27c8b08a16
Reorganize tests for better structure and coverage: - Move container/security_test.go from internal/ to tests/unit/container/ - Move related tests to proper unit test locations - Delete orphaned test files (startup_blacklist_test.go) - Add privacy middleware unit tests - Add worker config unit tests - Update E2E tests for homelab and websocket scenarios - Update test fixtures with utility functions - Add CLI helper script for arraylist fixes
112 lines
3 KiB
Go
112 lines
3 KiB
Go
package tests
|
|
|
|
import (
|
|
"errors"
|
|
"testing"
|
|
|
|
"github.com/jfraeys/fetch_ml/internal/container"
|
|
)
|
|
|
|
// TestContainerSecurityPolicy enforces the security contract for container configurations.
|
|
// These tests serve as executable documentation of security requirements.
|
|
func TestContainerSecurityPolicy(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
config container.PodmanConfig
|
|
shouldFail bool
|
|
reason string
|
|
}{
|
|
{
|
|
name: "reject privileged mode",
|
|
config: container.PodmanConfig{
|
|
Image: "pytorch:latest",
|
|
Privileged: true, // NEVER allowed
|
|
},
|
|
shouldFail: true,
|
|
reason: "privileged containers bypass isolation",
|
|
},
|
|
{
|
|
name: "reject host network",
|
|
config: container.PodmanConfig{
|
|
Image: "pytorch:latest",
|
|
Network: "host", // NEVER allowed
|
|
},
|
|
shouldFail: true,
|
|
reason: "host network breaks isolation",
|
|
},
|
|
{
|
|
name: "accept valid configuration",
|
|
config: container.PodmanConfig{
|
|
Image: "pytorch:latest",
|
|
Privileged: false,
|
|
Network: "bridge",
|
|
ReadOnlyMounts: true,
|
|
},
|
|
shouldFail: false,
|
|
reason: "valid secure configuration",
|
|
},
|
|
{
|
|
name: "accept empty network (default bridge)",
|
|
config: container.PodmanConfig{
|
|
Image: "pytorch:latest",
|
|
Privileged: false,
|
|
Network: "", // Empty means default bridge
|
|
},
|
|
shouldFail: false,
|
|
reason: "empty network uses default bridge",
|
|
},
|
|
{
|
|
name: "warn on non-read-only mounts",
|
|
config: container.PodmanConfig{
|
|
Image: "pytorch:latest",
|
|
Privileged: false,
|
|
Network: "bridge",
|
|
ReadOnlyMounts: false, // Warning-level issue
|
|
},
|
|
shouldFail: false, // Not a hard failure
|
|
reason: "non-read-only mounts are discouraged but allowed",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
err := container.ValidateSecurityPolicy(tt.config)
|
|
if tt.shouldFail {
|
|
if err == nil {
|
|
t.Errorf("%s: expected failure (%s), got success", tt.name, tt.reason)
|
|
} else if !errors.Is(err, container.ErrSecurityViolation) {
|
|
t.Errorf("%s: expected ErrSecurityViolation, got %v", tt.name, err)
|
|
}
|
|
} else {
|
|
if err != nil {
|
|
t.Errorf("%s: expected success (%s), got error: %v", tt.name, tt.reason, err)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestSecurityPolicy_IsolationEnforcement verifies isolation boundaries
|
|
func TestSecurityPolicy_IsolationEnforcement(t *testing.T) {
|
|
t.Run("privileged_equals_root_access", func(t *testing.T) {
|
|
cfg := container.PodmanConfig{
|
|
Image: "test:latest",
|
|
Privileged: true,
|
|
}
|
|
err := container.ValidateSecurityPolicy(cfg)
|
|
if err == nil {
|
|
t.Fatal("privileged mode must be rejected - it grants root access to host")
|
|
}
|
|
})
|
|
|
|
t.Run("host_network_equals_no_isolation", func(t *testing.T) {
|
|
cfg := container.PodmanConfig{
|
|
Image: "test:latest",
|
|
Network: "host",
|
|
}
|
|
err := container.ValidateSecurityPolicy(cfg)
|
|
if err == nil {
|
|
t.Fatal("host network must be rejected - it removes network isolation")
|
|
}
|
|
})
|
|
}
|