kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity
moby--moby/daemon/oci_windows_test.go

394 lines
14 KiB
Go
Raw Permalink Normal View History

Making it possible to pass Windows credential specs directly to the engine Instead of having to go through files or registry values as is currently the case. While adding GMSA support to Kubernetes (https://github.com/kubernetes/kubernetes/pull/73726) I stumbled upon the fact that Docker currently only allows passing Windows credential specs through files or registry values, forcing the Kubelet to perform a rather awkward dance of writing-then-deleting to either the disk or the registry to be able to create a Windows container with cred specs. This patch solves this problem by making it possible to directly pass whole base64-encoded cred specs to the engine's API. I took the opportunity to slightly refactor the method responsible for Windows cred spec as it seemed hard to read to me. Added some unit tests on Windows credential specs handling, as there were previously none. Added/amended the relevant integration tests. I have also tested it manually: given a Windows container using a cred spec that you would normally start with e.g. ```powershell docker run --rm --security-opt "credentialspec=file://win.json" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # output: # my.ad.domain.com. (1) # The command completed successfully ``` can now equivalently be started with ```powershell $rawCredSpec = & cat 'C:\ProgramData\docker\credentialspecs\win.json' $escaped = $rawCredSpec.Replace('"', '\"') docker run --rm --security-opt "credentialspec=raw://$escaped" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # same output! ``` I'll do another PR on Swarmkit after this is merged to allow services to use the same option. (It's worth noting that @dperny faced the same problem adding GMSA support to Swarmkit, to which he came up with an interesting solution - see https://github.com/moby/moby/pull/38632 - but alas these tricks are not available to the Kubelet.) Signed-off-by: Jean Rouge <rougej+github@gmail.com>
2019-03-07 01:44:36 +00:00
package daemon
import (
"fmt"
"os"
"path/filepath"
"strings"
"testing"
bump gotest.tools v3.0.1 for compatibility with Go 1.14 full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-07 13:39:24 +00:00
"gotest.tools/v3/fs"
Making it possible to pass Windows credential specs directly to the engine Instead of having to go through files or registry values as is currently the case. While adding GMSA support to Kubernetes (https://github.com/kubernetes/kubernetes/pull/73726) I stumbled upon the fact that Docker currently only allows passing Windows credential specs through files or registry values, forcing the Kubelet to perform a rather awkward dance of writing-then-deleting to either the disk or the registry to be able to create a Windows container with cred specs. This patch solves this problem by making it possible to directly pass whole base64-encoded cred specs to the engine's API. I took the opportunity to slightly refactor the method responsible for Windows cred spec as it seemed hard to read to me. Added some unit tests on Windows credential specs handling, as there were previously none. Added/amended the relevant integration tests. I have also tested it manually: given a Windows container using a cred spec that you would normally start with e.g. ```powershell docker run --rm --security-opt "credentialspec=file://win.json" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # output: # my.ad.domain.com. (1) # The command completed successfully ``` can now equivalently be started with ```powershell $rawCredSpec = & cat 'C:\ProgramData\docker\credentialspecs\win.json' $escaped = $rawCredSpec.Replace('"', '\"') docker run --rm --security-opt "credentialspec=raw://$escaped" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # same output! ``` I'll do another PR on Swarmkit after this is merged to allow services to use the same option. (It's worth noting that @dperny faced the same problem adding GMSA support to Swarmkit, to which he came up with an interesting solution - see https://github.com/moby/moby/pull/38632 - but alas these tricks are not available to the Kubelet.) Signed-off-by: Jean Rouge <rougej+github@gmail.com>
2019-03-07 01:44:36 +00:00
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/container"
Bump swarmkit to v2 Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-04-21 21:33:07 +00:00
swarmagent "github.com/moby/swarmkit/v2/agent"
swarmapi "github.com/moby/swarmkit/v2/api"
goimports: fix imports Format the source according to latest goimports. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-05 14:37:47 +00:00
specs "github.com/opencontainers/runtime-spec/specs-go"
