
commit/push: use an everything-allowed policy

When we're committing an image from a container, or pushing an image,
ignore the global signature policy, which is used to control whether or
not we can trust an image.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #1579
Approved by: rhatdan
This commit is contained in:
Nalin Dahyabhai
2019-05-08 15:53:05 -04:00
committed by Atomic Bot
parent e9184eaac6
commit c654b18cad
4 changed files with 58 additions and 10 deletions


@@ -106,6 +106,22 @@ type PushOptions struct {
Quiet bool Quiet bool
} }
var (
// commitPolicy bypasses any signing requirements when committing containers to images
commitPolicy = &signature.Policy{
Default: []signature.PolicyRequirement{signature.NewPRReject()},
Transports: map[string]signature.PolicyTransportScopes{
is.Transport.Name(): {
"": []signature.PolicyRequirement{
signature.NewPRInsecureAcceptAnything(),
},
},
},
}
// pushPolicy bypasses any signing requirements when pushing (copying) images from local storage
pushPolicy = commitPolicy
)
// Commit writes the contents of the container, along with its updated // Commit writes the contents of the container, along with its updated
// configuration, to a new image in the specified location, and if we know how, // configuration, to a new image in the specified location, and if we know how,
// add any additional tags that were specified. Returns the ID of the new image // add any additional tags that were specified. Returns the ID of the new image
@@ -141,11 +157,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
return "", nil, "", errors.Errorf("commit access to registry for %q is blocked by configuration", transports.ImageName(dest)) return "", nil, "", errors.Errorf("commit access to registry for %q is blocked by configuration", transports.ImageName(dest))
} }
policy, err := signature.DefaultPolicy(systemContext) policyContext, err := signature.NewPolicyContext(commitPolicy)
if err != nil {
return imgID, nil, "", errors.Wrapf(err, "error obtaining default signature policy")
}
policyContext, err := signature.NewPolicyContext(policy)
if err != nil { if err != nil {
return imgID, nil, "", errors.Wrapf(err, "error creating new signature policy context") return imgID, nil, "", errors.Wrapf(err, "error creating new signature policy context")
} }
@@ -280,11 +292,7 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options
return nil, "", errors.Errorf("push access to registry for %q is blocked by configuration", transports.ImageName(dest)) return nil, "", errors.Errorf("push access to registry for %q is blocked by configuration", transports.ImageName(dest))
} }
policy, err := signature.DefaultPolicy(systemContext) policyContext, err := signature.NewPolicyContext(pushPolicy)
if err != nil {
return nil, "", errors.Wrapf(err, "error obtaining default signature policy")
}
policyContext, err := signature.NewPolicyContext(policy)
if err != nil { if err != nil {
return nil, "", errors.Wrapf(err, "error creating new signature policy context") return nil, "", errors.Wrapf(err, "error creating new signature policy context")
} }
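Review bot: With `commitPolicy` hard-coded, the signature policy a caller configures via `options.SystemContext` (the `--signature-policy` flag) is now silently ignored by both `Commit` and `Push`, and nothing in the hunk records that on the functions or their option types; suggest adding to the `// Commit writes the contents of the container...` comment and its `Push` counterpart: `// The signature policy in options.SystemContext is not consulted here: the source is always local storage, which is implicitly trusted.` The `Default: reject` combined with a scope limited to `is.Transport.Name()` is what keeps this from being an unconditional allow-all — as far as I can tell c/image evaluates policy only against the source, and both paths read from local storage — so the reject default is unreachable today but worth keeping as a guard should a future caller hand in another source transport. `pushPolicy = commitPolicy` aliases a single pointer, which is fine while neither is mutated, but a short comment such as `// same policy object; keep in sync with commitPolicy` would stop a later edit to one from silently changing the other. Both function bodies continue past the hunk; please confirm the `defer policyContext.Destroy()` that presumably follows the error check is still there, since the replaced lines removed one of the early returns.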


@@ -1194,6 +1194,7 @@ load helpers
run_buildah --debug=false bud --signature-policy ${TESTSDIR}/policy.json -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount run_buildah --debug=false bud --signature-policy ${TESTSDIR}/policy.json -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount
expect_output --substring "/testdir" expect_output --substring "/testdir"
} }
@test "bud-copy-dot with --layers picks up changed file" { @test "bud-copy-dot with --layers picks up changed file" {
cp -a ${TESTSDIR}/bud/use-layers ${TESTDIR}/use-layers cp -a ${TESTSDIR}/bud/use-layers ${TESTDIR}/use-layers
@@ -1211,3 +1212,29 @@ load helpers
buildah rmi -a -f buildah rmi -a -f
} }
@test "buildah-bud-policy" {
target=foo
# A deny-all policy should prevent us from pulling the base image.
run_buildah '?' bud --signature-policy ${TESTSDIR}/deny.json -t ${target} -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount
[ "$status" -ne 0 ]
expect_output --substring 'Source image rejected: Running image .* rejected by policy.'
run_buildah rmi -a -f
# A docker-only policy should allow us to pull the base image and commit.
run_buildah bud --signature-policy ${TESTSDIR}/docker.json -t ${target} -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount
# A deny-all policy shouldn't break pushing.
run_buildah push --signature-policy ${TESTSDIR}/deny.json ${target} dir:${TESTDIR}/mount
run_buildah rmi -a -f
# A docker-only policy should allow us to pull the base image first...
run_buildah pull --signature-policy ${TESTSDIR}/docker.json alpine
# ... and since we don't need to pull the base image, a deny-all policy shouldn't break a build.
run_buildah bud --signature-policy ${TESTSDIR}/deny.json -t ${target} -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount
# A deny-all policy shouldn't break pushing.
run_buildah push --signature-policy ${TESTSDIR}/deny.json ${target} dir:${TESTDIR}/mount
# A deny-all policy shouldn't break committing directly to other storage.
run_buildah bud --signature-policy ${TESTSDIR}/deny.json -t dir:${TESTDIR}/mount -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount
run_buildah rmi -a -f
}
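Review bot: The two `push --signature-policy ${TESTSDIR}/deny.json` steps and the final `-t dir:${TESTDIR}/mount` commit all write into the same directory without clearing it and only check the exit status, so a later step that exits 0 but writes nothing would be masked by the earlier output. Giving each step its own destination (`dir:${TESTDIR}/push1`, `dir:${TESTDIR}/push2`, `dir:${TESTDIR}/commit`) and checking for a non-empty manifest afterwards — `[ -s ${TESTDIR}/push1/manifest.json ]`, assuming the dir transport layout other tests in this file rely on — would make the "deny-all shouldn't break pushing" assertion actually verify the push. The `run_buildah rmi -a -f` before `pull ... alpine` is load-bearing, because the following deny-all `bud` only proves anything if the base image was absent and then pulled under the docker-only policy; a one-line comment saying so would keep someone from "tidying" it away. The `pull` step also needs network access to the registry, presumably like the other bud tests in this file.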

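--- /dev/null
+++ b/tests/deny.json
@@ -0,0 +1,7 @@
+{
+"default": [
+{
+"type": "reject"
+}
+]
+}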

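--- /dev/null
+++ b/tests/docker.json
@@ -0,0 +1,6 @@
+{
+"default": [ { "type": "reject" } ],
+"transports": {
+"docker": { "": [ { "type": "insecureAcceptAnything" } ] }
+}
+}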