| 6db32fde |
package main
import ( |
| 576985a1 |
"archive/tar" |
| 6db32fde |
"fmt" |
| d477d42d |
"io/ioutil" |
| 1b5c2e1d |
"net/http"
"net/http/httptest" |
| d477d42d |
"os" |
| 6db32fde |
"os/exec" |
| 1db0c7bb |
"path/filepath" |
| dbec2317 |
"strings"
"time" |
| d477d42d |
|
| 06e9a056 |
"github.com/docker/distribution/digest" |
| 1db0c7bb |
"github.com/docker/docker/cliconfig" |
| 710817a7 |
"github.com/docker/docker/pkg/integration/checker" |
| dc944ea7 |
"github.com/go-check/check" |
| 6db32fde |
)
|
| f244ed25 |
// Pushing an image to a private registry. |
| 1fa2e311 |
func testPushBusyboxImage(c *check.C) { |
| dbec2317 |
repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) |
| a2b0c977 |
// tag the image to upload it to the private registry |
| 5c295460 |
dockerCmd(c, "tag", "busybox", repoName)
// push the image to the registry
dockerCmd(c, "push", repoName) |
| 6db32fde |
}
|
| 1fa2e311 |
func (s *DockerRegistrySuite) TestPushBusyboxImage(c *check.C) {
testPushBusyboxImage(c)
}
func (s *DockerSchema1RegistrySuite) TestPushBusyboxImage(c *check.C) {
testPushBusyboxImage(c)
}
|
| 6db32fde |
// pushing an image without a prefix should throw an error |
| dc944ea7 |
func (s *DockerSuite) TestPushUnprefixedRepo(c *check.C) { |
| 710817a7 |
out, _, err := dockerCmdWithError("push", "busybox")
c.Assert(err, check.NotNil, check.Commentf("pushing an unprefixed repo didn't result in a non-zero exit status: %s", out)) |
| dbec2317 |
}
|
| 1fa2e311 |
func testPushUntagged(c *check.C) { |
| dbec2317 |
repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) |
| d172f125 |
expected := "Repository does not exist" |
| 710817a7 |
out, _, err := dockerCmdWithError("push", repoName)
c.Assert(err, check.NotNil, check.Commentf("pushing the image to the private registry should have failed: output %q", out))
c.Assert(out, checker.Contains, expected, check.Commentf("pushing the image failed")) |
| dbec2317 |
}
|
| 1fa2e311 |
func (s *DockerRegistrySuite) TestPushUntagged(c *check.C) {
testPushUntagged(c)
}
func (s *DockerSchema1RegistrySuite) TestPushUntagged(c *check.C) {
testPushUntagged(c)
}
func testPushBadTag(c *check.C) { |
| 403d981d |
repoName := fmt.Sprintf("%v/dockercli/busybox:latest", privateRegistryURL)
expected := "does not exist" |
| 5c295460 |
|
| 710817a7 |
out, _, err := dockerCmdWithError("push", repoName)
c.Assert(err, check.NotNil, check.Commentf("pushing the image to the private registry should have failed: output %q", out))
c.Assert(out, checker.Contains, expected, check.Commentf("pushing the image failed")) |
| 403d981d |
}
|
| 1fa2e311 |
func (s *DockerRegistrySuite) TestPushBadTag(c *check.C) {
testPushBadTag(c)
}
func (s *DockerSchema1RegistrySuite) TestPushBadTag(c *check.C) {
testPushBadTag(c)
}
func testPushMultipleTags(c *check.C) { |
| 403d981d |
repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
repoTag1 := fmt.Sprintf("%v/dockercli/busybox:t1", privateRegistryURL)
repoTag2 := fmt.Sprintf("%v/dockercli/busybox:t2", privateRegistryURL) |
| 62f91b1d |
// tag the image and upload it to the private registry |
| 5c295460 |
dockerCmd(c, "tag", "busybox", repoTag1) |
| 403d981d |
|
| 5c295460 |
dockerCmd(c, "tag", "busybox", repoTag2)
