mirror of
https://github.com/moby/moby.git
synced 2025-12-07 19:42:23 +03:00
Rewrite TestBuildWithInaccessibleFilesInContext to not use fixtures
Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
This commit is contained in:
Alexandr Morozov
@@ -488,31 +488,23 @@ func TestBuildCopyDisallowRemote(t *testing.T) {
|
||||
// Issue #5270 - ensure we throw a better error than "unexpected EOF"
|
||||
// when we can't access files in the context.
|
||||
func TestBuildWithInaccessibleFilesInContext(t *testing.T) {
|
||||
testDirName := "TestBuildWithInaccessibleFilesInContext"
|
||||
|
||||
sourceDirectory := filepath.Join(workingDirectory, "build_tests", testDirName)
|
||||
buildDirectory, err := ioutil.TempDir("", "test-build-inaccessible-directory")
|
||||
defer os.RemoveAll(buildDirectory)
|
||||
|
||||
err = copyWithCP(sourceDirectory, buildDirectory)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to copy files to temporary directory: %s", err)
|
||||
}
|
||||
|
||||
buildDirectory = filepath.Join(buildDirectory, testDirName)
|
||||
{
|
||||
name := "testbuildinaccessiblefiles"
|
||||
defer deleteImages(name)
|
||||
ctx, err := fakeContext("FROM scratch\nADD . /foo/", map[string]string{"fileWithoutReadAccess": "foo"})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer ctx.Close()
|
||||
// This is used to ensure we detect inaccessible files early during build in the cli client
|
||||
pathToInaccessibleFileBuildDirectory := filepath.Join(buildDirectory, "inaccessiblefile")
|
||||
pathToFileWithoutReadAccess := filepath.Join(pathToInaccessibleFileBuildDirectory, "fileWithoutReadAccess")
|
||||
pathToFileWithoutReadAccess := filepath.Join(ctx.Dir, "fileWithoutReadAccess")
|
||||
|
||||
err := os.Chown(pathToFileWithoutReadAccess, 0, 0)
|
||||
err = os.Chown(pathToFileWithoutReadAccess, 0, 0)
|
||||
errorOut(err, t, fmt.Sprintf("failed to chown file to root: %s", err))
|
||||
err = os.Chmod(pathToFileWithoutReadAccess, 0700)
|
||||
errorOut(err, t, fmt.Sprintf("failed to chmod file to 700: %s", err))
|
||||
|
||||
buildCommandStatement := fmt.Sprintf("%s build -t inaccessiblefiles .", dockerBinary)
|
||||
buildCmd := exec.Command("su", "unprivilegeduser", "-c", buildCommandStatement)
|
||||
buildCmd.Dir = pathToInaccessibleFileBuildDirectory
|
||||
buildCmd := exec.Command("su", "unprivilegeduser", "-c", fmt.Sprintf("%s build -t %s .", dockerBinary, name))
|
||||
buildCmd.Dir = ctx.Dir
|
||||
out, exitCode, err := runCommandWithOutput(buildCmd)
|
||||
if err == nil || exitCode == 0 {
|
||||
t.Fatalf("build should have failed: %s %s", err, out)
|
||||
@@ -528,21 +520,26 @@ func TestBuildWithInaccessibleFilesInContext(t *testing.T) {
|
||||
}
|
||||
}
|
||||
{
|
||||
name := "testbuildinaccessibledirectory"
|
||||
defer deleteImages(name)
|
||||
ctx, err := fakeContext("FROM scratch\nADD . /foo/", map[string]string{"directoryWeCantStat/bar": "foo"})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer ctx.Close()
|
||||
// This is used to ensure we detect inaccessible directories early during build in the cli client
|
||||
pathToInaccessibleDirectoryBuildDirectory := filepath.Join(buildDirectory, "inaccessibledirectory")
|
||||
pathToDirectoryWithoutReadAccess := filepath.Join(pathToInaccessibleDirectoryBuildDirectory, "directoryWeCantStat")
|
||||
pathToDirectoryWithoutReadAccess := filepath.Join(ctx.Dir, "directoryWeCantStat")
|
||||
pathToFileInDirectoryWithoutReadAccess := filepath.Join(pathToDirectoryWithoutReadAccess, "bar")
|
||||
|
||||
err := os.Chown(pathToDirectoryWithoutReadAccess, 0, 0)
|
||||
err = os.Chown(pathToDirectoryWithoutReadAccess, 0, 0)
|
||||
errorOut(err, t, fmt.Sprintf("failed to chown directory to root: %s", err))
|
||||
err = os.Chmod(pathToDirectoryWithoutReadAccess, 0444)
|
||||
errorOut(err, t, fmt.Sprintf("failed to chmod directory to 755: %s", err))
|
||||
err = os.Chmod(pathToFileInDirectoryWithoutReadAccess, 0700)
|
||||
errorOut(err, t, fmt.Sprintf("failed to chmod file to 444: %s", err))
|
||||
|
