuffix(elem, "*") {
return false,
fmt.Errorf("forbiddenSysctls only accepts patterns with `*` as suffix")
}
}
allowedAndForbidden := s.AllowedUnsafeSysctls.Intersect(s.ForbiddenSysctls)
if allowedAndForbidden.Cardinality() != 0 {
return false,
fmt.Errorf("these sysctls cannot be allowed and forbidden at the same time: %s",
strings.Join(allowedAndForbidden.ToSlice(), ","),
)
}
return true, nil
}
func validateSettings(payload []byte) ([]byte, error) {
logger.Info("validating settings")
settings, err := NewSettingsFromValidateSettingsPayload(payload)
if err != nil {
return kubewarden.RejectSettings(
kubewarden.Message(fmt.Sprintf("provided settings are not valid: %v", err)))
}
valid, err := settings.Valid()
if valid {
return kubewarden.AcceptSettings()
}
logger.Warn("rejecting settings")
return kubewarden.RejectSettings(
kubewarden.Message(fmt.Sprintf("provided settings are not valid: %v", err)))
}