mirror of
https://github.com/openfaas/faasd.git
synced 2025-06-10 08:56:47 +00:00
12b5e8ca7f
This commit adds the checks that the namespace supplied by the user has the `openfaas=true` label. Without this check the user can deploy/update/read functions in any namespace using the CLI. The UI is not effected because it calls the listnamesaces endpoint, which has the check for the label Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
153 lines
3.7 KiB
Go
153 lines
3.7 KiB
Go
package handlers
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"log"
|
|
"net/http"
|
|
"os"
|
|
"path"
|
|
"strings"
|
|
|
|
"github.com/containerd/containerd"
|
|
"github.com/openfaas/faas-provider/types"
|
|
)
|
|
|
|
const secretFilePermission = 0644
|
|
const secretDirPermission = 0755
|
|
|
|
func MakeSecretHandler(c *containerd.Client, mountPath string) func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
err := os.MkdirAll(mountPath, secretFilePermission)
|
|
if err != nil {
|
|
log.Printf("Creating path: %s, error: %s\n", mountPath, err)
|
|
}
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Body != nil {
|
|
defer r.Body.Close()
|
|
}
|
|
|
|
switch r.Method {
|
|
case http.MethodGet:
|
|
listSecrets(c, w, r, mountPath)
|
|
case http.MethodPost:
|
|
createSecret(c, w, r, mountPath)
|
|
case http.MethodPut:
|
|
createSecret(c, w, r, mountPath)
|
|
case http.MethodDelete:
|
|
deleteSecret(c, w, r, mountPath)
|
|
default:
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
func listSecrets(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
|
|
|
|
lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))
|
|
// Check if namespace exists, and it has the openfaas label
|
|
nsValid, err := validateNamespace(c, lookupNamespace)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if !nsValid {
|
|
http.Error(w, "namespace not valid", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
mountPath = getNamespaceSecretMountPath(mountPath, lookupNamespace)
|
|
|
|
files, err := ioutil.ReadDir(mountPath)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
secrets := []types.Secret{}
|
|
for _, f := range files {
|
|
secrets = append(secrets, types.Secret{Name: f.Name(), Namespace: lookupNamespace})
|
|
}
|
|
|
|
bytesOut, _ := json.Marshal(secrets)
|
|
w.Write(bytesOut)
|
|
}
|
|
|
|
func createSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
|
|
secret, err := parseSecret(r)
|
|
if err != nil {
|
|
log.Printf("[secret] error %s", err.Error())
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
namespace := getRequestNamespace(secret.Namespace)
|
|
mountPath = getNamespaceSecretMountPath(mountPath, namespace)
|
|
|
|
err = os.MkdirAll(mountPath, secretDirPermission)
|
|
if err != nil {
|
|
log.Printf("[secret] error %s", err.Error())
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
err = ioutil.WriteFile(path.Join(mountPath, secret.Name), []byte(secret.Value), secretFilePermission)
|
|
|
|
if err != nil {
|
|
log.Printf("[secret] error %s", err.Error())
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
}
|
|
|
|
func deleteSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
|
|
secret, err := parseSecret(r)
|
|
if err != nil {
|
|
log.Printf("[secret] error %s", err.Error())
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
namespace := getRequestNamespace(readNamespaceFromQuery(r))
|
|
mountPath = getNamespaceSecretMountPath(mountPath, namespace)
|
|
|
|
err = os.Remove(path.Join(mountPath, secret.Name))
|
|
|
|
if err != nil {
|
|
log.Printf("[secret] error %s", err.Error())
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
}
|
|
|
|
func parseSecret(r *http.Request) (types.Secret, error) {
|
|
secret := types.Secret{}
|
|
bytesOut, err := ioutil.ReadAll(r.Body)
|
|
if err != nil {
|
|
return secret, err
|
|
}
|
|
|
|
err = json.Unmarshal(bytesOut, &secret)
|
|
if err != nil {
|
|
return secret, err
|
|
}
|
|
|
|
if isTraversal(secret.Name) {
|
|
return secret, fmt.Errorf(traverseErrorSt)
|
|
}
|
|
|
|
return secret, err
|
|
}
|
|
|
|
const traverseErrorSt = "directory traversal found in name"
|
|
|
|
func isTraversal(name string) bool {
|
|
return strings.Contains(name, fmt.Sprintf("%s", string(os.PathSeparator))) ||
|
|
strings.Contains(name, "..")
|
|
}
|