github.com/rkt/rkt@v1.30.1-0.20200224141603-171c416fac02/tests/rkt_trust_test.go (about)

     1  // Copyright 2015 The rkt Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // +build host coreos src kvm
    16  
    17  package main
    18  
    19  import (
    20  	"fmt"
    21  	"os"
    22  	"testing"
    23  
    24  	"github.com/rkt/rkt/tests/testutils"
    25  )
    26  
// runImage builds a `rkt run` command line for imageFile (debug output on,
// metadata-service registration off) and hands it to runRktAndCheckOutput
// together with the expected output fragment and the expected pass/fail state.
//
// imageFile is interpolated into the command string as-is, with no quoting;
// the callers in this file pass paths returned by patchTestACI.
func runImage(t *testing.T, ctx *testutils.RktRunCtx, imageFile string, expected string, shouldFail bool) {
	runRktAndCheckOutput(
		t,
		fmt.Sprintf(`%s --debug run --mds-register=false %s`, ctx.Cmd(), imageFile),
		expected,
		shouldFail,
	)
}
    31  
// TestTrust exercises rkt's signature verification against per-prefix key
// trust. Two images are built with different names (rkt-prefix.com/my-app and
// rkt-alternative.com/my-app) and both are signed with key 1. The test then
// checks, step by step, that an image only runs once the signing key is
// trusted for a prefix matching that image's name, or trusted for all images
// (the empty prefix, logged as `rkt trust --root`):
//
//   - unsigned image: rejected, no signature file
//   - signed, key not trusted: rejected
//   - key trusted under a non-matching prefix: rejected
//   - a different key (2) trusted under the matching prefix: rejected
//   - signing key trusted under the matching prefix: accepted, while the
//     second image stays rejected
//   - signing key trusted under unrelated prefixes: second image still rejected
//   - signing key trusted with the empty prefix: both images accepted
//
// The steps share one rkt context and build on each other, so their order
// matters.
func TestTrust(t *testing.T) {
	const (
		// Output fragments passed to runImage for each outcome.
		helloOutput   = "Hello"
		noSignature   = "error opening signature file"
		unknownSigner = "openpgp: signature made by unknown entity"

		// Trust prefix that matches the first image's name.
		matchingPrefix = "rkt-prefix.com/my-app"
	)

	prefixImage := patchTestACI("rkt-inspect-trust1.aci", "--exec=/inspect --print-msg=Hello", "--name=rkt-prefix.com/my-app")
	defer os.Remove(prefixImage)

	altImage := patchTestACI("rkt-inspect-trust2.aci", "--exec=/inspect --print-msg=Hello", "--name=rkt-alternative.com/my-app")
	defer os.Remove(altImage)

	ctx := testutils.NewRktRunCtx()
	defer ctx.Cleanup()

	// No signature exists yet, so the run must be refused.
	t.Logf("Run the non-signed image: it should fail\n")
	runImage(t, ctx, prefixImage, noSignature, true)

	// Both images are signed with the same key index (1); each call returns a
	// signature file that is removed when the test ends.
	t.Logf("Sign the images\n")
	prefixSig := runSignImage(t, prefixImage, 1)
	defer os.Remove(prefixSig)
	altSig := runSignImage(t, altImage, 1)
	defer os.Remove(altSig)

	// A valid signature alone is not enough: the key is not trusted anywhere.
	t.Logf("Run the signed image without trusting the key: it should fail\n")
	runImage(t, ctx, prefixImage, unknownSigner, true)

	// Trust under a prefix that does not match the image name must not apply.
	t.Logf("Trust the key with the wrong prefix\n")
	runRktTrust(t, ctx, "wrong-prefix.com/my-app", 1)

	t.Logf("Run a signed image with the key installed in the wrong prefix: it should fail\n")
	runImage(t, ctx, prefixImage, unknownSigner, true)

	// Matching prefix, but key 2 is not the key the image was signed with.
	t.Logf("Trust the key with the correct prefix, but wrong key\n")
	runRktTrust(t, ctx, matchingPrefix, 2)

	t.Logf("Run a signed image with the wrong key installed: it should fail\n")
	runImage(t, ctx, prefixImage, unknownSigner, true)

	// Matching prefix and signing key: the first image becomes runnable, the
	// second (different name, same key) must still be rejected.
	t.Logf("Trust the key with the correct prefix\n")
	runRktTrust(t, ctx, matchingPrefix, 1)

	t.Logf("Finally, run successfully the signed image\n")
	runImage(t, ctx, prefixImage, helloOutput, false)
	runImage(t, ctx, altImage, unknownSigner, true)

	// Trust granted on unrelated prefixes must not leak to the second image.
	t.Logf("Trust the key on unrelated prefixes\n")
	runRktTrust(t, ctx, "foo.com", 1)
	runRktTrust(t, ctx, "example.com/my-app", 1)

	t.Logf("But still only the first image can be executed\n")
	runImage(t, ctx, prefixImage, helloOutput, false)
	runImage(t, ctx, altImage, unknownSigner, true)

	// An empty prefix trusts the key for every image name.
	t.Logf("Trust the key for all images (rkt trust --root)\n")
	runRktTrust(t, ctx, "", 1)

	t.Logf("Now both images can be executed\n")
	runImage(t, ctx, prefixImage, helloOutput, false)
	runImage(t, ctx, altImage, helloOutput, false)
}