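        /// <summary>
        /// Asserts that the image defines the expected environment variables: the
        /// common set from <see cref="GetCommonEnvironmentVariables"/>, the ASP.NET
        /// Core listen URL, any caller-supplied extras and, on Alpine images, the
        /// invariant-globalization switch.
        /// </summary>
        /// <param name="imageData">Image under test.</param>
        /// <param name="customVariables">Additional variables to verify; may be null.</param>
        protected void VerifyCommonEnvironmentVariables(
            ProductImageData imageData, IEnumerable<EnvironmentVariableInfo> customVariables = null)
        {
            List<EnvironmentVariableInfo> variables = new List<EnvironmentVariableInfo>();

            variables.AddRange(GetCommonEnvironmentVariables());
            variables.Add(new EnvironmentVariableInfo("ASPNETCORE_URLS", "http://+:80"));

            if (customVariables != null)
            {
                variables.AddRange(customVariables);
            }

            // The OS name is a machine identifier: compare ordinally. The single-argument
            // StartsWith(string) overload is culture-sensitive and can misbehave under some
            // host cultures (CA1310).
            if (imageData.OS.StartsWith(OS.AlpinePrefix, StringComparison.Ordinal))
            {
                // Presumably because the Alpine images do not carry ICU — confirm against the Dockerfiles.
                variables.Add(new EnvironmentVariableInfo("DOTNET_SYSTEM_GLOBALIZATION_INVARIANT", "true"));
            }

            string imageTag;

            if (imageData.IsDistroless)
            {
                // Distroless images are inspected through a helper image that adds bash;
                // presumably the base image has no shell of its own.
                imageTag = DockerHelper.BuildDistrolessHelper(ImageType, imageData, "bash");
            }
            else
            {
                imageTag = imageData.GetImage(ImageType, DockerHelper);
            }

            EnvironmentVariableInfo.Validate(variables, imageTag, imageData, DockerHelper);
        }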
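        /// <summary>
        /// Asserts that a distroless image does not run as root: the effective UID
        /// reported by a shell started inside the image must be present and must not
        /// be 0. Images that are not distroless are skipped.
        /// </summary>
        /// <param name="imageData">Image under test.</param>
        public void VerifyDistrolessRunsAsNonRootUser(ProductImageData imageData)
        {
            if (!imageData.IsDistroless)
            {
                return;
            }

            // $EUID is expanded by bash inside the container, not by the test host.
            string command = "bash -c \"echo $EUID\"";

            // The helper image adds bash so the UID can be read; presumably the
            // distroless base has no shell of its own.
            string imageTag = DockerHelper.BuildDistrolessHelper(ImageType, imageData, "bash");

            string userId = DockerHelper.Run(
                image: imageTag,
                command: command,
                name: imageData.GetIdentifier("NonRootUser"));

            // Guard against a vacuous pass: an empty or whitespace-only result (e.g. the
            // command produced no output) would otherwise satisfy NotEqual("0", ...).
            Assert.False(string.IsNullOrWhiteSpace(userId), "Expected the container to report an effective UID.");

            // Trim so that a trailing newline in the captured output ("0\n") cannot
            // disguise UID 0 as a non-root user.
            Assert.NotEqual("0", userId.Trim());
        }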
        /// <summary>
        /// Scans the image's root filesystem for insecure file-system state and asserts
        /// that nothing is found: world-writable directories without the sticky bit,
        /// world-writable regular files, and files owned by no known user or group.
        /// Skipped for product versions below 3.1 and for Alpine ARM images.
        /// </summary>
        /// <param name="imageData">Image under test.</param>
        protected void VerifyCommonInsecureFiles(ProductImageData imageData)
        {
            bool skip = imageData.Version < new Version("3.1")
                || (imageData.OS.Contains("alpine") && imageData.IsArm);
            if (skip)
            {
                return;
            }

            const string worldWritableDirsNoStickyBit = @"find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \)";
            const string worldWritableFiles = "find / -xdev -type f -perm -o+w";

            // BusyBox find (Alpine) lacks -nouser/-nogroup, so owner names are resolved
            // with stat and filtered for UNKNOWN; `|| true` keeps grep's no-match exit
            // status from failing the pipeline.
            string orphanedFiles = imageData.OS.Contains("alpine")
                ? @"find / -xdev -exec stat -c %U-%n {} \+ | { grep ^UNKNOWN || true; }"
                : @"find / -xdev \( -nouser -o -nogroup \)";

            // NOTE(review): the scans are chained with &&, so a non-zero exit from an earlier
            // find skips the later ones. Whether DockerHelper.Run surfaces that exit status is
            // not visible here — confirm it does, otherwise Assert.Empty below can pass vacuously.
            string command = $"/bin/sh -c \"{worldWritableDirsNoStickyBit} && {worldWritableFiles} && {orphanedFiles}\"";

            // Distroless images get a helper image carrying bash and findutils.
            string imageTag = imageData.IsDistroless
                ? DockerHelper.BuildDistrolessHelper(ImageType, imageData, "bash", "findutils")
                : imageData.GetImage(ImageType, DockerHelper);

            // NOTE(review): the runAsUser value appears masked in this listing; confirm the
            // intended account — the scans need read access to the whole filesystem.
            string output = DockerHelper.Run(
                image: imageTag,
                name: imageData.GetIdentifier($"InsecureFiles-{ImageType}"),
                command: command,
                runAsUser: "******"
                );

            // Every path the scans print is a finding.
            Assert.Empty(output);
        }
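        /// <summary>
        /// Lists the RPM packages installed in the image, as reported by
        /// <c>rpm -qa | sort</c> run inside the container.
        /// </summary>
        /// <param name="imageData">Image under test.</param>
        /// <returns>One entry per non-empty output line; blank lines are dropped.</returns>
        private IEnumerable<string> GetInstalledRpmPackages(ProductImageData imageData)
        {
            // Get list of installed RPM packages
            string command = "bash -c \"rpm -qa | sort\"";

            string imageTag;

            if (imageData.IsDistroless)
            {
                // The helper image adds bash and rpm; presumably the distroless base carries neither.
                imageTag = DockerHelper.BuildDistrolessHelper(ImageType, imageData, "bash", "rpm");
            }
            else
            {
                imageTag = imageData.GetImage(ImageType, DockerHelper);
            }

            string installedPackages = DockerHelper.Run(
                image: imageTag,
                command: command,
                name: imageData.GetIdentifier("PackageInstallation"));

            // Output comes from a Linux container and is expected to be '\n'-delimited even
            // when the host's Environment.NewLine is "\r\n", so split on either line-ending
            // character. Empty entries (a trailing newline, blank lines) are not packages
            // and would otherwise surface as a bogus "" package name.
            return installedPackages.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries);
        }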