// Listing: gopkg.in/openshift/source-to-image.v1@v1.2.0/pkg/docker/util_test.go

package docker

import (
	"testing"

	"github.com/openshift/source-to-image/pkg/api/constants"
	"github.com/openshift/source-to-image/pkg/util/user"
)

// rangeList parses str with user.ParseRangeList and returns the result.
// It panics on a parse error, so a malformed range in the test table stops
// the test binary at table construction instead of yielding a silently
// wrong policy for the case.
func rangeList(str string) *user.RangeList {
	ranges, err := user.ParseRangeList(str)
	if err != nil {
		panic(err)
	}
	return ranges
}

// TestCheckAllowedUser is a table-driven test of CheckAllowedUser. Each case
// configures a FakeDocker with an image user, a list of ONBUILD instructions
// and image labels, then asserts only whether CheckAllowedUser returns an
// error for the given allowed-UID ranges and assemble-user override. The
// error's content is not inspected.
func TestCheckAllowedUser(t *testing.T) {
	// Table fields:
	//   allowedUIDs  - UID ranges handed to CheckAllowedUser (dereferenced below)
	//   user         - value FakeDocker reports as the image user
	//   onbuild      - ONBUILD instructions FakeDocker reports for the image
	//   assembleUser - explicit assemble-user override passed to CheckAllowedUser
	//   labels       - image labels FakeDocker reports (used here for
	//                  constants.AssembleUserLabel)
	tests := []struct {
		name         string
		allowedUIDs  *user.RangeList
		user         string
		onbuild      []string
		expectErr    bool
		assembleUser string
		labels       map[string]string
	}{
		// Empty range list: even a named root user is expected to pass.
		{
			name:        "AllowedUIDs is not set",
			allowedUIDs: rangeList(""),
			user:        "root",
			onbuild:     []string{},
			expectErr:   false,
		},
		// Once a range is set, a user given by name is expected to be rejected,
		// here even though the range is just UID 0.
		{
			name:        "AllowedUIDs is set, non-numeric user",
			allowedUIDs: rangeList("0"),
			user:        "default",
			onbuild:     []string{},
			expectErr:   true,
		},
		// UID 0 lies outside the open-ended range "1-".
		{
			name:        "AllowedUIDs is set, user 0",
			allowedUIDs: rangeList("1-"),
			user:        "0",
			onbuild:     []string{},
			expectErr:   true,
		},
		// ONBUILD USER directives are held to the same policy as the image user.
		{
			name:        "AllowedUIDs is set, numeric user, non-numeric onbuild",
			allowedUIDs: rangeList("1-10,30-"),
			user:        "100",
			onbuild:     []string{"COPY test test", "USER default"},
			expectErr:   true,
		},
		{
			name:        "AllowedUIDs is set, numeric user, no onbuild user directive",
			allowedUIDs: rangeList("1-10,30-"),
			user:        "200",
			onbuild:     []string{"VOLUME /data"},
			expectErr:   false,
		},
		{
			name:        "AllowedUIDs is set, numeric user, onbuild numeric user directive",
			allowedUIDs: rangeList("200,500-"),
			user:        "200",
			onbuild:     []string{"USER 500", "VOLUME /data"},
			expectErr:   false,
		},
		{
			name:        "AllowedUIDs is set, numeric user, onbuild user 0",
			allowedUIDs: rangeList("1-"),
			user:        "200",
			onbuild:     []string{"RUN echo \"hello world\"", "USER 0"},
			expectErr:   true,
		},
		// Range with only an upper bound ("-1000").
		{
			name:        "AllowedUIDs is set, numeric user, onbuild numeric user directive, upper bound range",
			allowedUIDs: rangeList("-1000"),
			user:        "80",
			onbuild:     []string{"USER 501", "VOLUME /data"},
			expectErr:   false,
		},
		// "user:group" forms: the expectations below depend only on the part
		// before the colon; a numeric or named group does not change the result.
		{
			name:        "AllowedUIDs is set, numeric user with group",
			allowedUIDs: rangeList("1-"),
			user:        "5:5000",
			expectErr:   false,
		},
		{
			name:        "AllowedUIDs is set, numeric user with named group",
			allowedUIDs: rangeList("1-"),
			user:        "5:group",
			expectErr:   false,
		},
		{
			name:        "AllowedUIDs is set, named user with group",
			allowedUIDs: rangeList("1-"),
			user:        "root:wheel",
