// Copyright 2015 The rkt Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package flag

import (
	"strings"

	pkgflag "github.com/rkt/rkt/pkg/flag"
)

// insecureNone is the empty option set: no bit is set.
const insecureNone = 0

// Single-bit insecure options. Each constant occupies its own bit, starting
// at 1 for insecureImage and doubling down the list, so options can be OR-ed
// together into one int. Setting a bit turns the corresponding check OFF;
// the accessor methods on SecFlags show which option maps to which check.
const (
	insecureImage = 1 << iota
	insecureTLS
	// insecureOnDisk is ignored, left for backwards compatibility. It keeps
	// its bit so the later options do not shift; NewSecFlags clears it.
	insecureOnDisk
	insecureHTTP
	insecurePubKey
	insecureCapabilities
	insecurePaths
	insecureSeccomp
)

// Composite options. None of them includes insecureOnDisk.
const (
	insecureAllFetch = insecureImage | insecureTLS | insecureHTTP | insecurePubKey
	insecureAllRun   = insecureCapabilities | insecurePaths | insecureSeccomp
	insecureAll      = insecureAllFetch | insecureAllRun
)

// insecureOptions lists the option names accepted on the command line. The
// order is passed on to pkgflag.NewBitFlags, so it is kept stable.
var insecureOptions = []string{
	"none",
	"image",
	"tls",
	"ondisk",
	"http",
	"pubkey",
	"capabilities",
	"paths",
	"seccomp",
	"all-fetch",
	"all-run",
	"all",
}

// insecureOptionsMap translates every name in insecureOptions to its bit
// mask. Each name in insecureOptions must have an entry here.
var insecureOptionsMap = map[string]int{
	"none":         insecureNone,
	"image":        insecureImage,
	"tls":          insecureTLS,
	"ondisk":       insecureOnDisk,
	"http":         insecureHTTP,
	"pubkey":       insecurePubKey,
	"capabilities": insecureCapabilities,
	"paths":        insecurePaths,
	"seccomp":      insecureSeccomp,
	"all-fetch":    insecureAllFetch,
	"all-run":      insecureAllRun,
	"all":          insecureAll,
}
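// SecFlags is the set of "insecure options" selected by the user, stored as
// a bit mask in the embedded BitFlags. Every bit that is set switches a
// security check off, so the zero mask is the fully checked configuration.
// The checks themselves are enforced by callers outside this file.
type SecFlags struct {
	*pkgflag.BitFlags
}

// NewSecFlagsFromValue builds a SecFlags directly from a bit mask, such as
// one previously obtained from Value. The returned error is always nil.
//
// The ignored "ondisk" bit is cleared, exactly as NewSecFlags does, so that
// a stale mask cannot make SkipAnySecurityChecks or String report an option
// that has no effect. Other bits are kept unvalidated, including bits that
// match no known option.
func NewSecFlagsFromValue(val int) (*SecFlags, error) {
	return &SecFlags{
		BitFlags: &pkgflag.BitFlags{Flags: val &^ insecureOnDisk},
	}, nil
}

// NewSecFlags builds a SecFlags whose initial value is parsed from defOpts
// by pkgflag.NewBitFlags using the known option names. It returns the error
// from NewBitFlags unchanged.
func NewSecFlags(defOpts string) (*SecFlags, error) {
	bf, err := pkgflag.NewBitFlags(insecureOptions, defOpts, insecureOptionsMap)
	if err != nil {
		return nil, err
	}
	// "ondisk" is accepted for backwards compatibility only; drop the bit so
	// it never counts as an active insecure option.
	bf.Flags &^= insecureOnDisk

	return &SecFlags{BitFlags: bf}, nil
}

// SkipImageCheck reports whether the "image" insecure option is set.
func (sf *SecFlags) SkipImageCheck() bool {
	return sf.HasFlag(insecureImage)
}

// SkipTLSCheck reports whether the "tls" insecure option is set.
func (sf *SecFlags) SkipTLSCheck() bool {
	return sf.HasFlag(insecureTLS)
}

// AllowHTTP reports whether the "http" insecure option is set.
func (sf *SecFlags) AllowHTTP() bool {
	return sf.HasFlag(insecureHTTP)
}

// ConsiderInsecurePubKeys reports whether the "pubkey" insecure option is set.
func (sf *SecFlags) ConsiderInsecurePubKeys() bool {
	return sf.HasFlag(insecurePubKey)
}

// SkipCapabilities reports whether the "capabilities" insecure option is set.
func (sf *SecFlags) SkipCapabilities() bool {
	return sf.HasFlag(insecureCapabilities)
}

// SkipPaths reports whether the "paths" insecure option is set.
func (sf *SecFlags) SkipPaths() bool {
	return sf.HasFlag(insecurePaths)
}

// SkipSeccomp reports whether the "seccomp" insecure option is set.
func (sf *SecFlags) SkipSeccomp() bool {
	return sf.HasFlag(insecureSeccomp)
}

// SkipAllSecurityChecks reports whether the composite "all" mask is set.
// NOTE(review): this presumes HasFlag requires every bit of the mask to be
// present; HasFlag is defined in pkgflag and is not visible here - confirm.
func (sf *SecFlags) SkipAllSecurityChecks() bool {
	return sf.HasFlag(insecureAll)
}

// SkipAnySecurityChecks reports whether the mask is non-zero. It looks at
// the raw value, so a bit that matches no known option also counts; this
// errs on the side of reporting that something is relaxed.
func (sf *SecFlags) SkipAnySecurityChecks() bool {
	return sf.Flags != 0
}

// Value returns the raw bit mask.
func (sf *SecFlags) Value() int {
	return sf.Flags
}

// String returns the comma-separated names of the options for which HasFlag
// is true, or "none" when there are none. The "none" and "all" entries are
// never listed themselves; "all-fetch" and "all-run" are listed whenever
// HasFlag reports them.
//
// Names are emitted in the order of insecureOptions. Ranging over
// insecureOptionsMap instead would give a different order on each call,
// which makes logs and audit output hard to compare.
func (sf *SecFlags) String() string {
	var opts []string

	for _, name := range insecureOptions {
		opt := insecureOptionsMap[name]
		if opt == insecureNone || opt == insecureAll {
			continue
		}
		if sf.HasFlag(opt) {
			opts = append(opts, name)
		}
	}

	if len(opts) == 0 {
		return "none"
	}

	return strings.Join(opts, ",")
}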