...
|
...
|
@@ -488,31 +488,23 @@ func TestBuildCopyDisallowRemote(t *testing.T) {
|
488
|
488
|
// Issue #5270 - ensure we throw a better error than "unexpected EOF"
|
489
|
489
|
// when we can't access files in the context.
|
490
|
490
|
func TestBuildWithInaccessibleFilesInContext(t *testing.T) {
|
491
|
|
- testDirName := "TestBuildWithInaccessibleFilesInContext"
|
492
|
|
-
|
493
|
|
- sourceDirectory := filepath.Join(workingDirectory, "build_tests", testDirName)
|
494
|
|
- buildDirectory, err := ioutil.TempDir("", "test-build-inaccessible-directory")
|
495
|
|
- defer os.RemoveAll(buildDirectory)
|
496
|
|
-
|
497
|
|
- err = copyWithCP(sourceDirectory, buildDirectory)
|
498
|
|
- if err != nil {
|
499
|
|
- t.Fatalf("failed to copy files to temporary directory: %s", err)
|
500
|
|
- }
|
501
|
|
-
|
502
|
|
- buildDirectory = filepath.Join(buildDirectory, testDirName)
|
503
|
491
|
{
|
|
492
|
+ name := "testbuildinaccessiblefiles"
|
|
493
|
+ defer deleteImages(name)
|
|
494
|
+ ctx, err := fakeContext("FROM scratch\nADD . /foo/", map[string]string{"fileWithoutReadAccess": "foo"})
|
|
495
|
+ if err != nil {
|
|
496
|
+ t.Fatal(err)
|
|
497
|
+ }
|
|
498
|
+ defer ctx.Close()
|
504
|
499
|
// This is used to ensure we detect inaccessible files early during build in the cli client
|
505
|
|
- pathToInaccessibleFileBuildDirectory := filepath.Join(buildDirectory, "inaccessiblefile")
|
506
|
|
- pathToFileWithoutReadAccess := filepath.Join(pathToInaccessibleFileBuildDirectory, "fileWithoutReadAccess")
|
|
500
|
+ pathToFileWithoutReadAccess := filepath.Join(ctx.Dir, "fileWithoutReadAccess")
|
507
|
501
|
|
508
|
|
- err := os.Chown(pathToFileWithoutReadAccess, 0, 0)
|
|
502
|
+ err = os.Chown(pathToFileWithoutReadAccess, 0, 0)
|
509
|
503
|
errorOut(err, t, fmt.Sprintf("failed to chown file to root: %s", err))
|
510
|
504
|
err = os.Chmod(pathToFileWithoutReadAccess, 0700)
|
511
|
505
|
errorOut(err, t, fmt.Sprintf("failed to chmod file to 700: %s", err))
|
512
|
|
-
|
513
|
|
- buildCommandStatement := fmt.Sprintf("%s build -t inaccessiblefiles .", dockerBinary)
|
514
|
|
- buildCmd := exec.Command("su", "unprivilegeduser", "-c", buildCommandStatement)
|
515
|
|
- buildCmd.Dir = pathToInaccessibleFileBuildDirectory
|
|
506
|
+ buildCmd := exec.Command("su", "unprivilegeduser", "-c", fmt.Sprintf("%s build -t %s .", dockerBinary, name))
|
|
507
|
+ buildCmd.Dir = ctx.Dir
|
516
|
508
|
out, exitCode, err := runCommandWithOutput(buildCmd)
|
517
|
509
|
if err == nil || exitCode == 0 {
|
518
|
510
|
t.Fatalf("build should have failed: %s %s", err, out)
|
...
|
...
