Use unified configfile parser for policy.json#711
Conversation
github-actions
Bot
added
common
|
@Luap99 , Hi, could you please check if this PR makes a sense? I also added two questions for parts of code I'm not sure about... |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
Just an extremely brief skim.
jankaluza
changed the title
Luap99
left a comment
Luap99
left a comment
There was a problem hiding this comment.
it would be good to if you can squash the re-add SignaturePolicyPath commits, i.e when reviewing this it makes no sense to look at something getting remove to be added again. It also break git bisect most likely when vendoring from another repo.
| } | ||
|
|
||
| if conf.EnvironmentName != "" { | ||
| if conf.EnvironmentName != "" && !conf.DoNotLoadDropInFiles { |
There was a problem hiding this comment.
please add a new test case here for that behavior
There was a problem hiding this comment.
And document that behavior! It’s rather unexpected based on plain reading of the current option (although there is some logic to it).
Probably not, but maybe we’d want s/DoNotLoadDropInFiles/DropInFilesUnsupported/ ?!
There was a problem hiding this comment.
I am in favour of naming it DropInFilesUnsupported, though then I guess we would want to rename DoNotLoadMainFiles as well to MainFilesUnsupported? I suppose we could rename that outside of the scope of this PR if wanted.
There was a problem hiding this comment.
I kind of think of them as different dimensions: “do not load a file at $this path” is more of a directive vs. “the consumer cannot process multiple drop-ins regardless of names” is more of a capability declaration, but that’s a very weak reasoning.
I’m also quite fine with leaving the name as is.
There was a problem hiding this comment.
I would remove that in another PR if possible to not add more unrelated changes to this one if that's fine for you. I added the documentation part, that's good point :-).
| } | ||
|
|
||
| if conf.EnvironmentName != "" { | ||
| if conf.EnvironmentName != "" && !conf.DoNotLoadDropInFiles { |
There was a problem hiding this comment.
And document that behavior! It’s rather unexpected based on plain reading of the current option (although there is some logic to it).
Probably not, but maybe we’d want s/DoNotLoadDropInFiles/DropInFilesUnsupported/ ?!
jankaluza
force-pushed
the
policy.json
branch
3 times, most recently
from
89fd676 to
d9da724
Compare
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
I didn’t carefully read the added tests or think about coverage, I’m hoping for a simpler version first.
There are also a bunch of earlier outstanding review comments.
| // Expected ENOENT errors are already ignored in this function and must not be handled again by callers. | ||
| // The given File options must not be nil and populated with valid options. | ||
| // | ||
| // The _OVERRIDE environment is ignored if DoNotLoadDropInFiles is set. |
There was a problem hiding this comment.
This does not talk about _OVERRIDE so this is a bit of an unexpected place to suddenly go into this detail.
OTOH the EnvironmentName field does not document _OVERRIDE, and I think it should. That might also be a place to add that note.
There was a problem hiding this comment.
This comment is still open, documenting this behavior on the function comment feels odd and duplicated. Having it as part of the struct field comments seem enough.
|
Packit jobs failed. @containers/packit-build please check. |
Luap99
left a comment
Luap99
left a comment
There was a problem hiding this comment.
(commit 3 should be squashed into commit 1 and that one needs WIP stripped)
|
@Luap99 , yeah, I will squash the commits before merge. |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
Sure, the ErrorIfNotFound approach is (given the signature-side test) fine. We can rework storage/configfile as needed. ACK overall.
Some outstanding nits:
- #711 (comment) (that would not have test coverage, that’s fine)
- #711 (comment)
- #711 (comment)
- #711 (comment)
- please squash, per @Luap99 .
jankaluza
force-pushed
the
policy.json
branch
2 times, most recently
from
f3af7ae to
8aed54b
Compare
| // Expected ENOENT errors are already ignored in this function and must not be handled again by callers. | ||
| // The given File options must not be nil and populated with valid options. | ||
| // | ||
| // The _OVERRIDE environment is ignored if DoNotLoadDropInFiles is set. |
There was a problem hiding this comment.