|
| 4f3b0d0f |
dockerCmd(c, "push", repoName) |
| 697cdb8e |
// Ensure layer list is equivalent for repoTag1 and repoTag2
out1, _ := dockerCmd(c, "pull", repoTag1) |
| 710817a7 |
|
| 697cdb8e |
imageAlreadyExists := ": Image already exists"
var out1Lines []string
for _, outputLine := range strings.Split(out1, "\n") {
if strings.Contains(outputLine, imageAlreadyExists) {
out1Lines = append(out1Lines, outputLine)
}
}
out2, _ := dockerCmd(c, "pull", repoTag2) |
| 710817a7 |
|
| 697cdb8e |
var out2Lines []string
for _, outputLine := range strings.Split(out2, "\n") {
if strings.Contains(outputLine, imageAlreadyExists) {
out1Lines = append(out1Lines, outputLine)
}
} |
| 710817a7 |
c.Assert(out2Lines, checker.HasLen, len(out1Lines)) |
| 697cdb8e |
for i := range out1Lines { |
| 710817a7 |
c.Assert(out1Lines[i], checker.Equals, out2Lines[i]) |
| 697cdb8e |
} |
| 403d981d |
}
|
| 1fa2e311 |
func (s *DockerRegistrySuite) TestPushMultipleTags(c *check.C) {
testPushMultipleTags(c)
}
func (s *DockerSchema1RegistrySuite) TestPushMultipleTags(c *check.C) {
testPushMultipleTags(c)
}
func testPushEmptyLayer(c *check.C) { |
| d477d42d |
repoName := fmt.Sprintf("%v/dockercli/emptylayer", privateRegistryURL)
emptyTarball, err := ioutil.TempFile("", "empty_tarball") |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("Unable to create test file"))
|
| d477d42d |
tw := tar.NewWriter(emptyTarball)
err = tw.Close() |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("Error creating empty tarball"))
|
| d477d42d |
freader, err := os.Open(emptyTarball.Name()) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("Could not open test tarball")) |
| d477d42d |
importCmd := exec.Command(dockerBinary, "import", "-", repoName)
importCmd.Stdin = freader
out, _, err := runCommandWithOutput(importCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("import failed: %q", out)) |
| d477d42d |
// Now verify we can push it |
| 710817a7 |
out, _, err = dockerCmdWithError("push", repoName)
c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out)) |
| d477d42d |
} |
| 58a1de9b |
|
| 1fa2e311 |
func (s *DockerRegistrySuite) TestPushEmptyLayer(c *check.C) {
testPushEmptyLayer(c)
}
func (s *DockerSchema1RegistrySuite) TestPushEmptyLayer(c *check.C) {
testPushEmptyLayer(c)
}
|
| 5c99eebe |
// testConcurrentPush pushes multiple tags to the same repo
// concurrently.
func testConcurrentPush(c *check.C) {
repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
repos := []string{}
for _, tag := range []string{"push1", "push2", "push3"} {
repo := fmt.Sprintf("%v:%v", repoName, tag)
_, err := buildImage(repo, fmt.Sprintf(`
FROM busybox
ENTRYPOINT ["/bin/echo"]
ENV FOO foo
ENV BAR bar
CMD echo %s
`, repo), true)
c.Assert(err, checker.IsNil)
repos = append(repos, repo)
}
// Push tags, in parallel
results := make(chan error)
for _, repo := range repos {
go func(repo string) {
_, _, err := runCommandWithOutput(exec.Command(dockerBinary, "push", repo))
results <- err
}(repo)
}
for range repos {
err := <-results
c.Assert(err, checker.IsNil, check.Commentf("concurrent push failed with error: %v", err))
}
// Clear local images store.
args := append([]string{"rmi"}, repos...)
dockerCmd(c, args...)
