コード例 #1
 def _create_image(dockerfile_mode="actual"):
     """Build an Image stub that carries the Dockerfile-related fields.

     ``image_id``, ``user`` and ``dockerfile_contents`` are names defined
     outside this function; only ``dockerfile_mode`` varies per call, so one
     factory can serve tests for each mode value.
     """
     stub = Image()
     # Assigned in a fixed order, one attribute at a time, on a bare instance.
     for attr, value in (
         ("id", image_id),
         ("user_id", user),
         ("dockerfile_contents", dockerfile_contents),
         ("dockerfile_mode", dockerfile_mode),
     ):
         setattr(stub, attr, value)
     return stub
コード例 #2
def image():
    """Return an Image stub whose package lookup is served by a test double.

    ``image_id``, ``user`` and ``mock_get_packages_by_type`` come from the
    surrounding test module.
    """
    stub = Image(id=image_id, user_id=user)
    # Replace the lookup on this instance only, so the code under test reads
    # packages from the mock rather than from the real implementation.
    stub.get_packages_by_type = mock_get_packages_by_type
    return stub
コード例 #3
ファイル: test_malware.py プロジェクト: ssthom/anchore-engine
def image(monkeypatch):
    """Return an Image stub with ``analysis_artifacts`` patched to a mock.

    The patch is applied to the ``Image`` class itself, so it is in effect for
    every instance until pytest's ``monkeypatch`` undoes it. ``image_id``,
    ``digest`` and ``user`` come from the surrounding test module.
    """
    # raising=True: fail immediately if Image has no such attribute, so a
    # rename in the model cannot silently turn this test into a no-op.
    monkeypatch.setattr(
        Image, 'analysis_artifacts', MockAnalysisArtifacts(), raising=True
    )

    stub = Image()
    for attr, value in (("id", image_id), ("digest", digest), ("user_id", user)):
        setattr(stub, attr, value)
    return stub
コード例 #4
def image(monkeypatch):
    """Return a minimal Image with ``analysis_artifacts`` patched to a mock.

    ``image_id`` and ``user`` come from the surrounding test module.
    """
    # Class-level patch; raising=True rejects the patch if the attribute is
    # missing from Image instead of quietly creating it.
    monkeypatch.setattr(
        Image, "analysis_artifacts", MockAnalysisArtifacts(), raising=True
    )

    stub = Image(id=image_id, user_id=user)
    return stub
コード例 #5
    def _create_image(artifact_key):
        """Build an Image stub whose artifacts mock is keyed by *artifact_key*.

        ``monkeypatch``, ``image_id``, ``digest`` and ``user`` are taken from
        outside this function. Each call re-patches ``Image`` at class level,
        so the most recent ``artifact_key`` is the one in effect.
        """
        artifacts_double = MockAnalysisArtifacts(artifact_key)
        # raising=True: refuse to patch an attribute Image does not define.
        monkeypatch.setattr(
            Image, "analysis_artifacts", artifacts_double, raising=True
        )

        stub = Image()
        for attr, value in (("id", image_id), ("digest", digest), ("user_id", user)):
            setattr(stub, attr, value)
        return stub
コード例 #6
def image(monkeypatch):
    """Return an Image whose filesystem listing holds two fake secret files.

    The listing is JSON-encoded, compressed and attached as a
    ``FilesystemAnalysis``; ``analysis_artifacts`` is patched to a mock at
    class level. ``image_id`` and ``user`` come from the surrounding module.
    """
    monkeypatch.setattr(
        Image, "analysis_artifacts", MockAnalysisArtifacts(), raising=True
    )

    def _plain_file(path, size, md5, sha256, sha1):
        # Both entries share everything except path, size and checksums.
        # mode 33188 == 0o100644: regular file, rw-r--r--.
        return {
            "fullpath": path,
            "name": path,
            "mode": 33188,
            "permissions": "0o644",
            "linkdst_fullpath": None,
            "linkdst": None,
            "size": size,
            "entry_type": "file",
            "is_packaged": False,
            "md5_checksum": md5,
            "sha256_checksum": sha256,
            "sha1_checksum": sha1,
            "othernames": [],
            "suid": None,
        }

