File: entitlements.go

package entitlements

import (
	"github.com/pkg/errors"
)

// Entitlement names a privilege a build may be granted beyond its default
// confinement. Only the values registered in `all` are recognised by Parse.
type Entitlement string

const (
	// EntitlementSecurityInsecure is the entitlement spelled
	// "security.insecure"; Check requires it whenever Values.SecurityInsecure
	// is set.
	EntitlementSecurityInsecure Entitlement = "security.insecure"
	// EntitlementNetworkHost is the entitlement spelled "network.host"; Check
	// requires it whenever Values.NetworkHost is set.
	EntitlementNetworkHost      Entitlement = "network.host"
)

// all is the closed set of entitlements Parse accepts. Any other string,
// including the empty string, is rejected, so the set doubles as the
// allow-list of names that can ever be granted.
var all = map[Entitlement]struct{}{
	EntitlementSecurityInsecure: {},
	EntitlementNetworkHost:      {},
}

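// Parse validates s against the closed set of known entitlements (`all`)
// and returns it as an Entitlement.
//
// It returns a non-nil error for any unrecognised name, including the empty
// string. The rejected input is rendered with %q rather than %s so that an
// empty, whitespace-only or control-character-laden name supplied by a
// caller cannot produce an ambiguous or line-mangling error message.
func Parse(s string) (Entitlement, error) {
	e := Entitlement(s)
	if _, ok := all[e]; !ok {
		return "", errors.Errorf("unknown entitlement %q", s)
	}
	return e, nil
}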

// WhiteList parses every name in allowed into a Set of granted entitlements.
//
// When supported is non-nil it is parsed first (via a recursive call with no
// restriction) and every entry of allowed must also appear in it; a grant
// outside that set is rejected as not allowed by build daemon configuration.
// A nil supported imposes no such restriction, whereas an empty non-nil
// supported rejects every grant. Unknown names in either list fail with the
// error returned by Parse, and the result is never partially populated.
func WhiteList(allowed, supported []Entitlement) (Set, error) {
	// nil means "no daemon-side restriction"; the check below is keyed on
	// supported itself, not on the parsed set, to preserve that distinction.
	var daemonSet Set
	if supported != nil {
		parsed, err := WhiteList(supported, nil)
		if err != nil { // should not happen
			return nil, err
		}
		daemonSet = parsed
	}

	granted := make(Set, len(allowed))
	for _, name := range allowed {
		ent, err := Parse(string(name))
		if err != nil {
			return nil, err
		}
		if supported != nil && !daemonSet.Allowed(ent) {
			return nil, errors.Errorf("granting entitlement %s is not allowed by build daemon configuration", ent)
		}
		granted[ent] = struct{}{}
	}

	return granted, nil
}

// Set is the collection of entitlements granted to a build. A nil Set is a
// valid value that grants nothing, since lookups on a nil map simply miss.
type Set map[Entitlement]struct{}

// Allowed reports whether e has been granted in s. A nil Set allows nothing.
func (s Set) Allowed(e Entitlement) bool {
	if _, granted := s[e]; granted {
		return true
	}
	return false
}

// Check verifies that every entitlement requested in v has been granted in
// s. Requests are examined in a fixed order — network.host first, then
// security.insecure — and the first one missing from s is reported as the
// error; a nil error means all requested entitlements are allowed.
func (s Set) Check(v Values) error {
	requirements := []struct {
		requested bool
		ent       Entitlement
	}{
		{v.NetworkHost, EntitlementNetworkHost},
		{v.SecurityInsecure, EntitlementSecurityInsecure},
	}

	for _, r := range requirements {
		if !r.requested {
			continue
		}
		if !s.Allowed(r.ent) {
			return errors.Errorf("%s is not allowed", r.ent)
		}
	}
	return nil
}

// Values records which entitlements a build actually requests. Set.Check
// compares it against the granted Set and rejects any request that was not
// granted.
type Values struct {
	NetworkHost      bool // when set, Check requires EntitlementNetworkHost
	SecurityInsecure bool // when set, Check requires EntitlementSecurityInsecure
}