Tests for the ubi-hardening-extras Docker images.

mathworks-ref-arch · Nov 8, 2023 · 3c0c29d · 3c0c29d
1 parent 6b15358
commit 3c0c29d
Show file tree

Hide file tree

Showing 10 changed files with 233 additions and 5 deletions.
diff --git a/.github/workflows/build-and-publish-ubi-hardening-extras.yml b/.github/workflows/build-and-publish-ubi-hardening-extras.yml
@@ -85,7 +85,7 @@ jobs:
 
       # Build the package Docker image locally to retrieve the new signature.
       # We will only push to GHCR if the new package SHA-256 is different from the latest one.
-      - name: Build new UBI package Docker image locally
+      - name: Build new UBI package Docker image to file system
         uses: docker/build-push-action@v5
         with:
           context: ./ubi-hardening-extras/${{ matrix.package }}
@@ -136,10 +136,10 @@ jobs:
           fi
           echo "is_identical=${STATUS}" >> $GITHUB_OUTPUT
 
-      # Rebuild the same package Docker image from step "Build new UBI package Docker image locally"
-      # this time storing the new version number and pushing to GHCR (since we now know if something has changed). 
+      # Rebuild the same package Docker image from step "Build new UBI package Docker image to file system"
+      # this time build locally storing the new version number.
       # The build relies on the docker build cache to simply update the version and push.
-      - name: Build and push to GitHub Container Registry if package has changed
+      - name: Build Docker image for UBI packages
         uses: docker/build-push-action@v5
         if: ${{ steps.check.outputs.is_identical != '0' }}
         with:
@@ -150,4 +150,27 @@ jobs:
           tags: |
             ${{ env.IMAGE_NAME }}:latest
             ${{ env.IMAGE_NAME }}:${{ steps.extract.outputs.next_version }}
-          push: true
+
+      - name: Set up Python 3
+        if: ${{ steps.check.outputs.is_identical != '0' }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+
+      - name: Install test dependencies
+        if: ${{ steps.check.outputs.is_identical != '0' }}
+        working-directory: ubi-hardening-extras/tests
+        run: |
+          python -m pip install --upgrade pip
+          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+      - name: Test new UBI package Docker image
+        if: ${{ steps.check.outputs.is_identical != '0' }}
+        working-directory: ubi-hardening-extras/tests
+        run: python -m unittest ${{ matrix.package }}/*.py
+
+      # Push the package Docker image built in the "Build Docker image for UBI packages" step to GHCR 
+      # (since we now know if something has changed). 
+      - name: Push to GitHub Container Registry if package has changed
+        if: ${{ steps.check.outputs.is_identical != '0' }}
+        run: docker push --all-tags ${{ env.IMAGE_NAME }}
diff --git a/ubi-hardening-extras/tests/.gitignore b/ubi-hardening-extras/tests/.gitignore
@@ -0,0 +1 @@
+__pycache__
diff --git a/ubi-hardening-extras/tests/icewm/icewm_test.py b/ubi-hardening-extras/tests/icewm/icewm_test.py
@@ -0,0 +1,27 @@
+# Copyright 2023 The MathWorks, Inc.
+
+"""
+Module for testing the "icewm" image 
+"""
+
+from utils import basetest
+import unittest
+
+
+class IcewmTest(basetest.TestCase):
+    """
+    Test class to build a Docker image from the "icewm" one and test the resulting image
+    """
+
+    def test_packages_present(self):
+        """Test that the icewm-* packages are installed"""
+        packages = ["icewm", "icewm-data", "icewm-themes"]
+        for name in packages:
+            with self.subTest(packagename=name):
+                self.assertTrue(self.host.package(name).is_installed)
+
+
+##################################################################################
+
+if __name__ == "__main__":
+    unittest.main()
diff --git a/ubi-hardening-extras/tests/novnc/novnc_test.py b/ubi-hardening-extras/tests/novnc/novnc_test.py
@@ -0,0 +1,25 @@
+# Copyright 2023 The MathWorks, Inc.
+
+"""
+Module for testing the "novnc" image 
+"""
+
+from utils import basetest
+import unittest
+
+
+class NoVncTest(basetest.TestCase):
+    """
+    Test class to build a Docker image from the "novnc" one and test the resulting image
+    """
+    dockerfile = "Dockerfile.novnc"
+
+    def test_can_launch(self):
+        """Test that the launch.sh executable exists"""
+        self.assertTrue(self.host.file("/tmp/novnc/utils/launch.sh").exists)
+
+
+##################################################################################
+
+if __name__ == "__main__":
+    unittest.main()
diff --git a/ubi-hardening-extras/tests/requirements.txt b/ubi-hardening-extras/tests/requirements.txt
@@ -0,0 +1,4 @@
+# Copyright 2023 The MathWorks, Inc.
+
+docker>=6.1.2
