From bdc5eee544b25ca75f8347011927b3eba05b45fc Mon Sep 17 00:00:00 2001
From: Jose Carlos Venegas Munoz
Date: Tue, 20 Mar 2018 13:36:24 -0600
Subject: [PATCH] test: Add unit tests for privileged runtime functions

- Add unit test for privilegedSandbox
- Add unit test for getRuntime

Signed-off-by: Jose Carlos Venegas Munoz
---
 pkg/server/helpers_test.go | 65 ++++++++++++++++++++++++++++++++--
 pkg/server/sandbox_run_test.go | 55 ++++++++++++++++++++++++++++
 2 files changed, 118 insertions(+), 2 deletions(-)

diff --git a/pkg/server/helpers_test.go b/pkg/server/helpers_test.go
index af3841b00..0abcd9c75 100644
--- a/pkg/server/helpers_test.go
+++ b/pkg/server/helpers_test.go
@@ -19,10 +19,10 @@ package server
 import (
 	"testing"
 
+	criconfig "github.com/containerd/cri/pkg/config"
+	"github.com/containerd/cri/pkg/util"
 	imagedigest "github.com/opencontainers/go-digest"
 	"github.com/stretchr/testify/assert"
-
-	"github.com/containerd/cri/pkg/util"
 )
 
 // TestGetUserFromImage tests the logic of getting image uid or user name of image user.
@@ -142,3 +142,64 @@ func TestBuildLabels(t *testing.T) {
 	assert.Empty(t, configLabels[containerKindLabel], "should not add new labels into original label")
 	assert.Equal(t, "b", configLabels["a"], "change in new labels should not affect original label")
 }
+
+func Test_criService_getRuntime(t *testing.T) {
+
+	const (
+		privilegedWorkload = true
+		nonPrivilegedWorkload = false
+	)
+
+	nonPrivilegedRuntime := criconfig.Runtime{
+		Type: "io.containerd.runtime.v1.linux",
+		Engine: "kata-runtime",
+		Root: "",
+	}
+
+	privilegedRuntime := criconfig.Runtime{
+		Type: "io.containerd.runtime.v1.linux",
+		Engine: "runc",
+		Root: "",
+	}
+
+	// Crate a configuration that does not specify a privileged runtime
+	// Both privileged and non-privileged workloads are created with the
+	// defaultRuntime (nonPrivilegedRuntime).
+	nonPrivilegedConfig := criService{
+		config: criconfig.Config{
+			PluginConfig: criconfig.DefaultConfig(),
+		},
+	}
+	nonPrivilegedConfig.config.ContainerdConfig.DefaultRuntime = nonPrivilegedRuntime
+
+	// Crate a configuration that specifies a privileged runtime
+	// The privileged workloads are created with the privilegedRuntime
+	// The non-privileged workloads be created with the
+	// defaultRuntime(nonPrivilegedRuntime)
+	privilegedConfig := criService{
+		config: criconfig.Config{
+			PluginConfig: criconfig.DefaultConfig(),
+		},
+	}
+	privilegedConfig.config.ContainerdConfig.DefaultRuntime = nonPrivilegedRuntime
+	privilegedConfig.config.ContainerdConfig.PrivilegedRuntime = privilegedRuntime
+
+	tests := []struct {
+		name string
+		cri criService
+		privileged bool
+		wantRuntime criconfig.Runtime
+	}{
+		{"nonPrivilegedConfig/PrivilegedWorkload", nonPrivilegedConfig, privilegedWorkload, nonPrivilegedRuntime},
+		{"nonPrivilegedConfig/PrivilegedWorkload", nonPrivilegedConfig, nonPrivilegedWorkload, nonPrivilegedRuntime},
+		{"PrivilegedConfig/nonPrivilegedWorkload", privilegedConfig, privilegedWorkload, privilegedRuntime},
+		{"PrivilegedConfig/nonPrivilegedWorkload", privilegedConfig, nonPrivilegedWorkload, nonPrivilegedRuntime},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotRuntime := tt.cri.getRuntime(tt.privileged)
+			assert.Equal(t, tt.wantRuntime, gotRuntime)
+		})
+	}
+}
diff --git a/pkg/server/sandbox_run_test.go b/pkg/server/sandbox_run_test.go
index 18aea395e..c578d11c0 100644
--- a/pkg/server/sandbox_run_test.go
+++ b/pkg/server/sandbox_run_test.go
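Review bot: The subtest names in the `tests` table do not match their rows: the second row reuses `nonPrivilegedConfig/PrivilegedWorkload` although it passes `nonPrivilegedWorkload`, and the third row is labelled `PrivilegedConfig/nonPrivilegedWorkload` although it passes `privilegedWorkload`. Because the names are duplicated, `t.Run` reports the second occurrence with a `#01` suffix, so a failure in the privileged-config/privileged-workload case — the one that proves privileged pods are routed to `PrivilegedRuntime` rather than the default — would show up under a misleading name. Rename the two rows to `{"nonPrivilegedConfig/nonPrivilegedWorkload", nonPrivilegedConfig, nonPrivilegedWorkload, nonPrivilegedRuntime},` and `{"PrivilegedConfig/PrivilegedWorkload", privilegedConfig, privilegedWorkload, privilegedRuntime},`. The two fixture comments also misspell `Crate` (should be `Create`), and `The non-privileged workloads be created with the` should read `The non-privileged workloads are created with the`.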
@@ -435,3 +435,58 @@ func TestTypeurlMarshalUnmarshalSandboxMeta(t *testing.T) {
 
 // TODO(random-liu): [P1] Add unit test for different error cases to make sure
 // the function cleans up on error properly.
+
+func TestPrivilegedSandbox(t *testing.T) {
+	privilegedContext := runtime.RunPodSandboxRequest{
+		Config: &runtime.PodSandboxConfig{
+			Linux: &runtime.LinuxPodSandboxConfig{
+				SecurityContext: &runtime.LinuxSandboxSecurityContext{
+					Privileged: true,
+				},
+			},
+		},
+	}
+	nonPrivilegedContext := runtime.RunPodSandboxRequest{
+		Config: &runtime.PodSandboxConfig{
+			Linux: &runtime.LinuxPodSandboxConfig{
+				SecurityContext: &runtime.LinuxSandboxSecurityContext{
+					Privileged: false,
+				},
+			},
+		},
+	}
+	hostNamespace := runtime.RunPodSandboxRequest{
+		Config: &runtime.PodSandboxConfig{
+			Linux: &runtime.LinuxPodSandboxConfig{
+				SecurityContext: &runtime.LinuxSandboxSecurityContext{
+					Privileged: false,
+					NamespaceOptions: &runtime.NamespaceOption{
+						Network: runtime.NamespaceMode_NODE,
+						Pid: runtime.NamespaceMode_NODE,
+						Ipc: runtime.NamespaceMode_NODE,
+					},
+				},
+			},
+		},
+	}
+	type args struct {
+		req *runtime.RunPodSandboxRequest
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{"Security Context is nil", args{&runtime.RunPodSandboxRequest{}}, false},
+		{"Security Context is privileged", args{&privilegedContext}, true},
+		{"Security Context is not privileged", args{&nonPrivilegedContext}, false},
+		{"Security Context namespace host access", args{&hostNamespace}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := privilegedSandbox(tt.args.req); got != tt.want {
+				t.Errorf("privilegedSandbox() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
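Review bot: The `hostNamespace` fixture sets Network, Pid and Ipc to `NamespaceMode_NODE` all at once, so the table never checks that a single host namespace on its own is classified as privileged; a regression that dropped one of the three checks in `privilegedSandbox` (whose body is outside this patch) would still pass. If the intent is that any one host namespace is enough to make the sandbox privileged, add one row per namespace, built from a small helper so the three nested literals are not repeated, as sketched below. The `args` wrapper struct around a single `req` field adds nothing over storing `*runtime.RunPodSandboxRequest` directly in the row, and the explicit `Privileged: false` in the two non-privileged fixtures is the zero value and can be dropped. The hunk's first three lines are trailing context after TestTypeurlMarshalUnmarshalSandboxMeta, which ends outside the hunk.

```go
	// … unchanged: privilegedContext, nonPrivilegedContext, hostNamespace fixtures …
	// withNamespace builds a non-privileged request whose only host access is opt.
	withNamespace := func(opt *runtime.NamespaceOption) *runtime.RunPodSandboxRequest {
		return &runtime.RunPodSandboxRequest{
			Config: &runtime.PodSandboxConfig{
				Linux: &runtime.LinuxPodSandboxConfig{
					SecurityContext: &runtime.LinuxSandboxSecurityContext{
						NamespaceOptions: opt,
					},
				},
			},
		}
	}
	// … unchanged: args type, table header and the first four rows …
		{"Security Context host network namespace only", args{withNamespace(&runtime.NamespaceOption{Network: runtime.NamespaceMode_NODE})}, true},
		{"Security Context host pid namespace only", args{withNamespace(&runtime.NamespaceOption{Pid: runtime.NamespaceMode_NODE})}, true},
		{"Security Context host ipc namespace only", args{withNamespace(&runtime.NamespaceOption{Ipc: runtime.NamespaceMode_NODE})}, true},
	// … unchanged: t.Run loop …
```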