Refactor whitelist handling. (#559)

Also speed up stage deletion.
2019-02-13 11:17:56 -06:00 · 2019-02-13 11:17:56 -06:00 · 877abd30ed
parent 8179c47f0d
commit 877abd30ed
4 changed files with 67 additions and 48 deletions
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@ -71,12 +71,5 @@ const (
 	Dockerignore = ".dockerignore"
 )
 // KanikoBuildFiles is the list of files required to build kaniko
 var KanikoBuildFiles = []string{"/kaniko/executor",
 	"/kaniko/ssl/certs/ca-certificates.crt",
 	"/kaniko/docker-credential-gcr",
 	"/kaniko/docker-credential-ecr-login",
 	"/kaniko/.docker/config.json"}
 // ScratchEnvVars are the default environment variables needed for a scratch image.
 var ScratchEnvVars = []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}
--- a/pkg/snapshot/snapshot.go
+++ b/pkg/snapshot/snapshot.go
@ -183,11 +183,7 @@ func (s *Snapshotter) TakeSnapshotFS() (string, error) {
 	timer = timing.Start("Writing tar file")
 	// Now create the tar.
 	for path := range memFs {
-		whitelisted, err := util.CheckWhitelist(path)
+		if util.CheckWhitelist(path) {
 		if err != nil {
 			return "", err
 		}
 		if whitelisted {
 			logrus.Debugf("Not adding %s to layer, as it's whitelisted", path)
 			continue
 		}
--- a/pkg/util/fs_util.go
+++ b/pkg/util/fs_util.go
@ -130,14 +130,17 @@ func GetFSFromImage(root string, img v1.Image) ([]string, error) {
 func DeleteFilesystem() error {
 	logrus.Info("Deleting filesystem...")
 	return filepath.Walk(constants.RootDir, func(path string, info os.FileInfo, _ error) error {
-		whitelisted, err := CheckWhitelist(path)
+		if CheckWhitelist(path) {
-		if err != nil {
+			if info.IsDir() {
-			return err
+				return filepath.SkipDir
-		}
+			}
 		if whitelisted || ChildDirInWhitelist(path, constants.RootDir) {
 			logrus.Debugf("Not deleting %s, as it's whitelisted", path)
 			return nil
 		}
 		if childDirInWhitelist(path) {
 			logrus.Debugf("Not deleting %s, as it contains a whitelisted path", path)
 			return nil
 		}
 		if path == constants.RootDir {
 			return nil
 		}
@ -146,16 +149,9 @@ func DeleteFilesystem() error {
 }
 // ChildDirInWhitelist returns true if there is a child file or directory of the path in the whitelist
-func ChildDirInWhitelist(path, directory string) bool {
+func childDirInWhitelist(path string) bool {
 	for _, d := range constants.KanikoBuildFiles {
 		dirPath := filepath.Join(directory, d)
 		if HasFilepathPrefix(dirPath, path, false) {
 			return true
 		}
 	}
 	for _, d := range whitelist {
-		dirPath := filepath.Join(directory, d.Path)
+		if HasFilepathPrefix(d.Path, path, d.PrefixMatchOnly) {
 		if HasFilepathPrefix(dirPath, path, d.PrefixMatchOnly) {
 			return true
 		}
 	}
@ -190,11 +186,12 @@ func extractFile(dest string, hdr *tar.Header, tr io.Reader) error {
 	uid := hdr.Uid
 	gid := hdr.Gid
-	whitelisted, err := CheckWhitelist(path)
+	abs, err := filepath.Abs(path)
 	if err != nil {
 		return err
 	}
-	if whitelisted && !checkWhitelistRoot(dest) {
+
 	if CheckWhitelist(abs) && !checkWhitelistRoot(dest) {
 		logrus.Debugf("Not adding %s because it is whitelisted", path)
 		return nil
 	}
@ -245,11 +242,11 @@ func extractFile(dest string, hdr *tar.Header, tr io.Reader) error {
 	case tar.TypeLink:
 		logrus.Debugf("link from %s to %s", hdr.Linkname, path)
-		whitelisted, err := CheckWhitelist(hdr.Linkname)
+		abs, err := filepath.Abs(hdr.Linkname)
 		if err != nil {
 			return err
 		}
-		if whitelisted {
+		if CheckWhitelist(abs) {
 			logrus.Debugf("skipping symlink from %s to %s because %s is whitelisted", hdr.Linkname, path, hdr.Linkname)
 			return nil
 		}
@ -299,19 +296,14 @@ func IsInWhitelist(path string) bool {
 	return false
 }
-func CheckWhitelist(path string) (bool, error) {
+func CheckWhitelist(path string) bool {
 	abs, err := filepath.Abs(path)
 	if err != nil {
 		logrus.Infof("unable to get absolute path for %s", path)
 		return false, err
 	}
 	for _, wl := range whitelist {
-		if HasFilepathPrefix(abs, wl.Path, wl.PrefixMatchOnly) {
+		if HasFilepathPrefix(path, wl.Path, wl.PrefixMatchOnly) {
-			return true, nil
+			return true
 		}
 	}
-	return false, nil
+	return false
 }
 func checkWhitelistRoot(root string) bool {
@ -379,11 +371,7 @@ func RelativeFiles(fp string, root string) ([]string, error) {
 		if err != nil {
 			return err
 		}
-		whitelisted, err := CheckWhitelist(path)
+		if CheckWhitelist(path) && !HasFilepathPrefix(path, root, false) {
 		if err != nil {
 			return err
 		}
 		if whitelisted && !HasFilepathPrefix(path, root, false) {
 			return nil
 		}
 		if err != nil {
--- a/pkg/util/fs_util_test.go
+++ b/pkg/util/fs_util_test.go
@ -227,10 +227,7 @@ func Test_CheckWhitelist(t *testing.T) {
 				whitelist = original
 			}()
 			whitelist = tt.args.whitelist
-			got, err := CheckWhitelist(tt.args.path)
+			got := CheckWhitelist(tt.args.path)
 			if err != nil {
 				t.Fatalf("error checking whitelist: %v", err)
 			}
 			if got != tt.want {
 				t.Errorf("CheckWhitelist() = %v, want %v", got, tt.want)
 			}
@ -596,3 +593,48 @@ func TestCopySymlink(t *testing.T) {
 		})
 	}
 }
 func Test_childDirInWhitelist(t *testing.T) {
 	type args struct {
 		path      string
 		whitelist []WhitelistEntry
 	}
 	tests := []struct {
 		name string
 		args args
 		want bool
 	}{
 		{
 			name: "not in whitelist",
 			args: args{
 				path: "/foo",
 			},
 			want: false,
 		},
 		{
 			name: "child in whitelist",
 			args: args{
 				path: "/foo",
 				whitelist: []WhitelistEntry{
 					{
 						Path: "/foo/bar",
 					},
 				},
 			},
 			want: true,
 		},
 	}
 	oldWhitelist := whitelist
 	defer func() {
 		whitelist = oldWhitelist
 	}()
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			whitelist = tt.args.whitelist
 			if got := childDirInWhitelist(tt.args.path); got != tt.want {
 				t.Errorf("childDirInWhitelist() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }