yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

run_cmd: print what commands are allowed in if the current command is not in the allow list

Browse Source
This commit is contained in:
Jörg Thalheim
2025-04-16 19:30:02 +02:00
parent ed68a4dde1
commit 56a0b0a994
1 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
pkgs/clan-cli/clan_cli/nix/__init__.py
View File

@@ -125,15 +125,20 @@ def nix_shell(packages: list[str], cmd: list[str]) -> list[str]:
# lazy loads list of allowed and static programs # lazy loads list of allowed and static programs
class Programs: class Programs:
allowed_programs: list[str] | None = None allowed_programs: set[str] | None = None
static_programs: list[str] | None = None static_programs: set[str] | None = None
@classmethod @classmethod
def is_allowed(cls: type["Programs"], program: str) -> bool: def ensure_allowed(cls: type["Programs"], program: str) -> None:
if cls.allowed_programs is None: if cls.allowed_programs is None:
with (Path(__file__).parent / "allowed-programs.json").open() as f: with (Path(__file__).parent / "allowed-programs.json").open() as f:
cls.allowed_programs = json.load(f) cls.allowed_programs = allowed_programs = set(json.load(f))
return program in cls.allowed_programs else:
allowed_programs = cls.allowed_programs
if program not in allowed_programs:
msg = f"Program not allowed: '{program}', allowed programs are:\n{'\n'.join(allowed_programs)}"
raise ClanError(msg)
@classmethod @classmethod
def is_static(cls: type["Programs"], program: str) -> bool: def is_static(cls: type["Programs"], program: str) -> bool:
@@ -141,7 +146,9 @@ class Programs:
Determines if a program is statically shipped with this clan distribution Determines if a program is statically shipped with this clan distribution
""" """
if cls.static_programs is None: if cls.static_programs is None:
cls.static_programs = os.environ.get("CLAN_STATIC_PROGRAMS", "").split(":") cls.static_programs = set(
os.environ.get("CLAN_STATIC_PROGRAMS", "").split(":")
)
return program in cls.static_programs return program in cls.static_programs
@@ -152,9 +159,7 @@ class Programs:
# - build clan distributions that ship some or all packages (eg. clan-cli-full) # - build clan distributions that ship some or all packages (eg. clan-cli-full)
def run_cmd(programs: list[str], cmd: list[str]) -> list[str]: def run_cmd(programs: list[str], cmd: list[str]) -> list[str]:
for program in programs: for program in programs:
if not Programs.is_allowed(program): Programs.ensure_allowed(program)
msg = f"Program not allowed: {program}"
raise ClanError(msg)
if os.environ.get("IN_NIX_SANDBOX"): if os.environ.get("IN_NIX_SANDBOX"):
return cmd return cmd
missing_packages = [ missing_packages = [