Making it possible to pass Windows credential specs directly to the engine Instead of having to go through files or registry values as is currently the case. While adding GMSA support to Kubernetes (https://github.com/kubernetes/kubernetes/pull/73726) I stumbled upon the fact that Docker currently only allows passing Windows credential specs through files or registry values, forcing the Kubelet to perform a rather awkward dance of writing-then-deleting to either the disk or the registry to be able to create a Windows container with cred specs. This patch solves this problem by making it possible to directly pass whole base64-encoded cred specs to the engine's API. I took the opportunity to slightly refactor the method responsible for Windows cred spec as it seemed hard to read to me. Added some unit tests on Windows credential specs handling, as there were previously none. Added/amended the relevant integration tests. I have also tested it manually: given a Windows container using a cred spec that you would normally start with e.g. ```powershell docker run --rm --security-opt "credentialspec=file://win.json" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # output: # my.ad.domain.com. (1) # The command completed successfully ``` can now equivalently be started with ```powershell $rawCredSpec = & cat 'C:\ProgramData\docker\credentialspecs\win.json' $escaped = $rawCredSpec.Replace('"', '\"') docker run --rm --security-opt "credentialspec=raw://$escaped" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # same output! ``` I'll do another PR on Swarmkit after this is merged to allow services to use the same option. (It's worth noting that @dperny faced the same problem adding GMSA support to Swarmkit, to which he came up with an interesting solution - see https://github.com/moby/moby/pull/38632 - but alas these tricks are not available to the Kubelet.) Signed-off-by: Jean Rouge <rougej+github@gmail.com>
2019-03-07 01:44:36 +00:00
"golang.org/x/sys/windows/registry"
bump gotest.tools v3.0.1 for compatibility with Go 1.14 full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-07 13:39:24 +00:00
"gotest.tools/v3/assert"
Making it possible to pass Windows credential specs directly to the engine Instead of having to go through files or registry values as is currently the case. While adding GMSA support to Kubernetes (https://github.com/kubernetes/kubernetes/pull/73726) I stumbled upon the fact that Docker currently only allows passing Windows credential specs through files or registry values, forcing the Kubelet to perform a rather awkward dance of writing-then-deleting to either the disk or the registry to be able to create a Windows container with cred specs. This patch solves this problem by making it possible to directly pass whole base64-encoded cred specs to the engine's API. I took the opportunity to slightly refactor the method responsible for Windows cred spec as it seemed hard to read to me. Added some unit tests on Windows credential specs handling, as there were previously none. Added/amended the relevant integration tests. I have also tested it manually: given a Windows container using a cred spec that you would normally start with e.g. ```powershell docker run --rm --security-opt "credentialspec=file://win.json" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # output: # my.ad.domain.com. (1) # The command completed successfully ``` can now equivalently be started with ```powershell $rawCredSpec = & cat 'C:\ProgramData\docker\credentialspecs\win.json' $escaped = $rawCredSpec.Replace('"', '\"') docker run --rm --security-opt "credentialspec=raw://$escaped" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # same output! ``` I'll do another PR on Swarmkit after this is merged to allow services to use the same option. (It's worth noting that @dperny faced the same problem adding GMSA support to Swarmkit, to which he came up with an interesting solution - see https://github.com/moby/moby/pull/38632 - but alas these tricks are not available to the Kubelet.) Signed-off-by: Jean Rouge <rougej+github@gmail.com>
2019-03-07 01:44:36 +00:00
)
func TestSetWindowsCredentialSpecInSpec(t *testing.T) {
// we need a temp directory to act as the daemon's root
tmpDaemonRoot := fs.NewDir(t, t.Name()).Path()
defer func() {
assert.NilError(t, os.RemoveAll(tmpDaemonRoot))
}()
daemon := &Daemon{
root: tmpDaemonRoot,
}
t.Run("it does nothing if there are no security options", func(t *testing.T) {
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(&container.Container{}, spec)
assert.NilError(t, err)
assert.Check(t, spec.Windows == nil)
err = daemon.setWindowsCredentialSpec(&container.Container{HostConfig: &containertypes.HostConfig{}}, spec)
assert.NilError(t, err)
assert.Check(t, spec.Windows == nil)
err = daemon.setWindowsCredentialSpec(&container.Container{HostConfig: &containertypes.HostConfig{SecurityOpt: []string{}}}, spec)
assert.NilError(t, err)
assert.Check(t, spec.Windows == nil)
})
dummyContainerID := "dummy-container-ID"
containerFactory := func(secOpt string) *container.Container {
if !strings.Contains(secOpt, "=") {
secOpt = "credentialspec=" + secOpt
}
return &container.Container{
ID: dummyContainerID,
HostConfig: &containertypes.HostConfig{
SecurityOpt: []string{secOpt},
},
}
}
credSpecsDir := filepath.Join(tmpDaemonRoot, credentialSpecFileLocation)
dummyCredFileContents := `{"We don't need no": "education"}`
t.Run("happy path with a 'file://' option", func(t *testing.T) {
spec := &specs.Spec{}
// let's render a dummy cred file
err := os.Mkdir(credSpecsDir, os.ModePerm)
assert.NilError(t, err)
dummyCredFileName := "dummy-cred-spec.json"
dummyCredFilePath := filepath.Join(credSpecsDir, dummyCredFileName)
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated in Go 1.16. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-08-24 10:10:50 +00:00
err = os.WriteFile(dummyCredFilePath, []byte(dummyCredFileContents), 0644)
Making it possible to pass Windows credential specs directly to the engine Instead of having to go through files or registry values as is currently the case. While adding GMSA support to Kubernetes (https://github.com/kubernetes/kubernetes/pull/73726) I stumbled upon the fact that Docker currently only allows passing Windows credential specs through files or registry values, forcing the Kubelet to perform a rather awkward dance of writing-then-deleting to either the disk or the registry to be able to create a Windows container with cred specs. This patch solves this problem by making it possible to directly pass whole base64-encoded cred specs to the engine's API. I took the opportunity to slightly refactor the method responsible for Windows cred spec as it seemed hard to read to me. Added some unit tests on Windows credential specs handling, as there were previously none. Added/amended the relevant integration tests. I have also tested it manually: given a Windows container using a cred spec that you would normally start with e.g. ```powershell docker run --rm --security-opt "credentialspec=file://win.json" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # output: # my.ad.domain.com. (1) # The command completed successfully ``` can now equivalently be started with ```powershell $rawCredSpec = & cat 'C:\ProgramData\docker\credentialspecs\win.json' $escaped = $rawCredSpec.Replace('"', '\"') docker run --rm --security-opt "credentialspec=raw://$escaped" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # same output! ``` I'll do another PR on Swarmkit after this is merged to allow services to use the same option. (It's worth noting that @dperny faced the same problem adding GMSA support to Swarmkit, to which he came up with an interesting solution - see https://github.com/moby/moby/pull/38632 - but alas these tricks are not available to the Kubelet.) Signed-off-by: Jean Rouge <rougej+github@gmail.com>
2019-03-07 01:44:36 +00:00
defer func() {
assert.NilError(t, os.Remove(dummyCredFilePath))
}()
assert.NilError(t, err)
err = daemon.setWindowsCredentialSpec(containerFactory("file://"+dummyCredFileName), spec)
assert.NilError(t, err)
if assert.Check(t, spec.Windows != nil) {
assert.Equal(t, dummyCredFileContents, spec.Windows.CredentialSpec)
}
})
t.Run("it's not allowed to use a 'file://' option with an absolute path", func(t *testing.T) {
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory(`file://C:\path\to\my\credspec.json`), spec)
assert.ErrorContains(t, err, "invalid credential spec - file:// path cannot be absolute")
assert.Check(t, spec.Windows == nil)
})
t.Run("it's not allowed to use a 'file://' option breaking out of the cred specs' directory", func(t *testing.T) {
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory(`file://..\credspec.json`), spec)
assert.ErrorContains(t, err, fmt.Sprintf("invalid credential spec - file:// path must be under %s", credSpecsDir))
assert.Check(t, spec.Windows == nil)
})
t.Run("when using a 'file://' option pointing to a file that doesn't exist, it fails gracefully", func(t *testing.T) {
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory("file://i-dont-exist.json"), spec)
assert.ErrorContains(t, err, fmt.Sprintf("credential spec for container %s could not be read from file", dummyContainerID))
assert.ErrorContains(t, err, "The system cannot find")
assert.Check(t, spec.Windows == nil)
})
t.Run("happy path with a 'registry://' option", func(t *testing.T) {
valueName := "my-cred-spec"
key := &dummyRegistryKey{
getStringValueFunc: func(name string) (val string, valtype uint32, err error) {
assert.Equal(t, valueName, name)
return dummyCredFileContents, 0, nil
},
}
defer setRegistryOpenKeyFunc(t, key)()
spec := &specs.Spec{}
assert.NilError(t, daemon.setWindowsCredentialSpec(containerFactory("registry://"+valueName), spec))