|
@@ -528,21 +520,26 @@ func TestBuildWithInaccessibleFilesInContext(t *testing.T) {
|
528
|
528
|
}
|
529
|
529
|
}
|
530
|
530
|
{
|
|
531
|
+ name := "testbuildinaccessibledirectory"
|
|
532
|
+ defer deleteImages(name)
|
|
533
|
+ ctx, err := fakeContext("FROM scratch\nADD . /foo/", map[string]string{"directoryWeCantStat/bar": "foo"})
|
|
534
|
+ if err != nil {
|
|
535
|
+ t.Fatal(err)
|
|
536
|
+ }
|
|
537
|
+ defer ctx.Close()
|
531
|
538
|
// This is used to ensure we detect inaccessible directories early during build in the cli client
|
532
|
|
- pathToInaccessibleDirectoryBuildDirectory := filepath.Join(buildDirectory, "inaccessibledirectory")
|
533
|
|
- pathToDirectoryWithoutReadAccess := filepath.Join(pathToInaccessibleDirectoryBuildDirectory, "directoryWeCantStat")
|
|
539
|
+ pathToDirectoryWithoutReadAccess := filepath.Join(ctx.Dir, "directoryWeCantStat")
|
534
|
540
|
pathToFileInDirectoryWithoutReadAccess := filepath.Join(pathToDirectoryWithoutReadAccess, "bar")
|
535
|
541
|
|
536
|
|
- err := os.Chown(pathToDirectoryWithoutReadAccess, 0, 0)
|
|
542
|
+ err = os.Chown(pathToDirectoryWithoutReadAccess, 0, 0)
|
537
|
543
|
errorOut(err, t, fmt.Sprintf("failed to chown directory to root: %s", err))
|
538
|
544
|
err = os.Chmod(pathToDirectoryWithoutReadAccess, 0444)
|
539
|
545
|
errorOut(err, t, fmt.Sprintf("failed to chmod directory to 755: %s", err))
|
540
|
546
|
err = os.Chmod(pathToFileInDirectoryWithoutReadAccess, 0700)
|
541
|
547
|
errorOut(err, t, fmt.Sprintf("failed to chmod file to 444: %s", err))
|
542
|
548
|
|
543
|
|
- buildCommandStatement := fmt.Sprintf("%s build -t inaccessiblefiles .", dockerBinary)
|
544
|
|
- buildCmd := exec.Command("su", "unprivilegeduser", "-c", buildCommandStatement)
|
545
|
|
- buildCmd.Dir = pathToInaccessibleDirectoryBuildDirectory
|
|
549
|
+ buildCmd := exec.Command("su", "unprivilegeduser", "-c", fmt.Sprintf("%s build -t %s .", dockerBinary, name))
|
|
550
|
+ buildCmd.Dir = ctx.Dir
|
546
|
551
|
out, exitCode, err := runCommandWithOutput(buildCmd)
|
547
|
552
|
if err == nil || exitCode == 0 {
|
548
|
553
|
t.Fatalf("build should have failed: %s %s", err, out)
|
...
|
...
|
@@ -559,41 +556,52 @@ func TestBuildWithInaccessibleFilesInContext(t *testing.T) {
|
559
|
559
|
|
560
|
560
|
}
|
561
|
561
|
{
|
|
562
|
+ name := "testlinksok"
|
|
563
|
+ defer deleteImages(name)
|
|
564
|
+ ctx, err := fakeContext("FROM scratch\nADD . /foo/", nil)
|
|
565
|
+ if err != nil {
|
|
566
|
+ t.Fatal(err)
|
|
567
|
+ }
|
|
568
|
+ defer ctx.Close()
|
|
569
|
+ if err := os.Symlink(filepath.Join(ctx.Dir, "g"), "../../../../../../../../../../../../../../../../../../../azA"); err != nil {
|
|
570
|
+ t.Fatal(err)
|
|
571
|
+ }
|
562
|
572
|
// This is used to ensure we don't follow links when checking if everything in the context is accessible
|
563
|
573
|
// This test doesn't require that we run commands as an unprivileged user
|
564
|
|
- pathToDirectoryWhichContainsLinks := filepath.Join(buildDirectory, "linksdirectory")
|
565
|
|
-
|
566
|
|
- out, exitCode, err := dockerCmdInDir(t, pathToDirectoryWhichContainsLinks, "build", "-t", "testlinksok", ".")
