github.com/thriqon/involucro@v1.1.3/integrationtest/permission_problems_test.go (about)

     1  // +build linux
     2  
     3  package integrationtest
     4  
     5  import (
     6  	"os"
     7  	"testing"
     8  
     9  	"github.com/fsouza/go-dockerclient"
    10  	"github.com/involucro/involucro/app"
    11  )
    12  
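// TestCanWrapFilesOnlyReadableForRoot checks that a file the invoking user
// cannot read on the host still ends up, readable, inside a wrapped image.
//
// The test proceeds in four steps:
//  1. a busybox container writes test/only_root and sets its mode to 0400;
//  2. the test process confirms that opening the file fails with a
//     permission error;
//  3. the test directory is wrapped into the image inttest/wrap_root at /data;
//  4. a container started from that image must print the file's content.
//
// Security note: the outcome asserted here means host file modes are not a
// confidentiality boundary for anyone who may run tasks against the Docker
// daemon. Content the invoking user cannot read directly is still copied into
// the image and is readable there, so access to the daemon (and to images
// built this way) should be granted as carefully as root access to the wrapped
// directory itself.
func TestCanWrapFilesOnlyReadableForRoot(t *testing.T) {
	if testing.Short() {
		t.SkipNow()
	}

	// The host-side check below expects os.Open to be refused. A process with
	// effective UID 0 is normally not subject to file mode bits, so the test
	// would fail for a reason unrelated to wrapping; skip instead.
	if os.Geteuid() == 0 {
		t.Skip("running as root: the host-side permission check cannot fail")
	}

	if err := os.MkdirAll("test", 0755); err != nil {
		t.Fatal(err)
	}

	c, err := docker.NewClientFromEnv()
	if err != nil {
		t.Fatal(err)
	}

	// Best-effort cleanup. The file is removed from inside a container because
	// the test process itself may lack permission to delete it. Failures are
	// logged rather than fatal so that they never mask the real test result,
	// but they are no longer silently dropped: a leftover root-only file or
	// image is worth knowing about on a shared build host.
	defer func() {
		if err := app.Main([]string{
			"involucro", "-e", "inv.task('x').using('busybox').run('/bin/sh', '-c', 'rm -f /source/test/only_root')", "x",
		}); err != nil {
			t.Logf("cleanup: removing test/only_root: %v", err)
		}
		if err := c.RemoveImage("inttest/wrap_root"); err != nil {
			t.Logf("cleanup: removing image inttest/wrap_root: %v", err)
		}
	}()

	// Create the file from inside a container and restrict it to its owner.
	// NOTE(review): presumably the container runs as root and /source maps to
	// the working directory; neither is visible in this file, so confirm.
	if err := app.Main([]string{
		"involucro", "-e",
		"inv.task('x').using('busybox').run('/bin/sh', '-c', 'echo FLAG > /source/test/only_root && chmod 0400 /source/test/only_root')",
		"x",
	}); err != nil {
		t.Fatal(err)
	}

	// Precondition: the test process must not be able to read the file, and
	// the refusal must be a permission error rather than e.g. "not found".
	file, err := os.Open("test/only_root")
	if err == nil {
		file.Close()
		t.Fatal("File opening succeeded")
	}

	if !os.IsPermission(err) {
		t.Fatal("Error was not a permission error, but", err)
	}

	// Wrap the directory that holds the unreadable file into a new image.
	if err := app.Main([]string{
		"involucro", "-e",
		"inv.task('w').wrap('test').inImage('busybox').at('/data').as('inttest/wrap_root')",
		"w",
	}); err != nil {
		t.Fatal(err)
	}

	// The content must be present and readable inside the wrapped image.
	assertStdoutContainsFlag([]string{
		"-e",
		"inv.task('x').using('inttest/wrap_root').run('cat', '/data/only_root')",
		"x",
	}, "FLAG", t)
}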