fix: update tests to use strict() policy for image whitelist tests

echobt · echobt · commit fb63e63871da · 2026-01-04T22:04:09.000Z
- test_validate_image_blocked now uses strict() policy
- test_default_policy_blocks_malicious_images renamed and uses strict()
- Added test_default_allows_all_images and test_default_policy_allows_all_images
- test_full_config_validation no longer tests malicious image (moved to separate test)
- test_policy_enforcement uses strict() policy
- Added test_default_policy_allows_images for broker
diff --git a/crates/secure-container-runtime/src/broker.rs b/crates/secure-container-runtime/src/broker.rs
@@ -929,8 +929,8 @@ mod tests {
 
     #[tokio::test]
     async fn test_policy_enforcement() {
-        // Test that policy validation works without Docker
-        let policy = SecurityPolicy::default();
+        // Test that strict policy blocks non-whitelisted images
+        let policy = SecurityPolicy::strict();
 
         let config = ContainerConfig {
             image: "malicious/image:latest".to_string(),
@@ -941,4 +941,19 @@ mod tests {
 
         assert!(policy.validate(&config).is_err());
     }
+
+    #[tokio::test]
+    async fn test_default_policy_allows_images() {
+        // Default policy allows all images
+        let policy = SecurityPolicy::default();
+
+        let config = ContainerConfig {
+            image: "any/image:latest".to_string(),
+            challenge_id: "test".to_string(),
+            owner_id: "test".to_string(),
+            ..Default::default()
+        };
+
+        assert!(policy.validate(&config).is_ok());
+    }
 }
diff --git a/crates/secure-container-runtime/src/policy.rs b/crates/secure-container-runtime/src/policy.rs
@@ -76,10 +76,11 @@ impl Default for SecurityPolicy {
 impl SecurityPolicy {
     /// Create a strict policy for production with image whitelist
     pub fn strict() -> Self {
-        let mut policy = Self::default();
-        // Only allow platform images in strict mode
-        policy.allowed_image_prefixes = vec!["ghcr.io/platformnetwork/".to_string()];
-        policy
+        Self {
+            // Only allow platform images in strict mode
+            allowed_image_prefixes: vec!["ghcr.io/platformnetwork/".to_string()],
+            ..Default::default()
+        }
     }
 
     /// Create a more permissive policy for development
@@ -301,13 +302,25 @@ mod tests {
 
     #[test]
     fn test_validate_image_blocked() {
-        let policy = SecurityPolicy::default();
+        // Use strict() policy which has whitelist enabled
+        let policy = SecurityPolicy::strict();
         assert!(policy
             .validate_image("docker.io/malicious/image:latest")
             .is_err());
         assert!(policy.validate_image("alpine:latest").is_err());
     }
 
+    #[test]
+    fn test_default_allows_all_images() {
+        // Default policy has no whitelist, allows all images
+        let policy = SecurityPolicy::default();
+        assert!(policy.validate_image("docker.io/any/image:latest").is_ok());
+        assert!(policy.validate_image("alpine:latest").is_ok());
+        assert!(policy
+            .validate_image("alexgshaw/code-from-image:20251031")
+            .is_ok());
+    }
+
     #[test]
     fn test_validate_docker_socket_blocked() {
         let policy = SecurityPolicy::default();
diff --git a/crates/secure-container-runtime/tests/integration_tests.rs b/crates/secure-container-runtime/tests/integration_tests.rs
@@ -42,10 +42,11 @@ fn test_default_policy_blocks_docker_socket() {
 }
 
 #[test]
-fn test_default_policy_blocks_malicious_images() {
-    let policy = SecurityPolicy::default();
+fn test_strict_policy_blocks_non_whitelisted_images() {
+    // Use strict() which has whitelist enabled
+    let policy = SecurityPolicy::strict();
 
-    // Blocked images
+    // Blocked images (not in whitelist)
     let blocked = vec![
         "alpine:latest",
         "ubuntu:22.04",
@@ -59,7 +60,7 @@ fn test_default_policy_blocks_malicious_images() {
         assert!(result.is_err(), "Image should be blocked: {}", image);
     }
 
-    // Allowed images
+    // Allowed images (in whitelist)
     let allowed = vec![
         "ghcr.io/platformnetwork/term-challenge:latest",
         "ghcr.io/platformnetwork/validator:v1.0.0",
@@ -72,6 +73,24 @@ fn test_default_policy_blocks_malicious_images() {
     }
 }
 
+#[test]
+fn test_default_policy_allows_all_images() {
+    // Default policy has empty whitelist = allow all
+    let policy = SecurityPolicy::default();
+
+    let images = vec![
+        "alpine:latest",
+        "ubuntu:22.04",
+        "alexgshaw/code-from-image:20251031",
+        "ghcr.io/platformnetwork/term-challenge:latest",
+    ];
+
+    for image in images {
+        let result = policy.validate_image(image);
+        assert!(result.is_ok(), "Image should be allowed: {}", image);
+    }
+}
+
 #[test]
 fn test_policy_enforces_resource_limits() {
     let policy = SecurityPolicy::default();
@@ -157,7 +176,7 @@ fn test_policy_container_limits() {
 fn test_full_config_validation() {
     let policy = SecurityPolicy::default();
 
-    // Valid config
+    // Valid config (default allows all images)
     let valid = ContainerConfig {
         image: TEST_IMAGE.to_string(),
         challenge_id: "test-challenge".to_string(),
@@ -183,8 +202,13 @@ fn test_full_config_validation() {
         ..Default::default()
     };
     assert!(policy.validate(&missing_owner).is_err());
+}
+
+#[test]
+fn test_strict_policy_blocks_malicious_image() {
+    // Use strict() policy to test image whitelist
+    let policy = SecurityPolicy::strict();
 
-    // Malicious image
     let malicious = ContainerConfig {
         image: MALICIOUS_IMAGE.to_string(),
         challenge_id: "test-challenge".to_string(),