// Re-pull and run individual tags, to make sure pushes succeeded
for _, repo := range repos {
dockerCmd(c, "pull", repo)
dockerCmd(c, "inspect", repo)
out, _ := dockerCmd(c, "run", "--rm", repo)
c.Assert(strings.TrimSpace(out), checker.Equals, "/bin/sh -c echo "+repo)
}
}
func (s *DockerRegistrySuite) TestConcurrentPush(c *check.C) {
testConcurrentPush(c)
}
func (s *DockerSchema1RegistrySuite) TestConcurrentPush(c *check.C) {
testConcurrentPush(c)
}
|
| 7289c721 |
func (s *DockerRegistrySuite) TestCrossRepositoryLayerPush(c *check.C) {
sourceRepoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
// tag the image to upload it to the private registry
dockerCmd(c, "tag", "busybox", sourceRepoName)
// push the image to the registry
out1, _, err := dockerCmdWithError("push", sourceRepoName)
c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out1))
// ensure that none of the layers were mounted from another repository during push
c.Assert(strings.Contains(out1, "Mounted from"), check.Equals, false)
|
| 06e9a056 |
digest1 := digest.DigestRegexp.FindString(out1)
c.Assert(len(digest1), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest"))
|
| 7289c721 |
destRepoName := fmt.Sprintf("%v/dockercli/crossrepopush", privateRegistryURL)
// retag the image to upload the same layers to another repo in the same registry
dockerCmd(c, "tag", "busybox", destRepoName)
// push the image to the registry
out2, _, err := dockerCmdWithError("push", destRepoName)
c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2))
// ensure that layers were mounted from the first repo during push
c.Assert(strings.Contains(out2, "Mounted from dockercli/busybox"), check.Equals, true)
|
| 06e9a056 |
digest2 := digest.DigestRegexp.FindString(out2)
c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest"))
c.Assert(digest1, check.Equals, digest2)
|
| 63099477 |
// ensure that we can pull and run the cross-repo-pushed repository |
| 7289c721 |
dockerCmd(c, "rmi", destRepoName)
dockerCmd(c, "pull", destRepoName) |
| 63099477 |
out3, _ := dockerCmd(c, "run", destRepoName, "echo", "-n", "hello world")
c.Assert(out3, check.Equals, "hello world") |
| 7289c721 |
}
func (s *DockerSchema1RegistrySuite) TestCrossRepositoryLayerPushNotSupported(c *check.C) {
sourceRepoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
// tag the image to upload it to the private registry
dockerCmd(c, "tag", "busybox", sourceRepoName)
// push the image to the registry
out1, _, err := dockerCmdWithError("push", sourceRepoName)
c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out1))
// ensure that none of the layers were mounted from another repository during push
c.Assert(strings.Contains(out1, "Mounted from"), check.Equals, false)
|
| 06e9a056 |
digest1 := digest.DigestRegexp.FindString(out1)
c.Assert(len(digest1), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest"))
|
| 7289c721 |
destRepoName := fmt.Sprintf("%v/dockercli/crossrepopush", privateRegistryURL)
// retag the image to upload the same layers to another repo in the same registry
dockerCmd(c, "tag", "busybox", destRepoName)
// push the image to the registry
out2, _, err := dockerCmdWithError("push", destRepoName)
c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2))
// schema1 registry should not support cross-repo layer mounts, so ensure that this does not happen |
| 1d3480f9 |
c.Assert(strings.Contains(out2, "Mounted from"), check.Equals, false) |
| 7289c721 |
|
| 06e9a056 |
digest2 := digest.DigestRegexp.FindString(out2)
c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest"))
c.Assert(digest1, check.Equals, digest2)
|
| 63099477 |
// ensure that we can pull and run the second pushed repository |
| 7289c721 |
dockerCmd(c, "rmi", destRepoName)
dockerCmd(c, "pull", destRepoName) |
| 63099477 |
out3, _ := dockerCmd(c, "run", destRepoName, "echo", "-n", "hello world")
c.Assert(out3, check.Equals, "hello world") |
| 7289c721 |
}
|
| 58a1de9b |
func (s *DockerTrustSuite) TestTrustedPush(c *check.C) { |
| 0617521b |
repoName := fmt.Sprintf("%v/dockerclitrusted/pushtest:latest", privateRegistryURL) |
