
Text file src/github.com/docker/distribution/contrib/docker-integration/malevolent.bats

Documentation: github.com/docker/distribution/contrib/docker-integration

     1#!/usr/bin/env bats
     2
     3# This tests various expected error scenarios when pulling bad content
     4
     5load helpers
     6
     # Repository namespace shared by every test in this file.
     base="malevolent-test"
     # Registry address used as the prefix of every pushed/pulled image reference.
     # NOTE(review): presumably this is the tampering ("malevolent") proxy in front
     # of the real registry; confirm against the integration environment.
     host="localregistry:6666"
     9
    # bats per-test hook: make sure "$base:latest" exists before each test runs.
    # tempImage comes from the loaded helpers file (not shown here).
    setup() {
    	tempImage "$base:latest"
    }
    13
    14@test "Test malevolent proxy pass through" {
    15	docker_t tag $base:latest $host/$base/nochange:latest
    16	run docker_t push $host/$base/nochange:latest
    17	echo $output
    18	[ "$status" -eq 0 ]
    19	has_digest "$output"
    20
    21	run docker_t pull $host/$base/nochange:latest
    22	echo "$output"
    23	[ "$status" -eq 0 ]
    24}
    25
    26@test "Test malevolent image name change" {
    27	imagename="$host/$base/rename"
    28	image="$imagename:lastest"
    29	docker_t tag $base:latest $image
    30	run docker_t push $image
    31	[ "$status" -eq 0 ]
    32	has_digest "$output"
    33
    34	# Pull attempt should fail to verify manifest digest
    35	run docker_t pull "$imagename@$digest"
    36	echo "$output"
    37	[ "$status" -ne 0 ]
    38}
    39
    40@test "Test malevolent altered layer" {
    41	image="$host/$base/addfile:latest"
    42	tempImage $image
    43	run docker_t push $image
    44	echo "$output"
    45	[ "$status" -eq 0 ]
    46	has_digest "$output"
    47
    48	# Remove image to ensure layer is pulled and digest verified
    49	docker_t rmi -f $image
    50
    51	run docker_t pull $image
    52	echo "$output"
    53	[ "$status" -ne 0 ]
    54}
    55
    56@test "Test malevolent altered layer (by digest)" {
    57	imagename="$host/$base/addfile"
    58	image="$imagename:latest"
    59	tempImage $image
    60	run docker_t push $image
    61	echo "$output"
    62	[ "$status" -eq 0 ]
    63	has_digest "$output"
    64
    65	# Remove image to ensure layer is pulled and digest verified
    66	docker_t rmi -f $image
    67
    68	run docker_t pull "$imagename@$digest"
    69	echo "$output"
    70	[ "$status" -ne 0 ]
    71}
    72
    73@test "Test malevolent poisoned images" {
    74        truncid="777cf9284131"
    75	poison="${truncid}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa32"
    76	image1="$host/$base/image1/poison:$poison"
    77	tempImage $image1
    78	run docker_t push $image1
    79	echo "$output"
    80	[ "$status" -eq 0 ]
    81	has_digest "$output"
    82
    83	image2="$host/$base/image2/poison:$poison"
    84	tempImage $image2
    85	run docker_t push $image2
    86	echo "$output"
    87	[ "$status" -eq 0 ]
    88	has_digest "$output"
    89
    90
    91	# Remove image to ensure layer is pulled and digest verified
    92	docker_t rmi -f $image1
    93	docker_t rmi -f $image2
    94
    95	run docker_t pull $image1
    96	echo "$output"
    97	[ "$status" -eq 0 ]
    98	run docker_t pull $image2
    99	echo "$output"
   100	[ "$status" -eq 0 ]
   101
   102	# Test if there are multiple images
   103	run docker_t images
   104	echo "$output"
   105	[ "$status" -eq 0 ]
   106
   107	# Test images have same ID and not the poison
   108	id1=$(docker_t inspect --format="{{.Id}}" $image1)
   109	id2=$(docker_t inspect --format="{{.Id}}" $image2)
   110
   111	# Remove old images
   112	docker_t rmi -f $image1
   113	docker_t rmi -f $image2
   114
   115	[ "$id1" != "$id2" ]
   116
   117	[ "$id1" != "$truncid" ]
   118
   119	[ "$id2" != "$truncid" ]
   120}
   121
   122@test "Test malevolent altered identical images" {
   123        truncid1="777cf9284131"
   124	poison1="${truncid1}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa32"
   125        truncid2="888cf9284131"
   126	poison2="${truncid2}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa64"
   127
   128	image1="$host/$base/image1/alteredid:$poison1"
   129	tempImage $image1
   130	run docker_t push $image1
   131	echo "$output"
   132	[ "$status" -eq 0 ]
   133	has_digest "$output"
   134
   135	image2="$host/$base/image2/alteredid:$poison2"
   136	docker_t tag $image1 $image2
   137	run docker_t push $image2
   138	echo "$output"
   139	[ "$status" -eq 0 ]
   140	has_digest "$output"
   141
   142
   143	# Remove image to ensure layer is pulled and digest verified
   144	docker_t rmi -f $image1
   145	docker_t rmi -f $image2
   146
   147	run docker_t pull $image1
   148	echo "$output"
   149	[ "$status" -eq 0 ]
   150	run docker_t pull $image2
   151	echo "$output"
   152	[ "$status" -eq 0 ]
   153
   154	# Test if there are multiple images
   155	run docker_t images
   156	echo "$output"
   157	[ "$status" -eq 0 ]
   158
   159	# Test images have same ID and not the poison
   160	id1=$(docker_t inspect --format="{{.Id}}" $image1)
   161	id2=$(docker_t inspect --format="{{.Id}}" $image2)
   162
   163	# Remove old images
   164	docker_t rmi -f $image1
   165	docker_t rmi -f $image2
   166
   167	[ "$id1" == "$id2" ]
   168
   169	[ "$id1" != "$truncid1" ]
   170
   171	[ "$id2" != "$truncid2" ]
   172}
   173
   174@test "Test malevolent resumeable pull" {
   175	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
   176	version_check registry "$GOLEM_DISTRIBUTION_VERSION" "2.3.0"
   177
   178	imagename="$host/$base/resumeable"
   179	image="$imagename:latest"
   180	tempImage $image
   181	run docker_t push $image
   182	echo "$output"
   183	[ "$status" -eq 0 ]
   184	has_digest "$output"
   185
   186	# Remove image to ensure layer is pulled and digest verified
   187	docker_t rmi -f $image
   188
   189	run docker_t pull "$imagename@$digest"
   190	echo "$output"
   191	[ "$status" -eq 0 ]
   192}
