fix(security): verify internal runtime mirror digests
This commit is contained in:
@@ -299,7 +299,13 @@ def _target_digest_ref(image: ImagePolicy) -> str:
|
||||
def _target_digest_present(image: ImagePolicy) -> bool:
|
||||
try:
|
||||
completed = subprocess.run(
|
||||
["docker", "manifest", "inspect", _target_digest_ref(image)],
|
||||
[
|
||||
"docker",
|
||||
"manifest",
|
||||
"inspect",
|
||||
"--insecure",
|
||||
_target_digest_ref(image),
|
||||
],
|
||||
check=False,
|
||||
stdout=subprocess.DEVNULL,
|
||||
stderr=subprocess.DEVNULL,
|
||||
|
||||
@@ -8,6 +8,7 @@ import tempfile
|
||||
import unittest
|
||||
from io import BytesIO
|
||||
from pathlib import Path
|
||||
from unittest.mock import patch
|
||||
|
||||
|
||||
ROOT = Path(__file__).resolve().parents[3]
|
||||
@@ -102,6 +103,18 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
|
||||
)
|
||||
)
|
||||
|
||||
def test_target_digest_verifier_uses_internal_registry_transport(self) -> None:
|
||||
image = controller.load_policy(POLICY_PATH).images[0]
|
||||
with patch.object(controller.subprocess, "run") as run:
|
||||
run.return_value.returncode = 0
|
||||
|
||||
self.assertTrue(controller._target_digest_present(image))
|
||||
|
||||
command = run.call_args.args[0]
|
||||
self.assertEqual(command[:3], ["docker", "manifest", "inspect"])
|
||||
self.assertIn("--insecure", command)
|
||||
self.assertEqual(command[-1], controller._target_digest_ref(image))
|
||||
|
||||
def test_source_manifests_match_internal_policy(self) -> None:
|
||||
policy = controller.load_policy(POLICY_PATH)
|
||||
by_asset = {image.asset_id: image for image in policy.images}
|
||||
|
||||
Reference in New Issue
Block a user