From 8aaba12fbe8f19452879b8c47bb4a83290fdbfde Mon Sep 17 00:00:00 2001
From: Brandon Lum
Date: Mon, 13 Apr 2020 18:57:44 +0000
Subject: [PATCH] Added from implementation + local tests
Signed-off-by: Brandon Lum
---
 cmd/buildah/from.go | 17 +++++++++++++++++
 tests/from.bats | 37 +++++++++++++++++++++++++++++++++++++
 tests/pull.bats | 21 ++++++++++++++++++++-
 3 files changed, 74 insertions(+), 1 deletion(-)
diff --git a/cmd/buildah/from.go b/cmd/buildah/from.go
index 8d6ce9fff17..c6a706506ec 100644
--- a/cmd/buildah/from.go
+++ b/cmd/buildah/from.go
@@ -11,6 +11,8 @@ import (
 buildahcli "github.com/containers/buildah/pkg/cli"
 "github.com/containers/buildah/pkg/parse"
 "github.com/containers/common/pkg/config"
+ encconfig "github.com/containers/ocicrypt/config"
+ enchelpers "github.com/containers/ocicrypt/helpers"
 "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
@@ -30,6 +32,7 @@ type fromReply struct {
 quiet bool
 signaturePolicy string
 tlsVerify bool
+ decryptionKeys []string
 *buildahcli.FromAndBudResults
 *buildahcli.UserNSResults
 *buildahcli.NameSpaceResults
@@ -72,6 +75,7 @@ func init() {
 flags.BoolVar(&opts.pullAlways, "pull-always", false, "pull the image even if the named image is present in store")
 flags.BoolVar(&opts.pullNever, "pull-never", false, "do not pull the image, use the image present in store if available")
 flags.BoolVarP(&opts.quiet, "quiet", "q", false, "don't output progress information when pulling images")
+ flags.StringSliceVar(&opts.decryptionKeys, "decryption-key", nil, "*experimental* key needed to decrypt the image")
 flags.StringVar(&opts.signaturePolicy, "signature-policy", "", "`pathname` of signature policy file (not usually used)")
 if err := flags.MarkHidden("signature-policy"); err != nil {
 panic(fmt.Sprintf("error marking signature-policy as hidden: %v", err))
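Review bot: The help string for the new `--decryption-key` flag in the `init()` hunk does not say what the value is, while the neighbouring `--signature-policy` flag marks its argument as a `pathname`; since `StringSliceVar` lets the flag be repeated, the text should say so too: `"*experimental* `pathname` of a private key needed to decrypt the image (may be repeated)"`. The tests in this patch pass a PEM private key file, but any other accepted key formats are parsed inside ocicrypt's `CreateCryptoConfig` in a later hunk, so a pointer to where those formats are documented would help users. `init()` continues outside the hunk.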
@@ -262,6 +266,18 @@ func fromCmd(c *cobra.Command, args []string, iopts fromReply) error { capabilities := defaultContainerConfig.Capabilities("", iopts.CapAdd, iopts.CapDrop) commonOpts.Ulimit = append(defaultContainerConfig.Containers.DefaultUlimits, commonOpts.Ulimit...) + + decConfig := &encconfig.DecryptConfig{} + if len(iopts.decryptionKeys) > 0 { + // decryption + dcc, err := enchelpers.CreateCryptoConfig([]string{}, iopts.decryptionKeys) + if err != nil { + return errors.Wrapf(err, "Invalid decryption keys") + } + cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{dcc}) + decConfig = cc.DecryptConfig + } + options := buildah.BuilderOptions{ FromImage: args[0], Container: iopts.name, @@ -283,6 +299,7 @@ func fromCmd(c *cobra.Command, args []string, iopts fromReply) error { DefaultEnv: defaultContainerConfig.GetDefaultEnv(), MaxPullRetries: maxPullPushRetries, PullRetryDelay: pullPushRetryDelay, + OciDecryptConfig: decConfig, } if !iopts.quiet { diff --git a/tests/from.bats b/tests/from.bats index 8ac2924eefe..ce86ebfe365 100644 --- a/tests/from.bats +++ b/tests/from.bats 
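Review bot: `errors.Wrapf(err, "Invalid decryption keys")` in the `fromCmd` hunk has no format arguments and a capitalised message; `errors.Wrap(err, "invalid decryption keys")` matches the package's wrapping idiom and the lowercase error-string convention. The `// decryption` comment says nothing the code does not; replace it with a why-comment such as `// Build a DecryptConfig from the private keys given via --decryption-key so the image library can unwrap encrypted layers during the pull`. `CombineCryptoConfigs` over a one-element slice looks like a no-op here, so `decConfig = dcc.DecryptConfig` is presumably equivalent if the helper returns the config already populated; worth confirming against ocicrypt. When no keys are given `decConfig` stays a non-nil empty `DecryptConfig`, and whether that behaves the same as `nil` for an encrypted image is decided by the library, not this code; the bats tests in this patch cover the no-key failure case, which is the right safeguard. `fromCmd` continues on both sides of the hunk.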
@@ -389,3 +389,40 @@ load helpers
 run_buildah from --signature-policy ${TESTSDIR}/policy.json --quiet docker.io/busybox
 expect_output "busybox-working-container"
 }
+
+@test "from encrypted local image" {
+ _prefetch busybox
+ mkdir ${TESTDIR}/tmp
+ openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 1024
+ openssl genrsa -out ${TESTDIR}/tmp/mykey2.pem 1024
+ openssl rsa -in ${TESTDIR}/tmp/mykey.pem -pubout > ${TESTDIR}/tmp/mykey.pub
+ run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TESTDIR}/tmp/mykey.pub busybox oci:${TESTDIR}/tmp/busybox_enc
+
+ # Try encrypted image without key should fail
+ run_buildah 1 from oci:${TESTDIR}/tmp/busybox_enc
+ # Try encrypted image with wrong key should fail
+ run_buildah 1 from --decryption-key ${TESTDIR}/tmp/mykey2.pem oci:${TESTDIR}/tmp/busybox_enc
+ # Providing the right key should succeed
+ run_buildah from --decryption-key ${TESTDIR}/tmp/mykey.pem oci:${TESTDIR}/tmp/busybox_enc
+
+ rm -rf ${TESTDIR}/tmp
+}
+
+@test "from encrypted registry image" {
+ _prefetch busybox
+ mkdir ${TESTDIR}/tmp
+ openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 1024
+ openssl genrsa -out ${TESTDIR}/tmp/mykey2.pem 1024
+ openssl rsa -in ${TESTDIR}/tmp/mykey.pem -pubout > ${TESTDIR}/tmp/mykey.pub
+ run_buildah push --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TESTDIR}/tmp/mykey.pub busybox docker://localhost:5000/buildah/busybox_encrypted:latest
+
+ # Try encrypted image without key should fail
+ run_buildah 1 from --tls-verify=false --creds testuser:testpassword docker://localhost:5000/buildah/busybox_encrypted:latest
+ # Try encrypted image with wrong key should fail
+ run_buildah 1 from --tls-verify=false --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey2.pem docker://localhost:5000/buildah/busybox_encrypted:latest
+ # Providing the right key should succeed
+ run_buildah from
--tls-verify=false --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey.pem docker://localhost:5000/buildah/busybox_encrypted:latest + run_buildah rmi localhost:5000/buildah/busybox_encrypted:latest + + rm -rf ${TESTDIR}/tmp +} diff --git a/tests/pull.bats b/tests/pull.bats index 2830e1113b4..aa3c25e27dc 100644 --- a/tests/pull.bats +++ b/tests/pull.bats @@ -168,7 +168,25 @@ load helpers run_buildah 1 pull --authfile /tmp/nonexist --signature-policy ${TESTSDIR}/policy.json alpine } -@test "pull encrypted image" { +@test "pull encrypted local image" { + _prefetch busybox + mkdir ${TESTDIR}/tmp + openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 1024 + openssl genrsa -out ${TESTDIR}/tmp/mykey2.pem 1024 + openssl rsa -in ${TESTDIR}/tmp/mykey.pem -pubout > ${TESTDIR}/tmp/mykey.pub + run_buildah push --signature-policy ${TESTSDIR}/policy.json --encryption-key jwe:${TESTDIR}/tmp/mykey.pub busybox oci:${TESTDIR}/tmp/busybox_enc + + # Try to pull encrypted image without key should fail + run_buildah 1 pull --signature-policy ${TESTSDIR}/policy.json oci:${TESTDIR}/tmp/busybox_enc + # Try to pull encrypted image with wrong key should fail + run_buildah 1 pull --signature-policy ${TESTSDIR}/policy.json --decryption-key ${TESTDIR}/tmp/mykey2.pem oci:${TESTDIR}/tmp/busybox_enc + # Providing the right key should succeed + run_buildah pull --signature-policy ${TESTSDIR}/policy.json --decryption-key ${TESTDIR}/tmp/mykey.pem oci:${TESTDIR}/tmp/busybox_enc + + rm -rf ${TESTDIR}/tmp +} + +@test "pull encrypted registry image" { _prefetch busybox mkdir ${TESTDIR}/tmp openssl genrsa -out ${TESTDIR}/tmp/mykey.pem 1024 
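Review bot: The negative cases in both new `from encrypted` tests (`run_buildah 1 from ...` without a key and with `mykey2.pem`) assert only the exit status, so a failure for an unrelated reason — the `oci:` layout missing, the registry at `localhost:5000` unreachable, credentials rejected — passes as if decryption had been refused; each should be followed by an `expect_output` assertion on the decryption error message, as the `expect_output` check at the top of the hunk does for the positive case, and the same applies to the `pull encrypted local image` test added in the `tests/pull.bats` hunk. The local-image test pushes to an `oci:` directory with `--tls-verify=false --creds testuser:testpassword`, which are registry-only options that the matching `pull.bats` local test omits; dropping them keeps the two tests parallel. `rm -rf ${TESTDIR}/tmp` only runs when every earlier assertion passes, so unless the helpers' teardown removes `${TESTDIR}`, a failed run leaves the private keys and the encrypted layout behind for later tests. The 1024-bit RSA test keys may be rejected on hosts with stricter OpenSSL crypto policies; `2048` costs little in a test and avoids that failure mode.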
@@ -183,5 +201,6 @@ load helpers
 # Providing the right key should succeed
 run_buildah pull --signature-policy ${TESTSDIR}/policy.json --tls-verify=false --creds testuser:testpassword --decryption-key ${TESTDIR}/tmp/mykey.pem docker://localhost:5000/buildah/busybox_encrypted:latest
 run_buildah rmi localhost:5000/buildah/busybox_encrypted:latest
 
+ rm -rf ${TESTDIR}/tmp
 }