| 58a1de9b |
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
pushCmd := exec.Command(dockerBinary, "push", repoName)
s.trustedCmd(pushCmd)
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("Error running trusted push: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push")) |
| 1c125f50 |
// Try pull after push
pullCmd := exec.Command(dockerBinary, "pull", repoName)
s.trustedCmd(pullCmd)
out, _, err = runCommandWithOutput(pullCmd)
c.Assert(err, check.IsNil, check.Commentf(out))
c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf(out)) |
| f75622e5 |
// Assert that we rotated the snapshot key to the server by checking our local keystore
contents, err := ioutil.ReadDir(filepath.Join(cliconfig.ConfigDir(), "trust/private/tuf_keys", privateRegistryURL, "dockerclitrusted/pushtest"))
c.Assert(err, check.IsNil, check.Commentf("Unable to read local tuf key files"))
// Check that we only have 1 key (targets key)
c.Assert(contents, checker.HasLen, 1) |
| 58a1de9b |
} |
| 356b07c8 |
|
| 63f8db83 |
func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) { |
| 1c125f50 |
repoName := fmt.Sprintf("%v/dockerclienv/trusted:latest", privateRegistryURL) |
| 63f8db83 |
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
pushCmd := exec.Command(dockerBinary, "push", repoName)
s.trustedCmdWithPassphrases(pushCmd, "12345678", "12345678")
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("Error running trusted push: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push")) |
| 1c125f50 |
// Try pull after push
pullCmd := exec.Command(dockerBinary, "pull", repoName)
s.trustedCmd(pullCmd)
out, _, err = runCommandWithOutput(pullCmd)
c.Assert(err, check.IsNil, check.Commentf(out))
c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf(out)) |
| 63f8db83 |
}
// This test ensures backwards compatibility with old ENV variables. Should be
// deprecated by 1.10
func (s *DockerTrustSuite) TestTrustedPushWithDeprecatedEnvPasswords(c *check.C) {
repoName := fmt.Sprintf("%v/dockercli/trusteddeprecated:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
pushCmd := exec.Command(dockerBinary, "push", repoName)
s.trustedCmdWithDeprecatedEnvPassphrases(pushCmd, "12345678", "12345678")
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("Error running trusted push: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push")) |
| 63f8db83 |
}
|
| 09c4643c |
func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) { |
| 0617521b |
repoName := fmt.Sprintf("%v/dockerclitrusted/failingserver:latest", privateRegistryURL) |
| 356b07c8 |
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
pushCmd := exec.Command(dockerBinary, "push", repoName) |
| a2f9fb77 |
s.trustedCmdWithServer(pushCmd, "https://example.com:81/") |
| 356b07c8 |
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.NotNil, check.Commentf("Missing error while running trusted push w/ no server"))
c.Assert(out, checker.Contains, "error contacting notary server", check.Commentf("Missing expected output on trusted push")) |
| 356b07c8 |
}
func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) { |
| 0617521b |
repoName := fmt.Sprintf("%v/dockerclitrusted/trustedandnot:latest", privateRegistryURL) |
| 356b07c8 |
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
|
| 259cadb0 |
pushCmd := exec.Command(dockerBinary, "push", "--disable-content-trust", repoName) |
| a2f9fb77 |
s.trustedCmdWithServer(pushCmd, "https://example.com/") |
| 356b07c8 |
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("trusted push with no server and --disable-content-trust failed: %s\n%s", err, out))
c.Assert(out, check.Not(checker.Contains), "Error establishing connection to notary repository", check.Commentf("Missing expected output on trusted push with --disable-content-trust:")) |
| 356b07c8 |
}
func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) { |
| 1c125f50 |
repoName := fmt.Sprintf("%v/dockerclitag/trusted:latest", privateRegistryURL) |
| 356b07c8 |
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
dockerCmd(c, "push", repoName)
