go/compose-parser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
09b33762ec5310de5077df27c39eb04ce7efbbca
compose-parser/main.go
jake 09b33762ec a lot of progress, WIP
2025-11-11 12:58:06 -05:00

384 lines
8.3 KiB
Go
Raw Blame History

package main
import (
"fmt"
"io"
"log"
"os"
"regexp"
"strings"
"gopkg.in/yaml.v3"
)
const (
PRIVILEGE_OPT = "no-new-privileges=true"
ROOT_USER_GROUP = "1000:1000"
ROOT_USER = "1000"
ROOT_GROUP = "1000"
IM_SO_SORRY = `^(\${{\s*(vars|secrets)\..*}}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):(\${{\s*(vars|secrets)\..*}}|[0-9]+):(\${{\s*(vars|secrets)\..*}}|[0-9]+)`
FATAL IssueLevel = "FATAL"
WARNING IssueLevel = "WARNING"
PASSED IssueLevel = "PASSED"
)
type IssueLevel string
type Issue struct {
Level IssueLevel
Safe bool
Messages []string
}
func (i *Issue) Passed() {
i.Level = PASSED
i.Safe = true
}
func (i *Issue) Warning() {
i.Level = WARNING
i.Safe = true
}
func (i *Issue) Fatal() {
i.Level = FATAL
i.Safe = false
}
type RestartConfig struct {
Condition *string `yaml:"condition"`
Delay *string `yaml:"delay"`
MaxAttempts *int `yaml:"max_attempts"`
Window *string `yaml:"window"`
}
type DeployConfig struct {
Policy *RestartConfig `yaml:"restart_policy"`
}
type ServiceConfig struct {
MemLimit *string `yaml:"mem_limit"`
Cpus *float64 `yaml:"cpus"`
Ports *[]string `yaml:"ports"`
User *string `yaml:"user"`
Deploy *DeployConfig `yaml:"deploy"`
SecOpts *[]string `yaml:"security_opt"`
Privileged *bool `yaml:"privileged"`
}
type Compose struct {
Services map[string]ServiceConfig `yaml:"services"`
}
func main() {
filePath := os.Getenv("COMPOSE_FILE_PATH")
if filePath == "" {
filePath = "compose.yaml"
}
f, err := os.Open(filePath)
if err != nil {
log.Fatal(err)
}
defer f.Close()
fd, err := io.ReadAll(f)
if err != nil {
log.Fatal(err)
}
var data Compose
err = yaml.Unmarshal(fd, &data)
if err != nil {
log.Fatal(err)
}
// type report struct {
// Name string //service name
// //restart policy
// PolicyPresent bool //is it present
// PolicyLevel IssueLevel //how serious
// PolicyIssues []string
// //are ports behind a proxy?
// PortSafe bool
// PortIssues []string
// PortLevel IssueLevel
// //memory limits and cpu
// ResourceSafe bool
// ResourceIssues []string
// ResourceLevel IssueLevel
// //proper security options
// SecurityOptSafe bool
// SecurityOptLevel IssueLevel
// SecurityOptIssues []string
// //are users nonroot
// UserSafe bool
// UserIssues []string
// UserIssueLevel IssueLevel
// }
type NewReport struct {
Name string
Issues []*Issue
}
var issues []NewReport
for name, serviceConf := range data.Services {
rprt := NewReport{
Name: name,
}
i := ResourceCheck(serviceConf)
if i != nil {
rprt.Issues = append(rprt.Issues, i)
}
j := SecurityOptCheck(serviceConf)
if j != nil {
rprt.Issues = append(rprt.Issues, j)
}
k, err := UserCheck(serviceConf)
if err != nil {
log.Fatal(err)
}
if k != nil {
rprt.Issues = append(rprt.Issues, k)
}
l, err := PortCheck(serviceConf)
if err != nil {
log.Fatal(err)
}
if len(l) > 0 {
rprt.Issues = append(rprt.Issues, l...)
