From e795044a60552eaeee48207383e2147ae7a90fda Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Tue, 18 Apr 2023 21:10:27 +0200
Subject: [PATCH] Don't decrypt images by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A non-nil but empty decryption configuration seems to be valid enough to trigger decryption in some configurations, per https://github.com/containers/podman/issues/18196 . Like in Skopeo and Podman, only decrypt when the user explicitly instructs us to (e.g. not triggering decryption based on environment variables).

Signed-off-by: Miloslav Trmač
---
 internal/util/util.go | 2 +-
 internal/util/util_test.go | 14 ++++++++++++++
 tests/bud.bats | 4 ++--
 tests/from.bats | 8 ++++----
 tests/pull.bats | 12 ++++++------
 5 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/internal/util/util.go b/internal/util/util.go
index c945ca85b8b..e2c1cfb566a 100644
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -109,7 +109,7 @@ func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {

 // DecryptConfig translates decryptionKeys into a DescriptionConfig structure
 func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
- decryptConfig := &encconfig.DecryptConfig{}
+ var decryptConfig *encconfig.DecryptConfig
 if len(decryptionKeys) > 0 {
 // decryption
 dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
diff --git a/internal/util/util_test.go b/internal/util/util_test.go
index c7109eb610e..62c40a3993c 100644
--- a/internal/util/util_test.go
+++ b/internal/util/util_test.go
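Review bot: The doc comment on `DecryptConfig` still reads "DescriptionConfig structure" and does not state the contract callers now rely on: with no keys the function returns a nil `*encconfig.DecryptConfig`, and per the commit message a non-nil but empty config can be enough to trigger decryption. I would reword it to `// DecryptConfig translates decryptionKeys into a DecryptConfig. It returns nil when no keys are given; callers must pass that nil through unchanged so that decryption is only attempted on explicit request.` The rest of the function body, including where the populated config is assigned, lies outside this hunk, so the wording about the non-empty path should be checked against it.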
@@ -7,6 +7,20 @@ import (
 "github.com/stretchr/testify/assert"
 )

+func TestDecryptConfig(t *testing.T) {
+ // Just a smoke test for the default path.
+ res, err := DecryptConfig(nil)
+ assert.NoError(t, err)
+ assert.Nil(t, res)
+}
+
+func TestEncryptConfig(t *testing.T) {
+ // Just a smoke test for the default path.
+ cfg, layers, err := EncryptConfig(nil, nil)
+ assert.NoError(t, err)
+ assert.Nil(t, cfg)
+ assert.Nil(t, layers)
+}
 func TestGetFormat(t *testing.T) {
 _, err := GetFormat("bogus")
 assert.NotNil(t, err)
diff --git a/tests/bud.bats b/tests/bud.bats
index 65cbbb069f2..435497fd3b7 100644
--- a/tests/bud.bats
+++ b/tests/bud.bats
@@ -3997,8 +3997,8 @@ EOM
 echo FROM localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest > $contextdir/Dockerfile

 # Try to build from encrypted image without key
- run_buildah 125 build $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword -t ${target} -f $contextdir/Dockerfile
- assert "$output" =~ "missing private key needed for decryption"
+ run_buildah 1 build $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword -t ${target} -f $contextdir/Dockerfile
+ assert "$output" =~ "archive/tar: invalid tar header"

 # Try to build from encrypted image with wrong key
 run_buildah 125 build $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key $contextdir/mykey2.pem -t ${target} -f $contextdir/Dockerfile
diff --git a/tests/from.bats b/tests/from.bats
index 118868cbed6..f3613070ca2 100644
--- a/tests/from.bats
+++ b/tests/from.bats
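Review bot: `TestDecryptConfig` covers only a nil slice, while the regression described in the commit message came from an empty-but-non-nil value, so the empty-slice input deserves its own assertion. Both inputs fail the `len(decryptionKeys) > 0` check in `DecryptConfig`, but an empty slice is presumably what a flag parser passes when no key is given. I would add `res, err = DecryptConfig([]string{})` followed by `assert.NoError(t, err)` and `assert.Nil(t, res)`, which pins that the result is a nil pointer rather than an empty struct in both cases.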
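Review bot: The expected failure for an encrypted image without a key is now pinned to `archive/tar: invalid tar header` with exit status 1, an incidental error from a different layer that tells the user nothing about the image being encrypted. The same expectation is repeated in the tests/from.bats hunks (-427, -450) and the tests/pull.bats hunks (-190, -213, -240). I would add a comment next to each assertion, for example `# no --decryption-key: the layer is not decrypted, so it presumably fails as a malformed tar stream`, so that a later change in the tar error text is not mistaken for a decryption regression. A clearer diagnostic for encrypted layers pulled without a key would be worth tracking separately, since the tar error gives operators little to act on.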
@@ -427,8 +427,8 @@ load helpers
 run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc

 # Try encrypted image without key should fail
- run_buildah 125 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ run_buildah 1 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
+ expect_output --substring "archive/tar: invalid tar header"

 # Try encrypted image with wrong key should fail
 run_buildah 125 from --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
@@ -450,8 +450,8 @@ load helpers
 run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest

 # Try encrypted image without key should fail
- run_buildah 125 from --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ run_buildah 1 from --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
+ expect_output --substring "archive/tar: invalid tar header"

 # Try encrypted image with wrong key should fail
 run_buildah 125 from --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
diff --git a/tests/pull.bats b/tests/pull.bats
index 969321b2673..abf2e2e00d2 100644
--- a/tests/pull.bats
+++ b/tests/pull.bats
@@ -190,8 +190,8 @@ load helpers
 run_buildah push $WITH_POLICY_JSON --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc

 # Try to pull encrypted image without key should fail
- run_buildah 125 pull $WITH_POLICY_JSON oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ run_buildah 1 pull $WITH_POLICY_JSON oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
+ expect_output --substring "archive/tar: invalid tar header"

 # Try to pull encrypted image with wrong key should fail
 run_buildah 125 pull $WITH_POLICY_JSON --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
@@ -213,8 +213,8 @@ load helpers
 run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest

 # Try to pull encrypted image without key should fail
- run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ run_buildah 1 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
+ expect_output --substring "archive/tar: invalid tar header"

 # Try to pull encrypted image with wrong key should fail, with diff. msg
 run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
@@ -240,8 +240,8 @@ load helpers
 run_buildah commit --iidfile /dev/null --tls-verify=false --creds testuser:testpassword $WITH_POLICY_JSON --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub -q $cid docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest

 # Try to pull encrypted image without key should fail
- run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ run_buildah 1 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
+ expect_output --substring "archive/tar: invalid tar header"

 # Try to pull encrypted image with wrong key should fail
 run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest