Disable network access during rpmbuild

Generally the build phase should be completely isolated, this makes sure that consumers of the srpm can reliably rebuild packages. This may be somewhat controversial. If we need to we can add a toggle for this later. Mainly I don't want to release anything now that allows internet access only to take it away later (which will be much harder after anyone starts adopting dalec). Signed-off-by: Brian Goff <[email protected]>
Azure · Feb 23, 2024 · f8323f3 · f8323f3
1 parent aa62582
commit f8323f3
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 4 deletions.
diff --git a/frontend/rpm/handle_rpm.go b/frontend/rpm/handle_rpm.go
@@ -30,6 +30,7 @@ func Build(topDir, workerImg llb.State, specPath string, opts ...llb.Constraints
 		llb.AddMount("/build/top", topDir),
 		llb.AddMount("/build/tmp", llb.Scratch(), llb.Tmpfs()),
 		llb.Dir("/build/top"),
+		llb.Network(llb.NetModeNone),
 		dalec.WithConstraints(opts...),
 	).
 		AddMount("/build/out", llb.Scratch())

diff --git a/test/main_test.go b/test/main_test.go
@@ -18,11 +18,17 @@ import (
 )
 
 var (
-	baseCtx = context.Background()
-	testEnv *testenv.BuildxEnv
+	baseCtx          = context.Background()
+	testEnv          *testenv.BuildxEnv
+	externalTestHost = os.Getenv("TEST_DALEC_EXTERNAL_HOST")
 )
 
 func TestMain(m *testing.M) {
+	if externalTestHost == "" {
+		externalTestHost = "https://github.com"
+	}
+	flag.StringVar(&externalTestHost, "external-test-host", externalTestHost, "http server to use for validating network access")
+
 	flag.Parse()
 
 	if testing.Short() {

diff --git a/test/mariner2_test.go b/test/mariner2_test.go
@@ -9,16 +9,84 @@ import (
 
 	"github.com/Azure/dalec"
 	gwclient "github.com/moby/buildkit/frontend/gateway/client"
+	moby_buildkit_v1_frontend "github.com/moby/buildkit/frontend/gateway/pb"
 )
 
 func TestMariner2(t *testing.T) {
 	t.Parallel()
 
 	ctx := startTestSpan(baseCtx, t)
-	testDistroContainer(ctx, t, "mariner2/container")
+	testDistro(ctx, t, "mariner2/container")
 }
 
-func testDistroContainer(ctx context.Context, t *testing.T, buildTarget string) {
+func testDistro(ctx context.Context, t *testing.T, buildTarget string) {
+	t.Run("Fail when non-zero exit code during build", func(t *testing.T) {
+		t.Parallel()
+		spec := dalec.Spec{
+			Name:        "test-build-commands-fail",
+			Version:     "v0.0.1",
+			Revision:    "1",
+			License:     "MIT",
+			Website:     "https://github.com/azure/dalec",
+			Vendor:      "Dalec",
+			Packager:    "Dalec",
+			Description: "Testing builds commands that fail cause the whole build to fail",
+			Build: dalec.ArtifactBuild{
+				Steps: []dalec.BuildStep{
+					{
+						Command: "exit 42",
+					},
+				},
+			},
+		}
+
+		testEnv.RunTest(ctx, t, func(ctx context.Context, gwc gwclient.Client) (*gwclient.Result, error) {
+			sr := newSolveRequest(withSpec(ctx, t, &spec), withBuildTarget(buildTarget))
+			sr.Evaluate = true
+			_, err := gwc.Solve(ctx, sr)
+			var xErr *moby_buildkit_v1_frontend.ExitError
+			if !errors.As(err, &xErr) {
+				t.Fatalf("expected exit error, got %T: %v", errors.Unwrap(err), err)
+			}
+			return gwclient.NewResult(), nil
+		})
+	})
+
+	t.Run("should not have internet access during build", func(t *testing.T) {
+		t.Parallel()
+		spec := dalec.Spec{
+			Name:        "test-no-internet-access",
+			Version:     "v0.0.1",
+			Revision:    "1",
+			License:     "MIT",
+			Website:     "https://github.com/azure/dalec",
+			Vendor:      "Dalec",
+			Packager:    "Dalec",
+			Description: "Should not have internet access during build",
+			Dependencies: &dalec.PackageDependencies{
+				Runtime: map[string][]string{"curl": {}},
+			},
+			Build: dalec.ArtifactBuild{
+				Steps: []dalec.BuildStep{
+					{
+						Command: fmt.Sprintf("curl --head -ksSf %s > /dev/null", externalTestHost),
+					},
+				},
+			},
+		}
+
+		testEnv.RunTest(ctx, t, func(ctx context.Context, gwc gwclient.Client) (*gwclient.Result, error) {
+			sr := newSolveRequest(withSpec(ctx, t, &spec), withBuildTarget(buildTarget))
+			sr.Evaluate = true
+
+			_, err := gwc.Solve(ctx, sr)
+			var xErr *moby_buildkit_v1_frontend.ExitError
+			if !errors.As(err, &xErr) {
+				t.Fatalf("expected exit error, got %T: %v", errors.Unwrap(err), err)
+			}
+			return gwclient.NewResult(), nil
+		})
+	})
 	t.Run("container", func(t *testing.T) {
 		spec := dalec.Spec{
 			Name:        "test-container-build",