refactor(stack): stack build process backend only [EE-4342] (#7750)

api/stacks/stackutils/gitops.go

@@ -0,0 +1,47 @@
+package stackutils
+
+import (
+	"fmt"
+
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	gittypes "github.com/portainer/portainer/api/git/types"
+)
+
+var (
+	ErrStackAlreadyExists     = errors.New("A stack already exists with this name")
+	ErrWebhookIDAlreadyExists = errors.New("A webhook ID already exists")
+	ErrInvalidGitCredential   = errors.New("Invalid git credential")
+)
+
+// DownloadGitRepository downloads the target git repository on the disk
+// The first return value represents the commit hash of the downloaded git repository
+func DownloadGitRepository(stackID portainer.StackID, config gittypes.RepoConfig, gitService portainer.GitService, fileService portainer.FileService) (string, error) {
+	username := ""
+	password := ""
+	if config.Authentication != nil {
+		username = config.Authentication.Username
+		password = config.Authentication.Password
+	}
+
+	stackFolder := fmt.Sprintf("%d", stackID)
+	projectPath := fileService.GetStackProjectPath(stackFolder)
+
+	err := gitService.CloneRepository(projectPath, config.URL, config.ReferenceName, username, password)
+	if err != nil {
+		if err == gittypes.ErrAuthenticationFailure {
+			newErr := ErrInvalidGitCredential
+			return "", newErr
+		}
+
+		newErr := fmt.Errorf("unable to clone git repository: %w", err)
+		return "", newErr
+	}
+
+	commitID, err := gitService.LatestCommitID(config.URL, config.ReferenceName, username, password)
+	if err != nil {
+		newErr := fmt.Errorf("unable to fetch git repository id: %w", err)
+		return "", newErr
+	}
+	return commitID, nil
+}

api/stacks/stackutils/util.go

@@ -0,0 +1,39 @@
+package stackutils
+
+import (
+	"fmt"
+	"regexp"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/filesystem"
+)
+
+func UserIsAdminOrEndpointAdmin(user *portainer.User, endpointID portainer.EndpointID) (bool, error) {
+	isAdmin := user.Role == portainer.AdministratorRole
+
+	return isAdmin, nil
+}
+
+// GetStackFilePaths returns a list of file paths based on stack project path
+func GetStackFilePaths(stack *portainer.Stack, absolute bool) []string {
+	if !absolute {
+		return append([]string{stack.EntryPoint}, stack.AdditionalFiles...)
+	}
+
+	var filePaths []string
+	for _, file := range append([]string{stack.EntryPoint}, stack.AdditionalFiles...) {
+		filePaths = append(filePaths, filesystem.JoinPaths(stack.ProjectPath, file))
+	}
+	return filePaths
+}
+
+// ResourceControlID returns the stack resource control id
+func ResourceControlID(endpointID portainer.EndpointID, name string) string {
+	return fmt.Sprintf("%d_%s", endpointID, name)
+}
+
+// convert string to valid kubernetes label by replacing invalid characters with periods
+func SanitizeLabel(value string) string {
+	re := regexp.MustCompile(`[^A-Za-z0-9\.\-\_]+`)
+	return re.ReplaceAllString(value, ".")
+}

api/stacks/stackutils/util_test.go

@@ -0,0 +1,26 @@
+package stackutils
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_GetStackFilePaths(t *testing.T) {
+	stack := &portainer.Stack{
+		ProjectPath: "/tmp/stack/1",
+		EntryPoint:  "file-one.yml",
+	}
+
+	t.Run("stack doesn't have additional files", func(t *testing.T) {
+		expected := []string{"/tmp/stack/1/file-one.yml"}
+		assert.ElementsMatch(t, expected, GetStackFilePaths(stack, true))
+	})
+
+	t.Run("stack has additional files", func(t *testing.T) {
+		stack.AdditionalFiles = []string{"file-two.yml", "file-three.yml"}
+		expected := []string{"/tmp/stack/1/file-one.yml", "/tmp/stack/1/file-two.yml", "/tmp/stack/1/file-three.yml"}
+		assert.ElementsMatch(t, expected, GetStackFilePaths(stack, true))
+	})
+}

