cf84246115
Move unit tests from tests/unit/ to internal/ following Go conventions: - tests/unit/config/* -> internal/config/* (constants, mode_paths, paths, validation) - tests/unit/container/* -> internal/container/* (podman, security tests) - tests/unit/envpool/* -> internal/envpool/* (envpool tests) - tests/unit/errors/* -> internal/errtypes/* (errors_test.go moved to errtypes package) - tests/unit/experiment/* -> internal/experiment/* (manager tests) - tests/unit/jupyter/* -> internal/jupyter/* (config, package_blacklist, service_manager, trash_restore) Update import paths in test files to reflect new locations. Note: errors_test.go moved from tests/unit/errors/ to internal/errtypes/ to match the package structure.
112 lines
3 KiB
Go
112 lines
3 KiB
Go
package container_test
|
|
|
|
import (
|
|
"errors"
|
|
"testing"
|
|
|
|
"github.com/jfraeys/fetch_ml/internal/container"
|
|
)
|
|
|
|
// TestContainerSecurityPolicy enforces the security contract for container configurations.
|
|
// These tests serve as executable documentation of security requirements.
|
|
func TestContainerSecurityPolicy(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
reason string
|
|
config container.PodmanConfig
|
|
shouldFail bool
|
|
}{
|
|
{
|
|
name: "reject privileged mode",
|
|
config: container.PodmanConfig{
|
|
Image: "pytorch:latest",
|
|
Privileged: true, // NEVER allowed
|
|
},
|
|
shouldFail: true,
|
|
reason: "privileged containers bypass isolation",
|
|
},
|
|
{
|
|
name: "reject host network",
|
|
config: container.PodmanConfig{
|
|
Image: "pytorch:latest",
|
|
Network: "host", // NEVER allowed
|
|
},
|
|
shouldFail: true,
|
|
reason: "host network breaks isolation",
|
|
},
|
|
{
|
|
name: "accept valid configuration",
|
|
config: container.PodmanConfig{
|
|
Image: "pytorch:latest",
|
|
Privileged: false,
|
|
Network: "bridge",
|
|
ReadOnlyMounts: true,
|
|
},
|
|
shouldFail: false,
|
|
reason: "valid secure configuration",
|
|
},
|
|
{
|
|
name: "accept empty network (default bridge)",
|
|
config: container.PodmanConfig{
|
|
Image: "pytorch:latest",
|
|
Privileged: false,
|
|
Network: "", // Empty means default bridge
|
|
},
|
|
shouldFail: false,
|
|
reason: "empty network uses default bridge",
|
|
},
|
|
{
|
|
name: "warn on non-read-only mounts",
|
|
config: container.PodmanConfig{
|
|
Image: "pytorch:latest",
|
|
Privileged: false,
|
|
Network: "bridge",
|
|
ReadOnlyMounts: false, // Warning-level issue
|
|
},
|
|
shouldFail: false, // Not a hard failure
|
|
reason: "non-read-only mounts are discouraged but allowed",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
err := container.ValidateSecurityPolicy(tt.config)
|
|
if tt.shouldFail {
|
|
if err == nil {
|
|
t.Errorf("%s: expected failure (%s), got success", tt.name, tt.reason)
|
|
} else if !errors.Is(err, container.ErrSecurityViolation) {
|
|
t.Errorf("%s: expected ErrSecurityViolation, got %v", tt.name, err)
|
|
}
|
|
} else {
|
|
if err != nil {
|
|
t.Errorf("%s: expected success (%s), got error: %v", tt.name, tt.reason, err)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestSecurityPolicy_IsolationEnforcement verifies isolation boundaries
|
|
func TestSecurityPolicy_IsolationEnforcement(t *testing.T) {
|
|
t.Run("privileged_equals_root_access", func(t *testing.T) {
|
|
cfg := container.PodmanConfig{
|
|
Image: "test:latest",
|
|
Privileged: true,
|
|
}
|
|
err := container.ValidateSecurityPolicy(cfg)
|
|
if err == nil {
|
|
t.Fatal("privileged mode must be rejected - it grants root access to host")
|
|
}
|
|
})
|
|
|
|
t.Run("host_network_equals_no_isolation", func(t *testing.T) {
|
|
cfg := container.PodmanConfig{
|
|
Image: "test:latest",
|
|
Network: "host",
|
|
}
|
|
err := container.ValidateSecurityPolicy(cfg)
|
|
if err == nil {
|
|
t.Fatal("host network must be rejected - it removes network isolation")
|
|
}
|
|
})
|
|
}
|