zishuo/skopeo
1
0
Fork 0
mirror of https://github.com/containers/skopeo.git synced 2025-09-26 20:31:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

sync: honor CLI/global tls-verify unless YAML explicitly sets tls-verify

Browse Source 
Signed-off-by: Andy Allan <58987282+andya1lan@users.noreply.github.com>

chore: make linter happy

Signed-off-by: Andy Allan <58987282+andya1lan@users.noreply.github.com>

test(sync): refactor TLS override precedence test to table-driven

Signed-off-by: Andy Allan <58987282+andya1lan@users.noreply.github.com>

test(sync): refactor cases when YAML omitted

Signed-off-by: Andy Allan <58987282+andya1lan@users.noreply.github.com>

test(sync): readd TLS verification tests when yaml specfied

Signed-off-by: Andy Allan <58987282+andya1lan@users.noreply.github.com>

test(sync): readd TLS verification tests when yaml specfied and `incomingDaemonSkip` condition

Signed-off-by: Andy Allan <58987282+andya1lan@users.noreply.github.com>
This commit is contained in:
Andy Allan
2025-09-18 01:48:34 +08:00
parent f0f0c2c639
commit dbd18b9728
2 changed files with 134 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/skopeo/sync.go
View File

@@ -289,8 +289,11 @@ func imagesToCopyFromRegistry(registryName string, cfg registrySyncConfig, sourc
// override ctx with per-registryName options
serverCtx.DockerCertPath = cfg.CertDir
serverCtx.DockerDaemonCertPath = cfg.CertDir
// Only override TLS verification if explicitly specified in YAML; otherwise, keep CLI/global settings.
if cfg.TLSVerify.skip != types.OptionalBoolUndefined {
serverCtx.DockerDaemonInsecureSkipTLSVerify = (cfg.TLSVerify.skip == types.OptionalBoolTrue)
serverCtx.DockerInsecureSkipTLSVerify = cfg.TLSVerify.skip
}
if cfg.Credentials != (types.DockerAuthConfig{}) {
serverCtx.DockerAuthConfig = &cfg.Credentials
}

129
cmd/skopeo/sync_test.go
View File

@@ -59,3 +59,132 @@ func TestSync(t *testing.T) {
// FIXME: Much more test coverage
// Actual feature tests exist in integration and systemtest
}
// TestTLSPrecedence_YAMLOmitted verifies that when YAML omits tls-verify,
// imagesToCopyFromRegistry preserves the incoming SystemContext values
// (e.g., from CLI/global flags) for both DockerInsecureSkipTLSVerify and
// DockerDaemonInsecureSkipTLSVerify.
func TestTLSPrecedence_YAMLOmitted(t *testing.T) {
baseRegistry := "example.com"
imageName := "repo"
cfgBase := registrySyncConfig{
Images: map[string][]string{imageName: {"latest"}}, // avoid network
}
tests := []struct {
name string
incomingSkip types.OptionalBool
incomingDaemonSkip bool
yamlSkip types.OptionalBool // OptionalBoolUndefined means YAML omitted
wantSkip types.OptionalBool
wantDaemonSkip bool
}{
{
name: "YAML omitted preserves incoming skip=true",
incomingSkip: types.OptionalBoolTrue,
incomingDaemonSkip: true,
yamlSkip: types.OptionalBoolUndefined,
wantSkip: types.OptionalBoolTrue,
wantDaemonSkip: true,
},
{
name: "YAML omitted preserves incoming skip=false (CLI pass verify)",
incomingSkip: types.OptionalBoolFalse,
incomingDaemonSkip: false,
yamlSkip: types.OptionalBoolUndefined,
wantSkip: types.OptionalBoolFalse,
wantDaemonSkip: false,
},
{
name: "YAML omitted preserves daemon skip=true while docker skip=undefined",
incomingSkip: types.OptionalBoolUndefined,
incomingDaemonSkip: true,
yamlSkip: types.OptionalBoolUndefined,
wantSkip: types.OptionalBoolUndefined,
wantDaemonSkip: true,
},
{
name: "YAML omitted preserves mismatched incoming (docker skip=true, daemon skip=false)",
incomingSkip: types.OptionalBoolTrue,
incomingDaemonSkip: false,
yamlSkip: types.OptionalBoolUndefined,
wantSkip: types.OptionalBoolTrue,
wantDaemonSkip: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
src := types.SystemContext{
DockerInsecureSkipTLSVerify: tt.incomingSkip,
DockerDaemonInsecureSkipTLSVerify: tt.incomingDaemonSkip,
}
cfg := cfgBase
cfg.TLSVerify = tlsVerifyConfig{skip: tt.yamlSkip}
descs, err := imagesToCopyFromRegistry(baseRegistry, cfg, src)
require.NoError(t, err)
require.NotEmpty(t, descs)
ctx := descs[0].Context
require.NotNil(t, ctx)
assert.Equal(t, tt.wantSkip, ctx.DockerInsecureSkipTLSVerify)
assert.Equal(t, tt.wantDaemonSkip, ctx.DockerDaemonInsecureSkipTLSVerify)
})
}
}
// TestTLSPrecedence_YAMLSpecified verifies that when YAML explicitly specifies
// tls-verify, it overrides incoming SystemContext values (e.g., CLI/global flags)
// for both DockerInsecureSkipTLSVerify and DockerDaemonInsecureSkipTLSVerify.
func TestTLSPrecedence_YAMLSpecified(t *testing.T) {
baseRegistry := "example.com"
imageName := "repo"
cfgBase := registrySyncConfig{
Images: map[string][]string{imageName: {"latest"}}, // avoid network
}
tests := []struct {
name string
incomingSkip types.OptionalBool
incomingDaemonSkip bool
yamlSkip types.OptionalBool // YAML explicitly sets this
wantSkip types.OptionalBool
wantDaemonSkip bool
}{
{
name: "YAML tls-verify:true enforces verification",
incomingSkip: types.OptionalBoolTrue,
incomingDaemonSkip: true,
yamlSkip: types.OptionalBoolFalse,
wantSkip: types.OptionalBoolFalse,
wantDaemonSkip: false,
},
{
name: "YAML tls-verify:false disables verification",
incomingSkip: types.OptionalBoolFalse,
incomingDaemonSkip: false,
yamlSkip: types.OptionalBoolTrue,
wantSkip: types.OptionalBoolTrue,
wantDaemonSkip: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
src := types.SystemContext{
DockerInsecureSkipTLSVerify: tt.incomingSkip,
DockerDaemonInsecureSkipTLSVerify: tt.incomingDaemonSkip,
}
cfg := cfgBase
cfg.TLSVerify = tlsVerifyConfig{skip: tt.yamlSkip}
descs, err := imagesToCopyFromRegistry(baseRegistry, cfg, src)
require.NoError(t, err)
require.NotEmpty(t, descs)
ctx := descs[0].Context
require.NotNil(t, ctx)
assert.Equal(t, tt.wantSkip, ctx.DockerInsecureSkipTLSVerify)
assert.Equal(t, tt.wantDaemonSkip, ctx.DockerDaemonInsecureSkipTLSVerify)
})
}
}