validation

package
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 7, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	Dns1123LabelFmt string = `[a-z0-9]([-a-z0-9]*[a-z0-9])?`

	DNS1123MaxLength int = 253

	HostnameOrFQDNFmt string = `(` + Dns1123LabelFmt + `\.)*` + hostnameOrFQDNLastLabelFmt
)
View Source 
const (
	OciImageDomainFmt          string = ociDomainCompFmt + `(?:[.]` + ociDomainCompFmt + `)*` + `(?::[0-9]+)?`
	OciImageNameFmt            string = `(?:` + OciImageDomainFmt + `\/)?` + ociNameCompFmt + `(?:\/` + ociNameCompFmt + `)*`
	OciImageTagFmt             string = `[\w][\w.-]{0,127}`
	OciImageDigestFmt          string = `[A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}`
	OciImageReferenceFmt       string = `(` + OciImageNameFmt + `)(?:\:(` + OciImageTagFmt + `))?(?:\@(` + OciImageDigestFmt + `))?`
	OciImageReferenceMaxLength int    = 2048

	// short names (nginx:latest) are forbidden with strict mode
	StrictOciImageNameFmt      string = OciImageDomainFmt + `\/` + ociNameCompFmt + `(?:\/` + ociNameCompFmt + `)*`
	StrictOciImageReferenceFmt string = `(` + StrictOciImageNameFmt + `)(?:\:(` + OciImageTagFmt + `))?(?:\@(` + OciImageDigestFmt + `))?`

	// OCI image reference with a templated tag and optional digest:
	// <name> ":" <templatedTag> [ "@" <digest> ]
	OciImageReferenceWithTemplatesFmt = `(` + OciImageNameFmt + `)(?:\:` + templatedTagFmt + `)(?:\@(` + OciImageDigestFmt + `))?`
)
View Source 
const (
	// as per https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names#naming-branches-and-tags
	GitRevisionFmt string = `[a-zA-Z0-9]([a-zA-Z0-9\.\-\_\/])*`
	// GitHub limits to 255 minus "refs/heads/"
	GitRevisionMaxLength int = 244
)
View Source 
const (
	// SystemD unit pattern supports all allowed formats for unit files and glob searches
	// This includes templated services (e.g., foo@.service, foo@bar.service)
	// and glob patterns (e.g., foo*.service, foo[0-9].service)
	SystemdNameFmt       string = `[0-9a-zA-Z:\-_.\\\[\]!\-\*\?]+(@[0-9a-zA-Z:\-_.\\\[\]!\-\*\?]+)?(\.[a-zA-Z\[\]!\-\*\?]+)?`
	SystemDNameMaxLength int    = 256 // SystemD unit names are limited to 256 characters
)

Variables

View Source 
var (
	GenericNameRegexp    = regexp.MustCompile("^" + Dns1123LabelFmt + "$")
	EnvVarNameRegexp     = regexp.MustCompile("^" + envVarNameFmt + "$")
	HostnameOrFQDNRegexp = regexp.MustCompile("^" + HostnameOrFQDNFmt + "$")
)
View Source 
var (
	OciImageReferenceRegexp              = regexp.MustCompile("^" + OciImageReferenceFmt + "$")
	StrictOciImageReferenceRegexp        = regexp.MustCompile("^" + StrictOciImageReferenceFmt + "$")
	OciImageReferenceWithTemplatesRegexp = regexp.MustCompile("^" + OciImageReferenceWithTemplatesFmt + "$")
)
View Source 
var (
	ErrForbiddenDevicePath = errors.New("forbidden device path")
)
View Source 
var ErrHardCodedContainerName = errors.New("hardcoded container_name")
View Source 
var GitRevisionRegexp = regexp.MustCompile("^" + GitRevisionFmt + "$")
View Source 
var SystemdNameRegexp = regexp.MustCompile("^" + SystemdNameFmt + "$")

Functions

func DenyForbiddenDevicePath added in v1.0.0 

func DenyForbiddenDevicePath(p string) error

DenyForbiddenDevicePath validates that the given device path does not target agent-managed or read-only directories/files that must not be written by config providers. Denied paths:

  • /var/lib/flightctl (and all subpaths)
  • /usr/lib/flightctl (and all subpaths)
  • /etc/flightctl/certs (and all subpaths)
  • /etc/flightctl/config.yaml (file itself)
  • /etc/flightctl/config.yml (file itself)

The check denies the exact file and the roots listed above and any subpath under those roots.

func FormatInvalidError added in v0.4.0 

func FormatInvalidError(input, path, errorMsg string) []error

func ValidateAnnotations 

func ValidateAnnotations(annotations *map[string]string) []error

ValidateAnnotations validates that a set of annotations are valid K8s annotations.

func ValidateBase64Field 

func ValidateBase64Field(s string, path string, maxLen int) []error

func ValidateBearerToken 

func ValidateBearerToken(token *string, path string) []error

func ValidateCSR 

func ValidateCSR(csr []byte) []error

func ValidateCSRUsages 

func ValidateCSRUsages(u *[]string) []error

func ValidateCSRWithTCGSupport added in v0.9.0 

func ValidateCSRWithTCGSupport(csr []byte) []error

func ValidateComposePaths added in v0.6.0 

func ValidateComposePaths(paths []string) error

func ValidateComposeSpec added in v0.6.0 

func ValidateComposeSpec(spec *common.ComposeSpec, opts ...SpecValidatorOpts) []error

