s2i_dropcaps.go
package builds
import (
"fmt"
g "github.com/onsi/ginkgo"
o "github.com/onsi/gomega"
exutil "github.com/openshift/origin/test/extended/util"
)
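// Security regression suite for s2i builds: a builder image that is "rootable"
// must not be able to switch to root from its assemble script. The suite first
// builds the rootable-ruby builder from a fixture directory, then runs a second
// build that attempts root access and expects that second build to fail.
var _ = g.Describe("[builds][Slow] Capabilities should be dropped for s2i builders", func() {
	defer g.GinkgoRecover()
	var (
		// Directory passed as --from-dir to the binary build of the rootable-ruby builder.
		s2ibuilderFixture = exutil.FixturePath("testdata", "s2i-dropcaps", "rootable-ruby")
		// Definition of the build that, per the step text below, tries to gain root via su.
		rootAccessBuildFixture = exutil.FixturePath("testdata", "s2i-dropcaps", "root-access-build.yaml")
		oc                     = exutil.NewCLI("build-s2i-dropcaps", exutil.KubeConfigPath())
	)

	g.JustBeforeEach(func() {
		g.By("waiting for builder service account")
		err := exutil.WaitForBuilderAccount(oc.KubeClient().Core().ServiceAccounts(oc.Namespace()))
		o.Expect(err).NotTo(o.HaveOccurred())
	})

	g.Describe("s2i build with a rootable builder", func() {
		g.It("should not be able to switch to root with an assemble script", func() {
			g.By("calling oc new-build for rootable-builder")
			err := oc.Run("new-build").Args("--binary", "--name=rootable-ruby").Execute()
			o.Expect(err).NotTo(o.HaveOccurred())

			g.By("starting the rootable-ruby build")
			br, err := exutil.StartBuildAndWait(oc, "rootable-ruby", fmt.Sprintf("--from-dir=%s", s2ibuilderFixture))
			// Surface a start/wait error directly instead of discarding it, so a
			// broken setup is reported as such before the result is inspected.
			o.Expect(err).NotTo(o.HaveOccurred())
			br.AssertSuccess()

			g.By("creating a build that tries to gain root access via su")
			err = oc.Run("create").Args("-f", rootAccessBuildFixture).Execute()
			o.Expect(err).NotTo(o.HaveOccurred())

			g.By("start the root-access-build which attempts root access")
			// The error is deliberately not asserted: this build is expected to
			// fail, and whether the helper reports a failed build through its
			// error return is not visible in this file.
			// NOTE(review): confirm against exutil.StartBuildAndWait.
			br2, _ := exutil.StartBuildAndWait(oc, "root-access-build")
			// NOTE(review): AssertFailure presumably passes on any build failure,
			// so a failure unrelated to dropped capabilities (bad fixture, image
			// pull problem) would also satisfy this check. Consider additionally
			// verifying from the build output that the su attempt was what failed.
			br2.AssertFailure()
		})
	})
})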