if assert.Check(t, spec.Windows != nil) {
assert.Equal(t, dummyCredFileContents, spec.Windows.CredentialSpec)
}
assert.Check(t, key.closed)
})
t.Run("when using a 'registry://' option and opening the registry key fails, it fails gracefully", func(t *testing.T) {
dummyError := fmt.Errorf("dummy error")
defer setRegistryOpenKeyFunc(t, &dummyRegistryKey{}, dummyError)()
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory("registry://my-cred-spec"), spec)
assert.ErrorContains(t, err, fmt.Sprintf("registry key %s could not be opened: %v", credentialSpecRegistryLocation, dummyError))
assert.Check(t, spec.Windows == nil)
})
t.Run("when using a 'registry://' option pointing to a value that doesn't exist, it fails gracefully", func(t *testing.T) {
valueName := "my-cred-spec"
key := &dummyRegistryKey{
getStringValueFunc: func(name string) (val string, valtype uint32, err error) {
assert.Equal(t, valueName, name)
return "", 0, registry.ErrNotExist
},
}
defer setRegistryOpenKeyFunc(t, key)()
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory("registry://"+valueName), spec)
assert.ErrorContains(t, err, fmt.Sprintf("registry credential spec %q for container %s was not found", valueName, dummyContainerID))
assert.Check(t, key.closed)
})
t.Run("when using a 'registry://' option and reading the registry value fails, it fails gracefully", func(t *testing.T) {
dummyError := fmt.Errorf("dummy error")
valueName := "my-cred-spec"
key := &dummyRegistryKey{
getStringValueFunc: func(name string) (val string, valtype uint32, err error) {
assert.Equal(t, valueName, name)
return "", 0, dummyError
},
}
defer setRegistryOpenKeyFunc(t, key)()
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory("registry://"+valueName), spec)
assert.ErrorContains(t, err, fmt.Sprintf("error reading credential spec %q from registry for container %s: %v", valueName, dummyContainerID, dummyError))
assert.Check(t, key.closed)
})
t.Run("happy path with a 'config://' option", func(t *testing.T) {
configID := "my-cred-spec"
vendor: github.com/docker/swarmkit 616e8db4c3b0 Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-03-10 21:07:02 +00:00
dependencyManager := swarmagent.NewDependencyManager(nil)
Making it possible to pass Windows credential specs directly to the engine Instead of having to go through files or registry values as is currently the case. While adding GMSA support to Kubernetes (https://github.com/kubernetes/kubernetes/pull/73726) I stumbled upon the fact that Docker currently only allows passing Windows credential specs through files or registry values, forcing the Kubelet to perform a rather awkward dance of writing-then-deleting to either the disk or the registry to be able to create a Windows container with cred specs. This patch solves this problem by making it possible to directly pass whole base64-encoded cred specs to the engine's API. I took the opportunity to slightly refactor the method responsible for Windows cred spec as it seemed hard to read to me. Added some unit tests on Windows credential specs handling, as there were previously none. Added/amended the relevant integration tests. I have also tested it manually: given a Windows container using a cred spec that you would normally start with e.g. ```powershell docker run --rm --security-opt "credentialspec=file://win.json" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # output: # my.ad.domain.com. (1) # The command completed successfully ``` can now equivalently be started with ```powershell $rawCredSpec = & cat 'C:\ProgramData\docker\credentialspecs\win.json' $escaped = $rawCredSpec.Replace('"', '\"') docker run --rm --security-opt "credentialspec=raw://$escaped" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain # same output! ``` I'll do another PR on Swarmkit after this is merged to allow services to use the same option. (It's worth noting that @dperny faced the same problem adding GMSA support to Swarmkit, to which he came up with an interesting solution - see https://github.com/moby/moby/pull/38632 - but alas these tricks are not available to the Kubelet.) Signed-off-by: Jean Rouge <rougej+github@gmail.com>
2019-03-07 01:44:36 +00:00
dependencyManager.Configs().Add(swarmapi.Config{
ID: configID,
Spec: swarmapi.ConfigSpec{
Data: []byte(dummyCredFileContents),
},
})
task := &swarmapi.Task{
Spec: swarmapi.TaskSpec{
Runtime: &swarmapi.TaskSpec_Container{
Container: &swarmapi.ContainerSpec{
Configs: []*swarmapi.ConfigReference{
{
ConfigID: configID,
},
},
},
},
},
}
cntr := containerFactory("config://" + configID)
cntr.DependencyStore = swarmagent.Restrict(dependencyManager, task)
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(cntr, spec)
assert.NilError(t, err)
if assert.Check(t, spec.Windows != nil) {
assert.Equal(t, dummyCredFileContents, spec.Windows.CredentialSpec)