pushCmd := exec.Command(dockerBinary, "push", repoName)
s.trustedCmd(pushCmd)
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag")) |
| 1c125f50 |
// Try pull after push
pullCmd := exec.Command(dockerBinary, "pull", repoName)
s.trustedCmd(pullCmd)
out, _, err = runCommandWithOutput(pullCmd)
c.Assert(err, check.IsNil, check.Commentf(out))
c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf(out)) |
| 356b07c8 |
}
|
| eeb6d0a7 |
func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclipushpush/trusted:latest", privateRegistryURL) |
| 356b07c8 |
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
|
| eeb6d0a7 |
// Do a trusted push |
| 356b07c8 |
pushCmd := exec.Command(dockerBinary, "push", repoName) |
| eeb6d0a7 |
s.trustedCmd(pushCmd) |
| 356b07c8 |
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag")) |
| 356b07c8 |
|
| eeb6d0a7 |
// Do another trusted push
pushCmd = exec.Command(dockerBinary, "push", repoName) |
| 356b07c8 |
s.trustedCmd(pushCmd) |
| eeb6d0a7 |
out, _, err = runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag")) |
| eeb6d0a7 |
dockerCmd(c, "rmi", repoName)
// Try pull to ensure the double push did not break our ability to pull
pullCmd := exec.Command(dockerBinary, "pull", repoName)
s.trustedCmd(pullCmd)
out, _, err = runCommandWithOutput(pullCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("Error running trusted pull: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Status: Downloaded", check.Commentf("Missing expected output on trusted pull with --disable-content-trust")) |
| eeb6d0a7 |
|
| 356b07c8 |
}
|
| eeb6d0a7 |
func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *check.C) {
repoName := fmt.Sprintf("%v/dockercliincorretpwd/trusted:latest", privateRegistryURL) |
| 356b07c8 |
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
|
| eeb6d0a7 |
// Push with default passphrases |
| 356b07c8 |
pushCmd := exec.Command(dockerBinary, "push", repoName) |
| eeb6d0a7 |
s.trustedCmd(pushCmd) |
| 356b07c8 |
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push:\n%s", out)) |
| eeb6d0a7 |
// Push with wrong passphrases
pushCmd = exec.Command(dockerBinary, "push", repoName) |
| 6ce76cd9 |
s.trustedCmdWithPassphrases(pushCmd, "12345678", "87654321") |
| eeb6d0a7 |
out, _, err = runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.NotNil, check.Commentf("Error missing from trusted push with short targets passphrase: \n%s", out)) |
| 52021ac2 |
c.Assert(out, checker.Contains, "could not find necessary signing keys", check.Commentf("Missing expected output on trusted push with short targets/snapsnot passphrase")) |
| 356b07c8 |
} |
| 3e90b12d |
|
| 63f8db83 |
// This test ensures backwards compatibility with old ENV variables. Should be
// deprecated by 1.10
func (s *DockerTrustSuite) TestTrustedPushWithIncorrectDeprecatedPassphraseForNonRoot(c *check.C) {
repoName := fmt.Sprintf("%v/dockercliincorretdeprecatedpwd/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
// Push with default passphrases
pushCmd := exec.Command(dockerBinary, "push", repoName)
s.trustedCmd(pushCmd)
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push")) |
| 63f8db83 |
// Push with wrong passphrases
pushCmd = exec.Command(dockerBinary, "push", repoName)
s.trustedCmdWithDeprecatedEnvPassphrases(pushCmd, "12345678", "87654321")
out, _, err = runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.NotNil, check.Commentf("Error missing from trusted push with short targets passphrase: \n%s", out)) |
| 52021ac2 |
c.Assert(out, checker.Contains, "could not find necessary signing keys", check.Commentf("Missing expected output on trusted push with short targets/snapsnot passphrase")) |
| 63f8db83 |
}
|
| 3e90b12d |
func (s *DockerTrustSuite) TestTrustedPushWithExpiredSnapshot(c *check.C) { |
| bf3c1e6a |
c.Skip("Currently changes system time, causing instability") |
| 3e90b12d |
repoName := fmt.Sprintf("%v/dockercliexpiredsnapshot/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
// Push with default passphrases
pushCmd := exec.Command(dockerBinary, "push", repoName)
s.trustedCmd(pushCmd)
