def image(monkeypatch):
monkeypatch.setattr(Image, 'analysis_artifacts', MockAnalysisArtifacts(), raising=True)
img = Image()
img.id = image_id
img.digest = digest
img.user_id = user
return img
def _create_image(artifact_key):
monkeypatch.setattr(
Image,
"analysis_artifacts",
MockAnalysisArtifacts(artifact_key),
raising=True,
)
img = Image()
img.id = image_id
img.digest = digest
img.user_id = user
return img
def alpine_image():
img = Image()
img.distro_name = "alpine"
img.distro_version = "3.10"
img.id = "abc123abc123"
img.analysis_artifacts = []
img.digest = "sha256:abc123abc123"
img.created_at = datetime.datetime.utcnow()
img.last_modified = img.created_at
img.cpes = []
img.docker_data_json = {}
img.dockerfile_contents = ""
img.dockerfile_mode = "guessed"
img.docker_history_json = []
img.packages = []
img.gems = []
img.npms = []
img.state = "analyzed"
img.size = "1000"
img.user_id = "admin"
return img
def test_tag_mapping(self):
test_rules = [
{
# All allowed
"rule": matcher_for_tag(),
"id": "0",
"digest": "sha256:123abc",
"tag": "docker.io/nginx:latest",
"match": True,
},
{
# All allowed, none provided
"rule": matcher_for_tag(),
"id": "0",
"digest": "sha256:123abc",
"tag": "*/*:*",
"match": True,
},
{
# Case where tag not provided for eval, but rule requires it
"rule": matcher_for_tag(tag="latest"),
"id": "0",
"digest": "sha256:123abc",
"tag": "*/*:*",
"match": False,
},
{
# Registry match failure
"rule": matcher_for_tag(registry="gcr.io"),
"id": "0",
"digest": "sha256:123abc",
"tag": "docker.io/nginx:latest",
"match": False,
},
{
# Repo match failure
"rule": matcher_for_tag(repository="mysql"),
"id": "0",
"digest": "sha256:123abc",
"tag": "docker.io/nginx:latest",
"match": False,
},
{
# Tag match failure
"rule":
matcher_for_tag(registry="docker.io",
repository="mysql",
tag="latest"),
"id":
"0",
"digest":
"sha256:123abc",
"tag":
"docker.io/mysql:alpine",
"match":
False,
},
{
# Wildcard sub match
"rule": matcher_for_tag(tag="*-dev"),
"id": "0",
"digest": "sha256:123abc",
"tag": "docker.io/nginx:1.8-dev",
"match": True,
},
{
# Registry only match
"rule": matcher_for_tag(registry="docker.io"),
"id": "0",
"digest": "sha256:123abc",
"tag": "docker.io/nginx:latest",
"match": True,
},
{
# Registry & repo match
"rule": matcher_for_tag(registry="docker.io",
repository="nginx"),
"id": "0",
"digest": "sha256:123abc",
"tag": "docker.io/nginx:latest",
"match": True,
},
{
# Docker name handling should happen upstream
"rule":
matcher_for_tag(registry="docker.io",
repository="library/nginx"),
"id":
"0",
"digest":
"sha256:123abc",
"tag":
"docker.io/nginx:latest",
"match":
False,
},
{
# Exact match
"rule":
matcher_for_tag(registry="docker.io",
repository="library/nginx",
tag="latest"),
"id":
"0",
"digest":
"sha256:123abc",
"tag":
"docker.io/library/nginx:latest",
"match":
True,
},
]
for test in test_rules:
rule = PolicyMappingRule(test["rule"])
test_img = Image()
test_img.id = test["id"]
test_img.digest = test["digest"]
m = rule.matches(test_img, tag=test["tag"])
self.assertEqual(
test["match"],
m,
"Failed on: {} with tag {}".format(test["rule"], test["tag"]),
)
def test_id_mapping(self):
test_rules = [
{
# id only specified
"rule": matcher_for_id(id="0"),
"tag": "docker.io/nginx:latest",
"id": "0",
"digest": "sha256:123abc",
"match": True,
},
{
# Registry fail
"rule": matcher_for_id(registry="gcr.io", id="0"),
"tag": "docker.io/nginx:latest",
"id": "0",
"digest": "sha256:123abc",
"match": False,
},
{
# Repository fail
"rule": matcher_for_id(repository="mysql", id="0"),
"tag": "docker.io/nginx:latest",
"id": "0",
"digest": "sha256:123abc",
"match": False,
},
{
# Case where no tag provided so default wildcard set
"rule": matcher_for_id(repository="mysql", id="0"),
"tag": "*/*:*",
"id": "0",
"digest": "sha256:123abc",
"match": False,
},
{
# ID fail
"rule": matcher_for_id(id="1"),
"tag": "docker.io/nginx:latest",
"id": "0",
"digest": "sha256:123abd",
"match": False,
},
{
# Repository fail
"rule": matcher_for_id(repository="mysql", id="0"),
"tag": "docker.io/nginx:latest",
"id": "0",
"digest": "sha256:123abd",
"match": False,
},
{
# Repository wildcard
"rule": matcher_for_id(id="0"),
"tag": "*/*:*",
"id": "0",