}
m := PolicyCheck(serviceConf)
if m != nil {
rprt.Issues = append(rprt.Issues, m)
}
issues = append(issues, rprt)
}
for _, p := range issues {
fmt.Println(p.Name)
for _, x := range p.Issues {
fmt.Println(*x)
}
}
}
func ResourceCheck(srv ServiceConfig) *Issue {
i := &Issue{}
if srv.Cpus == nil {
i.Warning()
i.Messages = append(i.Messages, "there is no cpu limit set for the service")
}
if srv.MemLimit == nil {
i.Warning()
i.Messages = append(i.Messages, "there is no memory limit set for the service")
}
if srv.Cpus == nil && srv.MemLimit == nil {
i.Fatal()
i.Messages = append(i.Messages, "there are no resource limits set for the service")
}
i.Passed()
i.Messages = append(i.Messages, "resource limits configuration is safe")
return i
}
func PrivilegedCheck(srv ServiceConfig) *Issue {
i := &Issue{}
if srv.Privileged == nil {
i.Passed()
i.Messages = append(i.Messages, "no privileged flag set")
return i
}
if *srv.Privileged == true {
i.Fatal()
i.Messages = append(i.Messages, "privileged flag is set to true")
return i
}
i.Passed()
i.Messages = append(i.Messages, "privileged flag is set to false")
return i
}
func SecurityOptCheck(srv ServiceConfig) *Issue {
i := &Issue{}
if srv.SecOpts == nil {
i.Fatal()
i.Messages = append(i.Messages, "set no-new-privileges=true on the service security_opts")
return i
}
for _, opt := range *srv.SecOpts {
if strings.EqualFold(opt, PRIVILEGE_OPT) {
i.Passed()
i.Messages = append(i.Messages, "security option are safe")
return i
}
}
i.Fatal()
i.Messages = append(i.Messages, "set no-new-privileges=true on the container security_opts")
return i
}
func PortCheck(srv ServiceConfig) ([]*Issue, error) {
il := []*Issue{}
if srv.Ports == nil {
i := &Issue{}
i.Passed()
i.Messages = append(i.Messages, "no ports exposed")
il = append(il, i)
return il, nil
}
for _, prt := range *srv.Ports {
i := &Issue{}
m, err := regexp.Match(`^[0-9]*:[0-9]*`, []byte(prt))
if err != nil {
return nil, err
}
if m {
i.Fatal()
i.Messages = append(i.Messages, fmt.Sprintf("%s is fully exposed", prt))
il = append(il, i)
continue
}
m2, err := regexp.Match(IM_SO_SORRY, []byte(prt))
if err != nil {
return nil, err
}
if m2 {
i.Passed()
i.Messages = append(i.Messages, fmt.Sprintf("%s is safe", prt))
il = append(il, i)
continue
} else {
i.Warning()
i.Messages = append(i.Messages, fmt.Sprintf("unable to parse port configuration for %s", prt))
il = append(il, i)
continue
}
}
return il, nil
}
func UserCheck(srv ServiceConfig) (*Issue, error) {
i := &Issue{}
if srv.User == nil {
i.Warning()
i.Messages = append(i.Messages, "no user is specified in the compose file")
return i, nil
}
mtch, err := regexp.Match("[0-9]*:[0-9]*", []byte(*srv.User))
if err != nil {
return nil, err
}
if mtch {
if strings.EqualFold(ROOT_USER_GROUP, *srv.User) {
i.Fatal()
i.Messages = append(i.Messages, "a root user set in the compose file")
} else {
i.Passed()
i.Messages = append(i.Messages, "user configuration is safe")
}
return i, nil
} else {
users := strings.Split(*srv.User, ":")
if len(users) != 2 {
i.Fatal()
i.Messages = append(i.Messages, "user value seems misconfigured, check compose file")
return i, nil
}
//shoutouts and/or blame should go to: https://regex101.com/ -- seems like a cool tool, but time will tell
leftUser, err := regexp.Match(`(?m)\${{\s*(vars|secrets)\..*}}`, []byte(users[0]))
if err != nil {
return nil, err
}
rightUser, err := regexp.Match(`(?m)\${{\s*(vars|secrets)\..*}}`, []byte(users[1]))
if err != nil {
return nil, err
}
if leftUser && rightUser {
i.Passed()
i.Messages = append(i.Messages, "user configuration is safe")
return i, nil
}
if leftUser {
if strings.EqualFold(users[1], ROOT_GROUP) {
i.Warning()
i.Messages = append(i.Messages, "a root user is present in configuration")
} else {
i.Passed()
i.Messages = append(i.Messages, "user configuration is safe")
}
return i, nil
}
if rightUser {
if strings.EqualFold(users[0], ROOT_USER) {
i.Warning()
i.Messages = append(i.Messages, "a root user is present in configuration")
} else {
i.Passed()
i.Messages = append(i.Messages, "user configuration is safe")
}
return i, nil
}
}
i.Fatal()
i.Messages = append(i.Messages, "unable to parse user configuration")
return i, nil
}
func PolicyCheck(srv ServiceConfig) *Issue {
i := &Issue{}
if srv.Deploy != nil {
if srv.Deploy.Policy != nil {
if srv.Deploy.Policy.Condition != nil {
if srv.Deploy.Policy.MaxAttempts != nil {
i.Passed()
i.Messages = append(i.Messages, "restart policy configuration is safe")
return i
} else {
i.Warning()
i.Messages = append(i.Messages, "no max_attempts value set on restart policy container could death loop")
return i
}
} else {
i.Fatal()
i.Messages = append(i.Messages, "no restart condition is set on the container")
return i
}
} else {
i.Fatal()
i.Messages = append(i.Messages, "no restart policy is set on the container")
return i
}
}
i.Fatal()
i.Messages = append(i.Messages, "no restart policy is set on the container")
return i
}
Reference in New Issue View Git Blame Copy Permalink