(t *testing.T)
| 1044 | } |
| 1045 | |
| 1046 | func TestProcessUser(t *testing.T) { |
| 1047 | testID := "test-id" |
| 1048 | testSandboxID := "sandbox-id" |
| 1049 | testContainerName := "container-name" |
| 1050 | testPid := uint32(1234) |
| 1051 | ociRuntime := config.Runtime{} |
| 1052 | c := newTestCRIService() |
| 1053 | testContainer := &containers.Container{ID: "64ddfe361f0099f8d59075398feeb3dcb3863b6851df7b946744755066c03e9d"} |
| 1054 | ctx := context.Background() |
| 1055 | |
| 1056 | etcPasswd := ` |
| 1057 | root:x:0:0:root:/root:/bin/sh |
| 1058 | alice:x:1000:1000:alice:/home/alice:/bin/sh |
| 1059 | ` // #nosec G101 |
| 1060 | etcGroup := ` |
| 1061 | root:x:0 |
| 1062 | alice:x:1000: |
| 1063 | additional-group-for-alice:x:11111:alice |
| 1064 | additional-group-for-root:x:22222:root |
| 1065 | ` |
| 1066 | tempRootDir := t.TempDir() |
| 1067 | require.NoError(t, |
| 1068 | os.MkdirAll(filepath.Join(tempRootDir, "etc"), 0755), |
| 1069 | ) |
| 1070 | require.NoError(t, |
| 1071 | os.WriteFile(filepath.Join(tempRootDir, "etc", "passwd"), []byte(etcPasswd), 0644), |
| 1072 | ) |
| 1073 | require.NoError(t, |
| 1074 | os.WriteFile(filepath.Join(tempRootDir, "etc", "group"), []byte(etcGroup), 0644), |
| 1075 | ) |
| 1076 | |
| 1077 | for _, test := range []struct { |
| 1078 | desc string |
| 1079 | imageConfigUser string |
| 1080 | securityContext *runtime.LinuxContainerSecurityContext |
| 1081 | expected runtimespec.User |
| 1082 | }{ |
| 1083 | { |
| 1084 | desc: "[SupplementalGroupsPolicy=Merge(default)] Only SecurityContext was set, SecurityContext defines User", |
| 1085 | securityContext: &runtime.LinuxContainerSecurityContext{ |
| 1086 | RunAsUser: &runtime.Int64Value{Value: 1000}, |
| 1087 | RunAsGroup: &runtime.Int64Value{Value: 2000}, |
| 1088 | SupplementalGroups: []int64{3333}, |
| 1089 | }, |
| 1090 | expected: runtimespec.User{UID: 1000, GID: 2000, AdditionalGids: []uint32{2000, 3333, 11111}}, |
| 1091 | }, |
| 1092 | { |
| 1093 | desc: "[SupplementalGroupsPolicy=Merge(default)] Only imageConfig.User was set, imageConfig.User defines User", |
| 1094 | imageConfigUser: "1000", |
| 1095 | securityContext: nil, |
| 1096 | expected: runtimespec.User{UID: 1000, GID: 1000, AdditionalGids: []uint32{1000, 11111}}, |
| 1097 | }, |
| 1098 | { |
| 1099 | desc: "[SupplementalGroupsPolicy=Merge(default)] Both SecurityContext and ImageConfig.User were set, SecurityContext defines User", |
| 1100 | imageConfigUser: "0", |
| 1101 | securityContext: &runtime.LinuxContainerSecurityContext{ |
| 1102 | RunAsUser: &runtime.Int64Value{Value: 1000}, |
| 1103 | RunAsGroup: &runtime.Int64Value{Value: 2000}, |