99 "encoding/base64"
1010 "encoding/json"
1111 "fmt"
12- "strconv"
1312 "strings"
1413 "syscall"
1514
@@ -102,6 +101,14 @@ func (a stringSet) intersect(b stringSet) stringSet {
102101
103102type inputData map [string ]interface {}
104103
104+ func isValidJsonObject (input string ) bool {
105+ type emptyStruct = struct {}
106+
107+ var body emptyStruct
108+ err := json .Unmarshal ([]byte (input ), & body )
109+ return err == nil
110+ }
111+
105112func createRegoEnforcer (base64EncodedPolicy string ,
106113 defaultMounts []oci.Mount ,
107114 privilegedMounts []oci.Mount ,
@@ -114,89 +121,15 @@ func createRegoEnforcer(base64EncodedPolicy string,
114121 return nil , fmt .Errorf ("unable to decode policy from Base64 format: %w" , err )
115122 }
116123
117- // Try to unmarshal the JSON
118-
119- var code string
120- securityPolicy := new (SecurityPolicy )
121- err = json .Unmarshal (rawPolicy , securityPolicy )
122- if err == nil {
123- if securityPolicy .AllowAll {
124- return createOpenDoorEnforcer (base64EncodedPolicy , defaultMounts , privilegedMounts , maxErrorMessageLength )
125- }
126-
127- if osType == "linux" {
128- containers := make ([]* Container , securityPolicy .Containers .Length )
129- for i := 0 ; i < securityPolicy .Containers .Length ; i ++ {
130- index := strconv .Itoa (i )
131- cConf , ok := securityPolicy .Containers .Elements [index ]
132- if ! ok {
133- return nil , fmt .Errorf ("container constraint with index %q not found" , index )
134- }
135- cConf .AllowStdioAccess = true
136- cConf .NoNewPrivileges = false
137- cConf .User = UserConfig {
138- UserIDName : IDNameConfig {Strategy : IDNameStrategyAny },
139- GroupIDNames : []IDNameConfig {{Strategy : IDNameStrategyAny }},
140- Umask : "0022" ,
141- }
142- cConf .SeccompProfileSHA256 = ""
143- containers [i ] = & cConf
144- }
145-
146- code , err = osAwareMarshalRego (
147- securityPolicy .AllowAll ,
148- containers ,
149- nil ,
150- osType ,
151- []ExternalProcessConfig {},
152- []FragmentConfig {},
153- true ,
154- true ,
155- true ,
156- false ,
157- true ,
158- false ,
159- )
160- if err != nil {
161- return nil , fmt .Errorf ("error marshaling the policy to Rego: %w" , err )
162- }
163- } else if osType == "windows" {
164- windows_containers := make ([]* WindowsContainer , securityPolicy .Containers .Length )
165- for i := 0 ; i < securityPolicy .Containers .Length ; i ++ {
166- index := strconv .Itoa (i )
167- cConf , ok := securityPolicy .WindowsContainers .Elements [index ]
168- if ! ok {
169- return nil , fmt .Errorf ("container constraint with index %q not found" , index )
170- }
171- cConf .AllowStdioAccess = true
172- windows_containers [i ] = & cConf
173- }
174-
175- code , err = osAwareMarshalRego (
176- securityPolicy .AllowAll ,
177- nil ,
178- windows_containers ,
179- osType ,
180- []ExternalProcessConfig {},
181- []FragmentConfig {},
182- true ,
183- true ,
184- true ,
185- false ,
186- true ,
187- false ,
188- )
189- if err != nil {
190- return nil , fmt .Errorf ("error marshaling the policy to Rego: %w" , err )
191- }
192- }
193- } else {
194- // this is either a Rego policy or malformed JSON
195- code = string (rawPolicy )
196- }
197-
198- regoPolicy , err := newRegoPolicy (code , defaultMounts , privilegedMounts , osType )
124+ code := string (rawPolicy )
125+ regoPolicy , err := newRegoPolicy (code , defaultMounts , privilegedMounts )
199126 if err != nil {
127+ if isValidJsonObject (code ) {
128+ // Return an user-friendly error message if we get a JSON policy.
129+ // Previously such policy was supported, but we currently only
130+ // support Rego.
131+ return nil , fmt .Errorf ("JSON policy is not supported." )
132+ }
200133 return nil , fmt .Errorf ("error creating Rego policy: %w" , err )
201134 }
202135 regoPolicy .base64policy = base64EncodedPolicy
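Review bot: The `isValidJsonObject(code)` branch discards the underlying `newRegoPolicy` error, so a caller who receives "JSON policy is not supported." learns nothing about why the Rego parse failed, and the message ends in a period and is built with `fmt.Errorf` without any verbs; wrapping keeps the cause while staying friendly, `return nil, fmt.Errorf("JSON policy is no longer supported, only Rego policies are accepted: %w", err)`. Note that this hunk is also a behaviour change worth calling out in the description: the removed code turned a JSON policy with `AllowAll` into an open-door enforcer, whereas the new code fails closed at enforcer creation for any JSON object, which is the safer default but will break any deployment still shipping a JSON policy. Neither error path echoes the decoded policy text, which is the right choice since the policy is attacker-adjacent input. `createRegoEnforcer` continues past the end of this hunk.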