Added tests

Makefile

@@ -41,7 +41,10 @@ linux:
 	OUTPUT_DIR=$$(pwd)/_output/bin/linux/amd64 \
 	./hack/build.sh
 
-ci: build-ci-dirs mac linux
+tests:
+	go test -covermode=count ./...
+
+ci: build-ci-dirs tests mac linux
 
 build-ci-dirs:
 	@mkdir -p _output/bin/linux/amd64 _output/bin/darwin/amd64

README.md

@@ -103,6 +103,8 @@ allow {
 
 nodeImage {
   images[_] = "node"
+} {
+  true
 }
 
 ## Get all FROM lines ##

cmd/docker-socket-firewall/main.go

@@ -154,7 +154,7 @@ func hijack(req *http.Request, w http.ResponseWriter) {
 		}
 	case err = <-errBackend:
 		if err != nil {
-			log.Debugf("hijack: Error when copying from docker to client", err)
+			log.Debugf("hijack: Error when copying from docker to client: %v", err)
 		} else {
 			log.Debug("Closed connection by docker")
 		}

pkg/opa/opa_test.go

@@ -0,0 +1,77 @@
+package opa
+
+import (
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"path/filepath"
+	"runtime"
+	"testing"
+)
+
+var (
+	_, b, _, _ = runtime.Caller(0)
+	basepath   = filepath.Dir(b)
+)
+
+func TestCreateNetworkDenied(t *testing.T) {
+
+	req, _ := http.NewRequest("GET", "/v1.39/networks/create?", nil)
+
+	opaHandler := &DockerOpaHandler{ basepath+"/../../sample_policies/deny_network_create.rego", "build.rego"}
+	res, _ := opaHandler.ValidateRequest(req);
+
+	assert.False(t, res, "Network creation should be rejected");
+
+}
+
+func TestDenyPost(t *testing.T) {
+
+	postReq, _ := http.NewRequest("POST", "/test", nil)
+
+	opaHandler := &DockerOpaHandler{ basepath+"/../../sample_policies/deny_post.rego", "build.rego"}
+	res, _ := opaHandler.ValidateRequest(postReq);
+
+	assert.False(t, res, "POST request should be rejected");
+
+	getReq, _ := http.NewRequest("GET", "/test", nil)
+
+	res, _ = opaHandler.ValidateRequest(getReq);
+
+	assert.True(t, res, "GET request should be allowed");
+
+}
+
+func TestDenyBasedOnHeader(t *testing.T) {
+	reqWithHeader, _ := http.NewRequest("POST", "/test", nil)
+
+	reqWithHeader.Header.Set("X-foo", "bar")
+
+	opaHandler := &DockerOpaHandler{ basepath+"/../../sample_policies/deny_header.rego", "build.rego"}
+	res, _ := opaHandler.ValidateRequest(reqWithHeader);
+
+	assert.True(t, res, "request with X-foo header should be allowed");
+
+	reqWithoutHeader, _ := http.NewRequest("POST", "/test", nil)
+
+	res, _ = opaHandler.ValidateRequest(reqWithoutHeader);
+
+	assert.False(t, res, "request without X-foo header should be rejected");
+
+}
+
+func TestBuildDockerfileFromFoo(t *testing.T) {
+
+	req, _ := http.NewRequest("GET", "/test", nil)
+
+	opaHandler := &DockerOpaHandler{ "", basepath+"/../../sample_policies/deny_build_foo.rego"}
+	res, _ := opaHandler.ValidateDockerFile(req, "FROM foo");
+
+	assert.False(t, res, "FROM foo should be rejected");
+
+	res, _ = opaHandler.ValidateDockerFile(req, "FROM bar");
+
+	assert.False(t, res, "FROM bar should be allowed");
+
+}
+
+

sample_policies/deny_build_foo.rego

@@ -0,0 +1,18 @@
+package docker.build
+
+allow {
+   not hasFooImage
+}
+
+hasFooImage {
+	images[_] = "foo"
+} {
+	true
+}
+
+## Get all FROM lines ##
+images[output] {
+  line := input.Dockerfile[_]
+  startswith(line, "FROM ")
+  output = substring(line, 5, -1)
+}

sample_policies/deny_header.rego

@@ -0,0 +1,9 @@
+package docker.authz
+
+allow {
+   hasXfooHeader
+}
+
+hasXfooHeader {
+	input.Headers["X-Foo"]
+}

sample_policies/deny_network_create.rego

@@ -0,0 +1,28 @@
+package docker.authz
+
+allow {
+  not createNetwork
+}
+
+createNetwork {
+  startswith(path, "/networks/create")
+}
+
+## Parsing Path, Allowing for versioned and non versioned
+versioned = output {
+  output = re_match("/v\\d+.*", input.Path)
+}
+
+path = output {
+  not versioned
+  index := indexof(input.Path, "?")
+  output = substring(input.Path, 0, index)
+}
+
+path = output {
+  versioned
+  path := substring(input.Path, 2, -1)
+  end := indexof(path, "?")
+  start := indexof(path, "/")
+  output = substring(path, start, end)
+}

sample_policies/deny_post.rego

@@ -0,0 +1,5 @@
+package docker.authz
+
+allow {
+  not input.Method = "POST"
+}