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push")) |
| 3e90b12d |
// Snapshots last for three years. This should be expired
fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4)
runAtDifferentDate(fourYearsLater, func() {
// Push with wrong passphrases
pushCmd = exec.Command(dockerBinary, "push", repoName)
s.trustedCmd(pushCmd)
out, _, err = runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.NotNil, check.Commentf("Error missing from trusted push with expired snapshot: \n%s", out))
c.Assert(out, checker.Contains, "repository out-of-date", check.Commentf("Missing expected output on trusted push with expired snapshot")) |
| 3e90b12d |
})
}
func (s *DockerTrustSuite) TestTrustedPushWithExpiredTimestamp(c *check.C) { |
| bf3c1e6a |
c.Skip("Currently changes system time, causing instability") |
| 3e90b12d |
repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppush/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
// Push with default passphrases
pushCmd := exec.Command(dockerBinary, "push", repoName)
s.trustedCmd(pushCmd)
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push")) |
| 3e90b12d |
// The timestamps expire in two weeks. Lets check three
threeWeeksLater := time.Now().Add(time.Hour * 24 * 21)
// Should succeed because the server transparently re-signs one
runAtDifferentDate(threeWeeksLater, func() {
pushCmd := exec.Command(dockerBinary, "push", repoName)
s.trustedCmd(pushCmd)
out, _, err := runCommandWithOutput(pushCmd) |
| 710817a7 |
c.Assert(err, check.IsNil, check.Commentf("Error running trusted push: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with expired timestamp")) |
| 3e90b12d |
})
} |
| 1db0c7bb |
|
| 497a58e6 |
func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) { |
| db700a67 |
testRequires(c, NotaryHosting) |
| 497a58e6 |
repoName := fmt.Sprintf("%v/dockerclireleasedelegationinitfirst/trusted", privateRegistryURL) |
| 1db0c7bb |
targetName := fmt.Sprintf("%s:latest", repoName) |
| 623ccc2f |
s.notaryInitRepo(c, repoName)
s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public)
s.notaryPublish(c, repoName) |
| 497a58e6 |
s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private) |
| 1db0c7bb |
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", targetName)
|
| 497a58e6 |
pushCmd := exec.Command(dockerBinary, "push", targetName) |
| 623ccc2f |
s.trustedCmd(pushCmd) |
| 1db0c7bb |
out, _, err := runCommandWithOutput(pushCmd)
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag")) |
| 623ccc2f |
// check to make sure that the target has been added to targets/releases and not targets
s.assertTargetInRoles(c, repoName, "latest", "targets/releases")
s.assertTargetNotInRoles(c, repoName, "latest", "targets") |
| 1db0c7bb |
// Try pull after push |
| 497a58e6 |
os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))
|
| 1db0c7bb |
pullCmd := exec.Command(dockerBinary, "pull", targetName)
s.trustedCmd(pullCmd)
out, _, err = runCommandWithOutput(pullCmd)
c.Assert(err, check.IsNil, check.Commentf(out))
c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf(out)) |
| 497a58e6 |
}
func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c *check.C) {
testRequires(c, NotaryHosting)
repoName := fmt.Sprintf("%v/dockerclimanyroles/trusted", privateRegistryURL)
targetName := fmt.Sprintf("%s:latest", repoName) |
| 623ccc2f |
s.notaryInitRepo(c, repoName)
s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public)
s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public)
s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public) |
| 497a58e6 |
// import everything except the third key
s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private)
s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private)
|
| 623ccc2f |
s.notaryCreateDelegation(c, repoName, "targets/role1/subrole", s.not.keys[3].Public) |
| 497a58e6 |
s.notaryImportKey(c, repoName, "targets/role1/subrole", s.not.keys[3].Private)
|
| 623ccc2f |
s.notaryPublish(c, repoName) |
| 497a58e6 |
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", targetName)
pushCmd := exec.Command(dockerBinary, "push", targetName) |
