mirror of https://github.com/Tecnativa/docker-socket-proxy synced 2025-01-05 05:10:54 +00:00
docker-socket-proxy/tests/test_service.py


import logging
import pytest
from plumbum import ProcessExecutionError
from plumbum.cmd import docker
# Root logger, used by the helpers below to trace each docker invocation.
logger = logging.getLogger()
# Base name for the proxy containers; each test appends its own suffix.
CONTAINER_NAME = "docksockprox_test"
# Default host address:port published for the proxy. Loopback only, so the
# proxied Docker API is not exposed on other host interfaces.
SOCKET_PROXY = "127.0.0.1:2375"
@pytest.fixture(autouse=True)
def build_docker_image():
    """Build the image under test and tag it ``docker-socket-proxy:local``.

    The fixture is autouse with the default scope, so the build command is
    issued before every test in this module. The build context is the
    current working directory (``.``).
    """
    build_command = ("build", "-t", "docker-socket-proxy:local", ".")
    logger.info("Building docker image...")
    docker(*build_command)
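def _start_proxy(
    container_name=CONTAINER_NAME, socket_proxy=SOCKET_PROXY, extra_args=None
):
    """Start a detached proxy container from ``docker-socket-proxy:local``.

    Args:
        container_name: Name given to the container (``--name``).
        socket_proxy: Host ``address:port`` published to the container's
            port 2375.
        extra_args: Optional extra ``docker run`` option(s), either a single
            string or a list of strings, placed just before the image name.
    """
    # Normalise the optional extras so that the default None contributes no
    # argument at all instead of being handed to the docker command line.
    if extra_args is None:
        run_options = []
    elif isinstance(extra_args, str):
        run_options = [extra_args]
    else:
        run_options = list(extra_args)

    logger.info(f"Starting {container_name} with args: {extra_args}...")
    docker(
        "run",
        "-d",
        "--name",
        container_name,
        # The container is privileged and holds the host's real daemon
        # socket; the published port below is the only filtered way in,
        # which is what the tests in this module exercise.
        "--privileged",
        "-v",
        "/var/run/docker.sock:/var/run/docker.sock",
        "-p",
        f"{socket_proxy}:2375",
        *run_options,
        "docker-socket-proxy:local",
    )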
def _stop_and_delete_proxy(
    container_name=CONTAINER_NAME,
):
    """Force-remove the proxy container named *container_name*.

    Runs ``docker rm -f`` directly against the local daemon, not through
    the proxy, so cleanup does not depend on the proxy's permissions.
    """
    logger.info(f"Removing {container_name}...")
    removal_command = ("rm", "-f", container_name)
    docker(*removal_command)
def _query_docker_with_proxy(socket_proxy=SOCKET_PROXY, extra_args=None):
    """Run a docker CLI command against the proxy and return its output.

    Args:
        socket_proxy: ``address:port`` passed to ``docker --host``.
        extra_args: docker CLI argument(s) to run, a string or a list.

    Returns:
        The command's stdout followed by its stderr. A failing command
        (``ProcessExecutionError``) is not propagated; its captured output
        is returned the same way, and the exit status is discarded.
    """
    cli_args = ("--host", socket_proxy, extra_args)
    try:
        _exit_status, out_text, err_text = docker.run(cli_args)
    except ProcessExecutionError as failure:
        return failure.stdout + failure.stderr
    return out_text + err_text
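def _check_permission(assertion, socket_proxy=SOCKET_PROXY, extra_args=None):
    """Assert that a docker command sent via the proxy is allowed or forbidden.

    Args:
        assertion: Expected verdict, ``"allowed"`` or ``"forbidden"``.
        socket_proxy: ``address:port`` of the proxy under test.
        extra_args: docker CLI argument(s) to run against the proxy.

    The verdict is ``"forbidden"`` when that (lower-case) word occurs
    anywhere in the command's combined stdout and stderr, and ``"allowed"``
    otherwise.
    """
    output = _query_docker_with_proxy(
        socket_proxy=socket_proxy, extra_args=extra_args
    )
    # NOTE(review): "allowed" only means the output lacks the word
    # "forbidden". Any other failure (for example the proxy not answering)
    # is classed as allowed too, so an "allowed" expectation can pass
    # without the request having got through. Consider also checking the
    # command's exit status.
    result = "forbidden" if "forbidden" in output else "allowed"
    # Include the captured output so a failing permission check can be
    # diagnosed from the test report alone.
    assert result == assertion, (
        f"docker {extra_args!r} via {socket_proxy} was {result}, "
        f"expected {assertion}; output:\n{output}"
    )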
def test_default_permissions():
    """Check the proxy's behaviour when started with no extra environment.

    ``docker version`` must be allowed; every other command listed below
    must be answered as forbidden.
    """
    container_name = f"{CONTAINER_NAME}_1"
    socket_proxy = "127.0.0.1:2375"
    # Commands expected to be rejected, in the order they are exercised.
    denied_commands = [
        ["run", "--rm", "alpine"],
        ["pull", "alpine"],
        ["logs", container_name],
        ["wait", container_name],
        ["rm", "-f", container_name],
        ["restart", container_name],
        ["network", "ls"],
        ["config", "ls"],
        ["service", "ls"],
        ["stack", "ls"],
        ["secret", "ls"],
        ["plugin", "ls"],
        ["info"],
        ["system", "info"],
        ["build", "."],
        ["swarm", "init"],
    ]
    try:
        _start_proxy(container_name=container_name, socket_proxy=socket_proxy)
        _check_permission("allowed", socket_proxy=socket_proxy, extra_args="version")
        for command in denied_commands:
            _check_permission(
                "forbidden", socket_proxy=socket_proxy, extra_args=command
            )
    finally:
        # Always remove the container, even when a check fails.
        _stop_and_delete_proxy(container_name=container_name)
def test_container_permissions():
    """Check the proxy started with ``CONTAINERS=1``.

    Reading container data (``logs``, ``inspect``) must be allowed, while
    ``wait``, ``run``, ``rm -f`` and ``restart`` must stay forbidden.
    """
    container_name = f"{CONTAINER_NAME}_2"
    socket_proxy = "127.0.0.1:2376"
    # (expected verdict, docker command), in the order they are exercised.
    expectations = [
        ("allowed", ["logs", container_name]),
        ("allowed", ["inspect", container_name]),
        ("forbidden", ["wait", container_name]),
        ("forbidden", ["run", "--rm", "alpine"]),
        ("forbidden", ["rm", "-f", container_name]),
        ("forbidden", ["restart", container_name]),
    ]
    try:
        _start_proxy(
            container_name=container_name,
            socket_proxy=socket_proxy,
            extra_args=["-e", "CONTAINERS=1"],
        )
        for verdict, command in expectations:
            _check_permission(verdict, socket_proxy=socket_proxy, extra_args=command)
    finally:
        # Always remove the container, even when a check fails.
        _stop_and_delete_proxy(container_name=container_name)
def test_post_permissions():
    """Check the proxy started with only ``POST=1``.

    With no API section enabled alongside it, every command tried here
    (``rm -f``, ``pull``, ``run``, ``network create``) must be forbidden.
    """
    container_name = f"{CONTAINER_NAME}_3"
    socket_proxy = "127.0.0.1:2377"
    # Commands expected to be rejected, in the order they are exercised.
    denied_commands = [
        ["rm", "-f", container_name],
        ["pull", "alpine"],
        ["run", "--rm", "alpine"],
        ["network", "create", "foobar"],
    ]
    try:
        _start_proxy(
            container_name=container_name,
            socket_proxy=socket_proxy,
            extra_args=["-e", "POST=1"],
        )
        for command in denied_commands:
            _check_permission(
                "forbidden", socket_proxy=socket_proxy, extra_args=command
            )
    finally:
        # Always remove the container, even when a check fails.
        _stop_and_delete_proxy(container_name=container_name)
def test_network_post_permissions():
    """Check the proxy started with ``POST=1`` and ``NETWORKS=1``.

    Listing, creating and removing a network must all be allowed. The
    network ``foo`` is created and then removed through the proxy itself.
    """
    container_name = f"{CONTAINER_NAME}_4"
    socket_proxy = "127.0.0.1:2378"
    # Commands expected to be accepted, in the order they are exercised.
    permitted_commands = [
        ["network", "ls"],
        ["network", "create", "foo"],
        ["network", "rm", "foo"],
    ]
    try:
        _start_proxy(
            container_name=container_name,
            socket_proxy=socket_proxy,
            extra_args=["-e", "POST=1", "-e", "NETWORKS=1"],
        )
        for command in permitted_commands:
            _check_permission("allowed", socket_proxy=socket_proxy, extra_args=command)
    finally:
        # Always remove the container, even when a check fails.
        _stop_and_delete_proxy(container_name=container_name)