fix(security): verify internal runtime mirror digests
This commit is contained in:
@@ -8,6 +8,7 @@ import tempfile
|
||||
import unittest
|
||||
from io import BytesIO
|
||||
from pathlib import Path
|
||||
from unittest.mock import patch
|
||||
|
||||
|
||||
ROOT = Path(__file__).resolve().parents[3]
|
||||
@@ -102,6 +103,18 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
|
||||
)
|
||||
)
|
||||
|
||||
def test_target_digest_verifier_uses_internal_registry_transport(self) -> None:
|
||||
image = controller.load_policy(POLICY_PATH).images[0]
|
||||
with patch.object(controller.subprocess, "run") as run:
|
||||
run.return_value.returncode = 0
|
||||
|
||||
self.assertTrue(controller._target_digest_present(image))
|
||||
|
||||
command = run.call_args.args[0]
|
||||
self.assertEqual(command[:3], ["docker", "manifest", "inspect"])
|
||||
self.assertIn("--insecure", command)
|
||||
self.assertEqual(command[-1], controller._target_digest_ref(image))
|
||||
|
||||
def test_source_manifests_match_internal_policy(self) -> None:
|
||||
policy = controller.load_policy(POLICY_PATH)
|
||||
by_asset = {image.asset_id: image for image in policy.images}
|
||||
|
||||
Reference in New Issue
Block a user