    listing = {
        "/fake_private_key": _plain_file(
            "/fake_private_key",
            22,
            "f1779b586f2fda64f084fa4cda2749f4",
            "9e6be7f96d6c88338eecb2396e4e7c27d3387fe45e5aa740614e1e292ce65aa7",
            "9fada773ed59c05a2c5352e8eee8afa0fda3483e",
        ),
        "/fake_api_key": _plain_file(
            "/fake_api_key",
            32,
            "8e67b4af0e9b6598c901f06a74835632",
            "77db45a31c74cf01bb130ab4bc4869d2d03b576c48977f96ae81d4e4912f334b",
            "9d819cb21d51d3720fc74e0ee2d8242c7e5bdcf2",
        ),
    }

    # NOTE(review): the payload is zlib-framed (zlib.compress) but labelled
    # "gzip"; this only round-trips if the model decodes that label with
    # zlib — confirm against FilesystemAnalysis.
    packed = zlib.compress(json.dumps(listing).encode())
    analysis = FilesystemAnalysis(
        compressed_file_json=packed,
        compression_algorithm="gzip",
    )

    return Image(id=image_id, user_id=user, fs=analysis)
コード例 #7
def alpine_image():
    """Return a fully populated Image stub describing an empty Alpine 3.10 image.

    Every collection (artifacts, CPEs, packages, gems, npms, history) is
    empty, so the stub represents an analyzed image with no findings.
    """
    alpine = Image()

    # Distro identity.
    alpine.distro_name = "alpine"
    alpine.distro_version = "3.10"

    # Image identity.
    alpine.id = "abc123abc123"
    alpine.analysis_artifacts = []
    alpine.digest = "sha256:abc123abc123"

    # utcnow() yields a naive datetime; both timestamps share the same value.
    alpine.created_at = datetime.datetime.utcnow()
    alpine.last_modified = alpine.created_at

    # Docker metadata; "guessed" is the dockerfile_mode recorded here because
    # no Dockerfile contents are supplied.
    alpine.cpes = []
    alpine.docker_data_json = {}
    alpine.dockerfile_contents = ""
    alpine.dockerfile_mode = "guessed"
    alpine.docker_history_json = []

    # Package inventories, all empty.
    alpine.packages = []
    alpine.gems = []
    alpine.npms = []

    alpine.state = "analyzed"
    # NOTE(review): size is assigned as a string here — confirm the model
    # accepts that rather than an integer byte count.
    alpine.size = "1000"
    alpine.user_id = "admin"
    return alpine
コード例 #8
def image():
    """Return an Image stub modelled on a Debian 10 based nginx image.

    Carries registry metadata (repo digest and tag) and five layer digests.
    ``image_id`` comes from the surrounding test module.
    """
    # The repo digest pins exact content; the tag alone ("latest") is mutable.
    registry_metadata = {
        "Architecture": "amd64",
        "RepoDigests": [
            "docker.io/library/nginx@sha256:34f3f875e745861ff8a37552ed7eb4b673544d2c56c7cc58f9a9bec5b4b3530e"
        ],
        "RepoTags": ["docker.io/library/nginx:latest"],
    }
    layer_digests = [
        "sha256:bb79b6b2107fea8e8a47133a660b78e3a546998fcf0427be39ac9a0af4a97e90",
        "sha256:5a9f1c0027a73bc0e66a469f90e47a59e23ab3472126ed28e6a4e7b1a98d1eb5",
        "sha256:b5c20b2b484f5ca9bc9d98dc79f8f1381ee0c063111ea0ddf42d1ae5ea942d50",
        "sha256:166a2418f7e86fa48d87bf6807b4e5b35f078acb2ad1cbf10444a7025913c24f",
        "sha256:1966ea362d2394e7c5c508ebf3695f039dd3825bd1e7a07449ae530aea3c4cd1",
    ]
    return Image(
        id=image_id,
        user_id="user",
        size=141455360,
        distro_name="debian",
        distro_version="10",
        like_distro="debian",
        docker_data_json=registry_metadata,
        layers_json=layer_digests,
    )
コード例 #9
ファイル: test_files.py プロジェクト: wcc526/anchore-engine
def image(monkeypatch):
    """Return an Image whose filesystem listing covers several entry kinds.

    The listing holds a directory, a symlink, two entries whose mode carries
    only the setuid/setgid bits, and two fake secret files. It is
    JSON-encoded, compressed and attached as a ``FilesystemAnalysis``.
    ``analysis_artifacts`` is patched to a mock on the ``Image`` class.
    """
    # raising=True: the patch fails if Image does not define the attribute.
    monkeypatch.setattr(Image,
                        "analysis_artifacts",
                        MockAnalysisArtifacts(),
                        raising=True)

    files_json = {
        "/bin": {
            "fullpath": "/bin",
            "name": "/bin",
            "mode": 16877,  # 0o040755: directory, rwxr-xr-x
            "permissions": "0o755",
            "linkdst_fullpath": None,
            "linkdst": None,
            "size": 0,
            "entry_type": "dir",
            "is_packaged": True,
            "md5_checksum": "79f65df590b25155a587461aeb79eeb1",
            "sha256_checksum":
            "a4a080992560315f59b75c62e458181c00fe5c3b962f5b2b64297badbfbc12c7",
            "sha1_checksum": "a523ce63d9556ba950ebb81609faf00de04dd1a7",
            "othernames": [],
            "suid": None,
        },
        "/bin/arch": {
            "fullpath": "/bin/arch",
            "name": "/bin/arch",
            "mode": 41471,  # 0o120777: symbolic link, rwxrwxrwx
            "permissions": "0o777",
            "linkdst_fullpath": "/bin/busybox",
            "linkdst": "/bin/busybox",
            "size": 12,
            "entry_type": "slink",
            "is_packaged": False,
            "md5_checksum": "87ac152a3e02d3a6a84d129422611f85",
            "sha256_checksum":
            "480bddf71ef05659c5405f65f139e49b99122175f0163d281d471f0a368aad7c",
            "sha1_checksum": "8d05b5d4a9ea76ec570b17e1f77ccd65a55937d9",
            "othernames": [],
            "suid": None,
        },
        "/usr/bin/test": {
            "fullpath": "/usr/bin/test",
            "name": "/usr/bin/test",
            # 3072 == 0o6000: only the setuid and setgid bits, no file-type or
            # rwx bits, so it disagrees with "permissions" and "entry_type"
            # below. Presumably deliberate input for a suid/sgid check — confirm.
            "mode": 3072,
            "permissions": "0o777",
            "linkdst_fullpath": "/bin/busybox",
            "linkdst": "/bin/busybox",
            "size": 12,
            "entry_type": "slink",
            "is_packaged": False,
            "md5_checksum": "DIRECTORY_OR_OTHER",
            "sha256_checksum": "DIRECTORY_OR_OTHER",
            "sha1_checksum": "DIRECTORY_OR_OTHER",
            "othernames": [],
            "suid": None,
        },
        "/usr/share/apk/keys": {
            "fullpath": "/usr/share/apk/keys",
            "name": "/usr/share/apk/keys",
            "mode": 3072,  # 0o6000: setuid + setgid bits only (see /usr/bin/test)
            "permissions": "0o755",
            "linkdst_fullpath": None,
            "linkdst": None,
            "size": 0,
            "entry_type": "dir",
            "is_packaged": True,
            "md5_checksum": "DIRECTORY_OR_OTHER",
            "sha256_checksum": "DIRECTORY_OR_OTHER",
            "sha1_checksum": "DIRECTORY_OR_OTHER",
            "othernames": [],
            "suid": None,
        },
        # NOTE(review): the dict key is "/fake_private_key" but "fullpath" and
        # "name" say "/fake_aws_key". Which one a path-based check sees depends
        # on whether it reads the key or the fields — confirm this is intended.
        "/fake_private_key": {
            "fullpath": "/fake_aws_key",
            "name": "/fake_aws_key",
            "mode": 33188,  # 0o100644: regular file, rw-r--r--
            "permissions": "0o644",
            "linkdst_fullpath": None,
            "linkdst": None,
            "size": 22,
            "entry_type": "file",
            "is_packaged": False,
            "md5_checksum": "f1779b586f2fda64f084fa4cda2749f4",
            "sha256_checksum":
            "9e6be7f96d6c88338eecb2396e4e7c27d3387fe45e5aa740614e1e292ce65aa7",
            "sha1_checksum": "9fada773ed59c05a2c5352e8eee8afa0fda3483e",
            "othernames": [],
            "suid": None,
        },
        "/fake_api_key": {
            "fullpath": "/fake_api_key",
            "name": "/fake_api_key",
            "mode": 33188,  # 0o100644: regular file, rw-r--r--
            "permissions": "0o644",
            "linkdst_fullpath": None,
            "linkdst": None,
            "size": 32,
            "entry_type": "file",
            "is_packaged": False,
            "md5_checksum": "8e67b4af0e9b6598c901f06a74835632",
            "sha256_checksum":
            "77db45a31c74cf01bb130ab4bc4869d2d03b576c48977f96ae81d4e4912f334b",
            "sha1_checksum": "9d819cb21d51d3720fc74e0ee2d8242c7e5bdcf2",
            "othernames": [],
            "suid": None,
        },
    }
    # NOTE(review): zlib.compress emits zlib framing, yet the record is
    # labelled "gzip"; confirm the model decodes that label with zlib.
    fs = FilesystemAnalysis(
        compressed_file_json=zlib.compress(json.dumps(files_json).encode()),
        compression_algorithm="gzip",
    )

    # The id and user here are the literal strings, not module-level names.
    return Image(id="image_id", user_id="user", fs=fs)
コード例 #10
def image(packages):
    """Return an Image stub that owns the supplied *packages*.

    The id and user are fixed literal strings; only the package list varies.
    """
    stub = Image(
        id="image_id",
        user_id="user",
        packages=packages,
    )
    return stub
コード例 #11
    def test_tag_mapping(self):
        """Table-driven check of tag-based ``PolicyMappingRule`` matching.

        Each case is ``(rule, image id, image digest, tag, expected)``. The
        mapping decides which policy applies to an image, so the negative
        cases matter as much as the positive ones: a rule that matches too
        broadly would apply a policy to images it was never written for.
        """
        cases = [
            # All allowed
            (matcher_for_tag(), "0", "sha256:123abc", "docker.io/nginx:latest", True),
            # All allowed, none provided
            (matcher_for_tag(), "0", "sha256:123abc", "*/*:*", True),
            # Case where tag not provided for eval, but rule requires it
            (matcher_for_tag(tag="latest"), "0", "sha256:123abc", "*/*:*", False),
            # Registry match failure
            (
                matcher_for_tag(registry="gcr.io"),
                "0",
                "sha256:123abc",
                "docker.io/nginx:latest",
                False,
            ),
            # Repo match failure
            (
                matcher_for_tag(repository="mysql"),
                "0",
                "sha256:123abc",
                "docker.io/nginx:latest",
                False,
            ),
            # Tag match failure
            (
                matcher_for_tag(registry="docker.io", repository="mysql", tag="latest"),
                "0",
                "sha256:123abc",
                "docker.io/mysql:alpine",
                False,
            ),
            # Wildcard sub match
            (
                matcher_for_tag(tag="*-dev"),
                "0",
                "sha256:123abc",
                "docker.io/nginx:1.8-dev",
                True,
            ),
            # Registry only match
            (
                matcher_for_tag(registry="docker.io"),
                "0",
                "sha256:123abc",
                "docker.io/nginx:latest",
                True,
            ),
            # Registry & repo match
            (
                matcher_for_tag(registry="docker.io", repository="nginx"),
                "0",
                "sha256:123abc",
                "docker.io/nginx:latest",
                True,
            ),
            # Docker name handling should happen upstream: the matcher does
            # not expand "nginx" to "library/nginx", so callers must pass an
            # already-normalized tag or this rule will not apply.
            (
                matcher_for_tag(registry="docker.io", repository="library/nginx"),
                "0",
                "sha256:123abc",
                "docker.io/nginx:latest",
                False,
            ),
            # Exact match
            (
                matcher_for_tag(
                    registry="docker.io", repository="library/nginx", tag="latest"
                ),
                "0",
                "sha256:123abc",
                "docker.io/library/nginx:latest",
                True,
            ),
        ]

