/* Copyright 2018 Google LLC Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package executor import ( "bytes" "fmt" "io" "net/http" "net/http/httptest" "os" "path/filepath" "testing" "github.com/GoogleContainerTools/kaniko/pkg/config" "github.com/GoogleContainerTools/kaniko/pkg/util" "github.com/GoogleContainerTools/kaniko/testutil" "github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/layout" "github.com/google/go-containerregistry/pkg/v1/random" "github.com/google/go-containerregistry/pkg/v1/validate" "github.com/spf13/afero" ) func mustTag(t *testing.T, s string) name.Tag { tag, err := name.NewTag(s, name.StrictValidation) if err != nil { t.Fatalf("NewTag: %v", err) } return tag } func TestWriteImageOutputs(t *testing.T) { img, err := random.Image(1024, 3) if err != nil { t.Fatalf("random.Image: %v", err) } d, err := img.Digest() if err != nil { t.Fatalf("Digest: %v", err) } for _, c := range []struct { desc, env string tags []name.Tag want string }{{ desc: "env unset, no output", env: "", }, { desc: "env set, one tag", env: "/foo", tags: []name.Tag{mustTag(t, "gcr.io/foo/bar:latest")}, want: fmt.Sprintf(`{"name":"gcr.io/foo/bar:latest","digest":%q} `, d), }, { desc: "env set, two tags", env: "/foo", tags: []name.Tag{ mustTag(t, "gcr.io/foo/bar:latest"), mustTag(t, "gcr.io/baz/qux:latest"), }, want: fmt.Sprintf(`{"name":"gcr.io/foo/bar:latest","digest":%q} {"name":"gcr.io/baz/qux:latest","digest":%q} `, d, d), }} { t.Run(c.desc, func(t *testing.T) { newOsFs = afero.NewMemMapFs() if c.want == "" { newOsFs = afero.NewReadOnlyFs(newOsFs) // No files should be written. } os.Setenv("BUILDER_OUTPUT", c.env) if err := writeImageOutputs(img, c.tags); err != nil { t.Fatalf("writeImageOutputs: %v", err) } if c.want == "" { return } b, err := afero.ReadFile(newOsFs, filepath.Join(c.env, "images")) if err != nil { t.Fatalf("ReadFile: %v", err) } if got := string(b); got != c.want { t.Fatalf(" got: %s\nwant: %s", got, c.want) } }) } } func TestHeaderAdded(t *testing.T) { tests := []struct { name string upstream string expected string }{{ name: "upstream env variable set", upstream: "skaffold-v0.25.45", expected: "kaniko/unset,skaffold-v0.25.45", }, { name: "upstream env variable not set", expected: "kaniko/unset", }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { rt := &withUserAgent{t: &mockRoundTripper{}} if test.upstream != "" { os.Setenv("UPSTREAM_CLIENT_TYPE", test.upstream) defer func() { os.Unsetenv("UPSTREAM_CLIENT_TYPE") }() } req, err := http.NewRequest("GET", "dummy", nil) //nolint:noctx if err != nil { t.Fatalf("culd not create a req due to %s", err) } resp, err := rt.RoundTrip(req) testutil.CheckError(t, false, err) defer resp.Body.Close() body, err := io.ReadAll(resp.Body) testutil.CheckErrorAndDeepEqual(t, false, err, test.expected, string(body)) }) } } type mockRoundTripper struct { } func (m *mockRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) { ua := r.UserAgent() return &http.Response{Body: io.NopCloser(bytes.NewBufferString(ua))}, nil } func TestOCILayoutPath(t *testing.T) { tmpDir := t.TempDir() image, err := random.Image(1024, 4) if err != nil { t.Fatalf("could not create image: %s", err) } digest, err := image.Digest() if err != nil { t.Fatalf("could not get image digest: %s", err) } want, err := image.Manifest() if err != nil { t.Fatalf("could not get image manifest: %s", err) } opts := config.KanikoOptions{ NoPush: true, OCILayoutPath: tmpDir, } if err := DoPush(image, &opts); err != nil { t.Fatalf("could not push image: %s", err) } layoutIndex, err := layout.ImageIndexFromPath(tmpDir) if err != nil { t.Fatalf("could not get index from layout: %s", err) } testutil.CheckError(t, false, validate.Index(layoutIndex)) layoutImage, err := layoutIndex.Image(digest) if err != nil { t.Fatalf("could not get image from layout: %s", err) } got, err := layoutImage.Manifest() testutil.CheckErrorAndDeepEqual(t, false, err, want, got) } func TestImageNameDigestFile(t *testing.T) { image, err := random.Image(1024, 4) if err != nil { t.Fatalf("could not create image: %s", err) } digest, err := image.Digest() if err != nil { t.Fatalf("could not get image digest: %s", err) } opts := config.KanikoOptions{ NoPush: true, Destinations: []string{"gcr.io/foo/bar:latest", "bob/image"}, ImageNameDigestFile: "tmpFile", } defer os.Remove("tmpFile") if err := DoPush(image, &opts); err != nil { t.Fatalf("could not push image: %s", err) } want := []byte("gcr.io/foo/bar@" + digest.String() + "\nindex.docker.io/bob/image@" + digest.String() + "\n") got, err := os.ReadFile("tmpFile") testutil.CheckErrorAndDeepEqual(t, false, err, want, got) } func TestDoPushWithOpts(t *testing.T) { tarPath := "image.tar" for _, tc := range []struct { name string opts config.KanikoOptions expectedErr bool }{ { name: "no push with tarPath without destinations", opts: config.KanikoOptions{ NoPush: true, TarPath: tarPath, }, expectedErr: false, }, { name: "no push with tarPath with destinations", opts: config.KanikoOptions{ NoPush: true, TarPath: tarPath, Destinations: []string{"image"}, }, expectedErr: false, }, { name: "no push with tarPath with destinations empty", opts: config.KanikoOptions{ NoPush: true, TarPath: tarPath, Destinations: []string{}, }, expectedErr: false, }, { name: "tarPath with destinations empty", opts: config.KanikoOptions{ NoPush: false, TarPath: tarPath, Destinations: []string{}, }, expectedErr: true, }} { t.Run(tc.name, func(t *testing.T) { image, err := random.Image(1024, 4) if err != nil { t.Fatalf("could not create image: %s", err) } defer os.Remove("image.tar") err = DoPush(image, &tc.opts) if err != nil { if !tc.expectedErr { t.Errorf("unexpected error with opts: could not push image: %s", err) } } else { if tc.expectedErr { t.Error("expected error with opts not found") } } }) } } func TestImageNameTagDigestFile(t *testing.T) { image, err := random.Image(1024, 4) if err != nil { t.Fatalf("could not create image: %s", err) } digest, err := image.Digest() if err != nil { t.Fatalf("could not get image digest: %s", err) } opts := config.KanikoOptions{ NoPush: true, Destinations: []string{"gcr.io/foo/bar:123", "bob/image"}, ImageNameTagDigestFile: "tmpFile", } defer os.Remove("tmpFile") if err := DoPush(image, &opts); err != nil { t.Fatalf("could not push image: %s", err) } want := []byte("gcr.io/foo/bar:123@" + digest.String() + "\nindex.docker.io/bob/image:latest@" + digest.String() + "\n") got, err := os.ReadFile("tmpFile") testutil.CheckErrorAndDeepEqual(t, false, err, want, got) } var checkPushPermsCallCount = 0 func resetCalledCount() { checkPushPermsCallCount = 0 } func fakeCheckPushPermission(ref name.Reference, kc authn.Keychain, t http.RoundTripper) error { checkPushPermsCallCount++ return nil } func TestCheckPushPermissions(t *testing.T) { tests := []struct { description string cacheRepo string checkPushPermsExpectedCallCount int destinations []string existingConfig bool noPush bool noPushCache bool }{ {description: "a gcr image without config", destinations: []string{"gcr.io/test-image"}, checkPushPermsExpectedCallCount: 1}, {description: "a gcr image with config", destinations: []string{"gcr.io/test-image"}, existingConfig: true, checkPushPermsExpectedCallCount: 1}, {description: "a pkg.dev image without config", destinations: []string{"us-docker.pkg.dev/test-image"}, checkPushPermsExpectedCallCount: 1}, {description: "a pkg.dev image with config", destinations: []string{"us-docker.pkg.dev/test-image"}, existingConfig: true, checkPushPermsExpectedCallCount: 1}, {description: "localhost registry without config", destinations: []string{"localhost:5000/test-image"}, checkPushPermsExpectedCallCount: 1}, {description: "localhost registry with config", destinations: []string{"localhost:5000/test-image"}, existingConfig: true, checkPushPermsExpectedCallCount: 1}, {description: "any other registry", destinations: []string{"notgcr.io/test-image"}, checkPushPermsExpectedCallCount: 1}, { description: "multiple destinations pushed to different registry", destinations: []string{ "us-central1-docker.pkg.dev/prj/test-image", "us-west-docker.pkg.dev/prj/test-image", }, checkPushPermsExpectedCallCount: 2, }, { description: "same image names with different tags", destinations: []string{ "us-central1-docker.pkg.dev/prj/test-image:tag1", "us-central1-docker.pkg.dev/prj/test-image:tag2", }, checkPushPermsExpectedCallCount: 1, }, { description: "same destination image multiple times", destinations: []string{ "us-central1-docker.pkg.dev/prj/test-image", "us-central1-docker.pkg.dev/prj/test-image", }, checkPushPermsExpectedCallCount: 1, }, { description: "no push and no push cache", destinations: []string{"us-central1-docker.pkg.dev/prj/test-image"}, checkPushPermsExpectedCallCount: 0, noPush: true, noPushCache: true, }, { description: "no push and push cache", destinations: []string{"us-central1-docker.pkg.dev/prj/test-image"}, cacheRepo: "us-central1-docker.pkg.dev/prj/cache-image", checkPushPermsExpectedCallCount: 1, noPush: true, }, { description: "no push and cache repo is OCI image layout", destinations: []string{"us-central1-docker.pkg.dev/prj/test-image"}, cacheRepo: "oci:/some-layout-path", checkPushPermsExpectedCallCount: 0, noPush: true, }, } checkRemotePushPermission = fakeCheckPushPermission for _, test := range tests { t.Run(test.description, func(t *testing.T) { resetCalledCount() newOsFs = afero.NewMemMapFs() opts := config.KanikoOptions{ CacheRepo: test.cacheRepo, Destinations: test.destinations, NoPush: test.noPush, NoPushCache: test.noPushCache, } if test.existingConfig { afero.WriteFile(newOsFs, util.DockerConfLocation(), []byte(""), os.FileMode(0644)) defer newOsFs.Remove(util.DockerConfLocation()) } CheckPushPermissions(&opts) if checkPushPermsCallCount != test.checkPushPermsExpectedCallCount { t.Errorf("expected check push permissions call count to be %d but it was %d", test.checkPushPermsExpectedCallCount, checkPushPermsCallCount) } }) } } func TestSkipPushPermission(t *testing.T) { tests := []struct { description string cacheRepo string checkPushPermsExpectedCallCount int destinations []string existingConfig bool noPush bool noPushCache bool skipPushPermission bool }{ {description: "skip push permission enabled", destinations: []string{"test.io/skip"}, checkPushPermsExpectedCallCount: 0, skipPushPermission: true}, {description: "skip push permission disabled", destinations: []string{"test.io/push"}, checkPushPermsExpectedCallCount: 1, skipPushPermission: false}, } checkRemotePushPermission = fakeCheckPushPermission for _, test := range tests { t.Run(test.description, func(t *testing.T) { resetCalledCount() newOsFs = afero.NewMemMapFs() opts := config.KanikoOptions{ CacheRepo: test.cacheRepo, Destinations: test.destinations, NoPush: test.noPush, NoPushCache: test.noPushCache, SkipPushPermissionCheck: test.skipPushPermission, } if test.existingConfig { afero.WriteFile(newOsFs, util.DockerConfLocation(), []byte(""), os.FileMode(0644)) defer newOsFs.Remove(util.DockerConfLocation()) } CheckPushPermissions(&opts) if checkPushPermsCallCount != test.checkPushPermsExpectedCallCount { t.Errorf("expected check push permissions call count to be %d but it was %d", test.checkPushPermsExpectedCallCount, checkPushPermsCallCount) } }) } } func TestHelperProcess(t *testing.T) { if os.Getenv("GO_WANT_HELPER_PROCESS") != "1" { return } fmt.Fprintf(os.Stdout, "fake result") os.Exit(0) } func TestWriteDigestFile(t *testing.T) { tmpDir := t.TempDir() t.Run("parent directory does not exist", func(t *testing.T) { err := writeDigestFile(tmpDir+"/test/df", []byte("test")) if err != nil { t.Errorf("expected file to be written successfully, but got error: %v", err) } }) t.Run("parent directory exists", func(t *testing.T) { err := writeDigestFile(tmpDir+"/df", []byte("test")) if err != nil { t.Errorf("expected file to be written successfully, but got error: %v", err) } }) t.Run("https PUT OK", func(t *testing.T) { var uploadedContent []byte // Start a test server that checks the PUT request. server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodPut { w.WriteHeader(http.StatusMethodNotAllowed) return } uploadedContent, _ = io.ReadAll(r.Body) w.WriteHeader(http.StatusNoContent) })) defer server.Close() // Temporarily replace the default client with the test server client to avoid TLS verification errors. oldClient := http.DefaultClient defer func() { http.DefaultClient = oldClient }() http.DefaultClient = server.Client() err := writeDigestFile(server.URL+"/df?sig=1234", []byte("test")) if err != nil { t.Fatalf("expected file to be written successfully, but got error: %v", err) } if string(uploadedContent) != "test" { t.Errorf("expected uploaded content to be 'test', but got '%s'", uploadedContent) } }) }