mirror of
https://github.com/project-zot/zot.git
synced 2026-06-16 20:38:08 +08:00
fix(config): warn if cve is used with remote storage driver (#1034)
* fix(config): warn if cve is used with remote storage driver Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com> * fix: also check if search is enabled Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com> Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> Co-authored-by: Catalin Hofnar <catalin.hofnar@gmail.com>
This commit is contained in:
Ramkumar Chinchani
committed by
GitHub
GitHub
parent
72abab4947
commit
69f0cf6bb4
@@ -637,17 +637,12 @@ func TestServeSearchEnabled(t *testing.T) {
|
||||
logPath, err := runCLIWithConfig(tempDir, content)
|
||||
So(err, ShouldBeNil)
|
||||
// to avoid data race when multiple go routines write to trivy DB instance.
|
||||
WaitTillTrivyDBDownloadStarted(tempDir)
|
||||
defer os.Remove(logPath) // clean up
|
||||
|
||||
substring := "\"Extensions\":{\"Search\":{\"Enable\":true,\"CVE\":{\"UpdateInterval\":86400000000000}},\"Sync\":null,\"Metrics\":null,\"Scrub\":null,\"Lint\":null}" //nolint:lll // gofumpt conflicts with lll
|
||||
substring := "\"Extensions\":{\"Search\":{\"Enable\":true,\"CVE\":null},\"Sync\":null,\"Metrics\":null,\"Scrub\":null,\"Lint\":null}" //nolint:lll // gofumpt conflicts with lll
|
||||
found, err := readLogFileAndSearchString(logPath, substring, readLogFileTimeout)
|
||||
So(found, ShouldBeTrue)
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
found, err = readLogFileAndSearchString(logPath, "updating the CVE database", readLogFileTimeout)
|
||||
So(found, ShouldBeTrue)
|
||||
So(err, ShouldBeNil)
|
||||
})
|
||||
}
|
||||
|
||||
@@ -730,17 +725,11 @@ func TestServeSearchEnabledNoCVE(t *testing.T) {
|
||||
logPath, err := runCLIWithConfig(tempDir, content)
|
||||
So(err, ShouldBeNil)
|
||||
defer os.Remove(logPath) // clean up
|
||||
// to avoid data race when multiple go routines write to trivy DB instance.
|
||||
WaitTillTrivyDBDownloadStarted(tempDir)
|
||||
|
||||
substring := "\"Extensions\":{\"Search\":{\"Enable\":true,\"CVE\":{\"UpdateInterval\":86400000000000}},\"Sync\":null,\"Metrics\":null,\"Scrub\":null,\"Lint\":null}" //nolint:lll // gofumpt conflicts with lll
|
||||
substring := "\"Extensions\":{\"Search\":{\"Enable\":true,\"CVE\":null},\"Sync\":null,\"Metrics\":null,\"Scrub\":null,\"Lint\":null}" //nolint:lll // gofumpt conflicts with lll
|
||||
found, err := readLogFileAndSearchString(logPath, substring, readLogFileTimeout)
|
||||
So(found, ShouldBeTrue)
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
found, err = readLogFileAndSearchString(logPath, "updating the CVE database", readLogFileTimeout)
|
||||
So(found, ShouldBeTrue)
|
||||
So(err, ShouldBeNil)
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
+26
-4
@@ -306,6 +306,28 @@ func validateCacheConfig(cfg *config.Config) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func validateExtensionsConfig(cfg *config.Config) error {
|
||||
//nolint:lll
|
||||
if cfg.Storage.StorageDriver != nil && cfg.Extensions != nil && cfg.Extensions.Search != nil &&
|
||||
cfg.Extensions.Search.Enable != nil && *cfg.Extensions.Search.Enable && cfg.Extensions.Search.CVE != nil {
|
||||
log.Warn().Err(errors.ErrBadConfig).Msg("CVE functionality can't be used with remote storage. Please disable CVE")
|
||||
|
||||
return errors.ErrBadConfig
|
||||
}
|
||||
|
||||
for _, subPath := range cfg.Storage.SubPaths {
|
||||
//nolint:lll
|
||||
if subPath.StorageDriver != nil && cfg.Extensions != nil && cfg.Extensions.Search != nil &&
|
||||
