diff --git a/cri/v1alpha1/cri_utils_test.go b/cri/v1alpha1/cri_utils_test.go
index 804b088aa..c3c03020c 100644
--- a/cri/v1alpha1/cri_utils_test.go
+++ b/cri/v1alpha1/cri_utils_test.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "reflect"
 "sort"
+ "strconv"
 "strings"
 "testing"
 "time"
@@ -756,6 +757,197 @@ func Test_modifyContainerNamespaceOptions(t *testing.T) { } } +func Test_modifyHostConfig(t *testing.T) { + supplementalGroups := []int64{1, 2, 3} + groupAdd := []string{} + for _, group := range supplementalGroups { + groupAdd = append(groupAdd, strconv.FormatInt(group, 10)) + } + + type args struct { + sc *runtime.LinuxContainerSecurityContext + hostConfig *apitypes.HostConfig + } + tests := []struct { + name string + args args + wantHostConfig *apitypes.HostConfig + wantErr error + }{ + { + name: "Normal Test", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + SupplementalGroups: supplementalGroups, + Privileged: true, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: true, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + GroupAdd: groupAdd, + Privileged: true, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", "fooDrop2"}, + SecurityOpt: []string{"no-new-privileges"}, + }, + wantErr: nil, + }, + { + name: "SupplementalGroups Nil Test", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + Privileged: true, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: true, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + Privileged: true, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", "fooDrop2"}, + SecurityOpt: []string{"no-new-privileges"}, + }, + wantErr: nil, + }, + { + name: "Capabilities Nil Test", + 
args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + SupplementalGroups: supplementalGroups, + Privileged: true, + ReadonlyRootfs: true, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: true, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + GroupAdd: groupAdd, + Privileged: true, + ReadonlyRootfs: true, + SecurityOpt: []string{"no-new-privileges"}, + }, + wantErr: nil, + }, + { + name: "GetSeccompSecurityOpts Err Test", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + SupplementalGroups: supplementalGroups, + Privileged: true, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: "foo", + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: true, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + GroupAdd: groupAdd, + Privileged: true, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", "fooDrop2"}, + }, + wantErr: fmt.Errorf("failed to generate seccomp security options: %v", fmt.Errorf("undefault profile %q should prefix with %q", "foo", mgr.ProfileNamePrefix)), + }, + { + name: "GetAppArmorSecurityOpts Err Test", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + SupplementalGroups: supplementalGroups, + Privileged: true, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: "foo", + NoNewPrivs: true, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + GroupAdd: groupAdd, + Privileged: true, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", 
"fooDrop2"}, + }, + wantErr: fmt.Errorf("failed to generate appArmor security options: %v", fmt.Errorf("undefault profile name should prefix with %q", mgr.ProfileNamePrefix)), + }, + { + name: "NoNewPrivs False Test", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + SupplementalGroups: supplementalGroups, + Privileged: true, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: false, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + GroupAdd: groupAdd, + Privileged: true, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", "fooDrop2"}, + }, + wantErr: nil, + }, + { + name: "Nil Test", + args: args{ + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{}, + wantErr: nil, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := modifyHostConfig(tt.args.sc, tt.args.hostConfig) + if !reflect.DeepEqual(tt.args.hostConfig, tt.wantHostConfig) { + t.Errorf("modifyHostConfig() hostConfig = %v, wantHostConfig %v", tt.args.hostConfig, tt.wantHostConfig) + return + } + if !reflect.DeepEqual(err, tt.wantErr) { + t.Errorf("modifyHostConfig() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + func Test_applyContainerSecurityContext(t *testing.T) { type args struct { lc *runtime.LinuxContainerConfig diff --git a/cri/v1alpha2/cri_utils_test.go b/cri/v1alpha2/cri_utils_test.go index 501928c95..146262d5e 100644 --- a/cri/v1alpha2/cri_utils_test.go +++ b/cri/v1alpha2/cri_utils_test.go @@ -1,8 +1,10 @@ package v1alpha2 import ( + "context" "fmt" "reflect" + "strconv" "strings" "testing" "time" 
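Review bot: `reflect.DeepEqual(err, tt.wantErr)` in the t.Run body compares the concrete error values, so the error cases pass only while modifyHostConfig builds its error with `fmt.Errorf("...: %v", ...)` exactly as the table does; switching the production code to `%w` or to a typed error would fail those cases even though the message text is unchanged. Comparing by message is more robust: `if (err == nil) != (tt.wantErr == nil) || (err != nil && err.Error() != tt.wantErr.Error()) {`. The `return` after the hostConfig mismatch also suppresses the error check for that case, so a failing case reports only half the picture. Note too that the two Err cases pin a partially populated hostConfig (GroupAdd, Privileged, CapAdd and CapDrop set, but no SecurityOpt) as the expected state on failure, which fixes the field-application order of modifyHostConfig; a comment such as `// on error hostConfig is partially applied and must be discarded by the caller` above those cases would make that intent explicit. The same table and comparison appear in the cri/v1alpha2/cri_utils_test.go hunk.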
@@ -14,7 +16,6 @@ import ( "github.com/cri-o/ocicni/pkg/ocicni" "github.com/stretchr/testify/assert" - "golang.org/x/net/context" ) var ( 
@@ -743,6 +744,197 @@ func Test_modifyContainerNamespaceOptions(t *testing.T) { } } +func Test_modifyHostConfig(t *testing.T) { + supplementalGroups := []int64{1, 2, 3} + groupAdd := []string{} + for _, group := range supplementalGroups { + groupAdd = append(groupAdd, strconv.FormatInt(group, 10)) + } + + type args struct { + sc *runtime.LinuxContainerSecurityContext + hostConfig *apitypes.HostConfig + } + tests := []struct { + name string + args args + wantHostConfig *apitypes.HostConfig + wantErr error + }{ + { + name: "Normal Test", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + SupplementalGroups: supplementalGroups, + Privileged: true, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: true, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + GroupAdd: groupAdd, + Privileged: true, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", "fooDrop2"}, + SecurityOpt: []string{"no-new-privileges"}, + }, + wantErr: nil, + }, + { + name: "SupplementalGroups Nil Test", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + Privileged: true, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: true, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + Privileged: true, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", "fooDrop2"}, + SecurityOpt: []string{"no-new-privileges"}, + }, + wantErr: nil, + }, + { + name: "Capabilities Nil Test", + 
args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + SupplementalGroups: supplementalGroups, + Privileged: true, + ReadonlyRootfs: true, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: true, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + GroupAdd: groupAdd, + Privileged: true, + ReadonlyRootfs: true, + SecurityOpt: []string{"no-new-privileges"}, + }, + wantErr: nil, + }, + { + name: "GetSeccompSecurityOpts Err Test", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + SupplementalGroups: supplementalGroups, + Privileged: true, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: "foo", + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: true, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + GroupAdd: groupAdd, + Privileged: true, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", "fooDrop2"}, + }, + wantErr: fmt.Errorf("failed to generate seccomp security options: %v", fmt.Errorf("undefault profile %q should prefix with %q", "foo", mgr.ProfileNamePrefix)), + }, + { + name: "GetAppArmorSecurityOpts Err Test", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + SupplementalGroups: supplementalGroups, + Privileged: true, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: "foo", + NoNewPrivs: true, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + GroupAdd: groupAdd, + Privileged: true, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", 
"fooDrop2"}, + }, + wantErr: fmt.Errorf("failed to generate appArmor security options: %v", fmt.Errorf("undefault profile name should prefix with %q", mgr.ProfileNamePrefix)), + }, + { + name: "NoNewPrivs False Test", + args: args{ + sc: &runtime.LinuxContainerSecurityContext{ + SupplementalGroups: supplementalGroups, + Privileged: true, + ReadonlyRootfs: true, + Capabilities: &runtime.Capability{ + AddCapabilities: []string{"fooAdd1", "fooAdd2"}, + DropCapabilities: []string{"fooDrop1", "fooDrop2"}, + }, + SeccompProfilePath: mgr.ProfileDockerDefault, + ApparmorProfile: mgr.ProfileRuntimeDefault, + NoNewPrivs: false, + }, + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{ + GroupAdd: groupAdd, + Privileged: true, + ReadonlyRootfs: true, + CapAdd: []string{"fooAdd1", "fooAdd2"}, + CapDrop: []string{"fooDrop1", "fooDrop2"}, + }, + wantErr: nil, + }, + { + name: "Nil Test", + args: args{ + hostConfig: &apitypes.HostConfig{}, + }, + wantHostConfig: &apitypes.HostConfig{}, + wantErr: nil, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := modifyHostConfig(tt.args.sc, tt.args.hostConfig) + if !reflect.DeepEqual(tt.args.hostConfig, tt.wantHostConfig) { + t.Errorf("modifyHostConfig() hostConfig = %v, wantHostConfig %v", tt.args.hostConfig, tt.wantHostConfig) + return + } + if !reflect.DeepEqual(err, tt.wantErr) { + t.Errorf("modifyHostConfig() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + func Test_applyContainerSecurityContext(t *testing.T) { type args struct { lc *runtime.LinuxContainerConfig