ValidateComposeSpec verifies the ComposeSpec for common issues. Images are validated with strict reference checking unless overwritten with a SpecValidatorOpts

func ValidateExpirationSeconds 

func ValidateExpirationSeconds(e *int32) []error

TODO: this should log a warning if less than minExpirationSeconds using the configured logger

func ValidateFileOrDirectoryPath added in v0.4.0 

func ValidateFileOrDirectoryPath(s *string, path string) []error

func ValidateFilePath added in v0.3.0 

func ValidateFilePath(s *string, path string) []error

func ValidateGenericName 

func ValidateGenericName(name *string, path string) []error

func ValidateGitRevision 

func ValidateGitRevision(name *string, path string) []error

func ValidateHostnameOrFQDN added in v1.0.0 

func ValidateHostnameOrFQDN(name *string, path string) []error

func ValidateLabels 

func ValidateLabels(labels *map[string]string) []error

ValidateLabels validates that a set of labels are valid K8s labels.

func ValidateLabelsWithPath 

func ValidateLabelsWithPath(labels *map[string]string, path string) []error

ValidateLabelsWithPath validates that a set of labels are valid K8s labels, with fieldPath being the path to the label field.

func ValidateLinuxFileMode added in v0.3.0 

func ValidateLinuxFileMode(m *int, path string) []error

func ValidateLinuxUserGroup added in v0.3.0 

func ValidateLinuxUserGroup(s *string, path string) []error

func ValidateOciImageReference 

func ValidateOciImageReference(s *string, path string) []error

Validates an OCI image reference.

func ValidateOciImageReferenceStrict added in v0.6.0 

func ValidateOciImageReferenceStrict(s *string, path string) []error

Validates an OCI image reference in strict mode. This mode forbids short names (nginx:latest) and requires a domain name.

func ValidateOciImageReferenceWithTemplates added in v1.0.0 

func ValidateOciImageReferenceWithTemplates(s *string, path string) []error

Validates an OCI image reference that can contain template parameters.

func ValidateQuadletCrossReferences added in v1.0.0 

func ValidateQuadletCrossReferences(specs map[string]*common.QuadletReferences) []error

ValidateQuadletCrossReferences validates that all quadlet file references within an application actually exist in the application's defined files. This ensures that quadlet files don't reference other quadlet files that aren't part of the same application (since applications are namespaced).

func ValidateQuadletNames added in v1.0.0 

func ValidateQuadletNames(specs map[string]*common.QuadletReferences) []error

ValidateQuadletNames ensures custom quadlet names are unique.

func ValidateQuadletPaths added in v1.0.0 

func ValidateQuadletPaths(paths []string) error

ValidateQuadletPaths validates a list of paths for inline quadlet applications

func ValidateQuadletSpec added in v1.0.0 

func ValidateQuadletSpec(spec *common.QuadletReferences, path string, opts ...SpecValidatorOpts) []error

ValidateQuadletSpec verifies the Quadlet spec for common issues. Images are validated with strict reference checking unless overwritten with a SpecValidatorOpts

func ValidateRelativePath added in v0.6.0 

func ValidateRelativePath(s *string, path string, maxLength int) []error

func ValidateResourceName 

func ValidateResourceName(name *string) []error

ValidateResourceName validates that metadata.name is not empty and is a valid name in K8s.

func ValidateResourceNameReference added in v0.2.0 

func ValidateResourceNameReference(name *string, path string) []error

ValidateResourceRef validates that metadata.name is not empty and is a valid name in K8s.

func ValidateResourceOwner added in v0.6.0 

func ValidateResourceOwner(owner *string, kind *string) []error

ValidateResourceOwner validates that metadata.owner is not empty and is a valid reference.

func ValidateSignerName 

func ValidateSignerName(s string) []error

Currently every request is sent to the only signer, named "ca" and defined in cmd/flightctl-api/main.go

func ValidateStandaloneConfig added in v1.0.0 

func ValidateStandaloneConfig(config *standalone.Config) []error

func ValidateString 

func ValidateString(s *string, path string, minLen int, maxLen int, patternRegexp *regexp.Regexp, patternFmt string, patternExample ...string) []error

ValidateString validates that a string has a length between minLen and maxLen, and matches the provided pattern.

func ValidateStringMap added in v0.3.0 

func ValidateStringMap(m *map[string]string, path string, minLen int, maxLen int, keyPatternRegexp, valuePatternRegexp *regexp.Regexp, patternFmt string, patternExample ...string) []error

ValidateStringMap validates that the k,v elements in a map are correctly defined as a string.

func ValidateSystemdName added in v0.9.0 

func ValidateSystemdName(name *string, path string) []error

Types

type ComposePathType added in v0.6.0 

type ComposePathType int
const (
	InvalidCompose ComposePathType = iota
	BaseCompose
	OverrideCompose
)

type ImageValidationFn added in v1.0.2 

type ImageValidationFn func(*string, string) []error

ImageValidationFn defines a function for validating an image reference defined in an application's spec

type SpecValidatorOpts added in v1.0.2 

type SpecValidatorOpts func(*specValidatorOpts)

func WithSpecImageValidator added in v1.0.2 

func WithSpecImageValidator(fn ImageValidationFn) SpecValidatorOpts

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.