Add unit tests for PID NamespaceMode_TARGET validation

tghartland · tghartland · commit efcb187429b7 · 2021-04-21T19:59:10.000+02:00
Signed-off-by: Thomas Hartland &lt;thomas.george.hartland@cern.ch&gt;
diff --git a/pkg/cri/server/helpers_test.go b/pkg/cri/server/helpers_test.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"io/ioutil"
 	"testing"
+	"time"
 
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/plugin"
@@ -34,6 +35,7 @@ import (
 
 	criconfig "github.com/containerd/containerd/pkg/cri/config"
 	"github.com/containerd/containerd/pkg/cri/store"
+	containerstore "github.com/containerd/containerd/pkg/cri/store/container"
 	imagestore "github.com/containerd/containerd/pkg/cri/store/image"
 )
 
@@ -501,3 +503,94 @@ func TestEnsureRemoveAllWithFile(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+// Helper function for setting up an environment to test PID namespace targeting.
+func addContainer(c *criService, containerID, sandboxID string, PID uint32, createdAt, startedAt, finishedAt int64) error {
+	meta := containerstore.Metadata{
+		ID:        containerID,
+		SandboxID: sandboxID,
+	}
+	status := containerstore.Status{
+		Pid:        PID,
+		CreatedAt:  createdAt,
+		StartedAt:  startedAt,
+		FinishedAt: finishedAt,
+	}
+	container, err := containerstore.NewContainer(meta,
+		containerstore.WithFakeStatus(status),
+	)
+	if err != nil {
+		return err
+	}
+	return c.containerStore.Add(container)
+}
+
+func TestValidateTargetContainer(t *testing.T) {
+	testSandboxID := "test-sandbox-uid"
+
+	// The existing container that will be targeted.
+	testTargetContainerID := "test-target-container"
+	testTargetContainerPID := uint32(4567)
+
+	// A container that has finished running and cannot be targeted.
+	testStoppedContainerID := "stopped-target-container"
+	testStoppedContainerPID := uint32(6789)
+
+	// A container from another pod.
+	testOtherContainerSandboxID := "other-sandbox-uid"
+	testOtherContainerID := "other-target-container"
+	testOtherContainerPID := uint32(7890)
+
+	// Container create/start/stop times.
+	createdAt := time.Now().Add(-15 * time.Second).UnixNano()
+	startedAt := time.Now().Add(-10 * time.Second).UnixNano()
+	finishedAt := time.Now().Add(-5 * time.Second).UnixNano()
+
+	c := newTestCRIService()
+
+	// Create a target container.
+	err := addContainer(c, testTargetContainerID, testSandboxID, testTargetContainerPID, createdAt, startedAt, 0)
+	require.NoError(t, err, "error creating test target container")
+
+	// Create a stopped container.
+	err = addContainer(c, testStoppedContainerID, testSandboxID, testStoppedContainerPID, createdAt, startedAt, finishedAt)
+	require.NoError(t, err, "error creating test stopped container")
+
+	// Create a container in another pod.
+	err = addContainer(c, testOtherContainerID, testOtherContainerSandboxID, testOtherContainerPID, createdAt, startedAt, 0)
+	require.NoError(t, err, "error creating test container in other pod")
+
+	for desc, test := range map[string]struct {
+		targetContainerID string
+		expectError       bool
+	}{
+		"target container in pod": {
+			targetContainerID: testTargetContainerID,
+			expectError:       false,
+		},
+		"target stopped container in pod": {
+			targetContainerID: testStoppedContainerID,
+			expectError:       true,
+		},
+		"target container does not exist": {
+			targetContainerID: "no-container-with-this-id",
+			expectError:       true,
+		},
+		"target container in other pod": {
+			targetContainerID: testOtherContainerID,
+			expectError:       true,
+		},
+	} {
+		t.Run(desc, func(t *testing.T) {
+			targetContainer, err := c.validateTargetContainer(testSandboxID, test.targetContainerID)
+			if test.expectError {
+				require.Error(t, err, "target should have been invalid but no error")
+				return
+			}
+			require.NoErrorf(t, err, "target should have been valid but got error")
+
+			assert.Equal(t, test.targetContainerID, targetContainer.ID, "returned target container does not have expected ID")
+		})
+	}
+
+}