        for mapping, img_id, img_digest, tag, expected in cases:
            rule = PolicyMappingRule(mapping)
            candidate = Image()
            candidate.id = img_id
            candidate.digest = img_digest
            outcome = rule.matches(candidate, tag=tag)
            self.assertEqual(
                expected,
                outcome,
                "Failed on: {} with tag {}".format(mapping, tag),
            )
コード例 #12
    def test_id_mapping(self):
        """Table-driven check of id-based ``PolicyMappingRule`` matching.

        Each case is ``(rule, tag, image id, image digest, expected)``. The
        expectations show that an id rule still honours its registry and
        repository constraints: a matching id alone is not enough when the
        rule also names a registry or repository that the tag does not satisfy.
        """
        cases = [
            # id only specified
            (matcher_for_id(id="0"), "docker.io/nginx:latest", "0", "sha256:123abc", True),
            # Registry fail
            (
                matcher_for_id(registry="gcr.io", id="0"),
                "docker.io/nginx:latest",
                "0",
                "sha256:123abc",
                False,
            ),
            # Repository fail
            (
                matcher_for_id(repository="mysql", id="0"),
                "docker.io/nginx:latest",
                "0",
                "sha256:123abc",
                False,
            ),
            # Case where no tag provided so default wildcard set
            (
                matcher_for_id(repository="mysql", id="0"),
                "*/*:*",
                "0",
                "sha256:123abc",
                False,
            ),
            # ID fail
            (matcher_for_id(id="1"), "docker.io/nginx:latest", "0", "sha256:123abd", False),
            # Repository fail (same rule as above, different image digest)
            (
                matcher_for_id(repository="mysql", id="0"),
                "docker.io/nginx:latest",
                "0",
                "sha256:123abd",
                False,
            ),
            # Repository wildcard
            (matcher_for_id(id="0"), "*/*:*", "0", "sha256:123abc", True),
            # Repository wildcard, fail because rule id "1" != image id "0"
            (matcher_for_id(id="1"), "*/*:*", "0", "sha256:123abc", False),
        ]

        for mapping, tag, img_id, img_digest, expected in cases:
            rule = PolicyMappingRule(mapping)
            candidate = Image()
            candidate.id = img_id
            candidate.digest = img_digest
            outcome = rule.matches(candidate, tag=tag)
            self.assertEqual(
                expected,
                outcome,
                "Failed on: {} with id {}".format(mapping, img_id),
            )
コード例 #13
    def test_tag_mapping(self):
        """Exercise tag-based ``PolicyMappingRule`` matching over a case table.

