talos

1
// This Source Code Form is subject to the terms of the Mozilla Public
2
// License, v. 2.0. If a copy of the MPL was not distributed with this
3
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
4

5
package extensions
6

7
import (
8
	"fmt"
9
	"io/fs"
10
	"os"
11
	"path/filepath"
12
	"strings"
13

14
	"github.com/blang/semver/v4"
15

16
	"github.com/siderolabs/talos/pkg/machinery/version"
17
)
18

19
// Validate the extension: compatibility, contents, etc.
20
func (ext *Extension) Validate() error {
21
	if err := ext.validateConstraints(); err != nil {
22
		return err
23
	}
24

25
	return ext.validateContents()
26
}
27

28
func (ext *Extension) validateConstraints() error {
29
	constraint := ext.Manifest.Metadata.Compatibility.Talos.Version
30

31
	if constraint != "" {
32
		talosVersion, err := semver.ParseTolerant(version.Tag)
33
		if err != nil {
34
			return err
35
		}
36

37
		versionConstraint, err := semver.ParseRange(trim(constraint))
38
		if err != nil {
39
			return fmt.Errorf("error parsing Talos version constraint: %w", err)
40
		}
41

42
		if !versionConstraint(coreVersion(talosVersion)) {
43
			return fmt.Errorf("version constraint %s can't be satisfied with Talos version %s", constraint, talosVersion)
44
		}
45
	}
46

47
	return nil
48
}
49

50
// trim removes 'v' symbol anywhere in string if it's located before the number.
51
func trim(constraint string) string {
52
	for i := 0; i < len(constraint); i++ {
53
		if constraint[i] == 'v' && i+1 < len(constraint) && constraint[i+1] >= '0' && constraint[i+1] <= '9' {
54
			constraint = constraint[:i] + constraint[i+1:]
55
		}
56
	}
57

58
	return constraint
59
}
60

61
func coreVersion(talosVersion semver.Version) semver.Version {
62
	return semver.Version{
63
		Major: talosVersion.Major,
64
		Minor: talosVersion.Minor,
65
		Patch: talosVersion.Patch,
66
	}
67
}
68

69
//nolint:gocyclo
70
func (ext *Extension) validateContents() error {
71
	return filepath.WalkDir(ext.rootfsPath, func(path string, d fs.DirEntry, err error) error {
72
		if err != nil {
73
			return err
74
		}
75

76
		itemPath, err := filepath.Rel(ext.rootfsPath, path)
77
		if err != nil {
78
			return err
79
		}
80

81
		itemPath = filepath.Join("/", itemPath)
82

83
		// check for -------w-
84
		if d.Type().Perm()&0o002 > 0 {
85
			return fmt.Errorf("world-writeable files are not allowed: %q", itemPath)
86
		}
87

88
		// no special files
89
		if !d.IsDir() && !d.Type().IsRegular() && d.Type().Type() != os.ModeSymlink {
90
			return fmt.Errorf("special files are not allowed: %q", itemPath)
91
		}
92

93
		// regular file: check for file path being whitelisted
94
		if !d.IsDir() {
95
			allowed := false
96

97
			for _, allowedPath := range AllowedPaths {
98
				if strings.HasPrefix(itemPath, allowedPath) {
99
					_, err = filepath.Rel(allowedPath, itemPath)
100
					if err == nil {
101
						allowed = true
102

103
						break
104
					}
105
				}
106
			}
107

108
			if !allowed {
109
				return fmt.Errorf("path %q is not allowed in extensions", itemPath)
110
			}
111
		}
112

113
		return nil
114
	})
115
}
116