Merge pull request #2812 from crazy-max/bake-win-fs-ent

bake: add wildcard to fs entitlements to allow any paths

bake/entitlements.go

@@ -326,7 +326,14 @@ func isParentOrEqualPath(p, parent string) bool {
 }
 
 func findMissingPaths(set []string, paths map[string]struct{}) ([]string, error) {
-	paths, err := evaluateToExistingPaths(paths)
+	set, allowAny, err := evaluatePaths(set)
+	if err != nil {
+		return nil, err
+	} else if allowAny {
+		return nil, nil
+	}
+
+	paths, err = evaluateToExistingPaths(paths)
 	if err != nil {
 		return nil, err
 	}
@@ -335,11 +342,6 @@ func findMissingPaths(set []string, paths map[string]struct{}) ([]string, error)
 		return nil, err
 	}
 
-	set, err = evaluatePaths(set)
-	if err != nil {
-		return nil, err
-	}
-
 	out := make([]string, 0, len(paths))
 loop0:
 	for p := range paths {
@@ -441,6 +443,27 @@ func removeCommonPaths(in, common []string) []string {
 	return filtered
 }
 
+func evaluatePaths(in []string) ([]string, bool, error) {
+	out := make([]string, 0, len(in))
+	allowAny := false
+	for _, p := range in {
+		if p == "*" {
+			allowAny = true
+			continue
+		}
+		v, err := filepath.Abs(p)
+		if err != nil {
+			return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
+		}
+		v, err = filepath.EvalSymlinks(v)
+		if err != nil {
+			return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
+		}
+		out = append(out, v)
+	}
+	return out, allowAny, nil
+}
+
 func evaluateToExistingPaths(in map[string]struct{}) (map[string]struct{}, error) {
 	m := make(map[string]struct{}, len(in))
 	for p := range in {

bake/entitlements_test.go

@@ -350,6 +350,33 @@ func TestValidateEntitlements(t *testing.T) {
 			conf: EntitlementConf{
 				FSRead: []string{"/"},
 			},
+			expected: EntitlementConf{
+				FSRead: func() []string {
+					// on windows root (/) is only allowed if it is the same volume as wd
+					if filepath.VolumeName(wd) == filepath.VolumeName(escapeLink) {
+						return nil
+					}
+					// if not, then escapeLink is not allowed
+					exp, err := evaluateToExistingPath(escapeLink)
+					require.NoError(t, err)
+					exp, err = filepath.EvalSymlinks(exp)
+					require.NoError(t, err)
+					return []string{exp}
+				}(),
+			},
+		},
+		{
+			name: "SecretFromEscapeLinkAllowAny",
+			opt: build.Options{
+				SecretSpecs: []*pb.Secret{
+					{
+						FilePath: escapeLink,
+					},
+				},
+			},
+			conf: EntitlementConf{
+				FSRead: []string{"*"},
+			},
 			expected: EntitlementConf{},
 		},
 	}

bake/entitlements_unix.go

@@ -1,26 +0,0 @@
-//go:build !windows
-// +build !windows
-
-package bake
-
-import (
-	"path/filepath"
-
-	"github.com/pkg/errors"
-)
-
-func evaluatePaths(in []string) ([]string, error) {
-	out := make([]string, 0, len(in))
-	for _, p := range in {
-		v, err := filepath.Abs(p)
-		if err != nil {
-			return nil, err
-		}
-		v, err = filepath.EvalSymlinks(v)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
-		}
-		out = append(out, v)
-	}
-	return out, nil
-}

bake/entitlements_windows.go

@@ -1,39 +0,0 @@
-package bake
-
-import (
-	"os"
-	"path/filepath"
-
-	"github.com/pkg/errors"
-)
-
-func evaluatePaths(in []string) ([]string, error) {
-	out := make([]string, 0, len(in))
-	for _, p := range in {
-		if p == "/" {
-			out = append(out, getAllVolumes()...)
-			continue
-		}
-		v, err := filepath.Abs(p)
-		if err != nil {
-			return nil, err
-		}
-		v, err = filepath.EvalSymlinks(v)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
-		}
-		out = append(out, v)
-	}
-	return out, nil
-}
-
-func getAllVolumes() []string {
-	var volumes []string
-	for _, drive := range "ABCDEFGHIJKLMNOPQRSTUVWXYZ" {
-		p := string(drive) + ":" + string(filepath.Separator)
-		if _, err := os.Stat(p); !os.IsNotExist(err) {
-			volumes = append(volumes, p)
-		}
-	}
-	return volumes
-}