api/stacks/stackutils/validation.go

@@ -0,0 +1,98 @@
+package stackutils
+
+import (
+	"time"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/docker/cli/cli/compose/loader"
+	"github.com/docker/cli/cli/compose/types"
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+)
+
+func IsValidStackFile(stackFileContent []byte, securitySettings *portainer.EndpointSecuritySettings) error {
+	composeConfigYAML, err := loader.ParseYAML(stackFileContent)
+	if err != nil {
+		return err
+	}
+
+	composeConfigFile := types.ConfigFile{
+		Config: composeConfigYAML,
+	}
+
+	composeConfigDetails := types.ConfigDetails{
+		ConfigFiles: []types.ConfigFile{composeConfigFile},
+		Environment: map[string]string{},
+	}
+
+	composeConfig, err := loader.Load(composeConfigDetails, func(options *loader.Options) {
+		options.SkipValidation = true
+		options.SkipInterpolation = true
+	})
+	if err != nil {
+		return err
+	}
+
+	for key := range composeConfig.Services {
+		service := composeConfig.Services[key]
+		if !securitySettings.AllowBindMountsForRegularUsers {
+			for _, volume := range service.Volumes {
+				if volume.Type == "bind" {
+					return errors.New("bind-mount disabled for non administrator users")
+				}
+			}
+		}
+
+		if !securitySettings.AllowPrivilegedModeForRegularUsers && service.Privileged == true {
+			return errors.New("privileged mode disabled for non administrator users")
+		}
+
+		if !securitySettings.AllowHostNamespaceForRegularUsers && service.Pid == "host" {
+			return errors.New("pid host disabled for non administrator users")
+		}
+
+		if !securitySettings.AllowDeviceMappingForRegularUsers && service.Devices != nil && len(service.Devices) > 0 {
+			return errors.New("device mapping disabled for non administrator users")
+		}
+
+		if !securitySettings.AllowSysctlSettingForRegularUsers && service.Sysctls != nil && len(service.Sysctls) > 0 {
+			return errors.New("sysctl setting disabled for non administrator users")
+		}
+
+		if !securitySettings.AllowContainerCapabilitiesForRegularUsers && (len(service.CapAdd) > 0 || len(service.CapDrop) > 0) {
+			return errors.New("container capabilities disabled for non administrator users")
+		}
+	}
+
+	return nil
+}
+
+func ValidateStackAutoUpdate(autoUpdate *portainer.StackAutoUpdate) error {
+	if autoUpdate == nil {
+		return nil
+	}
+	if autoUpdate.Webhook != "" && !govalidator.IsUUID(autoUpdate.Webhook) {
+		return errors.New("invalid Webhook format")
+	}
+	if autoUpdate.Interval != "" {
+		if _, err := time.ParseDuration(autoUpdate.Interval); err != nil {
+			return errors.New("invalid Interval format")
+		}
+	}
+	return nil
+}
+
+func ValidateStackFiles(stack *portainer.Stack, securitySettings *portainer.EndpointSecuritySettings, fileService portainer.FileService) error {
+	for _, file := range GetStackFilePaths(stack, false) {
+		stackContent, err := fileService.GetFileContent(stack.ProjectPath, file)
+		if err != nil {
+			return errors.Wrap(err, "failed to get stack file content")
+		}
+
+		err = IsValidStackFile(stackContent, securitySettings)
+		if err != nil {
+			return errors.Wrap(err, "stack config file is invalid")
+		}
+	}
+	return nil
+}

api/stacks/stackutils/validation_test.go

@@ -0,0 +1,42 @@
+package stackutils
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_ValidateStackAutoUpdate(t *testing.T) {
+	tests := []struct {
+		name    string
+		value   *portainer.StackAutoUpdate
+		wantErr bool
+	}{
+		{
+			name:    "webhook is not a valid UUID",
+			value:   &portainer.StackAutoUpdate{Webhook: "fake-webhook"},
+			wantErr: true,
+		},
+		{
+			name:    "incorrect interval value",
+			value:   &portainer.StackAutoUpdate{Interval: "1dd2hh3mm"},
+			wantErr: true,
+		},
+		{
+			name: "valid auto update",
+			value: &portainer.StackAutoUpdate{
+				Webhook:  "8dce8c2f-9ca1-482b-ad20-271e86536ada",
+				Interval: "5h30m40s10ms",
+			},
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ValidateStackAutoUpdate(tt.value)
+			assert.Equalf(t, tt.wantErr, err != nil, "received %+v", err)
+		})
+	}
+}