diff --git a/testcontainers/src/clients/cli.rs b/testcontainers/src/clients/cli.rs index 5107b3e7..10f0b48f 100644 --- a/testcontainers/src/clients/cli.rs +++ b/testcontainers/src/clients/cli.rs @@ -607,6 +607,42 @@ mod tests { ); } + #[test] + fn cli_run_command_with_custom_sha256_should_attach_that() { + let image = GenericImage::new("hello", "0.0"); + let image = RunnableImage::from(image).with_sha256("a_sha_256"); + let command = Client::build_run_command(&image, Command::new("docker")); + + assert_eq!( + format!("{:?}", command), + r#""docker" "run" "-P" "-d" "hello:0.0@sha256:a_sha_256""# + ); + } + + #[test] + fn cli_run_command_with_generic_image_that_includes_sha256_it_should_attach_that() { + let image = GenericImage::new("hello", "0.0").with_sha256(Some("a_sha_256")); + let image = RunnableImage::from(image); + let command = Client::build_run_command(&image, Command::new("docker")); + + assert_eq!( + format!("{:?}", command), + r#""docker" "run" "-P" "-d" "hello:0.0@sha256:a_sha_256""# + ); + } + + #[test] + fn cli_run_command_with_sha256_should_attach_that() { + let image = GenericImage::new_with_sha256("hello", "a_sha_256"); + let image = RunnableImage::from(image); + let command = Client::build_run_command(&image, Command::new("docker")); + + assert_eq!( + format!("{:?}", command), + r#""docker" "run" "-P" "-d" "hello:latest@sha256:a_sha_256""# + ); + } + #[test] fn cli_run_command_should_include_privileged() { let image = GenericImage::new("hello", "0.0"); diff --git a/testcontainers/src/core/image.rs b/testcontainers/src/core/image.rs index b13f59d1..1d5fe290 100644 --- a/testcontainers/src/core/image.rs +++ b/testcontainers/src/core/image.rs @@ -32,9 +32,17 @@ where /// Implementations are encouraged to include a tag that will not change (i.e. NOT latest) /// in order to prevent test code from randomly breaking because the underlying docker - /// suddenly changed. + /// suddenly changed. It is advised to also attach a sha256. fn tag(&self) -> String; + /// Every docker image has a unique sha256 generated corresponding to it. It is strongly + /// encouraged to use sha256 digests over versions, as versions might be overwritten + /// by the publisher, which could cause compatability issues, but more importantly, + /// pose a security risk. + fn sha256(&self) -> Option { + None + } + /// Returns a list of conditions that need to be met before a started container is considered ready. /// /// This method is the **🍞 and butter** of the whole testcontainers library. Containers are @@ -158,6 +166,7 @@ pub struct RunnableImage { image: I, image_args: I::Args, image_tag: Option, + image_sha256: Option, container_name: Option, network: Option, env_vars: BTreeMap, @@ -210,11 +219,17 @@ impl RunnableImage { } pub fn descriptor(&self) -> String { - if let Some(tag) = &self.image_tag { - format!("{}:{}", self.image.name(), tag) - } else { - format!("{}:{}", self.image.name(), self.image.tag()) + let mut descriptor = self.image.name(); + + descriptor.push(':'); + descriptor.push_str(&self.image_tag.clone().unwrap_or_else(|| self.image.tag())); + + if let Some(sha256) = &self.image_sha256.clone().or_else(|| self.image.sha256()) { + descriptor.push_str("@sha256:"); + descriptor.push_str(sha256); } + + descriptor } pub fn ready_conditions(&self) -> Vec { @@ -240,6 +255,12 @@ impl RunnableImage { } } + pub fn with_sha256(mut self, sha256: impl Into) -> Self { + self.image_sha256 = Some(sha256.into()); + + self + } + pub fn with_container_name(self, name: impl Into) -> Self { Self { container_name: Some(name.into()), @@ -311,6 +332,7 @@ impl From<(I, I::Args)> for RunnableImage { ports: None, privileged: false, shm_size: None, + image_sha256: None, } } } diff --git a/testcontainers/src/images/generic.rs b/testcontainers/src/images/generic.rs index 9a1bf32d..c19c2e14 100644 --- a/testcontainers/src/images/generic.rs +++ b/testcontainers/src/images/generic.rs @@ -12,6 +12,7 @@ impl ImageArgs for Vec { pub struct GenericImage { name: String, tag: String, + sha256: Option, volumes: BTreeMap, env_vars: BTreeMap, wait_for: Vec, @@ -23,7 +24,8 @@ impl Default for GenericImage { fn default() -> Self { Self { name: "".to_owned(), - tag: "".to_owned(), + tag: "latest".to_owned(), + sha256: None, volumes: BTreeMap::new(), env_vars: BTreeMap::new(), wait_for: Vec::new(), @@ -42,11 +44,24 @@ impl GenericImage { } } + pub fn new_with_sha256>(name: S, sha256: S) -> GenericImage { + Self { + name: name.into(), + sha256: Some(sha256.into()), + ..Default::default() + } + } + pub fn with_volume, D: Into>(mut self, from: F, dest: D) -> Self { self.volumes.insert(from.into(), dest.into()); self } + pub fn with_sha256>(mut self, value: Option) -> Self { + self.sha256 = value.map(|it| it.into()); + self + } + pub fn with_env_var, V: Into>(mut self, key: K, value: V) -> Self { self.env_vars.insert(key.into(), value.into()); self @@ -79,6 +94,10 @@ impl Image for GenericImage { self.tag.clone() } + fn sha256(&self) -> Option { + self.sha256.clone() + } + fn ready_conditions(&self) -> Vec { self.wait_for.clone() } @@ -104,6 +123,8 @@ impl Image for GenericImage { mod tests { use super::*; + const A_SHA256: &str = "a_sha256"; + #[test] fn should_return_env_vars() { let image = GenericImage::new("hello-world", "latest") @@ -119,4 +140,25 @@ mod tests { assert_eq!(second_key, "two-key"); assert_eq!(second_value, "two-value"); } + + #[test] + fn should_return_sha256() { + let image = GenericImage::new("hello-world", "latest").with_sha256(Some(A_SHA256)); + + assert_eq!(image.sha256(), Some(A_SHA256.to_string())); + } + + #[test] + fn should_return_sha256_when_created_with_it() { + let image = GenericImage::new_with_sha256("hello-world", A_SHA256); + + assert_eq!(image.sha256(), Some(A_SHA256.to_string())); + } + + #[test] + fn should_return_none_for_sha256_when_created_with_tag() { + let image = GenericImage::new("hello-world", "latest"); + + assert_eq!(image.sha256(), None); + } }