| 623ccc2f |
s.trustedCmd(pushCmd) |
| 497a58e6 |
out, _, err := runCommandWithOutput(pushCmd)
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag"))
|
| 623ccc2f |
// check to make sure that the target has been added to targets/role1 and targets/role2, and
// not targets (because there are delegations) or targets/role3 (due to missing key) or
// targets/role1/subrole (due to it being a second level delegation)
s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role2")
s.assertTargetNotInRoles(c, repoName, "latest", "targets")
|
| 497a58e6 |
// Try pull after push
os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))
|
| 623ccc2f |
// pull should fail because none of these are the releases role |
| 497a58e6 |
pullCmd := exec.Command(dockerBinary, "pull", targetName)
s.trustedCmd(pullCmd)
out, _, err = runCommandWithOutput(pullCmd) |
| 623ccc2f |
c.Assert(err, check.NotNil, check.Commentf(out)) |
| 497a58e6 |
}
func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclirolesbykeysandpaths/trusted", privateRegistryURL)
targetName := fmt.Sprintf("%s:latest", repoName) |
| 623ccc2f |
s.notaryInitRepo(c, repoName)
s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public, "l", "z")
s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public, "x", "y")
s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public, "latest")
s.notaryCreateDelegation(c, repoName, "targets/role4", s.not.keys[3].Public, "latest") |
| 1db0c7bb |
|
| 497a58e6 |
// import everything except the third key
s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private)
s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private)
s.notaryImportKey(c, repoName, "targets/role4", s.not.keys[3].Private)
|
| 623ccc2f |
s.notaryPublish(c, repoName) |
| 497a58e6 |
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", targetName)
pushCmd := exec.Command(dockerBinary, "push", targetName) |
| 623ccc2f |
s.trustedCmd(pushCmd) |
| 497a58e6 |
out, _, err := runCommandWithOutput(pushCmd)
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag"))
|
| 623ccc2f |
// check to make sure that the target has been added to targets/role1 and targets/role4, and
// not targets (because there are delegations) or targets/role2 (due to path restrictions) or
// targets/role3 (due to missing key)
s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role4")
s.assertTargetNotInRoles(c, repoName, "latest", "targets")
|
| 497a58e6 |
// Try pull after push
os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))
|
| 623ccc2f |
// pull should fail because none of these are the releases role |
| 497a58e6 |
pullCmd := exec.Command(dockerBinary, "pull", targetName)
s.trustedCmd(pullCmd)
out, _, err = runCommandWithOutput(pullCmd) |
| 623ccc2f |
c.Assert(err, check.NotNil, check.Commentf(out)) |
| 497a58e6 |
}
func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c *check.C) {
testRequires(c, NotaryHosting)
repoName := fmt.Sprintf("%v/dockerclireleasedelegationnotsignable/trusted", privateRegistryURL)
targetName := fmt.Sprintf("%s:latest", repoName) |
| 623ccc2f |
s.notaryInitRepo(c, repoName)
s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public)
s.notaryPublish(c, repoName) |
| 497a58e6 |
// do not import any delegations key
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", targetName)
pushCmd := exec.Command(dockerBinary, "push", targetName) |
| 623ccc2f |
s.trustedCmd(pushCmd) |
| 497a58e6 |
out, _, err := runCommandWithOutput(pushCmd) |
| 623ccc2f |
c.Assert(err, check.NotNil, check.Commentf("trusted push succeeded but should have failed:\n%s", out)) |
| 497a58e6 |
c.Assert(out, checker.Contains, "no valid signing keys",
check.Commentf("Missing expected output on trusted push without keys")) |
| 623ccc2f |
s.assertTargetNotInRoles(c, repoName, "latest", "targets", "targets/role1") |
| 1db0c7bb |
} |
| 497d5450 |
|
| 1b5c2e1d |
func (s *DockerRegistryAuthHtpasswdSuite) TestPushNoCredentialsNoRetry(c *check.C) { |
| 497d5450 |
repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
dockerCmd(c, "tag", "busybox", repoName)
