#!/usr/bin/env bats
# This tests various expected error scenarios when pulling bad content
# Pull in the suite's shared helper file via the bats `load` command.
load helpers

# Registry endpoint that every test in this file pushes to and pulls from.
# NOTE(review): the test names suggest a content-altering proxy sits at this
# address; that is not visible from this file. Confirm against the suite setup.
host='localregistry:6666'
# Local image name, also used as the first path component of each repository.
base='malevolent-test'
# bats hook that runs before each @test in this file.
# Calls the tempImage helper (defined outside this file) for "$base:latest".
# Presumably this creates the local image the tests tag and push; verify in helpers.
setup() {
	tempImage "${base}:latest"
}
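# Baseline case: push and pull of the "nochange" repository must both succeed.
# Passing this test shows the registry path works at all, which gives the
# expected-failure tests in this file something to be compared against.
@test "Test malevolent proxy pass through" {
	docker_t tag "$base:latest" "$host/$base/nochange:latest"
	run docker_t push "$host/$base/nochange:latest"
	# Quoted so multi-line push output is printed verbatim in the failure log
	# (unquoted, it is word-split and glob-expanded).
	echo "$output"
	[ "$status" -eq 0 ]
	# has_digest is defined in the helpers; it is given the push output here.
	has_digest "$output"

	run docker_t pull "$host/$base/nochange:latest"
	echo "$output"
	[ "$status" -eq 0 ]
}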
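# Push to the "rename" repository, then pull the same content by digest.
# The by-digest pull is expected to be rejected.
@test "Test malevolent image name change" {
	imagename="$host/$base/rename"
	# NOTE(review): the tag is spelled "lastest". The pull below is by digest,
	# so the tag is never resolved. Confirm whether the spelling is deliberate.
	image="$imagename:lastest"
	docker_t tag "$base:latest" "$image"
	run docker_t push "$image"
	# Print the push output so a failed push can be diagnosed, as the other tests do.
	echo "$output"
	[ "$status" -eq 0 ]
	# NOTE(review): $digest is not assigned in this file; presumably has_digest
	# sets it from the push output. Verify in helpers.
	has_digest "$output"

	# Pull attempt should fail to verify manifest digest
	run docker_t pull "$imagename@$digest"
	echo "$output"
	# NOTE(review): any non-zero exit satisfies this, including an unreachable
	# registry or an empty $digest. Consider also matching the daemon's
	# verification error in $output so only a digest rejection passes.
	[ "$status" -ne 0 ]
}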
# Push a fresh image to the "addfile" repository, drop the local copy, then
# pull by tag. The pull is expected to fail.
@test "Test malevolent altered layer" {
	image="${host}/${base}/addfile:latest"
	tempImage "${image}"
	run docker_t push "${image}"
	echo "$output"
	[ "$status" -eq 0 ]
	has_digest "$output"

	# Delete the local image first. Otherwise the pull could be satisfied from
	# the local store and no layer would be fetched and verified.
	docker_t rmi -f "${image}"

	run docker_t pull "${image}"
	echo "$output"
	# NOTE(review): this accepts any pull failure; it does not show that the
	# failure came from layer digest verification.
	[ "$status" -ne 0 ]
}
# Same scenario as the by-tag altered-layer test, but the pull names the
# manifest by digest. It is expected to fail.
@test "Test malevolent altered layer (by digest)" {
	imagename="${host}/${base}/addfile"
	image="${imagename}:latest"
	tempImage "${image}"
	run docker_t push "${image}"
	echo "$output"
	[ "$status" -eq 0 ]
	# NOTE(review): $digest is not assigned in this file; presumably has_digest
	# sets it from the push output. Verify in helpers.
	has_digest "$output"

	# Delete the local image so the layer has to be fetched and verified again.
	docker_t rmi -f "${image}"

	run docker_t pull "${imagename}@${digest}"
	echo "$output"
	# NOTE(review): this accepts any pull failure, including an empty $digest;
	# it does not show that the failure came from digest verification.
	[ "$status" -ne 0 ]
}
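# Two independently built images are pushed to different repositories under
# the same tag, a 64-hex-character string shaped like an image ID (the
# "poison"). After a clean re-pull, the images must keep distinct IDs and
# neither ID may be the poison value.
@test "Test malevolent poisoned images" {
	truncid="777cf9284131"
	poison="${truncid}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa32"
	image1="$host/$base/image1/poison:$poison"
	tempImage "$image1"
	run docker_t push "$image1"
	echo "$output"
	[ "$status" -eq 0 ]
	has_digest "$output"

	image2="$host/$base/image2/poison:$poison"
	tempImage "$image2"
	run docker_t push "$image2"
	echo "$output"
	[ "$status" -eq 0 ]
	has_digest "$output"

	# Remove image to ensure layer is pulled and digest verified
	docker_t rmi -f "$image1"
	docker_t rmi -f "$image2"

	run docker_t pull "$image1"
	echo "$output"
	[ "$status" -eq 0 ]
	run docker_t pull "$image2"
	echo "$output"
	[ "$status" -eq 0 ]

	# List the local images so the log shows what the pulls produced.
	run docker_t images
	echo "$output"
	[ "$status" -eq 0 ]

	# Record both IDs before cleanup; the assertions below run on the saved values.
	id1=$(docker_t inspect --format="{{.Id}}" "$image1")
	id2=$(docker_t inspect --format="{{.Id}}" "$image2")

	# Remove old images
	docker_t rmi -f "$image1"
	docker_t rmi -f "$image2"

	# The two images were built separately, so their IDs must differ.
	[ "$id1" != "$id2" ]

	# Neither ID may be the poison. {{.Id}} is a full-length ID, optionally
	# prefixed with "sha256:", so comparing it to the 12-character $truncid
	# for equality can never fail. Compare the leading characters instead.
	hex1=${id1#sha256:}
	hex2=${id2#sha256:}
	[ "${hex1:0:${#truncid}}" != "$truncid" ]
	[ "${hex2:0:${#truncid}}" != "$truncid" ]
}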
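# One image is pushed to two repositories under two different ID-shaped tags
# (the "poison" values). After a clean re-pull, both names must resolve to the
# same image ID, and that ID must not be either poison value.
@test "Test malevolent altered identical images" {
	truncid1="777cf9284131"
	poison1="${truncid1}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa32"
	truncid2="888cf9284131"
	poison2="${truncid2}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa64"

	image1="$host/$base/image1/alteredid:$poison1"
	tempImage "$image1"
	run docker_t push "$image1"
	echo "$output"
	[ "$status" -eq 0 ]
	has_digest "$output"

	# The second name is a tag of the first image, not a new build.
	image2="$host/$base/image2/alteredid:$poison2"
	docker_t tag "$image1" "$image2"
	run docker_t push "$image2"
	echo "$output"
	[ "$status" -eq 0 ]
	has_digest "$output"

	# Remove image to ensure layer is pulled and digest verified
	docker_t rmi -f "$image1"
	docker_t rmi -f "$image2"

	run docker_t pull "$image1"
	echo "$output"
	[ "$status" -eq 0 ]
	run docker_t pull "$image2"
	echo "$output"
	[ "$status" -eq 0 ]

	# List the local images so the log shows what the pulls produced.
	run docker_t images
	echo "$output"
	[ "$status" -eq 0 ]

	# Record both IDs before cleanup; the assertions below run on the saved values.
	id1=$(docker_t inspect --format="{{.Id}}" "$image1")
	id2=$(docker_t inspect --format="{{.Id}}" "$image2")

	# Remove old images
	docker_t rmi -f "$image1"
	docker_t rmi -f "$image2"

	# Same content under two names must yield the same ID.
	[ "$id1" == "$id2" ]

	# Neither ID may be its poison. {{.Id}} is a full-length ID, optionally
	# prefixed with "sha256:", so comparing it to a 12-character truncated ID
	# for equality can never fail. Compare the leading characters instead.
	hex1=${id1#sha256:}
	hex2=${id2#sha256:}
	[ "${hex1:0:${#truncid1}}" != "$truncid1" ]
	[ "${hex2:0:${#truncid2}}" != "$truncid2" ]
}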
# Push to the "resumeable" repository, drop the local copy, then pull by
# digest. Unlike the altered-content tests, this pull is expected to succeed.
@test "Test malevolent resumeable pull" {
	# Version gates; version_check is defined outside this file.
	# NOTE(review): presumably it skips the test below these versions. Verify in helpers.
	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
	version_check registry "$GOLEM_DISTRIBUTION_VERSION" "2.3.0"

	imagename="${host}/${base}/resumeable"
	image="${imagename}:latest"
	tempImage "${image}"
	run docker_t push "${image}"
	echo "$output"
	[ "$status" -eq 0 ]
	# NOTE(review): $digest is not assigned in this file; presumably has_digest
	# sets it from the push output. Verify in helpers.
	has_digest "$output"

	# Delete the local image so the layer has to be fetched and verified again.
	docker_t rmi -f "${image}"

	run docker_t pull "${imagename}@${digest}"
	echo "$output"
	[ "$status" -eq 0 ]
}