}
})
t.Run("using a 'config://' option on a container not managed by swarmkit is not allowed, and results in a generic error message to hide that purely internal API", func(t *testing.T) {
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory("config://whatever"), spec)
assert.Equal(t, errInvalidCredentialSpecSecOpt, err)
assert.Check(t, spec.Windows == nil)
})
t.Run("happy path with a 'raw://' option", func(t *testing.T) {
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory("raw://"+dummyCredFileContents), spec)
assert.NilError(t, err)
if assert.Check(t, spec.Windows != nil) {
assert.Equal(t, dummyCredFileContents, spec.Windows.CredentialSpec)
}
})
t.Run("it's not case sensitive in the option names", func(t *testing.T) {
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory("CreDENtiaLSPeC=rAw://"+dummyCredFileContents), spec)
assert.NilError(t, err)
if assert.Check(t, spec.Windows != nil) {
assert.Equal(t, dummyCredFileContents, spec.Windows.CredentialSpec)
}
})
t.Run("it rejects unknown options", func(t *testing.T) {
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory("credentialspe=config://whatever"), spec)
assert.ErrorContains(t, err, "security option not supported: credentialspe")
assert.Check(t, spec.Windows == nil)
})
t.Run("it rejects unsupported credentialspec options", func(t *testing.T) {
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory("idontexist://whatever"), spec)
assert.Equal(t, errInvalidCredentialSpecSecOpt, err)
assert.Check(t, spec.Windows == nil)
})
for _, option := range []string{"file", "registry", "config", "raw"} {
t.Run(fmt.Sprintf("it rejects empty values for %s", option), func(t *testing.T) {
spec := &specs.Spec{}
err := daemon.setWindowsCredentialSpec(containerFactory(option+"://"), spec)
assert.Equal(t, errInvalidCredentialSpecSecOpt, err)
assert.Check(t, spec.Windows == nil)
})
}
}
/* Helpers below */
type dummyRegistryKey struct {
getStringValueFunc func(name string) (val string, valtype uint32, err error)
closed bool
}
func (k *dummyRegistryKey) GetStringValue(name string) (val string, valtype uint32, err error) {
return k.getStringValueFunc(name)
}
func (k *dummyRegistryKey) Close() error {
k.closed = true
return nil
}
// setRegistryOpenKeyFunc replaces the registryOpenKeyFunc package variable, and returns a function
// to be called to revert the change when done with testing.
func setRegistryOpenKeyFunc(t *testing.T, key *dummyRegistryKey, err ...error) func() {
previousRegistryOpenKeyFunc := registryOpenKeyFunc
registryOpenKeyFunc = func(baseKey registry.Key, path string, access uint32) (registryKey, error) {
// this should always be called with exactly the same arguments
assert.Equal(t, registry.LOCAL_MACHINE, baseKey)
assert.Equal(t, credentialSpecRegistryLocation, path)
assert.Equal(t, uint32(registry.QUERY_VALUE), access)
if len(err) > 0 {
return nil, err[0]
}
return key, nil
}
return func() {
registryOpenKeyFunc = previousRegistryOpenKeyFunc
}
}
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
func TestSetupWindowsDevices(t *testing.T) {
Allow Windows Devices to be activated for HyperV Isolation If not using the containerd backend, this will still fail, but later. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 14:32:18 +00:00
t.Run("it does nothing if there are no devices", func(t *testing.T) {
devices, err := setupWindowsDevices(nil)
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
assert.NilError(t, err)
assert.Equal(t, len(devices), 0)
})
Allow Windows Devices to be activated for HyperV Isolation If not using the containerd backend, this will still fail, but later. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 14:32:18 +00:00
t.Run("it fails if any devices are blank", func(t *testing.T) {
devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "class/anything"}, {PathOnHost: ""}})
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
assert.ErrorContains(t, err, "invalid device assignment path")
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
assert.ErrorContains(t, err, "''")
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
assert.Equal(t, len(devices), 0)
})
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
t.Run("it fails if all devices do not contain '/' or '://'", func(t *testing.T) {
Allow Windows Devices to be activated for HyperV Isolation If not using the containerd backend, this will still fail, but later. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 14:32:18 +00:00
devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "anything"}, {PathOnHost: "goes"}})
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
assert.ErrorContains(t, err, "invalid device assignment path")
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
assert.ErrorContains(t, err, "'anything'")
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
