// Listing: github.com/anth0d/nomad@v0.0.0-20221214183521-ae3a0a2cad06/client/allocrunner/taskrunner/validate_hook.go

package taskrunner

import (
	"context"
	"fmt"

	log "github.com/hashicorp/go-hclog"
	multierror "github.com/hashicorp/go-multierror"
	"github.com/hashicorp/nomad/client/allocrunner/interfaces"
	"github.com/hashicorp/nomad/client/config"
	"github.com/hashicorp/nomad/client/taskenv"
	"github.com/hashicorp/nomad/nomad/structs"
)

// validateHook validates the task is able to be run. It carries the client
// configuration that validateTask reads its user and driver policy from, and
// a logger named after the hook.
type validateHook struct {
	config *config.Config
	logger log.Logger
}

// newValidateHook returns a validateHook that holds the given client config
// and a sub-logger of logger named with the hook's own Name().
func newValidateHook(config *config.Config, logger log.Logger) *validateHook {
	hook := new(validateHook)
	hook.config = config
	hook.logger = logger.Named(hook.Name())
	return hook
}

// Name returns the fixed hook name, "validate".
func (*validateHook) Name() string {
	return "validate"
}

// Prestart runs validateTask against req.Task, using req.TaskEnv and the
// hook's client config. A validation error is returned unchanged and resp is
// left untouched; on success resp.Done is set to true. ctx is not used here.
func (h *validateHook) Prestart(ctx context.Context, req *interfaces.TaskPrestartRequest, resp *interfaces.TaskPrestartResponse) error {
	err := validateTask(req.Task, req.TaskEnv, h.config)
	if err == nil {
		// NOTE(review): Done presumably tells the runner this hook does not
		// need to run again. Confirm against interfaces.TaskPrestartResponse.
		resp.Done = true
	}
	return err
}

// validateTask checks a task against the client's user policy and validates
// its interpolated service names.
//
// The user check is scoped: task.User is compared with the denylist only when
// task.Driver is a key of the "user.checked_drivers" set. A task on any other
// driver is not checked against the denylist by this function.
//
// It returns nil when nothing failed, the single error itself when exactly one
// check failed, and the accumulated multierror otherwise.
func validateTask(task *structs.Task, taskEnv *taskenv.TaskEnv, conf *config.Config) error {
	var found multierror.Error
	record := func(err error) {
		found.Errors = append(found.Errors, err)
	}

	// Validate the user.
	// COMPAT(1.0) uses inclusive language. blacklist is kept for backward
	// compatibility.
	// NOTE(review): which of the two keys wins when both are set is decided
	// inside ReadStringListAlternativeToMapDefault. Confirm there.
	deniedUsers := conf.ReadStringListAlternativeToMapDefault(
		[]string{"user.denylist", "user.blacklist"},
		config.DefaultUserDenylist,
	)
	checkedDrivers := conf.ReadStringListToMapDefault("user.checked_drivers", config.DefaultUserCheckedDrivers)

	// NOTE(review): both lookups are exact-key matches on the raw strings and
	// nothing is normalized here. Operators should confirm the denylist holds
	// every form of an account name that the checked drivers accept.
	_, driverChecked := checkedDrivers[task.Driver]
	_, userDenied := deniedUsers[task.User]
	if driverChecked && userDenied {
		record(fmt.Errorf("running as user %q is disallowed", task.User))
	}

	// Validate the Service names once they're interpolated: the check runs on
	// the value after environment replacement, not on the raw template.
	for _, svc := range task.Services {
		interpolated := taskEnv.ReplaceEnv(svc.Name)
		err := svc.ValidateName(interpolated)
		if err == nil {
			continue
		}
		// NOTE(review): the interpolated name is printed verbatim with %s and
		// is presumably job-supplied, so whatever logs or displays this error
		// should treat it as untrusted text.
		record(fmt.Errorf("service (%s) failed validation: %v", interpolated, err))
	}

	// A lone failure is returned as the plain error rather than wrapped in a
	// multierror; zero or several go through ErrorOrNil.
	if len(found.Errors) != 1 {
		return found.ErrorOrNil()
	}
	return found.Errors[0]
}