			expectErr:   true,
		},
		{
			name:        "AllowedUIDs is set, numeric user, onbuild user with group",
			allowedUIDs: rangeList("1-"),
			user:        "200",
			onbuild:     []string{"RUN echo \"hello world\"", "USER 10:100"},
			expectErr:   false,
		},
		{
			name:        "AllowedUIDs is set, numeric user, onbuild named user with group",
			allowedUIDs: rangeList("1-"),
			user:        "200",
			onbuild:     []string{"RUN echo \"hello world\"", "USER root:wheel"},
			expectErr:   true,
		},
		{
			name:        "AllowedUIDs is set, numeric user, onbuild user with named group",
			allowedUIDs: rangeList("1-"),
			user:        "200",
			onbuild:     []string{"RUN echo \"hello world\"", "USER 10:wheel"},
			expectErr:   false,
		},
		// Assemble user supplied as an explicit override: it must itself be in
		// range, even when the image user already is.
		{
			name:         "AllowedUIDs is set, numeric user, assemble user override ok",
			allowedUIDs:  rangeList("1-"),
			user:         "200",
			assembleUser: "10",
			expectErr:    false,
		},
		{
			name:         "AllowedUIDs is set, numeric user, root assemble user",
			allowedUIDs:  rangeList("1-"),
			user:         "200",
			assembleUser: "0",
			expectErr:    true,
		},
		// Assemble user supplied through the image label instead of the override.
		{
			name:        "AllowedUIDs is set, numeric user, assemble user label ok",
			allowedUIDs: rangeList("1-"),
			user:        "200",
			labels:      map[string]string{constants.AssembleUserLabel: "10"},
			expectErr:   false,
		},
		{
			name:        "AllowedUIDs is set, numeric user, assemble user label root",
			allowedUIDs: rangeList("1-"),
			user:        "200",
			labels:      map[string]string{constants.AssembleUserLabel: "0"},
			expectErr:   true,
		},
		// An in-range assemble user (label or override) is expected to make an
		// image whose own user is 0 acceptable.
		{
			name:        "AllowedUIDs is set, root image user, assemble user label ok",
			allowedUIDs: rangeList("1-"),
			user:        "0",
			labels:      map[string]string{constants.AssembleUserLabel: "10"},
			expectErr:   false,
		},
		{
			name:         "AllowedUIDs is set, root image user, assemble user override ok",
			allowedUIDs:  rangeList("1-"),
			user:         "0",
			assembleUser: "10",
			expectErr:    false,
		},
		// An in-range assemble user does not excuse ONBUILD instructions: the
		// "USER root:wheel" directive still fails the check although a later
		// "USER 10" follows it, so the final directive alone does not decide.
		{
			name:        "AllowedUIDs is set, root image user, onbuild root named user with group, assemble user label ok",
			allowedUIDs: rangeList("1-"),
			user:        "0",
			labels:      map[string]string{constants.AssembleUserLabel: "10"},
			onbuild:     []string{"RUN echo \"hello world\"", "USER root:wheel", "RUN echo \"i am gROOT\"", "USER 10"},
			expectErr:   true,
		},
		{
			name:         "AllowedUIDs is set, root image user, onbuild root named user with group, assemble user override ok",
			allowedUIDs:  rangeList("1-"),
			user:         "0",
			assembleUser: "10",
			onbuild:      []string{"RUN echo \"hello world\"", "USER root:wheel", "RUN echo \"i am gROOT\"", "USER 10"},
			expectErr:    true,
		},
		// NOTE(review): no case covers an empty image user while a range is set,
		// or an ONBUILD USER directive written in a different letter case;
		// confirm how CheckAllowedUser treats both.
	}

	for _, tt := range tests {
		fake := &FakeDocker{
			GetImageUserResult: tt.user,
			OnBuildResult:      tt.onbuild,
			Labels:             tt.labels,
		}
		// Presumably this flag tells CheckAllowedUser whether to inspect the
		// ONBUILD instructions; confirm against its signature.
		hasOnBuild := len(tt.onbuild) > 0

		// Every case sets allowedUIDs through rangeList; a case that left it
		// nil would panic on the dereference below.
		err := CheckAllowedUser(fake, "", *tt.allowedUIDs, hasOnBuild, tt.assembleUser)

		switch {
		case err != nil && !tt.expectErr:
			t.Errorf("%s: unexpected error: %v", tt.name, err)
		case err == nil && tt.expectErr:
			t.Errorf("%s: expected error, but did not get any", tt.name)
		}
	}
}