| #!/usr/bin/env bats |
| |
| # This tests various expected error scenarios when pulling bad content |
| |
| load helpers |
| |
| host="localregistry:6666" |
| base="malevolent-test" |
| |
| function setup() { |
| tempImage $base:latest |
| } |
| |
| @test "Test malevolent proxy pass through" { |
| docker_t tag $base:latest $host/$base/nochange:latest |
| run docker_t push $host/$base/nochange:latest |
| echo $output |
| [ "$status" -eq 0 ] |
| has_digest "$output" |
| |
| run docker_t pull $host/$base/nochange:latest |
| echo "$output" |
| [ "$status" -eq 0 ] |
| } |
| |
| @test "Test malevolent image name change" { |
| imagename="$host/$base/rename" |
| image="$imagename:lastest" |
| docker_t tag $base:latest $image |
| run docker_t push $image |
| [ "$status" -eq 0 ] |
| has_digest "$output" |
| |
| # Pull attempt should fail to verify manifest digest |
| run docker_t pull "$imagename@$digest" |
| echo "$output" |
| [ "$status" -ne 0 ] |
| } |
| |
| @test "Test malevolent altered layer" { |
| image="$host/$base/addfile:latest" |
| tempImage $image |
| run docker_t push $image |
| echo "$output" |
| [ "$status" -eq 0 ] |
| has_digest "$output" |
| |
| # Remove image to ensure layer is pulled and digest verified |
| docker_t rmi -f $image |
| |
| run docker_t pull $image |
| echo "$output" |
| [ "$status" -ne 0 ] |
| } |
| |
| @test "Test malevolent altered layer (by digest)" { |
| imagename="$host/$base/addfile" |
| image="$imagename:latest" |
| tempImage $image |
| run docker_t push $image |
| echo "$output" |
| [ "$status" -eq 0 ] |
| has_digest "$output" |
| |
| # Remove image to ensure layer is pulled and digest verified |
| docker_t rmi -f $image |
| |
| run docker_t pull "$imagename@$digest" |
| echo "$output" |
| [ "$status" -ne 0 ] |
| } |
| |
| @test "Test malevolent poisoned images" { |
| truncid="777cf9284131" |
| poison="${truncid}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa32" |
| image1="$host/$base/image1/poison:$poison" |
| tempImage $image1 |
| run docker_t push $image1 |
| echo "$output" |
| [ "$status" -eq 0 ] |
| has_digest "$output" |
| |
| image2="$host/$base/image2/poison:$poison" |
| tempImage $image2 |
| run docker_t push $image2 |
| echo "$output" |
| [ "$status" -eq 0 ] |
| has_digest "$output" |
| |
| |
| # Remove image to ensure layer is pulled and digest verified |
| docker_t rmi -f $image1 |
| docker_t rmi -f $image2 |
| |
| run docker_t pull $image1 |
| echo "$output" |
| [ "$status" -eq 0 ] |
| run docker_t pull $image2 |
| echo "$output" |
| [ "$status" -eq 0 ] |
| |
| # Test if there are multiple images |
| run docker_t images |
| echo "$output" |
| [ "$status" -eq 0 ] |
| |
| # Test images have same ID and not the poison |
| id1=$(docker_t inspect --format="{{.Id}}" $image1) |
| id2=$(docker_t inspect --format="{{.Id}}" $image2) |
| |
| # Remove old images |
| docker_t rmi -f $image1 |
| docker_t rmi -f $image2 |
| |
| [ "$id1" != "$id2" ] |
| |
| [ "$id1" != "$truncid" ] |
| |
| [ "$id2" != "$truncid" ] |
| } |
| |
| @test "Test malevolent altered identical images" { |
| truncid1="777cf9284131" |
| poison1="${truncid1}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa32" |
| truncid2="888cf9284131" |
| poison2="${truncid2}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa64" |
| |
| image1="$host/$base/image1/alteredid:$poison1" |
| tempImage $image1 |
| run docker_t push $image1 |
| echo "$output" |
| [ "$status" -eq 0 ] |
| has_digest "$output" |
| |
| image2="$host/$base/image2/alteredid:$poison2" |
| docker_t tag $image1 $image2 |
| run docker_t push $image2 |
| echo "$output" |
| [ "$status" -eq 0 ] |
| has_digest "$output" |
| |
| |
| # Remove image to ensure layer is pulled and digest verified |
| docker_t rmi -f $image1 |
| docker_t rmi -f $image2 |
| |
| run docker_t pull $image1 |
| echo "$output" |
| [ "$status" -eq 0 ] |
| run docker_t pull $image2 |
| echo "$output" |
| [ "$status" -eq 0 ] |
| |
| # Test if there are multiple images |
| run docker_t images |
| echo "$output" |
| [ "$status" -eq 0 ] |
| |
| # Test images have same ID and not the poison |
| id1=$(docker_t inspect --format="{{.Id}}" $image1) |
| id2=$(docker_t inspect --format="{{.Id}}" $image2) |
| |
| # Remove old images |
| docker_t rmi -f $image1 |
| docker_t rmi -f $image2 |
| |
| [ "$id1" == "$id2" ] |
| |
| [ "$id1" != "$truncid1" ] |
| |
| [ "$id2" != "$truncid2" ] |
| } |
| |
| @test "Test malevolent resumeable pull" { |
| version_check docker "$GOLEM_DIND_VERSION" "1.11.0" |
| version_check registry "$GOLEM_DISTRIBUTION_VERSION" "2.3.0" |
| |
| imagename="$host/$base/resumeable" |
| image="$imagename:latest" |
| tempImage $image |
| run docker_t push $image |
| echo "$output" |
| [ "$status" -eq 0 ] |
| has_digest "$output" |
| |
| # Remove image to ensure layer is pulled and digest verified |
| docker_t rmi -f $image |
| |
| run docker_t pull "$imagename@$digest" |
| echo "$output" |
| [ "$status" -eq 0 ] |
| } |