        Rows are ``(rule, image id, image digest, tag, expected)``. The rows
        expecting ``False`` guard against over-broad matching, which would
        bind a policy to images outside the rule's registry/repo/tag scope.
        """
        image_id_value = '0'
        image_digest_value = 'sha256:123abc'
        rows = [
            # All allowed
            (matcher_for_tag(), 'docker.io/nginx:latest', True),
            # All allowed, none provided
            (matcher_for_tag(), '*/*:*', True),
            # Case where tag not provided for eval, but rule requires it
            (matcher_for_tag(tag='latest'), '*/*:*', False),
            # Registry match failure
            (matcher_for_tag(registry='gcr.io'), 'docker.io/nginx:latest', False),
            # Repo match failure
            (matcher_for_tag(repository='mysql'), 'docker.io/nginx:latest', False),
            # Tag match failure
            (
                matcher_for_tag(registry='docker.io', repository='mysql', tag='latest'),
                'docker.io/mysql:alpine',
                False,
            ),
            # Wildcard sub match
            (matcher_for_tag(tag='*-dev'), 'docker.io/nginx:1.8-dev', True),
            # Registry only match
            (matcher_for_tag(registry='docker.io'), 'docker.io/nginx:latest', True),
            # Registry & repo match
            (
                matcher_for_tag(registry='docker.io', repository='nginx'),
                'docker.io/nginx:latest',
                True,
            ),
            # Docker name handling should happen upstream: "nginx" is not
            # expanded to "library/nginx" here, so an un-normalized tag does
            # not satisfy a rule written against the full repository name.
            (
                matcher_for_tag(registry='docker.io', repository='library/nginx'),
                'docker.io/nginx:latest',
                False,
            ),
            # Exact match
            (
                matcher_for_tag(
                    registry='docker.io', repository='library/nginx', tag='latest'
                ),
                'docker.io/library/nginx:latest',
                True,
            ),
        ]

        # Every row uses the same image identity; only rule and tag vary.
        for mapping, tag, expected in rows:
            rule = PolicyMappingRule(mapping)
            candidate = Image()
            candidate.id = image_id_value
            candidate.digest = image_digest_value
            outcome = rule.matches(candidate, tag=tag)
            self.assertEqual(
                expected, outcome, 'Failed on: {} with tag {}'.format(mapping, tag)
            )
コード例 #14
    def test_id_mapping(self):
        """Exercise id-based ``PolicyMappingRule`` matching over a case table.

        Rows are ``(rule, tag, image digest, expected)``; the image id is
        ``'0'`` in every row. Per the expectations, a rule's registry and
        repository constraints still apply when the id matches.
        """
        image_id_value = '0'
        rows = [
            # id only specified
            (matcher_for_id(id='0'), 'docker.io/nginx:latest', 'sha256:123abc', True),
            # Registry fail
            (
                matcher_for_id(registry='gcr.io', id='0'),
                'docker.io/nginx:latest',
                'sha256:123abc',
                False,
            ),
            # Repository fail
            (
                matcher_for_id(repository='mysql', id='0'),
                'docker.io/nginx:latest',
                'sha256:123abc',
                False,
            ),
            # Case where no tag provided so default wildcard set
            (
                matcher_for_id(repository='mysql', id='0'),
                '*/*:*',
                'sha256:123abc',
                False,
            ),
            # ID fail
            (matcher_for_id(id='1'), 'docker.io/nginx:latest', 'sha256:123abd', False),
            # Repository fail (same rule as above, different image digest)
            (
                matcher_for_id(repository='mysql', id='0'),
                'docker.io/nginx:latest',
                'sha256:123abd',
                False,
            ),
            # Repository wildcard
            (matcher_for_id(id='0'), '*/*:*', 'sha256:123abc', True),
            # Repository wildcard, fail because rule id '1' != image id '0'
            (matcher_for_id(id='1'), '*/*:*', 'sha256:123abc', False),
        ]

        for mapping, tag, img_digest, expected in rows:
            rule = PolicyMappingRule(mapping)
            candidate = Image()
            candidate.id = image_id_value
            candidate.digest = img_digest
            outcome = rule.matches(candidate, tag=tag)
            self.assertEqual(
                expected,
                outcome,
                'Failed on: {} with id {}'.format(mapping, image_id_value),
            )
コード例 #15
def image():
    """Return a minimal Image stub carrying only an id and an owning user.

    ``image_id`` and ``user`` come from the surrounding test module.
    """
    stub = Image(
        id=image_id,
        user_id=user,
    )
    return stub