assert.Equal(t, len(devices), 0)
})
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
t.Run("it fails if any devices do not contain '/' or '://'", func(t *testing.T) {
Allow Windows Devices to be activated for HyperV Isolation If not using the containerd backend, this will still fail, but later. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 14:32:18 +00:00
devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "class/anything"}, {PathOnHost: "goes"}})
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
assert.ErrorContains(t, err, "invalid device assignment path")
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
assert.ErrorContains(t, err, "'goes'")
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
assert.Equal(t, len(devices), 0)
})
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
t.Run("it fails if all '/'-separated devices do not have IDType 'class'", func(t *testing.T) {
Allow Windows Devices to be activated for HyperV Isolation If not using the containerd backend, this will still fail, but later. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 14:32:18 +00:00
devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "klass/anything"}, {PathOnHost: "klass/goes"}})
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
assert.ErrorContains(t, err, "invalid device assignment path")
assert.ErrorContains(t, err, "'klass/anything'")
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
assert.Equal(t, len(devices), 0)
})
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
t.Run("it fails if any '/'-separated devices do not have IDType 'class'", func(t *testing.T) {
Allow Windows Devices to be activated for HyperV Isolation If not using the containerd backend, this will still fail, but later. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 14:32:18 +00:00
devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "class/anything"}, {PathOnHost: "klass/goes"}})
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
assert.ErrorContains(t, err, "invalid device assignment path")
assert.ErrorContains(t, err, "'klass/goes'")
assert.Equal(t, len(devices), 0)
})
t.Run("it fails if any '://'-separated devices have IDType ''", func(t *testing.T) {
devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "class/anything"}, {PathOnHost: "://goes"}})
assert.ErrorContains(t, err, "invalid device assignment path")
assert.ErrorContains(t, err, "'://goes'")
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
assert.Equal(t, len(devices), 0)
})
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
t.Run("it creates devices if all '/'-separated devices have IDType 'class'", func(t *testing.T) {
Allow Windows Devices to be activated for HyperV Isolation If not using the containerd backend, this will still fail, but later. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 14:32:18 +00:00
devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "class/anything"}, {PathOnHost: "class/goes"}})
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
expectedDevices := []specs.WindowsDevice{{IDType: "class", ID: "anything"}, {IDType: "class", ID: "goes"}}
assert.NilError(t, err)
assert.Equal(t, len(devices), len(expectedDevices))
for i := range expectedDevices {
assert.Equal(t, devices[i], expectedDevices[i])
}
})
Implement :// separator for arbitrary Windows Device IDTypes Arbitrary here does not include '', best to catch that one early as it's almost certainly a mistake (possibly an attempt to pass a POSIX path through this API) Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-13 06:01:28 +00:00
t.Run("it creates devices if all '://'-separated devices have non-blank IDType", func(t *testing.T) {
devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "class://anything"}, {PathOnHost: "klass://goes"}})
expectedDevices := []specs.WindowsDevice{{IDType: "class", ID: "anything"}, {IDType: "klass", ID: "goes"}}
assert.NilError(t, err)
assert.Equal(t, len(devices), len(expectedDevices))
for i := range expectedDevices {
assert.Equal(t, devices[i], expectedDevices[i])
}
})
t.Run("it creates devices when given a mix of '/'-separated and '://'-separated devices", func(t *testing.T) {
devices, err := setupWindowsDevices([]containertypes.DeviceMapping{{PathOnHost: "class/anything"}, {PathOnHost: "klass://goes"}})
expectedDevices := []specs.WindowsDevice{{IDType: "class", ID: "anything"}, {IDType: "klass", ID: "goes"}}
assert.NilError(t, err)
assert.Equal(t, len(devices), len(expectedDevices))
for i := range expectedDevices {
assert.Equal(t, devices[i], expectedDevices[i])
}
})
Break out `setupWindowsDevices` and add tests Since this function is about to get more complicated, and change behaviour, this establishes tests for the existing implementation. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-12 10:05:55 +00:00
}