out, _, err := dockerCmdWithError("push", repoName)
c.Assert(err, check.NotNil, check.Commentf(out))
c.Assert(out, check.Not(checker.Contains), "Retrying")
c.Assert(out, checker.Contains, "no basic auth credentials")
} |
| 6d23c3c5 |
// This may be flaky but it's needed not to regress on unauthorized push, see #21054
func (s *DockerSuite) TestPushToCentralRegistryUnauthorized(c *check.C) {
testRequires(c, Network)
repoName := "test/busybox"
dockerCmd(c, "tag", "busybox", repoName)
out, _, err := dockerCmdWithError("push", repoName)
c.Assert(err, check.NotNil, check.Commentf(out)) |
| 264b5b60 |
c.Assert(out, check.Not(checker.Contains), "Retrying") |
| 6d23c3c5 |
} |
| 1b5c2e1d |
|
| c48439af |
func getTestTokenService(status int, body string) *httptest.Server {
return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(status) |
| 1b5c2e1d |
w.Header().Set("Content-Type", "application/json") |
| c48439af |
w.Write([]byte(body)) |
| 1b5c2e1d |
})) |
| c48439af |
}
func (s *DockerRegistryAuthTokenSuite) TestPushTokenServiceUnauthResponse(c *check.C) {
ts := getTestTokenService(http.StatusUnauthorized, `{"errors": [{"Code":"UNAUTHORIZED", "message": "a message", "detail": null}]}`) |
| 1b5c2e1d |
defer ts.Close()
s.setupRegistryWithTokenService(c, ts.URL)
repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
dockerCmd(c, "tag", "busybox", repoName)
out, _, err := dockerCmdWithError("push", repoName)
c.Assert(err, check.NotNil, check.Commentf(out)) |
| c48439af |
c.Assert(out, checker.Not(checker.Contains), "Retrying") |
| 1b5c2e1d |
c.Assert(out, checker.Contains, "unauthorized: a message")
}
|
| c48439af |
func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnauthorized(c *check.C) {
ts := getTestTokenService(http.StatusUnauthorized, `{"error": "unauthorized"}`)
defer ts.Close()
s.setupRegistryWithTokenService(c, ts.URL)
repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
dockerCmd(c, "tag", "busybox", repoName)
out, _, err := dockerCmdWithError("push", repoName)
c.Assert(err, check.NotNil, check.Commentf(out))
c.Assert(out, checker.Not(checker.Contains), "Retrying")
split := strings.Split(out, "\n")
c.Assert(split[len(split)-2], check.Equals, "unauthorized: authentication required")
}
func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseError(c *check.C) {
ts := getTestTokenService(http.StatusInternalServerError, `{"error": "unexpected"}`)
defer ts.Close()
s.setupRegistryWithTokenService(c, ts.URL)
repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
dockerCmd(c, "tag", "busybox", repoName)
out, _, err := dockerCmdWithError("push", repoName)
c.Assert(err, check.NotNil, check.Commentf(out))
c.Assert(out, checker.Contains, "Retrying")
split := strings.Split(out, "\n")
c.Assert(split[len(split)-2], check.Equals, "received unexpected HTTP status: 500 Internal Server Error")
}
func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnparsable(c *check.C) {
ts := getTestTokenService(http.StatusForbidden, `no way`) |
| 1b5c2e1d |
defer ts.Close()
s.setupRegistryWithTokenService(c, ts.URL)
repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
dockerCmd(c, "tag", "busybox", repoName)
out, _, err := dockerCmdWithError("push", repoName)
c.Assert(err, check.NotNil, check.Commentf(out)) |
| c48439af |
c.Assert(out, checker.Not(checker.Contains), "Retrying")
split := strings.Split(out, "\n")
c.Assert(split[len(split)-2], checker.Contains, "error parsing HTTP 403 response body: ") |
| 1b5c2e1d |
} |
| 264b5b60 |
func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseNoToken(c *check.C) {
ts := getTestTokenService(http.StatusOK, `{"something": "wrong"}`)
defer ts.Close()
s.setupRegistryWithTokenService(c, ts.URL)
repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
dockerCmd(c, "tag", "busybox", repoName)
out, _, err := dockerCmdWithError("push", repoName)
c.Assert(err, check.NotNil, check.Commentf(out))
c.Assert(out, checker.Not(checker.Contains), "Retrying")
split := strings.Split(out, "\n")
c.Assert(split[len(split)-2], check.Equals, "authorization server did not include a token in the response")
} |