This comment is still open, documenting this behavior on the function comment feels odd and duplicated. Having it as part of the struct field comments seem enough.
jankaluza
force-pushed
the
policy.json
branch
2 times, most recently
from
5a468c3 to
c9bb623
Compare
|
@Luap99 , I fixed the issues you've pointed out. |
|
I have not checked buildah. I'll do that first thing tomorrow morning. |
|
@Luap99, I've added one more commit. |
|
| } | ||
|
|
||
| if conf.ErrorIfNotFound && !foundAny { | ||
| yield(nil, fmt.Errorf("%w: no %s file found; searched paths: %q", ErrConfigFileNotFound, configFileName, usedPaths)) |
There was a problem hiding this comment.
I’m not asking for any change, just noting the possibility: If you want ErrConfigFileNotFound to be used without using any part of its error text, it is possible to use %.0w with Errorf.
| By default, the policy is read from `$XDG_CONFIG_HOME/containers/policy.json` (or from `$HOME/.config/containers/policy.json` if `$XDG_CONFIG_HOME` is unset), if it exists; otherwise from `/etc/containers/policy.json`; otherwise from `/usr/share/containers/policy.json`. Applications performing verification may allow using a different policy instead. | ||
|
|
||
| If `CONTAINERS_POLICY_JSON` is set, it specifies the policy file to use, | ||
| unless overridden by application-specific configuration. |
There was a problem hiding this comment.
(Absolutely non-blocking: This works fine.
“the policy is read from $CONTAINERS_POLICY_JSON if set; otherwise from $HOME … ; … /usr/share…. Applications … may allow using a different policy instead” might be a simpler way to say the same thing, representing this as a single linear order, and not repeating the application-specific part.
Also, pre-existing, maybe s/may allow using/may choose to use.)
|
@mtrmac , thanks for the review. I've fixed the blocking lint issue. |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
Thanks, LGTM for this repo.
Are the unknowns in containers/podman#28508 resolved enough that we don’t need to block here? If so, please go ahead and merge.
|
@mheon is working on a clean container-libs@main vendor in podman right now, we should wait for that before merging here as there are test fixes we need to land first. Also this PR has not been rebased onto main in a while, if you force push it is best to always rebase against upstream main to avoid any unexpected issues post merge (stuff that does not show up as git conflict). I don't think there is anything to worry about here but it is a good habit to rebase. |
|
Right — I don’t think there is anything either, but I think we did find the old base causing a Buildah test failure. |
Replace custom path resolution with configfile.Read and remove legacy SignaturePolicyPath defaults and helpers. Fixes: containers#207 Fixes: containers#202 Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
This commit introduces `File.ErrorIfNotFound`. If it is true, the Read returns an error which contains all the paths it tried when searching for a config file. It uses this in DefaultPolicy() to include the searched paths in the error message when no policy file is found. The useless policy_paths_*.go files are removed. Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
Return an error if multiple policy files are encountered, which should not happen with configfile.Read. Update tests to use full Policy comparisons and cover nil/empty SystemContext cases. Clarify CONTAINERS_POLICY_JSON and *_OVERRIDE behavior in docs. Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
Introduce ErrConfigFileNotFound error. This can be used by API caller to detect the File not found error and handle this situation. Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
|
Rebased. |
|
Please update your podman/buildah PRs with the code from main to unblock others. |
3 participants
This PR switches
policy.jsonloading to the unifiedstorage/pkg/configfileparser instead of maintaining separate lookup logic in image/signature.The
SignaturePolicyPathsupport is preserved, so explicit callers continue to work as before. The policy loader also now uses CONTAINERS_POLICY_JSON for environment-based override. TheCONTAINERS_POLICY_JSON_OVERRIDEremains ignored for policy.json because drop-in loading is disabled for that this configuration file.It also extends the
configfileAPI to return the paths it searched. This is showed to users when there is no policy.json found.Fixes: #207
Fixes: #202