"digest": "sha256:123abc",
"match": True,
},
{
# Repository wildcard, fail on digest match
"rule": matcher_for_id(id="1"),
"tag": "*/*:*",
"id": "0",
"digest": "sha256:123abc",
"match": False,
},
]
for test in test_rules:
rule = PolicyMappingRule(test["rule"])
test_img = Image()
test_img.id = test["id"]
test_img.digest = test["digest"]
m = rule.matches(test_img, tag=test["tag"])
self.assertEqual(
test["match"],
m,
"Failed on: {} with id {}".format(test["rule"], test["id"]),
)
def test_tag_mapping(self):
test_rules = [
{
# All allowed
'rule': matcher_for_tag(),
'id': '0',
'digest': 'sha256:123abc',
'tag': 'docker.io/nginx:latest',
'match': True
},
{
# All allowed, none provided
'rule': matcher_for_tag(),
'id': '0',
'digest': 'sha256:123abc',
'tag': '*/*:*',
'match': True
},
{
# Case where tag not provided for eval, but rule requires it
'rule': matcher_for_tag(tag='latest'),
'id': '0',
'digest': 'sha256:123abc',
'tag': '*/*:*',
'match': False
},
{
# Registry match failure
'rule': matcher_for_tag(registry='gcr.io'),
'id': '0',
'digest': 'sha256:123abc',
'tag': 'docker.io/nginx:latest',
'match': False
},
{
# Repo match failure
'rule': matcher_for_tag(repository='mysql'),
'id': '0',
'digest': 'sha256:123abc',
'tag': 'docker.io/nginx:latest',
'match': False
},
{
# Tag match failure
'rule':
matcher_for_tag(registry='docker.io',
repository='mysql',
tag='latest'),
'id':
'0',
'digest':
'sha256:123abc',
'tag':
'docker.io/mysql:alpine',
'match':
False
},
{
# Wildcard sub match
'rule': matcher_for_tag(tag='*-dev'),
'id': '0',
'digest': 'sha256:123abc',
'tag': 'docker.io/nginx:1.8-dev',
'match': True
},
{
# Registry only match
'rule': matcher_for_tag(registry='docker.io'),
'id': '0',
'digest': 'sha256:123abc',
'tag': 'docker.io/nginx:latest',
'match': True
},
{
# Registry & repo match
'rule': matcher_for_tag(registry='docker.io',
repository='nginx'),
'id': '0',
'digest': 'sha256:123abc',
'tag': 'docker.io/nginx:latest',
'match': True
},
{
# Docker name handling should happen upstream
'rule':
matcher_for_tag(registry='docker.io',
repository='library/nginx'),
'id':
'0',
'digest':
'sha256:123abc',
'tag':
'docker.io/nginx:latest',
'match':
False
},
{
# Exact match
'rule':
matcher_for_tag(registry='docker.io',
repository='library/nginx',
tag='latest'),
'id':
'0',
'digest':
'sha256:123abc',
'tag':
'docker.io/library/nginx:latest',
'match':
True
}
]
for test in test_rules:
rule = PolicyMappingRule(test['rule'])
test_img = Image()
test_img.id = test['id']
test_img.digest = test['digest']
m = rule.matches(test_img, tag=test['tag'])
self.assertEqual(
test['match'], m,
'Failed on: {} with tag {}'.format(test['rule'], test['tag']))
def test_id_mapping(self):
test_rules = [
{
# id only specified
'rule': matcher_for_id(id='0'),
'tag': 'docker.io/nginx:latest',
'id': '0',
'digest': 'sha256:123abc',
'match': True
},
{
# Registry fail
'rule': matcher_for_id(registry='gcr.io', id='0'),
'tag': 'docker.io/nginx:latest',
'id': '0',
'digest': 'sha256:123abc',
'match': False
},
{
# Repository fail
'rule': matcher_for_id(repository='mysql', id='0'),
'tag': 'docker.io/nginx:latest',
'id': '0',
'digest': 'sha256:123abc',
'match': False
},
{
# Case where no tag provided so default wildcard set
'rule': matcher_for_id(repository='mysql', id='0'),
'tag': '*/*:*',
'id': '0',
'digest': 'sha256:123abc',
'match': False
},
{
# ID fail
'rule': matcher_for_id(id='1'),
'tag': 'docker.io/nginx:latest',
'id': '0',
'digest': 'sha256:123abd',
'match': False
},
{
# Repository fail
'rule': matcher_for_id(repository='mysql', id='0'),
'tag': 'docker.io/nginx:latest',
'id': '0',
'digest': 'sha256:123abd',
'match': False
},
{
# Repository wildcard
'rule': matcher_for_id(id='0'),
'tag': '*/*:*',
'id': '0',
'digest': 'sha256:123abc',
'match': True
},
{
# Repository wildcard, fail on digest match
'rule': matcher_for_id(id='1'),
'tag': '*/*:*',
'id': '0',
'digest': 'sha256:123abc',
'match': False
}
]
for test in test_rules:
rule = PolicyMappingRule(test['rule'])
test_img = Image()
test_img.id = test['id']
test_img.digest = test['digest']
m = rule.matches(test_img, tag=test['tag'])
self.assertEqual(
test['match'], m,
'Failed on: {} with id {}'.format(test['rule'], test['id']))
