Allow admins to specify priviledged plugins by name **and tag** (#4075) (#4076)

2025-01-11 17:18:09 +02:00 · 2024-09-01 23:06:06 +02:00 · 2024-09-01 23:06:06 +02:00 · 4535ef330a
commit 4535ef330a
parent a360563fad
5 changed files with 139 additions and 2 deletions
--- a/docs/docs/30-administration/10-server-config.md
+++ b/docs/docs/30-administration/10-server-config.md
@ -360,6 +360,8 @@ a user can log into Woodpecker, without re-authentication.

 Docker images to run in privileged mode. Only change if you are sure what you do!

+You should specify the tag of your images too, as this enforces exact matches.
+
 <!--
 ### `WOODPECKER_VOLUME`
 > Default: empty
--- a/docs/versioned_docs/version-2.7/30-administration/10-server-config.md
+++ b/docs/versioned_docs/version-2.7/30-administration/10-server-config.md
@ -360,6 +360,8 @@ a user can log into Woodpecker, without re-authentication.

 Docker images to run in privileged mode. Only change if you are sure what you do!

+You should specify the tag of your images too, as this enforces exact matches.
+
 <!--
 ### `WOODPECKER_VOLUME`
 > Default: empty
--- a/pipeline/frontend/yaml/compiler/convert.go
+++ b/pipeline/frontend/yaml/compiler/convert.go
@ -141,7 +141,7 @@ func (c *Compiler) createProcess(container *yaml_types.Container, stepType backe
 		environment[toUpperTarget] = secretValue
 	}

-	if utils.MatchImage(container.Image, c.escalated...) && container.IsPlugin() {
+	if utils.MatchImageDynamic(container.Image, c.escalated...) && container.IsPlugin() {
 		privileged = true
 	}

--- a/pipeline/frontend/yaml/utils/image.go
+++ b/pipeline/frontend/yaml/utils/image.go
@ -14,7 +14,11 @@

 package utils

-import "github.com/distribution/reference"
+import (
+	"strings"
+
+	"github.com/distribution/reference"
+)

 // trimImage returns the short image name without tag.
 func trimImage(name string) string {
@ -57,6 +61,29 @@ func MatchImage(from string, to ...string) bool {
 	return false
 }

+// MatchImageDynamic check if image is in list based on list.
+// If an list entry has a tag specified it only will match if both are the same, else the tag is ignored.
+func MatchImageDynamic(from string, to ...string) bool {
+	fullFrom := expandImage(from)
+	trimFrom := trimImage(from)
+	for _, match := range to {
+		if imageHasTag(match) {
+			if fullFrom == expandImage(match) {
+				return true
+			}
+		} else {
+			if trimFrom == trimImage(match) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func imageHasTag(name string) bool {
+	return strings.Contains(name, ":")
+}
+
 // MatchHostname returns true if the image hostname
 // matches the specified hostname.
 func MatchHostname(image, hostname string) bool {
--- a/pipeline/frontend/yaml/utils/image_test.go
+++ b/pipeline/frontend/yaml/utils/image_test.go
@ -124,6 +124,57 @@ func Test_expandImage(t *testing.T) {
 	}
 }

+func Test_imageHasTag(t *testing.T) {
+	testdata := []struct {
+		from string
+		want bool
+	}{
+		{
+			from: "golang",
+			want: false,
+		},
+		{
+			from: "golang:latest",
+			want: true,
+		},
+		{
+			from: "golang:1.0.0",
+			want: true,
+		},
+		{
+			from: "library/golang",
+			want: false,
+		},
+		{
+			from: "library/golang:latest",
+			want: true,
+		},
+		{
+			from: "library/golang:1.0.0",
+			want: true,
+		},
+		{
+			from: "index.docker.io/library/golang:1.0.0",
+			want: true,
+		},
+		{
+			from: "gcr.io/golang",
+			want: false,
+		},
+		{
+			from: "gcr.io/golang:1.0.0",
+			want: true,
+		},
+		{
+			from: "codeberg.org/6543/hello:latest@2c98dce11f78c2b4e40f513ca82f75035eb8cfa4957a6d8eb3f917ecaf77803",
+			want: true,
+		},
+	}
+	for _, test := range testdata {
+		assert.Equal(t, test.want, imageHasTag(test.from))
+	}
+}
+
 func Test_matchImage(t *testing.T) {
 	testdata := []struct {
 		from, to string
@ -199,12 +250,67 @@ func Test_matchImage(t *testing.T) {
 			to:   "gcr.io/golang",
 			want: false,
 		},
+		{
+			from: "woodpeckerci/plugin-kaniko",
+			to:   "docker.io/woodpeckerci/plugin-kaniko",
+			want: true,
+		},
 	}
 	for _, test := range testdata {
 		assert.Equal(t, test.want, MatchImage(test.from, test.to))
 	}
 }

+func Test_matchImageDynamic(t *testing.T) {
+	testdata := []struct {
+		name, from string
+		to         []string
+		want       bool
+	}{
+		{
+			name: "simple compare",
+			from: "golang",
+			to:   []string{"golang"},
+			want: true,
+		},
+		{
+			name: "compare non-taged image whit list who tag requirement",
+			from: "golang",
+			to:   []string{"golang:v3.0"},
+			want: false,
+		},
+		{
+			name: "compare taged image whit list who tag no requirement",
+			from: "golang:v3.0",
+			to:   []string{"golang"},
+			want: true,
+		},
+		{
+			name: "compare taged image whit list who has image with no tag requirement",
+			from: "golang:1.0",
+			to:   []string{"golang", "golang:2.0"},
+			want: true,
+		},
+		{
+			name: "compare taged image whit list who only has images with tag requirement",
+			from: "golang:1.0",
+			to:   []string{"golang:latest", "golang:2.0"},
+			want: false,
+		},
+		{
+			name: "compare taged image whit list who only has images with tag requirement",
+			from: "golang:1.0",
+			to:   []string{"golang:latest", "golang:1.0"},
+			want: true,
+		},
+	}
+	for _, test := range testdata {
+		if !assert.Equal(t, test.want, MatchImageDynamic(test.from, test.to...)) {
+			t.Logf("test data: '%s' -> '%s'", test.from, test.to)
+		}
+	}
+}
+
 func Test_matchHostname(t *testing.T) {
 	testdata := []struct {
 		image, hostname string