Browse code
Add more integration tests for trusted push and pull
Signed-off-by: Diogo Monica <diogo@docker.com>
Diogo Monica authored on 2015/07/22 12:36:22Showing 3 changed files
- integration-cli/docker_cli_pull_test.go
- integration-cli/docker_cli_push_test.go
- integration-cli/trust_server.go
| ... | ... |
@@ -181,4 +181,38 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
|
| 181 | 181 |
if !strings.Contains(string(out), "Tagging") {
|
| 182 | 182 |
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
| 183 | 183 |
} |
| 184 |
+ |
|
| 185 |
+ dockerCmd(c, "rmi", repoName) |
|
| 186 |
+ |
|
| 187 |
+ // Try untrusted pull to ensure we pushed the tag to the registry |
|
| 188 |
+ pullCmd = exec.Command(dockerBinary, "pull", "--untrusted=true", repoName) |
|
| 189 |
+ s.trustedCmd(pullCmd) |
|
| 190 |
+ out, _, err = runCommandWithOutput(pullCmd) |
|
| 191 |
+ if err != nil {
|
|
| 192 |
+ c.Fatalf("Error running trusted pull: %s\n%s", err, out)
|
|
| 193 |
+ } |
|
| 194 |
+ |
|
| 195 |
+ if !strings.Contains(string(out), "Status: Downloaded") {
|
|
| 196 |
+ c.Fatalf("Missing expected output on trusted pull with --untrusted:\n%s", out)
|
|
| 197 |
+ } |
|
| 198 |
+} |
|
| 199 |
+ |
|
| 200 |
+func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {
|
|
| 201 |
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
|
| 202 |
+ // tag the image and upload it to the private registry |
|
| 203 |
+ dockerCmd(c, "tag", "busybox", repoName) |
|
| 204 |
+ dockerCmd(c, "push", repoName) |
|
| 205 |
+ dockerCmd(c, "rmi", repoName) |
|
| 206 |
+ |
|
| 207 |
+ // Try trusted pull on untrusted tag |
|
| 208 |
+ pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
| 209 |
+ s.trustedCmd(pullCmd) |
|
| 210 |
+ out, _, err := runCommandWithOutput(pullCmd) |
|
| 211 |
+ if err == nil {
|
|
| 212 |
+ c.Fatalf("Error expected when running trusted pull with:\n%s", out)
|
|
| 213 |
+ } |
|
| 214 |
+ |
|
| 215 |
+ if !strings.Contains(string(out), "no trust data available") {
|
|
| 216 |
+ c.Fatalf("Missing expected output on trusted pull:\n%s", out)
|
|
| 217 |
+ } |
|
| 184 | 218 |
} |
| ... | ... |
@@ -159,3 +159,109 @@ func (s *DockerTrustSuite) TestTrustedPush(c *check.C) {
|
| 159 | 159 |
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
| 160 | 160 |
} |
| 161 | 161 |
} |
| 162 |
+ |
|
| 163 |
+func (s *DockerTrustSuite) TestTrustedPushWithoutServer(c *check.C) {
|
|
| 164 |
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
|
| 165 |
+ // tag the image and upload it to the private registry |
|
| 166 |
+ dockerCmd(c, "tag", "busybox", repoName) |
|
| 167 |
+ |
|
| 168 |
+ pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
| 169 |
+ s.trustedCmdWithServer(pushCmd, "example/") |
|
| 170 |
+ out, _, err := runCommandWithOutput(pushCmd) |
|
| 171 |
+ if err == nil {
|
|
| 172 |
+ c.Fatalf("Missing error while running trusted push w/ no server")
|
|
| 173 |
+ } |
|
| 174 |
+ |
|
| 175 |
+ if !strings.Contains(string(out), "Error establishing connection to notary repository") {
|
|
| 176 |
+ c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
|
| 177 |
+ } |
|
| 178 |
+} |
|
| 179 |
+ |
|
| 180 |
+func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) {
|
|
| 181 |
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
