diff --git a/integration/containerd/confidential/agent_image.bats b/integration/containerd/confidential/agent_image.bats index 547c80f64..642cf01b6 100644 --- a/integration/containerd/confidential/agent_image.bats +++ b/integration/containerd/confidential/agent_image.bats @@ -31,20 +31,18 @@ setup() { assert_pod_fail } -@test "$test_tag Test can pull an unencrypted image inside the guest without signature config" { - local container_config="${FIXTURES_DIR}/container-config.yaml" +@test "$test_tag Test cannot pull an unencrypted unsigned image from a protected registry" { + local container_config="${FIXTURES_DIR}/container-config_unsigned-protected.yaml" + setup_signature_files + create_test_pod - assert_container "$container_config" - - echo "Check the image was not pulled in the host" - local pod_id=$(crictl pods --name "$sandbox_name" -q) - rootfs=($(find /run/kata-containers/shared/sandboxes/${pod_id}/shared \ - -name rootfs)) - [ ${#rootfs[@]} -eq 1 ] + assert_container_fail "$container_config" + assert_logs_contain "kata" 'Validate image failed: The signatures do not satisfied! Reject reason: \[Match reference failed.\]' } + @test "$test_tag Test can pull a unencrypted signed image from a protected registry" { local container_config="${FIXTURES_DIR}/container-config.yaml" 
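Review bot: The lone `+` line added after the closing `}` of the new "cannot pull an unencrypted unsigned image" test leaves two consecutive blank lines before the signed-image `@test`, whereas the surrounding tests are separated by a single blank line. Dropping that added blank line keeps the spacing consistent with the rest of the file. The signed-image `@test` block continues past the end of this hunk.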
@@ -55,15 +53,18 @@ setup() { assert_container "$container_config" } -@test "$test_tag Test cannot pull an unencrypted unsigned image from a protected registry" { - local container_config="${FIXTURES_DIR}/container-config_unsigned-protected.yaml" +@test "$test_tag Test can pull an unencrypted image inside the guest without signature config" { + local container_config="${FIXTURES_DIR}/container-config.yaml" - setup_signature_files - create_test_pod - assert_container_fail "$container_config" - assert_logs_contain 'Validate image failed: The signatures do not satisfied! Reject reason: \[Match reference failed.\]' + assert_container "$container_config" + + echo "Check the image was not pulled in the host" + local pod_id=$(crictl pods --name "$sandbox_name" -q) + rootfs=($(find /run/kata-containers/shared/sandboxes/${pod_id}/shared \ + -name rootfs)) + [ ${#rootfs[@]} -eq 1 ] } @test "$test_tag Test can pull an unencrypted unsigned image from an unprotected registry" { @@ -84,7 +85,7 @@ setup() { create_test_pod assert_container_fail "$container_config" - assert_logs_contain 'Validate image failed: The signatures do not satisfied! Reject reason: \[signature verify failed! There is no pubkey can verify the signature!\]' + assert_logs_contain "kata" 'Validate image failed: The signatures do not satisfied! Reject reason: \[signature verify failed! There is no pubkey can verify the signature!\]' } @test "$test_tag Test unencrypted image signed with cosign" { 
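Review bot: `local pod_id=$(crictl pods --name "$sandbox_name" -q)` on the new side masks crictl's exit status (the `local` succeeds regardless), so a failed lookup leaves `pod_id` empty and the failure only surfaces at the later count check, with `find` searching `/run/kata-containers/shared/sandboxes//shared`; the `rootfs=($(find …))` assignment also relies on unquoted word-splitting of paths. These lines are moved by the commit rather than newly written, but since they are re-added here: `local pod_id`, `pod_id=$(crictl pods --name "$sandbox_name" -q)`, then `mapfile -t rootfs < <(find "/run/kata-containers/shared/sandboxes/${pod_id}/shared" -name rootfs)`. The `[ ${#rootfs[@]} -eq 1 ]` check would also benefit from a one-line comment saying whose rootfs the single match is expected to be — presumably only the pause container's, with the workload image pulled inside the guest — which should be confirmed against the fixtures. The following "unprotected registry" `@test` continues past the end of this hunk.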
@@ -105,10 +106,21 @@ setup() {
 create_test_pod
 assert_container_fail "$container_config"
- assert_logs_contain 'Validate image failed: \[PublicKeyVerifier { key: ECDSA_P256_SHA256_ASN1'
+ assert_logs_contain "kata" 'Validate image failed: \[PublicKeyVerifier { key: ECDSA_P256_SHA256_ASN1'
 }
 @test "$test_tag Test pull an unencrypted unsigned image from an authenticated registry with correct credentials" {
+ mkdir -p ~/.docker
+ cat << EOF | tee ~/.docker/config
+{
+ "auths": {
+ "quay.io": {
+ "auth": "$REGISTRY_CREDENTIAL_ENCODED",
+ "email": ""
+ }
+ }
+}
+EOF
 local container_config="${FIXTURES_DIR}/container-config_authenticated.yaml"
 setup_credentials_files "quay.io/kata-containers/confidential-containers-auth"
@@ -119,6 +131,18 @@ setup() {
 }
 @test "$test_tag Test cannot pull an image from an authenticated registry with incorrect credentials" {
+ mkdir -p ~/.docker
+ cat << EOF | tee ~/.docker/config
+{
+ "auths": {
+ "quay.io": {
+ "auth": "incorrectCredentials",
+ "email": ""
+ }
+ }
+}
+EOF
+
 local container_config="${FIXTURES_DIR}/container-config_authenticated.yaml"
 REGISTRY_CREDENTIAL_ENCODED="QXJhbmRvbXF1YXl0ZXN0YWNjb3VudHRoYXRkb2VzbnRleGlzdDpwYXNzd29yZAo="
 setup_credentials_files "quay.io/kata-containers/confidential-containers-auth"
@@ -135,7 +159,7 @@ setup() {
 create_test_pod
 assert_container_fail "$container_config"
- assert_logs_contain 'failed to pull manifest Not authorized'
+ assert_logs_contain "containerd" 'failed to resolve reference \\"quay.io/kata-containers/confidential-containers-auth:test\\": pulling from host quay.io failed with status code \[manifests test\]: 401 UNAUTHORIZED'
 }
 teardown() {
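Review bot: `cat << EOF | tee ~/.docker/config` in the correct-credentials test echoes the whole file — including the expanded `$REGISTRY_CREDENTIAL_ENCODED` value — to stdout, so the registry credential ends up in the bats output and in any CI log that captures it; the same construct appears in the incorrect-credentials test in the next hunk. Writing the file directly with `cat > ~/.docker/config << EOF` avoids the echo, and because the file holds a credential it should not be created with the default umask: add `chmod 600 ~/.docker/config` after the heredoc. Nothing in the diff removes the file afterwards; `teardown()` starts on the last line of the final hunk but its body is outside the diff, so unless it already does, `rm -f ~/.docker/config` there would stop the credential from persisting on the host between runs. Separately, the Docker CLI and tools that reuse its config read `~/.docker/config.json` rather than `~/.docker/config`; which component consumes this file is not visible here, so the path is worth confirming against that consumer.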
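Review bot: In the incorrect-credentials test the two credential sources disagree: `~/.docker/config` receives the literal string `"incorrectCredentials"`, while `setup_credentials_files` runs only after `REGISTRY_CREDENTIAL_ENCODED` has been reset to the base64 placeholder. The `auth` field of a Docker config is conventionally base64 of `user:password`, so a consumer that decodes it may fail before contacting the registry at all, which is a different failure from the 401 that the last hunk's `assert_logs_contain "containerd" …` expects. Moving the `REGISTRY_CREDENTIAL_ENCODED=…` assignment above the heredoc and writing `"auth": "$REGISTRY_CREDENTIAL_ENCODED",` as the correct-credentials test does keeps both paths on the same deliberately invalid value. The `@test` body continues past the end of this hunk.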