buildkitd: Frontend restriction support
This commit adds [frontend."dockerfile.v0"] and [frontend."gateway.v0"] buildkitd.toml configuration sections. Each frontend can individually be disabled by setting `enabled = false` (both frontends are enabled by default). The [frontend."gateway.v0"] section has an `allowedSources` setting. If `allowedSources` is empty (the default), all gateway sources are allowed. Otherwise, only sources that match the patterns in this list will be allowed. Patterns are matched using <https://pkg.go.dev/github.com/moby/buildkit/util/wildcard>. Note that implicit references to docker.io should not be used in the patterns since matching occurs on a fully expanded image name (for example "docker/dockerfile" expands to "docker.io/docker/dockerfile"). Change-Id: Ia484401709ef6c13cf3e5a2e4d0e1c6bd0c47d13 Signed-off-by: Ahmon Dancy <adancy@wikimedia.org>
Ahmon Dancy
committed
May 8, 2024
1 parent
51d85d7
commit 85a6178
Showing
5 changed files
with
151 additions
and
6 deletions.
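--- /dev/null
+++ b/<file path not shown on page>
@@ -0,0 +1,57 @@
+package gateway
+
+import (
+"testing"
+
+"github.com/stretchr/testify/assert"
+)
+
+func TestCheckSourceIsAllowed(t *testing.T) {
+makeGatewayFrontend := func(sources []string) (*gatewayFrontend, error) {
+gw, err := NewGatewayFrontend(nil, sources)
+if err != nil {
+return nil, err
+}
+gw1 := gw.(*gatewayFrontend)
+return gw1, nil
+}
+
+var gw *gatewayFrontend
+var err error
+
+// no restrictions
+gw, err = makeGatewayFrontend([]string{})
+assert.NoError(t, err)
+err = gw.checkSourceIsAllowed("anything")
+assert.NoError(t, err)
+
+gw, err = makeGatewayFrontend([]string{"docker-registry.wikimedia.org/repos/releng/blubber/buildkit"})
+assert.NoError(t, err)
+err = gw.checkSourceIsAllowed("docker-registry.wikimedia.org/repos/releng/blubber/buildkit")
+assert.NoError(t, err)
+err = gw.checkSourceIsAllowed("docker-registry.wikimedia.org/repos/releng/blubber/buildkit:v1.2.3")
+assert.NoError(t, err)
+err = gw.checkSourceIsAllowed("docker-registry.wikimedia.org/something-else")
+assert.Error(t, err)
+
+gw, err = makeGatewayFrontend([]string{"implicit-docker-io-reference", "docker/dockerfile"})
+assert.NoError(t, err)
+// This source will be rejected because after parsing it becomes
+// "docker.io/library/implicit-docker-io-reference" which does not match
+// the allowed source of "implicit-docker-io-reference".
+err = gw.checkSourceIsAllowed("implicit-docker-io-reference")
+assert.Error(t, err)
+// "docker/dockerfile" expands to "docker.io/docker/dockerfile", so no match here.
+err = gw.checkSourceIsAllowed("docker/dockerfile")
+assert.Error(t, err)
+
+gw, err = makeGatewayFrontend([]string{"docker-registry.wikimedia.org/*"})
+assert.NoError(t, err)
+err = gw.checkSourceIsAllowed("docker-registry.wikimedia.org/something-else")
+assert.NoError(t, err)
+err = gw.checkSourceIsAllowed("docker-registry.wikimedia.org/topdir/below")
+assert.NoError(t, err)
+
+_, err = makeGatewayFrontend([]string{"docker-registry.wikimedia.org/**"}) // Invalid wildcard
+assert.Error(t, err)
+}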
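Review bot: The exact-pattern block (the `.../blubber/buildkit` allow-list) never pins the pattern's boundary: it shows that the untagged name and `...buildkit:v1.2.3` are both admitted, but no case asserts that a name which merely begins with the allowed name (`...buildkit-other`, `...buildkit/sub`) is rejected, and there is no case for a digest reference such as `...buildkit@sha256:<digest>`. Whether the tag is stripped before comparison or the pattern is matched as a prefix cannot be told from this file; in the first case the extra cases are cheap regression guards on the allow-list, in the second they expose an over-broad allow, so they belong here either way. Separately, `assert.NoError(t, err)` after each `makeGatewayFrontend` call does not stop the test, so a constructor failure continues into `gw.checkSourceIsAllowed` on a nil `*gatewayFrontend` and surfaces as a panic rather than a failed assertion; `require.NoError(t, err)` from testify's `require` package is the usual fix, and the unchecked `gw.(*gatewayFrontend)` in the helper would read better as the two-value form `gw1, ok := gw.(*gatewayFrontend)` with an `ok` check.
```go
gw, err = makeGatewayFrontend([]string{"docker-registry.wikimedia.org/repos/releng/blubber/buildkit"})
// … unchanged: existing exact-match, tagged and something-else cases …
// A name that merely starts with the allowed name must not be admitted.
err = gw.checkSourceIsAllowed("docker-registry.wikimedia.org/repos/releng/blubber/buildkit-other")
assert.Error(t, err)
err = gw.checkSourceIsAllowed("docker-registry.wikimedia.org/repos/releng/blubber/buildkit/sub")
assert.Error(t, err)
```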