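// +build linux

package integrationtest

import (
	"os"
	"testing"

	"github.com/fsouza/go-dockerclient"
	"github.com/involucro/involucro/app"
)

// TestCanWrapFilesOnlyReadableForRoot checks that a wrap task can package a
// file that the user running the test is not allowed to read.
//
// A busybox container writes /source/test/only_root and sets its mode to
// 0400. The test confirms that opening test/only_root from the test process
// fails with a permission error, wraps the test directory into the image
// inttest/wrap_root at /data, and reads the file back from a container
// started from that image.
//
// NOTE(review): the assertions pin down that wrap copies content the invoking
// user cannot open directly. Whoever may run involucro against the Docker
// daemon can therefore read such files once they are wrapped, so access to
// the daemon should be granted as if it were read access to everything below
// the wrapped directory, and secrets should be kept out of those directories.
func TestCanWrapFilesOnlyReadableForRoot(t *testing.T) {
	if testing.Short() {
		t.SkipNow()
	}

	// The permission check further down cannot hold for uid 0: root is
	// normally allowed to open a mode-0400 file regardless of its owner, so
	// the test would fail with "File opening succeeded" for a reason
	// unrelated to wrap.
	if os.Geteuid() == 0 {
		t.Skip("running as root: cannot establish that test/only_root is unreadable")
	}

	if err := os.MkdirAll("test", 0755); err != nil {
		t.Fatal(err)
	}

	c, err := docker.NewClientFromEnv()
	if err != nil {
		t.Fatal(err)
	}

	defer func() {
		// Best-effort cleanup. The file is removed from inside a container
		// because the test process itself may lack the rights to touch it.
		// Failures are logged rather than dropped so that leftovers (the
		// file, or the image holding its content) are visible in the output.
		if err := app.Main([]string{
			"involucro", "-e", "inv.task('x').using('busybox').run('/bin/sh', '-c', 'rm -f /source/test/only_root')", "x",
		}); err != nil {
			t.Logf("cleanup: removing test/only_root: %v", err)
		}
		if err := c.RemoveImage("inttest/wrap_root"); err != nil {
			t.Logf("cleanup: removing image inttest/wrap_root: %v", err)
		}
	}()

	// Create the file from inside a container and restrict it to its owner.
	// NOTE(review): presumably /source is the working directory mounted into
	// the container and the owner is root, as the test name suggests; confirm
	// against the involucro run-step implementation.
	if err := app.Main([]string{
		"involucro", "-e",
		"inv.task('x').using('busybox').run('/bin/sh', '-c', 'echo FLAG > /source/test/only_root && chmod 0400 /source/test/only_root')",
		"x",
	}); err != nil {
		t.Fatal(err)
	}

	// Precondition: the test process must not be able to read the file.
	file, err := os.Open("test/only_root")
	if err == nil {
		file.Close()
		t.Fatal("File opening succeeded")
	}

	if !os.IsPermission(err) {
		t.Fatal("Error was not a permission error, but", err)
	}

	// Wrap the directory containing the unreadable file into a new image.
	if err := app.Main([]string{
		"involucro", "-e",
		"inv.task('w').wrap('test').inImage('busybox').at('/data').as('inttest/wrap_root')",
		"w",
	}); err != nil {
		t.Fatal(err)
	}

	// The content written earlier must be readable inside the wrapped image.
	assertStdoutContainsFlag([]string{
		"-e",
		"inv.task('x').using('inttest/wrap_root').run('cat', '/data/only_root')",
		"x",
	}, "FLAG", t)
}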