Feature: validate profile file content

tuxerrante · May 10, 2023 · 15da4e4 · 15da4e4
1 parent 689fa39
commit 15da4e4
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -46,13 +46,16 @@ helm upgrade kapparmor --install --atomic --timeout 120s --debug --set image.tag
 ```
 
 ## Known limitations
-- Profiles names are checked on the first line, so if there is some include before that would fail
-- Profile names have to start with 'custom.' and to be equal as the filename containing it
-- There could be issues if you start the daemonsets on "dirty" nodes, where some old custom profiles were left after stopping or uninstalling Kapparmor. E.g: you stop the pods and then redeploy the app with an empty profiles configmap without removing the previous custom profiles: Kapparmor will try to remove the old profiles but it could fail since there is no definition of them anymore.
+- Constraint: Profiles are validated on the "`profile`" keyword presence before of a opening curly bracket `{`.  
+  It must be a [unattached profiles](https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-apparmor-profiles.html#sec-apparmor-profiles-types-unattached).
+- Profile names have to start with 'custom.' and to be equal as the filename containing it.
+- There could be issues if you start the daemonsets on "dirty" nodes, where some old custom profiles were left after stopping or uninstalling Kapparmor.  
+  E.G: By default if you delete a pod all the profiles should be automatically deleted from that node, but the app crashes during the process. 
+
 - Not a limitation relative to this project, but if you deny write access in the /bin folder of a privileged container it could not be deleted by Kubernetes even after 'kubectl delete'. The command will succeed but the pod will stay in Terminating state.
 
 ## ToDo:
-- 🌱 Intercept Term signal and uninstall profiles before the Helm chart deletion completes.
+- [X] Intercept Term signal and uninstall profiles before the Helm chart deletion completes.
 - ⚠️ Implement the [controller-runtime](https://pkg.go.dev/sigs.k8s.io/controller-runtime#section-readme) design pattern through [Kubebuilder](https://book.kubebuilder.io/quick-start.html).
 - 😁 Find funnier quotes for app starting and ending message (David Zucker, Monty Python, Woody Allen...).
 - 🌱 Make the ticker loop thread safe: skip running a new loop if previous run is still ongoing.

diff --git a/charts/kapparmor/Chart.yaml b/charts/kapparmor/Chart.yaml
@@ -7,7 +7,7 @@ kubeVersion: ">= 1.23.0-0"
 
 # Respect spaces and double quotes since this will be validated by the build-app script.
 version: "0.1.3"
-appVersion: "0.1.4"
+appVersion: "0.1.5"
 
 keywords:
   - kubernetes

diff --git a/config/config b/config/config
@@ -1,2 +1,2 @@
-APP_VERSION=0.1.4
+APP_VERSION=0.1.5
 CHART_VERSION=0.1.3
diff --git a/go/src/app/filesystemOperations.go b/go/src/app/filesystemOperations.go
@@ -168,6 +168,16 @@ func IsProfileNameCorrect(directory, filename string) error {
 	}
 	scanner := bufio.NewScanner(fileReader)
 
+	// Validate the syntax
+	// the first index of a curly bracket should be greater than the first occurrence of "profile"
+	fileBytes, err := os.ReadFile(path.Join(directory, filename))
+	checkFatal(err)
+	profileIndex := bytes.Index(fileBytes, []byte("profile"))
+	curlyBracketIndex := bytes.Index(fileBytes, []byte("{"))
+	if curlyBracketIndex < 0 || curlyBracketIndex < profileIndex {
+		return errors.New("couldn't find a { after 'profile' keyword")
+	}
+
 	// Search for line starting with 'profile' word
 	for scanner.Scan() {
 		fileLine := scanner.Text()