cfg.Extensions.Search.Enable != nil && *cfg.Extensions.Search.Enable && cfg.Extensions.Search.CVE != nil {
|
||||
log.Warn().Err(errors.ErrBadConfig).Msg("CVE functionality can't be used with remote storage. Please disable CVE")
|
||||
|
||||
return errors.ErrBadConfig
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func validateConfiguration(config *config.Config) error {
|
||||
if err := validateHTTP(config); err != nil {
|
||||
return err
|
||||
@@ -331,6 +353,10 @@ func validateConfiguration(config *config.Config) error {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := validateExtensionsConfig(config); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// check authorization config, it should have basic auth enabled or ldap
|
||||
if config.HTTP.RawAccessControl != nil {
|
||||
// checking for anonymous policy only authorization config: no users, no policies but anonymous policy
|
||||
@@ -449,10 +475,6 @@ func applyDefaultValues(config *config.Config, viperInstance *viper.Viper) {
|
||||
if config.Extensions.Search.Enable == nil {
|
||||
config.Extensions.Search.Enable = &defaultVal
|
||||
}
|
||||
|
||||
if config.Extensions.Search.CVE == nil {
|
||||
config.Extensions.Search.CVE = &extconf.CVEConfig{UpdateInterval: 24 * time.Hour} //nolint: gomnd
|
||||
}
|
||||
}
|
||||
|
||||
if config.Extensions.Metrics != nil {
|
||||
|
||||
@@ -112,6 +112,84 @@ func TestVerify(t *testing.T) {
|
||||
So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldPanic)
|
||||
})
|
||||
|
||||
Convey("Test verify CVE warn for remote storage", t, func(c C) {
|
||||
tmpfile, err := os.CreateTemp("", "zot-test*.json")
|
||||
So(err, ShouldBeNil)
|
||||
defer os.Remove(tmpfile.Name()) // clean up
|
||||
|
||||
content := []byte(`{
|
||||
"storage":{
|
||||
"rootDirectory":"/tmp/zot",
|
||||
"dedupe":true,
|
||||
"remoteCache":false,
|
||||
"storageDriver":{
|
||||
"name":"s3",
|
||||
"rootdirectory":"/zot",
|
||||
"region":"us-east-2",
|
||||
"bucket":"zot-storage",
|
||||
"secure":true,
|
||||
"skipverify":false
|
||||
}
|
||||
},
|
||||
"http":{
|
||||
"address":"127.0.0.1",
|
||||
"port":"8080"
|
||||
},
|
||||
"extensions":{
|
||||
"search": {
|
||||
"enable": true,
|
||||
"cve": {
|
||||
"updateInterval": "24h"
|
||||
}
|
||||
}
|
||||
}
|
||||
}`)
|
||||
err = os.WriteFile(tmpfile.Name(), content, 0o0600)
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
os.Args = []string{"cli_test", "verify", tmpfile.Name()}
|
||||
So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldPanic)
|
||||
|
||||
content = []byte(`{
|
||||
"storage":{
|
||||
"rootDirectory":"/tmp/zot",
|
||||
"dedupe":true,
|
||||
"remoteCache":false,
|
||||
"subPaths":{
|
||||
"/a": {
|
||||
"rootDirectory": "/tmp/zot1",
|
||||
"dedupe": false,
|
||||
"storageDriver":{
|
||||
"name":"s3",
|
||||
"rootdirectory":"/zot-a",
|
||||
"region":"us-east-2",
|
||||
"bucket":"zot-storage",
|
||||
"secure":true,
|
||||
"skipverify":false
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"http":{
|
||||
"address":"127.0.0.1",
|
||||
"port":"8080"
|
||||
},
|
||||
"extensions":{
|
||||
"search": {
|
||||
"enable": true,
|
||||
"cve": {
|
||||
"updateInterval": "24h"
|
||||
}
|
||||
}
|
||||
}
|
||||
}`)
|
||||
err = os.WriteFile(tmpfile.Name(), content, 0o0600)
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
os.Args = []string{"cli_test", "verify", tmpfile.Name()}
|
||||
So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldPanic)
|
||||
})
|
||||
|
||||
Convey("Test cached db config", t, func(c C) {
|
||||
tmpfile, err := os.CreateTemp("", "zot-test*.json")
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
Reference in New Issue
Block a user