
Commit 6d80e70

committed
tests: add tests checking combinations of --policy flag
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
1 parent 071ce55 commit 6d80e70

1 file changed

Lines changed: 149 additions & 0 deletions

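--- a/tests/policy_build.go
+++ b/tests/policy_build.go
@@ -25,6 +25,7 @@ var policyBuildTests = []func(t *testing.T, sb integration.Sandbox){
 	testBuildPolicyImageName,
 	testBuildPolicyEnv,
 	testBuildPolicyHTTP,
+	testBuildPolicyConfigFlags,
 }
 
 func testBuildPolicyAllow(t *testing.T, sb integration.Sandbox) {
@@ -723,3 +724,151 @@ decision := {"allow": allow}
 	})
 }
 }
+
+func testBuildPolicyConfigFlags(t *testing.T, sb integration.Sandbox) {
+	skipNoCompatBuildKit(t, sb, ">= 0.26.0-0", "policy input requires BuildKit v0.26.0+")
+
+	dockerfile := []byte("FROM busybox:latest\nRUN echo policy-flags\n")
+	defaultPolicy := []byte(`
+package docker
+
+default allow = false
+
+allow if input.env.args["DEFAULT_OK"] == "1"
+
+decision := {"allow": allow}
+`)
+	extraPolicy := []byte(`
+package docker
+
+default allow = false
+
+allow if input.env.labels["com.example.extra"] == "1"
+
+decision := {"allow": allow}
+`)
+	denyPolicy := []byte(`
+package docker
+
+default allow = false
+
+decision := {"allow": allow}
+`)
+
+	t.Run("additional-policy-requires-default", func(t *testing.T) {
+		dir := tmpdir(
+			t,
+			fstest.CreateFile("Dockerfile", dockerfile, 0600),
+			fstest.CreateFile("Dockerfile.rego", defaultPolicy, 0600),
+			fstest.CreateFile("extra.rego", extraPolicy, 0600),
+		)
+		extraPath := filepath.Join(dir, "extra.rego")
+
+		cmd := buildxCmd(sb, withDir(dir), withArgs(
+			"build",
+			"--progress=plain",
+			"--policy", "filename="+extraPath,
+			"--build-arg", "DEFAULT_OK=1",
+			"--label", "com.example.extra=1",
+			"--output=type=cacheonly",
+			dir,
+		))
+		out, err := cmd.CombinedOutput()
+		require.NoError(t, err, string(out))
+
+		cmd = buildxCmd(sb, withDir(dir), withArgs(
+			"build",
+			"--progress=plain",
+			"--policy", "filename="+extraPath,
+			"--label", "com.example.extra=1",
+			"--output=type=cacheonly",
+			dir,
+		))
+		out, err = cmd.CombinedOutput()
+		require.Error(t, err, string(out))
+		require.Contains(t, string(out), "not allowed by policy")
+
+		cmd = buildxCmd(sb, withDir(dir), withArgs(
+			"build",
+			"--progress=plain",
+			"--policy", "filename="+extraPath,
+			"--build-arg", "DEFAULT_OK=1",
+			"--output=type=cacheonly",
+			dir,
+		))
+		out, err = cmd.CombinedOutput()
+		require.Error(t, err, string(out))
+		require.Contains(t, string(out), "not allowed by policy")
+	})
+
+	t.Run("reset-ignores-default", func(t *testing.T) {
+		dir := tmpdir(
+			t,
+			fstest.CreateFile("Dockerfile", dockerfile, 0600),
+			fstest.CreateFile("Dockerfile.rego", defaultPolicy, 0600),
+			fstest.CreateFile("extra.rego", extraPolicy, 0600),
+		)
+		extraPath := filepath.Join(dir, "extra.rego")
+
+		cmd := buildxCmd(sb, withDir(dir), withArgs(
+			"build",
+			"--progress=plain",
+			"--policy", "reset=true,filename="+extraPath,
+			"--label", "com.example.extra=1",
+			"--output=type=cacheonly",
+			dir,
+		))
+		out, err := cmd.CombinedOutput()
+		require.NoError(t, err, string(out))
+
+		cmd = buildxCmd(sb, withDir(dir), withArgs(
+			"build",
+			"--progress=plain",
+			"--policy", "reset=true,filename="+extraPath,
+			"--output=type=cacheonly",
+			dir,
+		))
+		out, err = cmd.CombinedOutput()
+		require.Error(t, err, string(out))
+		require.Contains(t, string(out), "not allowed by policy")
+	})
+
+	t.Run("disabled-skips-default", func(t *testing.T) {
+		dir := tmpdir(
+			t,
+			fstest.CreateFile("Dockerfile", dockerfile, 0600),
+			fstest.CreateFile("Dockerfile.rego", denyPolicy, 0600),
+		)
+
+		cmd := buildxCmd(sb, withDir(dir), withArgs(
+			"build",
+			"--progress=plain",
+			"--policy", "disabled=true",
+			"--output=type=cacheonly",
+			dir,
+		))
+		out, err := cmd.CombinedOutput()
+		require.NoError(t, err, string(out))
+	})
+
+	t.Run("disabled-cannot-combine-with-extra", func(t *testing.T) {
+		dir := tmpdir(
+			t,
+			fstest.CreateFile("Dockerfile", dockerfile, 0600),
+			fstest.CreateFile("extra.rego", denyPolicy, 0600),
+		)
+		extraPath := filepath.Join(dir, "extra.rego")
+
+		cmd := buildxCmd(sb, withDir(dir), withArgs(
+			"build",
+			"--progress=plain",
+			"--policy", "filename="+extraPath,
+			"--policy", "disabled=true",
+			"--output=type=cacheonly",
+			dir,
+		))
+		out, err := cmd.CombinedOutput()
+		require.Error(t, err, string(out))
+		require.Contains(t, string(out), "disabled policy cannot be combined with other policy flags")
+	})
+}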
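Review bot: The `disabled-skips-default` subtest (new lines 836–852) has no control showing that the deny-all `Dockerfile.rego` would have blocked the build in the first place, so it also passes if the implicit default policy is never discovered or loaded — which is exactly the failure a bypass-flag test should rule out. The other subtests get their control from `additional-policy-requires-default`, but that one runs in its own tmpdir and always passes an explicit `--policy filename=`, so it does not exercise the implicit-default path used here. I would first run the same build with no `--policy` flag in the same directory and assert it fails with `not allowed by policy`, then keep the existing `disabled=true` build as the positive case.
```go
	t.Run("disabled-skips-default", func(t *testing.T) {
		// … unchanged: tmpdir with Dockerfile and deny-all Dockerfile.rego …

		// control: with no --policy flag the default policy must deny the build,
		// otherwise the disabled=true case below proves nothing
		cmd := buildxCmd(sb, withDir(dir), withArgs(
			"build",
			"--progress=plain",
			"--output=type=cacheonly",
			dir,
		))
		out, err := cmd.CombinedOutput()
		require.Error(t, err, string(out))
		require.Contains(t, string(out), "not allowed by policy")

		cmd = buildxCmd(sb, withDir(dir), withArgs(
			// … unchanged: "--policy", "disabled=true" arguments …
		))
		out, err = cmd.CombinedOutput()
		require.NoError(t, err, string(out))
	})
```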
