debug

Signed-off-by: Fabiano Fidêncio <[email protected]>
kata-containers · Sep 27, 2023 · 738ce6b · 738ce6b
1 parent 3ae0e57
commit 738ce6b
Showing 1 changed file with 42 additions and 18 deletions.
diff --git a/integration/containerd/confidential/agent_image.bats b/integration/containerd/confidential/agent_image.bats
@@ -31,20 +31,18 @@ setup() {
 	assert_pod_fail
 }
 
-@test "$test_tag Test can pull an unencrypted image inside the guest without signature config" {
-	local container_config="${FIXTURES_DIR}/container-config.yaml"
+@test "$test_tag Test cannot pull an unencrypted unsigned image from a protected registry" {
+	local container_config="${FIXTURES_DIR}/container-config_unsigned-protected.yaml"
 
+	setup_signature_files
+
 	create_test_pod
 
-	assert_container "$container_config"
-
-	echo "Check the image was not pulled in the host"
-	local pod_id=$(crictl pods --name "$sandbox_name" -q)
-	rootfs=($(find /run/kata-containers/shared/sandboxes/${pod_id}/shared \
-		-name rootfs))
-	[ ${#rootfs[@]} -eq 1 ]
+	assert_container_fail "$container_config"
+	assert_logs_contain "kata" 'Validate image failed: The signatures do not satisfied! Reject reason: \[Match reference failed.\]'
 }
 
+
 @test "$test_tag Test can pull a unencrypted signed image from a protected registry" {
 	local container_config="${FIXTURES_DIR}/container-config.yaml"
 
@@ -55,15 +53,18 @@ setup() {
 	assert_container "$container_config"
 }
 
-@test "$test_tag Test cannot pull an unencrypted unsigned image from a protected registry" {
-	local container_config="${FIXTURES_DIR}/container-config_unsigned-protected.yaml"
+@test "$test_tag Test can pull an unencrypted image inside the guest without signature config" {
+	local container_config="${FIXTURES_DIR}/container-config.yaml"
 
-	setup_signature_files
-
 	create_test_pod
 
-	assert_container_fail "$container_config"
-	assert_logs_contain 'Validate image failed: The signatures do not satisfied! Reject reason: \[Match reference failed.\]'
+	assert_container "$container_config"
+
+	echo "Check the image was not pulled in the host"
+	local pod_id=$(crictl pods --name "$sandbox_name" -q)
+	rootfs=($(find /run/kata-containers/shared/sandboxes/${pod_id}/shared \
+		-name rootfs))
+	[ ${#rootfs[@]} -eq 1 ]
 }
 
 @test "$test_tag Test can pull an unencrypted unsigned image from an unprotected registry" {
@@ -84,7 +85,7 @@ setup() {
 	create_test_pod
 
 	assert_container_fail "$container_config"
-	assert_logs_contain 'Validate image failed: The signatures do not satisfied! Reject reason: \[signature verify failed! There is no pubkey can verify the signature!\]'
+	assert_logs_contain "kata" 'Validate image failed: The signatures do not satisfied! Reject reason: \[signature verify failed! There is no pubkey can verify the signature!\]'
 }
 
 @test "$test_tag Test unencrypted image signed with cosign" {
@@ -105,10 +106,21 @@ setup() {
 	create_test_pod
 
 	assert_container_fail "$container_config"
-	assert_logs_contain 'Validate image failed: \[PublicKeyVerifier { key: ECDSA_P256_SHA256_ASN1'
+	assert_logs_contain "kata" 'Validate image failed: \[PublicKeyVerifier { key: ECDSA_P256_SHA256_ASN1'
 }
 
 @test "$test_tag Test pull an unencrypted unsigned image from an authenticated registry with correct credentials" {
+	mkdir -p ~/.docker
+	cat << EOF | tee ~/.docker/config
+{
+  "auths": {
+    "quay.io": {
+      "auth": "$REGISTRY_CREDENTIAL_ENCODED",
+      "email": ""
+    }
+  }
+}
+EOF
 	local container_config="${FIXTURES_DIR}/container-config_authenticated.yaml"
 
 	setup_credentials_files "quay.io/kata-containers/confidential-containers-auth" 
@@ -119,6 +131,18 @@ setup() {
 }
 
 @test "$test_tag Test cannot pull an image from an authenticated registry with incorrect credentials" {
+	mkdir -p ~/.docker
+	cat << EOF | tee ~/.docker/config
+{
+  "auths": {
+    "quay.io": {
+      "auth": "incorrectCredentials",
+      "email": ""
+    }
+  }
+}
+EOF
+
 	local container_config="${FIXTURES_DIR}/container-config_authenticated.yaml"
 
 	REGISTRY_CREDENTIAL_ENCODED="QXJhbmRvbXF1YXl0ZXN0YWNjb3VudHRoYXRkb2VzbnRleGlzdDpwYXNzd29yZAo=" setup_credentials_files "quay.io/kata-containers/confidential-containers-auth"
@@ -135,7 +159,7 @@ setup() {
 	create_test_pod
 
 	assert_container_fail "$container_config"
-	assert_logs_contain 'failed to pull manifest Not authorized'
+        assert_logs_contain "containerd" 'failed to resolve reference \\"quay.io/kata-containers/confidential-containers-auth:test\\": pulling from host quay.io failed with status code \[manifests test\]: 401 UNAUTHORIZED'
 }
 
 teardown() {