||||
buildCommandStatement := fmt.Sprintf("%s build -t inaccessiblefiles .", dockerBinary)
|
||||
buildCmd := exec.Command("su", "unprivilegeduser", "-c", buildCommandStatement)
|
||||
buildCmd.Dir = pathToInaccessibleDirectoryBuildDirectory
|
||||
buildCmd := exec.Command("su", "unprivilegeduser", "-c", fmt.Sprintf("%s build -t %s .", dockerBinary, name))
|
||||
buildCmd.Dir = ctx.Dir
|
||||
out, exitCode, err := runCommandWithOutput(buildCmd)
|
||||
if err == nil || exitCode == 0 {
|
||||
t.Fatalf("build should have failed: %s %s", err, out)
|
||||
@@ -559,41 +556,52 @@ func TestBuildWithInaccessibleFilesInContext(t *testing.T) {
|
||||
|
||||
}
|
||||
{
|
||||
name := "testlinksok"
|
||||
defer deleteImages(name)
|
||||
ctx, err := fakeContext("FROM scratch\nADD . /foo/", nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer ctx.Close()
|
||||
if err := os.Symlink(filepath.Join(ctx.Dir, "g"), "../../../../../../../../../../../../../../../../../../../azA"); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
// This is used to ensure we don't follow links when checking if everything in the context is accessible
|
||||
// This test doesn't require that we run commands as an unprivileged user
|
||||
pathToDirectoryWhichContainsLinks := filepath.Join(buildDirectory, "linksdirectory")
|
||||
|
||||
out, exitCode, err := dockerCmdInDir(t, pathToDirectoryWhichContainsLinks, "build", "-t", "testlinksok", ".")
|
||||
if err != nil || exitCode != 0 {
|
||||
t.Fatalf("build should have worked: %s %s", err, out)
|
||||
if _, err := buildImageFromContext(name, ctx, true); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
deleteImages("testlinksok")
|
||||
|
||||
}
|
||||
{
|
||||
name := "testbuildignoredinaccessible"
|
||||
defer deleteImages(name)
|
||||
ctx, err := fakeContext("FROM scratch\nADD . /foo/",
|
||||
map[string]string{
|
||||
"directoryWeCantStat/bar": "foo",
|
||||
".dockerignore": "directoryWeCantStat",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer ctx.Close()
|
||||
// This is used to ensure we don't try to add inaccessible files when they are ignored by a .dockerignore pattern
|
||||
pathToInaccessibleDirectoryBuildDirectory := filepath.Join(buildDirectory, "ignoredinaccessible")
|
||||
pathToDirectoryWithoutReadAccess := filepath.Join(pathToInaccessibleDirectoryBuildDirectory, "directoryWeCantStat")
|
||||
pathToDirectoryWithoutReadAccess := filepath.Join(ctx.Dir, "directoryWeCantStat")
|
||||
pathToFileInDirectoryWithoutReadAccess := filepath.Join(pathToDirectoryWithoutReadAccess, "bar")
|
||||
err := os.Chown(pathToDirectoryWithoutReadAccess, 0, 0)
|
||||
err = os.Chown(pathToDirectoryWithoutReadAccess, 0, 0)
|
||||
errorOut(err, t, fmt.Sprintf("failed to chown directory to root: %s", err))
|
||||
err = os.Chmod(pathToDirectoryWithoutReadAccess, 0444)
|
||||
errorOut(err, t, fmt.Sprintf("failed to chmod directory to 755: %s", err))
|
||||
err = os.Chmod(pathToFileInDirectoryWithoutReadAccess, 0700)
|
||||
errorOut(err, t, fmt.Sprintf("failed to chmod file to 444: %s", err))
|
||||
|
||||
buildCommandStatement := fmt.Sprintf("%s build -t ignoredinaccessible .", dockerBinary)
|
||||
buildCmd := exec.Command("su", "unprivilegeduser", "-c", buildCommandStatement)
|
||||
buildCmd.Dir = pathToInaccessibleDirectoryBuildDirectory
|
||||
buildCmd := exec.Command("su", "unprivilegeduser", "-c", fmt.Sprintf("%s build -t %s .", dockerBinary, name))
|
||||
buildCmd.Dir = ctx.Dir
|
||||
out, exitCode, err := runCommandWithOutput(buildCmd)
|
||||
if err != nil || exitCode != 0 {
|
||||
t.Fatalf("build should have worked: %s %s", err, out)
|
||||
}
|
||||
deleteImages("ignoredinaccessible")
|
||||
|
||||
}
|
||||
deleteImages("inaccessiblefiles")
|
||||
logDone("build - ADD from context with inaccessible files must fail")
|
||||
logDone("build - ADD from context with accessible links must work")
|
||||
logDone("build - ADD from context with ignored inaccessible files must work")
|
||||
|
||||
Reference in New Issue
Block a user