// +build !windows
package main
import (
"fmt"
"strings"
"github.com/docker/docker/integration-cli/checker" |
"github.com/docker/docker/integration-cli/daemon" |
"github.com/go-check/check"
)
// Plugin references used by the authorization-plugin integration tests.
//
// NOTE(review): these references point into a personal registry namespace,
// and the main plugin is addressed by the mutable "latest" tag. The tests in
// this file install them with --grant-all-permissions, so whoever can push
// to that namespace decides what runs with those privileges on the test
// host. Consider an immutable reference or a project-controlled mirror.
var (
	// authzPluginTag is the tag appended to authzPluginName.
	authzPluginTag = "latest"
	// authzPluginName is the plugin the allow/reject tests enable on the daemon.
	authzPluginName = "riyaz/authz-no-volume-plugin"
	// authzPluginNameWithTag is the full "name:tag" reference passed to the CLI.
	authzPluginNameWithTag = authzPluginName + ":" + authzPluginTag

	// authzPluginBadManifestName installs successfully but is expected to
	// prevent the daemon from starting when configured as its authz plugin.
	authzPluginBadManifestName = "riyaz/authz-plugin-bad-manifest"
	// nonexistentAuthzPluginName is never installed by these tests.
	nonexistentAuthzPluginName = "riyaz/nonexistent-authz-plugin"
)
// init registers DockerAuthzV2Suite with go-check so that its Test* methods
// are picked up by the test runner.
func init() {
	suite := &DockerAuthzV2Suite{ds: &DockerSuite{}}
	check.Suite(suite)
}
// DockerAuthzV2Suite holds the tests for authorization plugins that are
// installed through `docker plugin install` and enabled on the daemon with
// --authorization-plugin.
type DockerAuthzV2Suite struct {
	// ds is the shared suite whose TearDownTest is run after each test.
	ds *DockerSuite
	// d is the daemon under test; SetUpTest assigns it.
	d *daemon.Daemon
}
// SetUpTest creates a daemon for the test and starts it without any
// authorization plugin; individual tests restart it with the flag they need.
func (s *DockerAuthzV2Suite) SetUpTest(c *check.C) {
	testRequires(c, DaemonIsLinux, Network)

	cfg := daemon.Config{
		Experimental: testEnv.ExperimentalDaemon(),
	}
	s.d = daemon.New(c, dockerBinary, dockerdBinary, cfg)
	s.d.Start(c)
}
// TearDownTest stops the test daemon and then runs the shared suite's
// teardown. Both steps are skipped when no daemon was created.
func (s *DockerAuthzV2Suite) TearDownTest(c *check.C) {
	if s.d == nil {
		return
	}
	s.d.Stop(c)
	s.ds.TearDownTest(c)
}
// TestAuthZPluginAllowNonVolumeRequest checks the allow path: with the authz
// plugin enabled on the daemon, starting a container and listing containers
// both succeed.
func (s *DockerAuthzV2Suite) TestAuthZPluginAllowNonVolumeRequest(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Install the authz plugin. --grant-all-permissions accepts whatever
	// privileges the plugin asks for without prompting.
	_, installErr := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag)
	c.Assert(installErr, checker.IsNil)

	// Start the daemon with the plugin and load busybox; a --net=none build
	// fails otherwise because it needs to pull busybox.
	s.d.Restart(c, "--authorization-plugin="+authzPluginNameWithTag)
	c.Assert(s.d.LoadBusybox(), check.IsNil)

	// Cleanup: bring the daemon back up without the authorization flag
	// first, then disable and remove the plugin.
	defer func() {
		s.d.Restart(c)

		_, disableErr := s.d.Cmd("plugin", "disable", authzPluginNameWithTag)
		c.Assert(disableErr, checker.IsNil)

		_, rmErr := s.d.Cmd("plugin", "rm", authzPluginNameWithTag)
		c.Assert(rmErr, checker.IsNil)
	}()

