From 8d5c65153f295b6838599556b2e0892431b4a3fd Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Mon, 20 Mar 2023 20:09:53 -0700
Subject: [PATCH] Add container repository cred permission checks

The docker roles perform permission checks to verify that the owner of the credential is okay with a job uploading to a given repo. The container roles document that they perform the same check, but that wasn't implemented. This change implements it.

Change-Id: I1fa7ad985664688de76f0fcc280fbfea4f02fb7c
---
 roles/promote-container-image/tasks/main.yaml | 9 +++++++++
 roles/upload-container-image/tasks/main.yaml | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/roles/promote-container-image/tasks/main.yaml b/roles/promote-container-image/tasks/main.yaml
index 6c5d2886d..8bd84f584 100644
--- a/roles/promote-container-image/tasks/main.yaml
+++ b/roles/promote-container-image/tasks/main.yaml
@@ -8,6 +8,15 @@
 fail:
 msg: "{{ zj_image.registry }} credentials not found"
 
+- name: Verify repository permission
+ when: |
+ not zj_image.repository | regex_search(container_registry_credentials[zj_image.registry].repository)
+ loop: "{{ container_images }}"
+ loop_control:
+ loop_var: zj_image
+ fail:
+ msg: "{{ zj_image.repository }} not permitted by {{ container_registry_credentials[zj_image.registry].repository }}"
+
 - name: Log in to registry
 no_log: true
 command: >-
diff --git a/roles/upload-container-image/tasks/main.yaml b/roles/upload-container-image/tasks/main.yaml
index 8faa20d03..a2cfa25ec 100644
--- a/roles/upload-container-image/tasks/main.yaml
+++ b/roles/upload-container-image/tasks/main.yaml
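Review bot: The permission check in the added `Verify repository permission` task uses `regex_search`, which is an unanchored search, so a credential whose `repository` is written as `myorg/app` also permits `myorg/app-evil` or `vendor/myorg/app` unless the credential owner remembered to anchor the pattern with `^` and `$`. Since `zj_image.repository` is supplied by the job while the pattern is supplied by the credential owner, this condition is the trust boundary and should be a full match by default: `not zj_image.repository is match('^(?:' ~ container_registry_credentials[zj_image.registry].repository ~ ')$')`. If keeping `regex_search` for parity with the docker roles is deliberate, the role documentation for the `repository` key should state that the pattern is searched rather than fully matched and show an anchored example. A credential entry with no `repository` key will, as far as I can tell, make this task error on an undefined variable rather than print the new message; that fails closed, which seems right, but it is worth documenting the key as required.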
@@ -8,6 +8,15 @@
 fail:
 msg: "{{ zj_image.registry }} credentials not found"
 
+- name: Verify repository permission
+ when: |
+ not zj_image.repository | regex_search(container_registry_credentials[zj_image.registry].repository)
+ loop: "{{ container_images }}"
+ loop_control:
+ loop_var: zj_image
+ fail:
+ msg: "{{ zj_image.repository }} not permitted by {{ container_registry_credentials[zj_image.registry].repository }}"
+
 - name: Upload image to container registry
 loop: "{{ container_images }}"
 loop_control:
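Review bot: This task is the same text as the one added to `promote-container-image` and carries the same weakness: `regex_search` matches anywhere in `zj_image.repository`, so an unanchored `repository` pattern in the credential (for example `myorg/app`) lets a job push to `myorg/app-evil` or `vendor/myorg/app`. Because this condition is the only gate in front of the push performed by the following `Upload image to container registry` task, it is worth anchoring the match here regardless of what the promote role does, e.g. `not zj_image.repository is match('^(?:' ~ container_registry_credentials[zj_image.registry].repository ~ ')$')`. Consider moving the check into a shared task file included by both roles so the matching semantics cannot drift between upload and promote.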