|
567
|
|
- if err != nil || exitCode != 0 {
|
568
|
|
- t.Fatalf("build should have worked: %s %s", err, out)
|
|
574
|
+ if _, err := buildImageFromContext(name, ctx, true); err != nil {
|
|
575
|
+ t.Fatal(err)
|
569
|
576
|
}
|
570
|
|
-
|
571
|
|
- deleteImages("testlinksok")
|
572
|
|
-
|
573
|
577
|
}
|
574
|
578
|
{
|
|
579
|
+ name := "testbuildignoredinaccessible"
|
|
580
|
+ defer deleteImages(name)
|
|
581
|
+ ctx, err := fakeContext("FROM scratch\nADD . /foo/",
|
|
582
|
+ map[string]string{
|
|
583
|
+ "directoryWeCantStat/bar": "foo",
|
|
584
|
+ ".dockerignore": "directoryWeCantStat",
|
|
585
|
+ })
|
|
586
|
+ if err != nil {
|
|
587
|
+ t.Fatal(err)
|
|
588
|
+ }
|
|
589
|
+ defer ctx.Close()
|
575
|
590
|
// This is used to ensure we don't try to add inaccessible files when they are ignored by a .dockerignore pattern
|
576
|
|
- pathToInaccessibleDirectoryBuildDirectory := filepath.Join(buildDirectory, "ignoredinaccessible")
|
577
|
|
- pathToDirectoryWithoutReadAccess := filepath.Join(pathToInaccessibleDirectoryBuildDirectory, "directoryWeCantStat")
|
|
591
|
+ pathToDirectoryWithoutReadAccess := filepath.Join(ctx.Dir, "directoryWeCantStat")
|
578
|
592
|
pathToFileInDirectoryWithoutReadAccess := filepath.Join(pathToDirectoryWithoutReadAccess, "bar")
|
579
|
|
- err := os.Chown(pathToDirectoryWithoutReadAccess, 0, 0)
|
|
593
|
+ err = os.Chown(pathToDirectoryWithoutReadAccess, 0, 0)
|
580
|
594
|
errorOut(err, t, fmt.Sprintf("failed to chown directory to root: %s", err))
|
581
|
595
|
err = os.Chmod(pathToDirectoryWithoutReadAccess, 0444)
|
582
|
596
|
errorOut(err, t, fmt.Sprintf("failed to chmod directory to 755: %s", err))
|
583
|
597
|
err = os.Chmod(pathToFileInDirectoryWithoutReadAccess, 0700)
|
584
|
598
|
errorOut(err, t, fmt.Sprintf("failed to chmod file to 444: %s", err))
|
585
|
599
|
|
586
|
|
- buildCommandStatement := fmt.Sprintf("%s build -t ignoredinaccessible .", dockerBinary)
|
587
|
|
- buildCmd := exec.Command("su", "unprivilegeduser", "-c", buildCommandStatement)
|
588
|
|
- buildCmd.Dir = pathToInaccessibleDirectoryBuildDirectory
|
|
600
|
+ buildCmd := exec.Command("su", "unprivilegeduser", "-c", fmt.Sprintf("%s build -t %s .", dockerBinary, name))
|
|
601
|
+ buildCmd.Dir = ctx.Dir
|
589
|
602
|
out, exitCode, err := runCommandWithOutput(buildCmd)
|
590
|
603
|
if err != nil || exitCode != 0 {
|
591
|
604
|
t.Fatalf("build should have worked: %s %s", err, out)
|
592
|
605
|
}
|
593
|
|
- deleteImages("ignoredinaccessible")
|
594
|
606
|
|
595
|
607
|
}
|
596
|
|
- deleteImages("inaccessiblefiles")
|
597
|
608
|
logDone("build - ADD from context with inaccessible files must fail")
|
598
|
609
|
logDone("build - ADD from context with accessible links must work")
|
599
|
610
|
logDone("build - ADD from context with ignored inaccessible files must work")
|