fix(security): verify internal runtime mirror digests

This commit is contained in:
ogt
2026-07-14 16:54:28 +08:00
parent fd35fab9dc
commit 52b870824f
2 changed files with 20 additions and 1 deletions

View File

@@ -8,6 +8,7 @@ import tempfile
import unittest
from io import BytesIO
from pathlib import Path
from unittest.mock import patch
ROOT = Path(__file__).resolve().parents[3]
@@ -102,6 +103,18 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
)
)
def test_target_digest_verifier_uses_internal_registry_transport(self) -> None:
image = controller.load_policy(POLICY_PATH).images[0]
with patch.object(controller.subprocess, "run") as run:
run.return_value.returncode = 0
self.assertTrue(controller._target_digest_present(image))
command = run.call_args.args[0]
self.assertEqual(command[:3], ["docker", "manifest", "inspect"])
self.assertIn("--insecure", command)
self.assertEqual(command[-1], controller._target_digest_ref(image))
def test_source_manifests_match_internal_policy(self) -> None:
policy = controller.load_policy(POLICY_PATH)
by_asset = {image.asset_id: image for image in policy.images}