Skip to content

Commit

Permalink
test: Test creating and running of container with key file missing
Browse files Browse the repository at this point in the history
Signed-off-by: Stefan Berger <[email protected]>
  • Loading branch information
stefanberger committed Jun 16, 2023
1 parent 0512869 commit 286470a
Showing 1 changed file with 61 additions and 2 deletions.
63 changes: 61 additions & 2 deletions script/tests/test_encryption.sh
Original file line number Diff line number Diff line change
Expand Up @@ -702,8 +702,8 @@ testLocalKeys() {

echo "Testing JWE and PKCS11 type of encryption with local unpack keys"

# Remove original images
$CTR images rm --sync ${ALPINE_ENC} ${ALPINE_DEC} ${NGINX_ENC} ${NGINX_DEC} &>/dev/null
# Remove existing images
$CTR images rm --sync ${ALPINE_ENC} ${ALPINE_DEC} ${NGINX_ENC} ${NGINX_DEC} ${BASH_ENC} &>/dev/null

local recipient1=jwe:${PUBKEYPEM}
local recipient2=pkcs11:${SOFTHSM_KEY}
Expand Down Expand Up @@ -773,6 +773,65 @@ testLocalKeys() {

echo "PASS: JWE and PKCS11 type of encryption with local unpack keys"
echo

rm -f ${LOCAL_KEYS_PATH}/*

echo "Testing creation of container from encrypted image with local key (JWK)"

recipient=jwe:${PUBKEYJWK}
$CTR images encrypt \
--recipient ${recipient} \
${BASH} ${BASH_ENC}
failExit $? "Image encryption with JWE failed; public key: ${recipient}"

MSG=$($CTR container rm testcontainer1 2>&1)
MSG=$($CTR snapshot rm testcontainer1 2>&1)

# Create testcontainer1 from encrypted bash image ${BASH_ENC}
# Creating the container without providing (right) key must fail
MSG=$(sudo $CTR container create ${BASH_ENC} testcontainer1 2>&1)
if [ $? -eq 0 ]; then
MSG=$($CTR container rm testcontainer1 2>&1)
MSG=$($CTR snapshot rm testcontainer1 2>&1)
failExit 1 "Should not have been able to create a container from encrypted image when JWK key file is not available"
fi
MSG=$($CTR snapshot rm testcontainer1 2>&1)

# creating the container when providing right key must work
cp ${PRIVKEYJWK} ${LOCAL_KEYS_PATH}/.
MSG=$(sudo bash -c "$CTR container create --skip-decrypt-auth ${BASH_ENC} testcontainer1 2>&1")
failExit $? "Should have been able to create a container from encrypted image when JWK key file is available\n${MSG}"
MSG=$($CTR container rm testcontainer1 2>&1)
MSG=$($CTR snapshot rm testcontainer1 2>&1)

# Running the container without providing (right) key must fail.
# If we were not to pass --skip-decrypt-auth then this test would fail since then
# authorization will fail since no keys are provided via command line that ctr-enc
# could do authorization with (on client side!). To make running the image fail we
# don't pass --skip-decrypt-auth.
rm -f ${LOCAL_KEYS_PATH}/*
MSG=$(sudo bash -c "$CTR run \
--rm \
${BASH_ENC} testcontainer1 echo 'Hello world'" 2>&1)
if [ $? -eq 0 ]; then
MSG=$($CTR snapshot rm testcontainer1 2>&1)
failExit 1 "Should not have been able to run a container from encrypted image when JWK key file is not available"
fi
MSG=$($CTR snapshot rm testcontainer1 2>&1)

# Running the container when providing right key must work
# This only works if --skip-decrypt-auth is passed since no keys are provided
# on the command line and ctr-enc would otherwise do authorization
cp ${PRIVKEYJWK} ${LOCAL_KEYS_PATH}/.
MSG=$(sudo bash -c "$CTR run \
--rm \
--skip-decrypt-auth \
${BASH_ENC} testcontainer1 echo 'Hello world'" 2>&1)
failExit $? "Should have been able to run a container from encrypted image when JWK key file is available\n${MSG}"

$CTR images rm --sync ${BASH_ENC} &>/dev/null

echo "PASS: Creation of container from encrypted image with local JWK key"
}

setupPKCS7() {
Expand Down

0 comments on commit 286470a

Please sign in to comment.