From 2e923173a9dfc18a7e2b0c935dc2c2cc858dfb6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Tue, 18 Apr 2023 21:10:27 +0200
Subject: [PATCH] Don't decrypt images by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A non-nil but empty decryption configuration seems to be valid enough to trigger decryption in some configurations, per https://github.com/containers/podman/issues/18196 . Like in Skopeo and Podman, only decrypt when the user explicitly instructs us to (e.g. not triggering decryption based on environment variables).

Signed-off-by: Miloslav Trmač
---
 internal/util/util.go | 2 +-
 internal/util/util_test.go | 14 ++++++++++++++
 tests/bud.bats | 2 +-
 tests/from.bats | 4 ++--
 tests/pull.bats | 6 +++---
 5 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/internal/util/util.go b/internal/util/util.go
index c945ca85b8b..e2c1cfb566a 100644
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -109,7 +109,7 @@ func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {
 // DecryptConfig translates decryptionKeys into a DescriptionConfig structure
 func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
- decryptConfig := &encconfig.DecryptConfig{}
+ var decryptConfig *encconfig.DecryptConfig
 if len(decryptionKeys) > 0 {
 // decryption
 dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
diff --git a/internal/util/util_test.go b/internal/util/util_test.go
index c7109eb610e..62c40a3993c 100644
--- a/internal/util/util_test.go
+++ b/internal/util/util_test.go
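Review bot: The doc comment above `DecryptConfig` in internal/util/util.go is left untouched, so it still names a "DescriptionConfig structure" and says nothing about the result now being nil when `decryptionKeys` is empty. Per the commit message an empty but non-nil configuration could be enough to trigger decryption, so nil is presumably what callers rely on to mean "do not decrypt", and that contract belongs in the comment, e.g. `// DecryptConfig translates decryptionKeys into a DecryptConfig structure. It returns nil when no keys are given, so that images are never decrypted implicitly.` The function body continues past the end of the hunk, so it is also worth confirming that nothing after the `if` block, and no caller, dereferences the result without a nil check.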
@@ -7,6 +7,20 @@ import (
 "github.com/stretchr/testify/assert"
 )
+func TestDecryptConfig(t *testing.T) {
+ // Just a smoke test for the default path.
+ res, err := DecryptConfig(nil)
+ assert.NoError(t, err)
+ assert.Nil(t, res)
+}
+
+func TestEncryptConfig(t *testing.T) {
+ // Just a smoke test for the default path.
+ cfg, layers, err := EncryptConfig(nil, nil)
+ assert.NoError(t, err)
+ assert.Nil(t, cfg)
+ assert.Nil(t, layers)
+}
 func TestGetFormat(t *testing.T) {
 _, err := GetFormat("bogus")
 assert.NotNil(t, err)
diff --git a/tests/bud.bats b/tests/bud.bats
index 65cbbb069f2..eae682f8727 100644
--- a/tests/bud.bats
+++ b/tests/bud.bats
@@ -3998,7 +3998,7 @@ EOM
 # Try to build from encrypted image without key
 run_buildah 125 build $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword -t ${target} -f $contextdir/Dockerfile
- assert "$output" =~ "missing private key needed for decryption"
+ assert "$output" =~ "archive/tar: invalid tar header"
 # Try to build from encrypted image with wrong key
 run_buildah 125 build $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key $contextdir/mykey2.pem -t ${target} -f $contextdir/Dockerfile
diff --git a/tests/from.bats b/tests/from.bats
index 118868cbed6..a6a218bdd91 100644
--- a/tests/from.bats
+++ b/tests/from.bats
@@ -428,7 +428,7 @@ load helpers
 # Try encrypted image without key should fail
 run_buildah 125 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ expect_output --substring "archive/tar: invalid tar header"
 # Try encrypted image with wrong key should fail
 run_buildah 125 from --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
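Review bot: `TestDecryptConfig` passes only `nil`, but the regression described in the commit message concerns an empty configuration, so an empty non-nil key list deserves its own assertion: `res, err = DecryptConfig([]string{})` followed by the same `assert.NoError(t, err)` and `assert.Nil(t, res)`. That pins the `len(decryptionKeys) > 0` guard in util.go rather than just the nil argument. The "smoke test" comment could also say that a nil result is what keeps decryption off by default, so the assertion is not later relaxed to accept an empty struct.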
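Review bot: The new expected string `archive/tar: invalid tar header` in tests/bud.bats looks like an incidental error from unpacking a still-encrypted layer rather than a message about encryption, so the assertion no longer says why the build fails. I would add a comment above it, e.g. `# No --decryption-key given, so the layer is not decrypted and unpacking the ciphertext fails`, so that a later change in the unpacking error is not mistaken for a decryption regression. The exit status 125 already shows that the command fails; the substring only pins which part of the stack reports it. The same applies to the matching assertions in tests/from.bats (both hunks) and tests/pull.bats (all three hunks). The test bodies start and end outside the hunks.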
@@ -451,7 +451,7 @@ load helpers
 # Try encrypted image without key should fail
 run_buildah 125 from --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ expect_output --substring "archive/tar: invalid tar header"
 # Try encrypted image with wrong key should fail
 run_buildah 125 from --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
diff --git a/tests/pull.bats b/tests/pull.bats
index 969321b2673..a2bf93faa63 100644
--- a/tests/pull.bats
+++ b/tests/pull.bats
@@ -191,7 +191,7 @@ load helpers
 # Try to pull encrypted image without key should fail
 run_buildah 125 pull $WITH_POLICY_JSON oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ expect_output --substring "archive/tar: invalid tar header"
 # Try to pull encrypted image with wrong key should fail
 run_buildah 125 pull $WITH_POLICY_JSON --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
@@ -214,7 +214,7 @@ load helpers
 # Try to pull encrypted image without key should fail
 run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ expect_output --substring "archive/tar: invalid tar header"
 # Try to pull encrypted image with wrong key should fail, with diff. msg
 run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
@@ -241,7 +241,7 @@ load helpers
 # Try to pull encrypted image without key should fail
 run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ expect_output --substring "archive/tar: invalid tar header"
 # Try to pull encrypted image with wrong key should fail
 run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest