package transform
import (
"testing"
"github.com/drone/drone/yaml"
"github.com/franela/goblin"
)
// Test_validate exercises Check against single-container configurations.
//
// Per the spec descriptions, Check's second argument marks the build as
// trusted. With a trusted build a privileged container is accepted; with an
// untrusted build every attribute listed below must be rejected with the
// exact error text shown. The expected messages are compared verbatim, so a
// wording change in Check fails these specs.
//
// NOTE(review): only Privileged is exercised through Services; the other
// restricted attributes (dns, devices, network, volumes, ...) are checked on
// pipeline containers only. If Check is meant to apply the same policy to
// service containers, matching service-side cases would close that gap.
func Test_validate(t *testing.T) {
	// checkCase is one spec: a container, where it is placed in the config,
	// the trust flag handed to Check, and the expected error text.
	type checkCase struct {
		desc      string
		container *yaml.Container
		asService bool   // place the container under Services instead of Pipeline
		trusted   bool   // value passed as Check's second argument
		wantErr   string // empty means Check must return a nil error
	}

	g := goblin.Goblin(t)

	// register turns each case into a goblin spec, in table order.
	register := func(cases []checkCase) {
		for _, tc := range cases {
			// Pin the per-iteration value in case the spec body runs after
			// the loop has moved on (required before Go 1.22).
			tc := tc
			g.It(tc.desc, func() {
				var conf *yaml.Config
				if tc.asService {
					conf = newConfigService(tc.container)
				} else {
					conf = newConfig(tc.container)
				}

				err := Check(conf, tc.trusted)
				if tc.wantErr == "" {
					g.Assert(err == nil).IsTrue("error should be nil")
					return
				}
				g.Assert(err != nil).IsTrue("error should not be nil")
				g.Assert(err.Error()).Equal(tc.wantErr)
			})
		}
	}

	g.Describe("validating", func() {
		g.Describe("privileged attributes", func() {
			register([]checkCase{
				{
					desc:      "should not error when trusted build",
					container: &yaml.Container{Privileged: true},
					trusted:   true,
				},
				{
					desc:      "should error when privleged mode",
					container: &yaml.Container{Privileged: true},
					wantErr:   "Insufficient privileges to use privileged mode",
				},
				{
					desc:      "should error when privleged service container",
					container: &yaml.Container{Privileged: true},
					asService: true,
					wantErr:   "Insufficient privileges to use privileged mode",
				},
				{
					desc:      "should error when dns configured",
					container: &yaml.Container{DNS: []string{"8.8.8.8"}},
					wantErr:   "Insufficient privileges to use custom dns",
				},
				{
					desc:      "should error when dns_search configured",
					container: &yaml.Container{DNSSearch: []string{"8.8.8.8"}},
					wantErr:   "Insufficient privileges to use dns_search",
				},
				{
					desc:      "should error when devices configured",
					container: &yaml.Container{Devices: []string{"/dev/foo"}},
					wantErr:   "Insufficient privileges to use devices",
				},
				{
					desc:      "should error when extra_hosts configured",
					container: &yaml.Container{ExtraHosts: []string{"1.2.3.4 foo.com"}},
					wantErr:   "Insufficient privileges to use extra_hosts",
				},
				{
					desc:      "should error when network configured",
					container: &yaml.Container{Network: "host"},
					wantErr:   "Insufficient privileges to override the network",
				},
				{
					desc:      "should error when oom_kill_disabled configured",
					container: &yaml.Container{OomKillDisable: true},
					wantErr:   "Insufficient privileges to disable oom_kill",
				},
				{
					desc:      "should error when volumes configured",
					container: &yaml.Container{Volumes: []string{"/:/tmp"}},
					wantErr:   "Insufficient privileges to use volumes",
				},
				{
					desc:      "should error when volumes_from configured",
					container: &yaml.Container{VolumesFrom: []string{"drone"}},
					wantErr:   "Insufficient privileges to use volumes_from",
				},
			})
		})

		g.Describe("plugin configuration", func() {
			register([]checkCase{
				{
					desc:      "should error when entrypoint is configured",
					container: &yaml.Container{Entrypoint: []string{"/bin/sh"}},
					wantErr:   "Cannot set plugin Entrypoint",
				},
				{
					desc:      "should error when command is configured",
					container: &yaml.Container{Command: []string{"cat", "/proc/1/status"}},
					wantErr:   "Cannot set plugin Command",
				},
				{
					desc:      "should not error when empty entrypoint, command",
					container: &yaml.Container{},
				},
			})
		})
	})
}
// newConfig returns a Config whose Pipeline contains only the given
// container; every other field is left at its zero value.
func newConfig(container *yaml.Container) *yaml.Config {
	conf := new(yaml.Config)
	conf.Pipeline = []*yaml.Container{container}
	return conf
}
// newConfigService returns a Config whose Services list contains only the
// given container, so a spec can exercise Check on a service rather than a
// pipeline step.
func newConfigService(container *yaml.Container) *yaml.Config {
	conf := new(yaml.Config)
	conf.Services = []*yaml.Container{container}
	return conf
}