feat: define environment variable for docker hub namespace restrictions

Author: lbarberi1927

.env

@@ -41,5 +41,6 @@ GOOGLE_ARTIFACT_UPLOADER_KEY_FILE=anymal-grand-tour-3b7a5d0c8ef4.json
 # can be left empty if you don't want to use docker hub
 DOCKER_HUB_USERNAME=
 DOCKER_HUB_PASSWORD=
+VITE_DOCKER_HUB_NAMESPACE=
 
 ARTIFACTS_UPLOADER_IMAGE=rslethz/grandtour-datasets:artifact-uploader-latest

backend/src/services/action.service.ts

@@ -100,11 +100,16 @@ export class ActionService {
         data: CreateTemplateDto,
         auth: AuthHeader,
     ): Promise<ActionTemplateDto> {
-        //if (!data.dockerImage.startsWith('rslethz/')) {
-        //    throw new ConflictException(
-        //        'Only images from the rslethz namespace are allowed',
-        //    );
-        //}
+        const dockerhub_namespace = process.env['VITE_DOCKER_HUB_NAMESPACE'];
+        // assert that we only run images from a specified namespace
+        if (
+            dockerhub_namespace !== undefined &&
+            !data.dockerImage.startsWith(dockerhub_namespace)
+        ) {
+            throw new ConflictException(
+                `Only images from the ${dockerhub_namespace} namespace are allowed`,
+            );
+        }
         const exists = await this.actionTemplateRepository.exists({
             where: {
                 name: data.name,

common/environment.ts

@@ -190,4 +190,12 @@ export default {
     get VITE_USE_FAKE_OAUTH_FOR_DEVELOPMENT(): boolean {
         return asBoolean(process.env['VITE_USE_FAKE_OAUTH_FOR_DEVELOPMENT']);
     },
+
+    /**
+     * @returns Docker Hub namespace for image validation (optional)
+     * @example rslethz/
+     */
+    get DOCKER_HUB_NAMESPACE(): string {
+        return process.env['VITE_DOCKER_HUB_NAMESPACE'] ?? '';
+    },
 };

frontend/src/components/action-configuration.vue

@@ -515,16 +515,20 @@ async function submitAnalysis() {
         });
         return;
     }
-    //if (!editingTemplate.value.imageName.startsWith('rslethz/')) {
-    //    Notify.create({
-    //        group: false,
-    //        message: 'The image name must start with "rslethz/"',
-    //        color: 'negative',
-    //        position: 'bottom',
-    //        timeout: 2000,
-    //    });
-    //    return;
-    //}
+    const dockerhubNamespace = import.meta.env.VITE_DOCKER_HUB_NAMESPACE;
+    if (
+        dockerhubNamespace &&
+        !editingTemplate.value.imageName.startsWith(`${dockerhubNamespace}`)
+    ) {
+        Notify.create({
+            group: false,
+            message: `The image name must start with "${dockerhubNamespace}/"`,
+            color: 'negative',
+            position: 'bottom',
+            timeout: 2000,
+        });
+        return;
+    }
 
     // post: the input should be valid now
     let template = editingTemplate.value;

queueConsumer/src/actions/services/docker-daemon.service.ts

@@ -303,12 +303,16 @@ export class DockerDaemon {
 
     @tracing()
     private async getImage(dockerImage: string) {
-        // assert that we only run rslethz images
-        //if (!dockerImage.startsWith('rslethz/')) {
-        //    throw new Error(
-        //        'Only images from the rslethz organization are allowed',
-        //    );
-        //}
+        const dockerhub_namespace = process.env['VITE_DOCKER_HUB_NAMESPACE'];
+        // assert that we only run images from a specified namespace
+        if (
+            dockerhub_namespace !== undefined &&
+            !dockerImage.startsWith(dockerhub_namespace)
+        ) {
+            throw new Error(
+                `Only images from the ${dockerhub_namespace} namespace are allowed`,
+            );
+        }
 
         // check if docker socket is available
         if (!this.docker || !(await this.docker.ping())) {