154 lines
4.5 KiB
Go
154 lines
4.5 KiB
Go
package transform
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/drone/drone/yaml"
|
|
|
|
"github.com/franela/goblin"
|
|
)
|
|
|
|
func Test_validate(t *testing.T) {
|
|
|
|
g := goblin.Goblin(t)
|
|
g.Describe("validating", func() {
|
|
|
|
g.Describe("privileged attributes", func() {
|
|
|
|
g.It("should not error when trusted build", func() {
|
|
c := newConfig(&yaml.Container{Privileged: true})
|
|
err := Check(c, true)
|
|
|
|
g.Assert(err == nil).IsTrue("error should be nil")
|
|
})
|
|
|
|
g.It("should error when privleged mode", func() {
|
|
c := newConfig(&yaml.Container{
|
|
Privileged: true,
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Insufficient privileges to use privileged mode")
|
|
})
|
|
|
|
g.It("should error when privleged service container", func() {
|
|
c := newConfigService(&yaml.Container{
|
|
Privileged: true,
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Insufficient privileges to use privileged mode")
|
|
})
|
|
|
|
g.It("should error when dns configured", func() {
|
|
c := newConfig(&yaml.Container{
|
|
DNS: []string{"8.8.8.8"},
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Insufficient privileges to use custom dns")
|
|
})
|
|
|
|
g.It("should error when dns_search configured", func() {
|
|
c := newConfig(&yaml.Container{
|
|
DNSSearch: []string{"8.8.8.8"},
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Insufficient privileges to use dns_search")
|
|
})
|
|
|
|
g.It("should error when devices configured", func() {
|
|
c := newConfig(&yaml.Container{
|
|
Devices: []string{"/dev/foo"},
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Insufficient privileges to use devices")
|
|
})
|
|
|
|
g.It("should error when extra_hosts configured", func() {
|
|
c := newConfig(&yaml.Container{
|
|
ExtraHosts: []string{"1.2.3.4 foo.com"},
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Insufficient privileges to use extra_hosts")
|
|
})
|
|
|
|
g.It("should error when network configured", func() {
|
|
c := newConfig(&yaml.Container{
|
|
Network: "host",
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Insufficient privileges to override the network")
|
|
})
|
|
|
|
g.It("should error when oom_kill_disabled configured", func() {
|
|
c := newConfig(&yaml.Container{
|
|
OomKillDisable: true,
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Insufficient privileges to disable oom_kill")
|
|
})
|
|
|
|
g.It("should error when volumes configured", func() {
|
|
c := newConfig(&yaml.Container{
|
|
Volumes: []string{"/:/tmp"},
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Insufficient privileges to use volumes")
|
|
})
|
|
|
|
g.It("should error when volumes_from configured", func() {
|
|
c := newConfig(&yaml.Container{
|
|
VolumesFrom: []string{"drone"},
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Insufficient privileges to use volumes_from")
|
|
})
|
|
})
|
|
|
|
g.Describe("plugin configuration", func() {
|
|
g.It("should error when entrypoint is configured", func() {
|
|
c := newConfig(&yaml.Container{
|
|
Entrypoint: []string{"/bin/sh"},
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Cannot set plugin Entrypoint")
|
|
})
|
|
|
|
g.It("should error when command is configured", func() {
|
|
c := newConfig(&yaml.Container{
|
|
Command: []string{"cat", "/proc/1/status"},
|
|
})
|
|
err := Check(c, false)
|
|
g.Assert(err != nil).IsTrue("error should not be nil")
|
|
g.Assert(err.Error()).Equal("Cannot set plugin Command")
|
|
})
|
|
|
|
g.It("should not error when empty entrypoint, command", func() {
|
|
c := newConfig(&yaml.Container{})
|
|
err := Check(c, false)
|
|
g.Assert(err == nil).IsTrue("error should be nil")
|
|
})
|
|
})
|
|
})
|
|
}
|
|
|
|
func newConfig(container *yaml.Container) *yaml.Config {
|
|
return &yaml.Config{
|
|
Pipeline: []*yaml.Container{container},
|
|
}
|
|
}
|
|
|
|
func newConfigService(container *yaml.Container) *yaml.Config {
|
|
return &yaml.Config{
|
|
Services: []*yaml.Container{container},
|
|
}
|
|
}
|