mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
547b993e07
The remote API allows full privilege escalation and is equivalent to having root access on the host. Because of this, the API should never be accessible through an insecure connection (TCP without TLS, or TCP without TLS verification). Although a warning is already logged on startup if the daemon uses an insecure configuration, this warning is not very visible (unless someone decides to read the logs). This patch attempts to make insecure configuration more visible by sending back warnings through the API (which will be printed when using `docker info`). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
66 lines
1.4 KiB
Go
66 lines
1.4 KiB
Go
package system // import "github.com/docker/docker/integration/system"
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/docker/docker/internal/test/daemon"
|
|
"github.com/docker/docker/internal/test/request"
|
|
"gotest.tools/assert"
|
|
is "gotest.tools/assert/cmp"
|
|
)
|
|
|
|
func TestInfoAPI(t *testing.T) {
|
|
client := request.NewAPIClient(t)
|
|
|
|
info, err := client.Info(context.Background())
|
|
assert.NilError(t, err)
|
|
|
|
// always shown fields
|
|
stringsToCheck := []string{
|
|
"ID",
|
|
"Containers",
|
|
"ContainersRunning",
|
|
"ContainersPaused",
|
|
"ContainersStopped",
|
|
"Images",
|
|
"LoggingDriver",
|
|
"OperatingSystem",
|
|
"NCPU",
|
|
"OSType",
|
|
"Architecture",
|
|
"MemTotal",
|
|
"KernelVersion",
|
|
"Driver",
|
|
"ServerVersion",
|
|
"SecurityOptions"}
|
|
|
|
out := fmt.Sprintf("%+v", info)
|
|
for _, linePrefix := range stringsToCheck {
|
|
assert.Check(t, is.Contains(out, linePrefix))
|
|
}
|
|
}
|
|
|
|
func TestInfoAPIWarnings(t *testing.T) {
|
|
d := daemon.New(t)
|
|
|
|
client, err := d.NewClient()
|
|
assert.NilError(t, err)
|
|
|
|
d.StartWithBusybox(t, "--iptables=false", "-H=0.0.0.0:23756", "-H=unix://"+d.Sock())
|
|
defer d.Stop(t)
|
|
|
|
info, err := client.Info(context.Background())
|
|
assert.NilError(t, err)
|
|
|
|
stringsToCheck := []string{
|
|
"Access to the remote API is equivalent to root access",
|
|
"http://0.0.0.0:23756",
|
|
}
|
|
|
|
out := fmt.Sprintf("%+v", info)
|
|
for _, linePrefix := range stringsToCheck {
|
|
assert.Check(t, is.Contains(out, linePrefix))
|
|
}
|
|
}
|