	// docker run and the accompanying docker ps must both succeed.
	runOut, runErr := s.d.Cmd("run", "-d", "busybox", "top")
	c.Assert(runErr, check.IsNil)
	containerID := strings.TrimSpace(runOut)

	psOut, psErr := s.d.Cmd("ps")
	c.Assert(psErr, check.IsNil)
	c.Assert(assertContainerList(psOut, []string{containerID}), check.Equals, true)
}
// TestAuthZPluginRejectVolumeRequests checks the deny path: with the authz
// plugin enabled, every volume subcommand fails and the output attributes
// the failure to the plugin.
func (s *DockerAuthzV2Suite) TestAuthZPluginRejectVolumeRequests(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Install the authz plugin. --grant-all-permissions accepts whatever
	// privileges the plugin asks for without prompting.
	_, installErr := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag)
	c.Assert(installErr, checker.IsNil)

	// Restart the daemon with the plugin.
	s.d.Restart(c, "--authorization-plugin="+authzPluginNameWithTag)

	// Cleanup: bring the daemon back up without the authorization flag
	// first, then disable and remove the plugin.
	defer func() {
		s.d.Restart(c)

		_, disableErr := s.d.Cmd("plugin", "disable", authzPluginNameWithTag)
		c.Assert(disableErr, checker.IsNil)

		_, rmErr := s.d.Cmd("plugin", "rm", authzPluginNameWithTag)
		c.Assert(rmErr, checker.IsNil)
	}()

	// Text the daemon output must contain for a request stopped by the plugin.
	blockedMsg := fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)

	// `volume rm test` and `volume inspect test` name a volume that does
	// not exist, so they would return an error even with no plugin at all.
	// The plugin will block the command before it can determine the volume
	// does not exist; the message assertion, not the non-nil error, is what
	// shows the plugin was the component that refused the request.
	volumeCmds := [][]string{
		{"volume", "create"},
		{"volume", "ls"},
		{"volume", "rm", "test"},
		{"volume", "inspect", "test"},
		{"volume", "prune", "-f"},
	}
	for _, args := range volumeCmds {
		out, err := s.d.Cmd(args...)
		c.Assert(err, check.NotNil)
		c.Assert(out, checker.Contains, blockedMsg)
	}
}
// TestAuthZPluginBadManifestFailsDaemonStart checks that the daemon fails
// closed: when the configured authorization plugin has a bad manifest, the
// daemon reports a start error instead of coming up without authorization.
func (s *DockerAuthzV2Suite) TestAuthZPluginBadManifestFailsDaemonStart(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Install the authz plugin with the bad manifest; the install itself is
	// expected to succeed.
	// NOTE(review): unlike the allow/reject tests, this plugin is never
	// disabled or removed afterwards; presumably the per-test daemon makes
	// that unnecessary. TODO confirm.
	_, installErr := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginBadManifestName)
	c.Assert(installErr, checker.IsNil)

	// Starting the daemon with that plugin must produce an error.
	authzFlag := "--authorization-plugin=" + authzPluginBadManifestName
	startErr := s.d.RestartWithError(authzFlag)
	c.Assert(startErr, check.NotNil)

	// Restarting the daemon without requiring the plugin will succeed.
	s.d.Restart(c)
}
// TestNonexistentAuthZPluginFailsDaemonStart checks that the daemon fails
// closed: when --authorization-plugin names a plugin that was never
// installed, the daemon reports a start error instead of coming up without
// authorization.
func (s *DockerAuthzV2Suite) TestNonexistentAuthZPluginFailsDaemonStart(c *check.C) {
	testRequires(c, DaemonIsLinux, Network)

	// Starting the daemon with a non-existent authz plugin must produce an
	// error.
	authzFlag := "--authorization-plugin=" + nonexistentAuthzPluginName
	startErr := s.d.RestartWithError(authzFlag)
	c.Assert(startErr, check.NotNil)

	// Starting the daemon again without requiring the plugin will succeed.
	// NOTE(review): the bad-manifest test uses Restart here while this one
	// uses Start; confirm which is intended after a failed restart.
	s.d.Start(c)
}