+pytest-testinfra>=9.0
diff --git a/ubi-hardening-extras/tests/tigervnc/tigervnc_test.py b/ubi-hardening-extras/tests/tigervnc/tigervnc_test.py
@@ -0,0 +1,30 @@
+# Copyright 2023 The MathWorks, Inc.
+
+"""
+Module for testing the "tigervnc" image 
+"""
+
+from utils import basetest
+import unittest
+
+
+class TigerVncTest(basetest.TestCase):
+    """
+    Test class to build a Docker image from the "tigervnc" one and test the resulting image
+    """
+
+    def test_packages_present(self):
+        """Test that the tigervnc_* packages are installed"""
+        packages = [
+            "tigervnc-server-minimal",
+            "tigervnc-license",
+        ]
+        for name in packages:
+            with self.subTest(packagename=name):
+                self.assertTrue(self.host.package(name).is_installed)
+
+
+##################################################################################
+
+if __name__ == "__main__":
+    unittest.main()
diff --git a/ubi-hardening-extras/tests/utils/Dockerfile b/ubi-hardening-extras/tests/utils/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2023 The MathWorks, Inc.
+
+ARG BASE_REGISTRY=redhat
+ARG BASE_IMAGE=ubi8
+ARG BASE_TAG=8.8
+ARG IMAGE_UNDER_TEST
+
+FROM ${IMAGE_UNDER_TEST} AS image-under-test
+
+# install the RPM packages contained in the $TAR_IMAGE into a redhat-ubi image
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+ARG RPM_INSTALL=/tmp
+
+COPY --from=image-under-test *.rpm.tar.gz ${RPM_INSTALL}
+
+RUN cd ${RPM_INSTALL} && \
+    ls *.rpm.tar.gz | xargs -n 1 tar -xvzf && \
+    dnf install -y --nodocs *.rpm --nogpgcheck && \
+    dnf -y clean all && \
+    rm -rf /var/cache/dnf && \
+    rm -rf ${RPM_INSTALL}
diff --git a/ubi-hardening-extras/tests/utils/Dockerfile.novnc b/ubi-hardening-extras/tests/utils/Dockerfile.novnc
@@ -0,0 +1,15 @@
+# Copyright 2023 The MathWorks, Inc.
+
+ARG BASE_REGISTRY=redhat
+ARG BASE_IMAGE=ubi8
+ARG BASE_TAG=8.8
+ARG IMAGE_UNDER_TEST=novnc
+
+FROM ${IMAGE_UNDER_TEST} AS image-under-test
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+COPY --from=image-under-test *.tar.gz /tmp
+
+RUN mkdir /tmp/novnc/ && \
+    tar -xzf /tmp/novnc.tar.gz --directory /tmp/novnc/ --no-same-owner --no-same-permissions
diff --git a/ubi-hardening-extras/tests/utils/basetest.py b/ubi-hardening-extras/tests/utils/basetest.py
@@ -0,0 +1,50 @@
+# Copyright 2023 The MathWorks, Inc.
+
+import testinfra
+import docker
+import unittest
+import pathlib
+import os
+
+
+class TestCase(unittest.TestCase):
+    """Base test class"""
+
+    # default parameters (can be overridden in derived test classes)
+    buildargs = {"IMAGE_UNDER_TEST": os.getenv("IMAGE_NAME")}
+    dockerfile = "Dockerfile"
+
+    @classmethod
+    def setUpClass(cls):
+        """
+        Build a Docker image from the Dockerfile contained in this directory.
+        To choose which image use as a base image, set the buildargs "IMAGE_UNDER_TEST"
+        """
+        cls.client = docker.from_env()
+        cls.image, _ = cls.client.images.build(
+            path=str(pathlib.Path(__file__).parent.resolve()),
+            buildargs=cls.buildargs,
+            dockerfile=cls.dockerfile,
+            rm=True,
+        )
+
+    def setUp(self):
+        """Run the docker container. Equivalent to
+
+        'docker run --rm -i -d DOCKER_IMAGE '
+        """
+        self.container = self.client.containers.run(
+            image=self.image.id, detach=True, stdin_open=True
+        )
+        self.host = testinfra.get_host("docker://" + self.container.id)
+
+    def tearDown(self):
+        """Stop and remove the container."""
+        self.container.stop()
+        self.container.remove()
+
+    @classmethod
+    def tearDownClass(cls):
+        """Remove the image and the client."""
+        cls.client.images.remove(cls.image.id, force=True)
+        cls.client.close()
diff --git a/ubi-hardening-extras/tests/xterm/xterm_test.py b/ubi-hardening-extras/tests/xterm/xterm_test.py
@@ -0,0 +1,30 @@
+# Copyright 2023 The MathWorks, Inc.
+
+"""
+Module for testing the "xterm" image 
+"""
+
+from utils import basetest
+import unittest
+
+
+class XtermVncTest(basetest.TestCase):
+    """
+    Test class to build a Docker image from the "xterm" one and test the resulting image
+    """
+
+    def test_packages_present(self):
+        """Test that the xterm-* packages are installed"""
+        packages = [
+            "xterm",
+            "xterm-resize",
+        ]
+        for name in packages:
+            with self.subTest(packagename=name):
+                self.assertTrue(self.host.package(name).is_installed)
+
+
+##################################################################################
+
+if __name__ == "__main__":
+    unittest.main()