parent
91c06522f3
commit
3cf4ee6d66
@ -1,62 +1,78 @@
|
||||
import logging
|
||||
|
||||
import pytest
|
||||
from conftest import proxy
|
||||
from plumbum import ProcessExecutionError
|
||||
from plumbum.cmd import docker
|
||||
|
||||
from .conftest import proxy
|
||||
|
||||
logger = logging.getLogger()
|
||||
|
||||
|
||||
def test_default_permissions(sleeping_container):
|
||||
allowed_calls = (("version",),)
|
||||
forbidden_calls = (
|
||||
("pull", "alpine"),
|
||||
("--rm", "alpine", "--name", sleeping_container),
|
||||
("logs", sleeping_container),
|
||||
("wait", sleeping_container),
|
||||
("rm", "-f", sleeping_container),
|
||||
("restart", sleeping_container),
|
||||
("network", "ls"),
|
||||
("config", "ls"),
|
||||
("service", "ls"),
|
||||
("stack", "ls"),
|
||||
("secret", "ls"),
|
||||
("plugin", "ls"),
|
||||
("info",),
|
||||
("system", "info"),
|
||||
("build", "."),
|
||||
("swarm", "init"),
|
||||
)
|
||||
with proxy():
|
||||
for args in allowed_calls:
|
||||
def _check_permissions(allowed_calls, forbidden_calls):
|
||||
for args in allowed_calls:
|
||||
docker(*args)
|
||||
for args in forbidden_calls:
|
||||
with pytest.raises(ProcessExecutionError):
|
||||
docker(*args)
|
||||
for args in forbidden_calls:
|
||||
with pytest.raises(ProcessExecutionError):
|
||||
docker(*args)
|
||||
|
||||
|
||||
def test_default_permissions():
|
||||
with proxy() as test_container:
|
||||
allowed_calls = (("version",),)
|
||||
forbidden_calls = (
|
||||
("pull", "alpine"),
|
||||
("--rm", "alpine", "--name", test_container),
|
||||
("logs", test_container),
|
||||
("wait", test_container),
|
||||
("rm", "-f", test_container),
|
||||
("restart", test_container),
|
||||
("network", "ls"),
|
||||
("config", "ls"),
|
||||
("service", "ls"),
|
||||
("stack", "ls"),
|
||||
("secret", "ls"),
|
||||
("plugin", "ls"),
|
||||
("info",),
|
||||
("system", "info"),
|
||||
("build", "."),
|
||||
("swarm", "init"),
|
||||
)
|
||||
_check_permissions(allowed_calls, forbidden_calls)
|
||||
|
||||
|
||||
def test_container_permissions():
|
||||
with _docker_proxy(CONTAINERS=1) as (docker, test_container):
|
||||
_query_docker_with_proxy("logs", test_container, allowed=True)
|
||||
_query_docker_with_proxy("inspect", test_container, allowed=True)
|
||||
_query_docker_with_proxy("wait", test_container, allowed=False)
|
||||
_query_docker_with_proxy("run", "--rm", "alpine", allowed=False)
|
||||
_query_docker_with_proxy("rm", "-f", test_container, allowed=False)
|
||||
_query_docker_with_proxy("restart", test_container, allowed=False)
|
||||
with proxy(CONTAINERS=1) as test_container:
|
||||
allowed_calls = [
|
||||
("logs", test_container),
|
||||
("inspect", test_container),
|
||||
]
|
||||
forbidden_calls = [
|
||||
("wait", test_container),
|
||||
("run", "--rm", "alpine"),
|
||||
("rm", "-f", test_container),
|
||||
("restart", test_container),
|
||||
]
|
||||
_check_permissions(allowed_calls, forbidden_calls)
|
||||
|
||||
|
||||
def test_post_permissions():
|
||||
with _docker_proxy(POST=1) as (docker, test_container):
|
||||
_query_docker_with_proxy("rm", "-f", test_container, allowed=False)
|
||||
_query_docker_with_proxy("pull", "alpine", allowed=False)
|
||||
_query_docker_with_proxy("run", "--rm", "alpine", allowed=False)
|
||||
_query_docker_with_proxy("network", "create", "foobar", allowed=False)
|
||||
with proxy(POST=1) as test_container:
|
||||
allowed_calls = []
|
||||
forbidden_calls = [
|
||||
("rm", "-f", test_container),
|
||||
("pull", "alpine"),
|
||||
("run", "--rm", "alpine"),
|
||||
("network", "create", "foobar"),
|
||||
]
|
||||
_check_permissions(allowed_calls, forbidden_calls)
|
||||
|
||||
|
||||
def test_network_post_permissions():
|
||||
with _docker_proxy(POST=1, NETWORKS=1) as (docker, test_container):
|
||||
_query_docker_with_proxy("network", "ls", allowed=True)
|
||||
_query_docker_with_proxy("network", "create", "foo", allowed=True)
|
||||
_query_docker_with_proxy("network", "rm", "foo", allowed=True)
|
||||
with proxy(POST=1, NETWORKS=1):
|
||||
allowed_calls = [
|
||||
("network", "ls"),
|
||||
("network", "create", "foo"),
|
||||
("network", "rm", "foo"),
|
||||
]
|
||||
forbidden_calls = []
|
||||
_check_permissions(allowed_calls, forbidden_calls)
|
||||
|
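Review bot: The forbidden entry `("--rm", "alpine", "--name", test_container)` in test_default_permissions is missing the `run` subcommand, so the docker CLI rejects it as a usage error before any request reaches the proxy, and the `pytest.raises(ProcessExecutionError)` inside `_check_permissions` is satisfied no matter what the proxy permits; it should read `("run", "--rm", "alpine", "--name", test_container)`, matching the form already used in test_container_permissions. More generally, `pytest.raises(ProcessExecutionError)` accepts any non-zero exit, so a forbidden call that fails for an unrelated reason (bad arguments, a missing object) also counts as "denied"; capturing the exception with `with pytest.raises(ProcessExecutionError) as excinfo:` and asserting on `excinfo.value.stderr` that the failure came from the proxy (the exact denial text is not visible in this hunk) would make the negative checks meaningful. test_network_post_permissions passes an empty `forbidden_calls`, so it never shows that the POST/NETWORKS grant is still scoped; one entry outside that scope, such as `("pull", "alpine")`, would cover it.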