diff --git a/internal/util/util.go b/internal/util/util.go
index 47510bff7ad..d329676aae9 100644
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -117,7 +117,7 @@ func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {

 // DecryptConfig translates decryptionKeys into a DescriptionConfig structure
 func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
- decryptConfig := &encconfig.DecryptConfig{}
+ var decryptConfig *encconfig.DecryptConfig
 if len(decryptionKeys) > 0 {
 // decryption
 dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
diff --git a/internal/util/util_test.go b/internal/util/util_test.go
index c7109eb610e..62c40a3993c 100644
--- a/internal/util/util_test.go
+++ b/internal/util/util_test.go
@@ -7,6 +7,20 @@ import (
 "github.com/stretchr/testify/assert"
 )

+func TestDecryptConfig(t *testing.T) {
+ // Just a smoke test for the default path.
+ res, err := DecryptConfig(nil)
+ assert.NoError(t, err)
+ assert.Nil(t, res)
+}
+
+func TestEncryptConfig(t *testing.T) {
+ // Just a smoke test for the default path.
+ cfg, layers, err := EncryptConfig(nil, nil)
+ assert.NoError(t, err)
+ assert.Nil(t, cfg)
+ assert.Nil(t, layers)
+}
 func TestGetFormat(t *testing.T) {
 _, err := GetFormat("bogus")
 assert.NotNil(t, err)
diff --git a/tests/bud.bats b/tests/bud.bats
index 41a214869f5..7a2b96b6720 100644
--- a/tests/bud.bats
+++ b/tests/bud.bats
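Review bot: The doc comment on `DecryptConfig` does not say that the function now returns a nil `*encconfig.DecryptConfig` when `decryptionKeys` is empty, and it still misnames the result as a `DescriptionConfig`. Before this change callers always received a non-nil struct, so any caller that dereferences the result without a nil check would now panic; those call sites are outside this hunk and should be checked. Judging by the updated bats expectations in this commit, a nil config also appears to mean that no decryption is attempted at all, which is worth stating for the next reader. Suggested comment: `// DecryptConfig translates decryptionKeys into a DecryptConfig structure. It returns nil, not an empty config, when no keys are given; callers must handle nil and treat it as "do not attempt decryption".` The function body continues past the end of the hunk.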
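Review bot: `TestDecryptConfig` pins only the `nil` argument; an empty non-nil slice takes the same `len(decryptionKeys) > 0` branch in `DecryptConfig` and should be pinned to the same result, e.g. `res, err = DecryptConfig([]string{})` followed by `assert.NoError(t, err)` and `assert.Nil(t, res)`. Neither new test exercises the path where a key is supplied, so a regression that returned nil there as well, silently skipping decryption, would go unnoticed by the unit tests; that case needs a key fixture and may be better left to the bats suite. The closing brace of `TestEncryptConfig` also appears to be followed directly by `func TestGetFormat`, so a blank line is missing between the two functions.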
@@ -4027,8 +4027,8 @@ EOM
 echo FROM localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest > $contextdir/Dockerfile

 # Try to build from encrypted image without key
- run_buildah 125 build $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword -t ${target} -f $contextdir/Dockerfile
- assert "$output" =~ "missing private key needed for decryption"
+ run_buildah 1 build $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword -t ${target} -f $contextdir/Dockerfile
+ assert "$output" =~ "archive/tar: invalid tar header"

 # Try to build from encrypted image with wrong key
 run_buildah 125 build $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key $contextdir/mykey2.pem -t ${target} -f $contextdir/Dockerfile
diff --git a/tests/from.bats b/tests/from.bats
index 118868cbed6..f3613070ca2 100644
--- a/tests/from.bats
+++ b/tests/from.bats
@@ -427,8 +427,8 @@ load helpers
 run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc

 # Try encrypted image without key should fail
- run_buildah 125 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ run_buildah 1 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
+ expect_output --substring "archive/tar: invalid tar header"

 # Try encrypted image with wrong key should fail
 run_buildah 125 from --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
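Review bot: The no-key case now passes on `archive/tar: invalid tar header`, which is an incidental failure of the tar reader rather than a statement that the image is encrypted and no key was supplied; the same expectation is repeated in the from.bats hunks at 427 and 450 and the pull.bats hunks at 190, 213 and 240. That message would match any unreadable layer, so these tests no longer show that buildah recognises an encrypted layer, and they suggest (inferred from the expected output, not visible here) that ciphertext now reaches the layer unpacker before anything rejects it. The exit status also changes from 125 to 1 while the wrong-key case right below still expects 125, so the two decryption failures no longer share an exit code. If the behaviour is intended, a comment such as `# No key: decryption is not attempted, so the encrypted layer is rejected by the tar reader` above each `run_buildah 1` line would record why, and an explicit check for an encrypted layer media type before unpacking would give a stable error to assert on.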
@@ -450,8 +450,8 @@ load helpers
 run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest

 # Try encrypted image without key should fail
- run_buildah 125 from --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ run_buildah 1 from --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
+ expect_output --substring "archive/tar: invalid tar header"

 # Try encrypted image with wrong key should fail
 run_buildah 125 from --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
diff --git a/tests/pull.bats b/tests/pull.bats
index 969321b2673..abf2e2e00d2 100644
--- a/tests/pull.bats
+++ b/tests/pull.bats
@@ -190,8 +190,8 @@ load helpers
 run_buildah push $WITH_POLICY_JSON --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc

 # Try to pull encrypted image without key should fail
- run_buildah 125 pull $WITH_POLICY_JSON oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ run_buildah 1 pull $WITH_POLICY_JSON oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
+ expect_output --substring "archive/tar: invalid tar header"

 # Try to pull encrypted image with wrong key should fail
 run_buildah 125 pull $WITH_POLICY_JSON --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
@@ -213,8 +213,8 @@ load helpers
 run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest

 # Try to pull encrypted image without key should fail
- run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ run_buildah 1 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
+ expect_output --substring "archive/tar: invalid tar header"

 # Try to pull encrypted image with wrong key should fail, with diff. msg
 run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
@@ -240,8 +240,8 @@ load helpers
 run_buildah commit --iidfile /dev/null --tls-verify=false --creds testuser:testpassword $WITH_POLICY_JSON --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub -q $cid docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest

 # Try to pull encrypted image without key should fail
- run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
- expect_output --substring "decrypting layer .* missing private key needed for decryption"
+ run_buildah 1 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
+ expect_output --substring "archive/tar: invalid tar header"

 # Try to pull encrypted image with wrong key should fail
 run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest