-
Notifications
You must be signed in to change notification settings - Fork 67
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
RHOAIENG-16517: chore(tests): add sandboxing so that Dockerfile build…
…s can only access files we know they access (#803)
- Loading branch information
Showing
7 changed files
with
173 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| #! /usr/bin/env python3 | ||
|
|
||
| import argparse | ||
| import logging | ||
| import pathlib | ||
| import shutil | ||
| import subprocess | ||
| import sys | ||
| import tempfile | ||
| import json | ||
| from typing import cast | ||
|
|
||
| ROOT_DIR = pathlib.Path(__file__).parent.parent | ||
| MAKE = shutil.which("gmake") or shutil.which("make") | ||
|
|
||
| logging.basicConfig() | ||
| logging.root.name = pathlib.Path(__file__).name | ||
|
|
||
|
|
||
| class Args(argparse.Namespace): | ||
| dockerfile: pathlib.Path | ||
| remaining: list[str] | ||
|
|
||
|
|
||
| def main() -> int: | ||
| p = argparse.ArgumentParser(allow_abbrev=False) | ||
| p.add_argument("--dockerfile", type=pathlib.Path, required=True) | ||
| p.add_argument('remaining', nargs=argparse.REMAINDER) | ||
|
|
||
| args = cast(Args, p.parse_args()) | ||
|
|
||
| print(f"{__file__=} started with {args=}") | ||
|
|
||
| if not args.remaining or args.remaining[0] != "--": | ||
| print("must specify command to execute after double dashes at the end, such as `-- command --args ...`") | ||
| return 1 | ||
| if not "{};" in args.remaining: | ||
| print("must give a `{};` parameter that will be replaced with new build context") | ||
| return 1 | ||
|
|
||
| if not (ROOT_DIR / "bin/buildinputs").exists(): | ||
| subprocess.check_call([MAKE, "bin/buildinputs"], cwd=ROOT_DIR) | ||
| stdout = subprocess.check_output([ROOT_DIR / "bin/buildinputs", str(args.dockerfile)], | ||
| text=True, cwd=ROOT_DIR) | ||
| prereqs = [pathlib.Path(file) for file in json.loads(stdout)] if stdout != "\n" else [] | ||
| print(f"{prereqs=}") | ||
|
|
||
| with tempfile.TemporaryDirectory(delete=True) as tmpdir: | ||
| setup_sandbox(prereqs, pathlib.Path(tmpdir)) | ||
| command = [arg if arg != "{};" else tmpdir for arg in args.remaining[1:]] | ||
| print(f"running {command=}") | ||
| try: | ||
| subprocess.check_call(command) | ||
| except subprocess.CalledProcessError as err: | ||
| logging.error("Failed to execute process, see errors logged above ^^^") | ||
| return err.returncode | ||
| return 0 | ||
|
|
||
|
|
||
| def setup_sandbox(prereqs: list[pathlib.Path], tmpdir: pathlib.Path): | ||
| # always adding .gitignore | ||
| gitignore = ROOT_DIR / ".gitignore" | ||
| if gitignore.exists(): | ||
| shutil.copy(gitignore, tmpdir) | ||
|
|
||
| for dep in prereqs: | ||
| if dep.is_absolute(): | ||
| dep = dep.relative_to(ROOT_DIR) | ||
| if dep.is_dir(): | ||
| shutil.copytree(dep, tmpdir / dep, symlinks=False, dirs_exist_ok=True) | ||
| else: | ||
| (tmpdir / dep.parent).mkdir(parents=True, exist_ok=True) | ||
| shutil.copy(dep, tmpdir / dep.parent) | ||
|
|
||
|
|
||
| if __name__ == '__main__': | ||
| sys.exit(main()) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| #! /usr/bin/env python3 | ||
|
|
||
| import glob | ||
| import logging | ||
| import pathlib | ||
| import sys | ||
| import tempfile | ||
|
|
||
| import pyfakefs.fake_filesystem | ||
|
|
||
| from scripts.sandbox import setup_sandbox | ||
|
|
||
| ROOT_DIR = pathlib.Path(__file__).parent.parent | ||
|
|
||
| logging.basicConfig() | ||
| logging.root.name = pathlib.Path(__file__).name | ||
|
|
||
| class TestSandbox: | ||
| def test_filesystem_file(self, fs: pyfakefs.fake_filesystem.FakeFilesystem): | ||
| pathlib.Path("a").write_text("a") | ||
|
|
||
| with tempfile.TemporaryDirectory(delete=True) as tmpdir: | ||
| setup_sandbox([pathlib.Path("a")], pathlib.Path(tmpdir)) | ||
| assert (pathlib.Path(tmpdir) / "a").is_file() | ||
|
|
||
| def test_filesystem_dir_with_file(self, fs: pyfakefs.fake_filesystem.FakeFilesystem): | ||
| pathlib.Path("a/").mkdir() | ||
| pathlib.Path("a/b").write_text("b") | ||
|
|
||
| with tempfile.TemporaryDirectory(delete=True) as tmpdir: | ||
| setup_sandbox([pathlib.Path("a")], pathlib.Path(tmpdir)) | ||
| assert (pathlib.Path(tmpdir) / "a").is_dir() | ||
| assert (pathlib.Path(tmpdir) / "a" / "b").is_file() | ||
|
|
||
| def test_filesystem_dir_with_dir_with_file(self, fs: pyfakefs.fake_filesystem.FakeFilesystem): | ||
| pathlib.Path("a/b").mkdir(parents=True) | ||
| pathlib.Path("a/b/c").write_text("c") | ||
|
|
||
| with tempfile.TemporaryDirectory(delete=True) as tmpdir: | ||
| setup_sandbox([pathlib.Path("a")], pathlib.Path(tmpdir)) | ||
| assert (pathlib.Path(tmpdir) / "a").is_dir() | ||
| assert (pathlib.Path(tmpdir) / "a" / "b").is_dir() | ||
| assert (pathlib.Path(tmpdir) / "a" / "b" / "c").is_file() | ||
|
|
||
| def test_filesystem_file_in_dir_in_dir(self, fs: pyfakefs.fake_filesystem.FakeFilesystem): | ||
| pathlib.Path("a/b").mkdir(parents=True) | ||
| pathlib.Path("a/b/c").write_text("c") | ||
|
|
||
| with tempfile.TemporaryDirectory(delete=True) as tmpdir: | ||
| setup_sandbox([pathlib.Path("a/b/c")], pathlib.Path(tmpdir)) | ||
| for g in glob.glob("**/*", recursive=True): | ||
| logging.debug("%s", g) | ||
| assert (pathlib.Path(tmpdir) / "a").is_dir() | ||
| assert (pathlib.Path(tmpdir) / "a" / "b").is_dir() | ||
| assert (pathlib.Path(tmpdir) / "a" / "b" / "c").is_file() |