Added from implementation + local tests

Signed-off-by: Brandon Lum <lumjjb@gmail.com>
containers · Apr 13, 2020 · 8aaba12 · 8aaba12
1 parent c99f6e8
commit 8aaba12
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 1 deletion.
diff --git a/cmd/buildah/from.go b/cmd/buildah/from.go
@@ -11,6 +11,8 @@ import (
 	buildahcli "github.com/containers/buildah/pkg/cli"
 	"github.com/containers/buildah/pkg/parse"
 	"github.com/containers/common/pkg/config"
+	encconfig "github.com/containers/ocicrypt/config"
+	enchelpers "github.com/containers/ocicrypt/helpers"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -30,6 +32,7 @@ type fromReply struct {
 	quiet           bool
 	signaturePolicy string
 	tlsVerify       bool
+	decryptionKeys  []string
 	*buildahcli.FromAndBudResults
 	*buildahcli.UserNSResults
 	*buildahcli.NameSpaceResults
@@ -72,6 +75,7 @@ func init() {
 	flags.BoolVar(&opts.pullAlways, "pull-always", false, "pull the image even if the named image is present in store")
 	flags.BoolVar(&opts.pullNever, "pull-never", false, "do not pull the image, use the image present in store if available")
 	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "don't output progress information when pulling images")
+	flags.StringSliceVar(&opts.decryptionKeys, "decryption-key", nil, "*experimental* key needed to decrypt the image")
 	flags.StringVar(&opts.signaturePolicy, "signature-policy", "", "`pathname` of signature policy file (not usually used)")
 	if err := flags.MarkHidden("signature-policy"); err != nil {
 		panic(fmt.Sprintf("error marking signature-policy as hidden: %v", err))
@@ -262,6 +266,18 @@ func fromCmd(c *cobra.Command, args []string, iopts fromReply) error {
 
 	capabilities := defaultContainerConfig.Capabilities("", iopts.CapAdd, iopts.CapDrop)
 	commonOpts.Ulimit = append(defaultContainerConfig.Containers.DefaultUlimits, commonOpts.Ulimit...)
+
+	decConfig := &encconfig.DecryptConfig{}
+	if len(iopts.decryptionKeys) > 0 {
+		// decryption
+		dcc, err := enchelpers.CreateCryptoConfig([]string{}, iopts.decryptionKeys)
+		if err != nil {
+			return errors.Wrapf(err, "Invalid decryption keys")
+		}
+		cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{dcc})
+		decConfig = cc.DecryptConfig
+	}
+
 	options := buildah.BuilderOptions{
 		FromImage:             args[0],
 		Container:             iopts.name,
@@ -283,6 +299,7 @@ func fromCmd(c *cobra.Command, args []string, iopts fromReply) error {
 		DefaultEnv:            defaultContainerConfig.GetDefaultEnv(),
 		MaxPullRetries:        maxPullPushRetries,
 		PullRetryDelay:        pullPushRetryDelay,
+		OciDecryptConfig:      decConfig,
 	}
 
 	if !iopts.quiet {

diff --git a/tests/from.bats b/tests/from.bats
@@ -389,3 +389,40 @@ load helpers
   run_buildah from --signature-policy ${TESTSDIR}/policy.json --quiet docker.io/busybox
   expect_output "busybox-working-container"
 }
+
+@test "from encrypted local image" {
+  _prefetch busybox
+  mkdir ${TESTDIR}/tmp
+  openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 1024
+  openssl genrsa -out ${TESTDIR}/tmp/mykey2.pem 1024
+  openssl rsa -in ${TESTDIR}/tmp/mykey.pem -pubout > ${TESTDIR}/tmp/mykey.pub
+  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TESTDIR}/tmp/mykey.pub busybox oci:${TESTDIR}/tmp/busybox_enc
+
+  # Try encrypted image without key should fail
+  run_buildah 1 from oci:${TESTDIR}/tmp/busybox_enc
+  # Try encrypted image with wrong key should fail
+  run_buildah 1 from --decryption-key ${TESTDIR}/tmp/mykey2.pem oci:${TESTDIR}/tmp/busybox_enc
+  # Providing the right key should succeed
+  run_buildah from  --decryption-key ${TESTDIR}/tmp/mykey.pem oci:${TESTDIR}/tmp/busybox_enc
+
+  rm -rf ${TESTDIR}/tmp
+}
+
+@test "from encrypted registry image" {
+  _prefetch busybox
+  mkdir ${TESTDIR}/tmp
+  openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 1024
+  openssl genrsa -out ${TESTDIR}/tmp/mykey2.pem 1024
+  openssl rsa -in ${TESTDIR}/tmp/mykey.pem -pubout > ${TESTDIR}/tmp/mykey.pub
+  run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TESTDIR}/tmp/mykey.pub busybox docker://localhost:5000/buildah/busybox_encrypted:latest
+
+  # Try encrypted image without key should fail
+  run_buildah 1 from --tls-verify=false --creds testuser:testpassword docker://localhost:5000/buildah/busybox_encrypted:latest
+  # Try encrypted image with wrong key should fail
+  run_buildah 1 from --tls-verify=false --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey2.pem docker://localhost:5000/buildah/busybox_encrypted:latest
+  # Providing the right key should succeed
+  run_buildah from --tls-verify=false --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey.pem docker://localhost:5000/buildah/busybox_encrypted:latest
+  run_buildah rmi localhost:5000/buildah/busybox_encrypted:latest
+
+  rm -rf ${TESTDIR}/tmp
+}
diff --git a/tests/pull.bats b/tests/pull.bats
@@ -168,7 +168,25 @@ load helpers
   run_buildah 1 pull --authfile /tmp/nonexist --signature-policy ${TESTSDIR}/policy.json alpine
 }
 
-@test "pull encrypted image" {
+@test "pull encrypted local image" {
+  _prefetch busybox
+  mkdir ${TESTDIR}/tmp
+  openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 1024
+  openssl genrsa -out ${TESTDIR}/tmp/mykey2.pem 1024
+  openssl rsa -in ${TESTDIR}/tmp/mykey.pem -pubout > ${TESTDIR}/tmp/mykey.pub
+  run_buildah push --signature-policy ${TESTSDIR}/policy.json --encryption-key jwe:${TESTDIR}/tmp/mykey.pub busybox  oci:${TESTDIR}/tmp/busybox_enc
+
+  # Try to pull encrypted image without key should fail
+  run_buildah 1 pull --signature-policy ${TESTSDIR}/policy.json oci:${TESTDIR}/tmp/busybox_enc
+  # Try to pull encrypted image with wrong key should fail
+  run_buildah 1 pull --signature-policy ${TESTSDIR}/policy.json --decryption-key ${TESTDIR}/tmp/mykey2.pem oci:${TESTDIR}/tmp/busybox_enc
+  # Providing the right key should succeed
+  run_buildah pull --signature-policy ${TESTSDIR}/policy.json --decryption-key ${TESTDIR}/tmp/mykey.pem oci:${TESTDIR}/tmp/busybox_enc
+
+  rm -rf ${TESTDIR}/tmp
+}
+
+@test "pull encrypted registry image" {
   _prefetch busybox
   mkdir ${TESTDIR}/tmp
   openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 1024
@@ -183,5 +201,6 @@ load helpers
   # Providing the right key should succeed
   run_buildah pull --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey.pem docker://localhost:5000/buildah/busybox_encrypted:latest
   run_buildah rmi localhost:5000/buildah/busybox_encrypted:latest
+
   rm -rf ${TESTDIR}/tmp
 }