|
| 182 |
+ // tag the image and upload it to the private registry |
|
| 183 |
+ dockerCmd(c, "tag", "busybox", repoName) |
|
| 184 |
+ |
|
| 185 |
+ pushCmd := exec.Command(dockerBinary, "push", "--untrusted", repoName) |
|
| 186 |
+ s.trustedCmdWithServer(pushCmd, "example/") |
|
| 187 |
+ out, _, err := runCommandWithOutput(pushCmd) |
|
| 188 |
+ if err != nil {
|
|
| 189 |
+ c.Fatalf("trusted push with no server and --untrusted failed: %s\n%s", err, out)
|
|
| 190 |
+ } |
|
| 191 |
+ |
|
| 192 |
+ if strings.Contains(string(out), "Error establishing connection to notary repository") {
|
|
| 193 |
+ c.Fatalf("Missing expected output on trusted push with --untrusted:\n%s", out)
|
|
| 194 |
+ } |
|
| 195 |
+} |
|
| 196 |
+ |
|
| 197 |
+func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) {
|
|
| 198 |
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
|
| 199 |
+ // tag the image and upload it to the private registry |
|
| 200 |
+ dockerCmd(c, "tag", "busybox", repoName) |
|
| 201 |
+ dockerCmd(c, "push", repoName) |
|
| 202 |
+ |
|
| 203 |
+ pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
| 204 |
+ s.trustedCmd(pushCmd) |
|
| 205 |
+ out, _, err := runCommandWithOutput(pushCmd) |
|
| 206 |
+ if err != nil {
|
|
| 207 |
+ c.Fatalf("trusted push failed: %s\n%s", err, out)
|
|
| 208 |
+ } |
|
| 209 |
+ |
|
| 210 |
+ if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
|
| 211 |
+ c.Fatalf("Missing expected output on trusted push with existing tag:\n%s", out)
|
|
| 212 |
+ } |
|
| 213 |
+} |
|
| 214 |
+ |
|
| 215 |
+func (s *DockerTrustSuite) TestTrustedPushWithShortRootPassphrase(c *check.C) {
|
|
| 216 |
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
|
| 217 |
+ // tag the image and upload it to the private registry |
|
| 218 |
+ dockerCmd(c, "tag", "busybox", repoName) |
|
| 219 |
+ |
|
| 220 |
+ pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
| 221 |
+ s.trustedCmdWithPassphrases(pushCmd, "rootPwd", "", "") |
|
| 222 |
+ out, _, err := runCommandWithOutput(pushCmd) |
|
| 223 |
+ if err == nil {
|
|
| 224 |
+ c.Fatalf("Error missing from trusted push with short root passphrase")
|
|
| 225 |
+ } |
|
| 226 |
+ |
|
| 227 |
+ if !strings.Contains(string(out), "tuf: insufficient signatures for Cryptoservice") {
|
|
| 228 |
+ c.Fatalf("Missing expected output on trusted push with short root passphrase:\n%s", out)
|
|
| 229 |
+ } |
|
| 230 |
+} |
|
| 231 |
+ |
|
| 232 |
+func (s *DockerTrustSuite) TestTrustedPushWithIncorrectRootPassphrase(c *check.C) {
|
|
| 233 |
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
|
| 234 |
+ // tag the image and upload it to the private registry |
|
| 235 |
+ dockerCmd(c, "tag", "busybox", repoName) |
|
| 236 |
+ |
|
| 237 |
+ // Push with default passphrase |
|
| 238 |
+ pushCmd := exec.Command(dockerBinary, "push", "--untrusted", repoName) |
|
| 239 |
+ s.trustedCmd(pushCmd) |
|
| 240 |
+ out, _, _ := runCommandWithOutput(pushCmd) |
|
| 241 |
+ fmt.Println("OUTPUT: ", out)
|
|
| 242 |
+ |
|
| 243 |
+ // Push with incorrect passphrase |
|
| 244 |
+ pushCmd = exec.Command(dockerBinary, "push", "--untrusted", repoName) |
|
| 245 |
+ s.trustedCmd(pushCmd) |
|
| 246 |
+ // s.trustedCmdWithPassphrases(pushCmd, "87654321", "", "") |
|
| 247 |
+ out, _, _ = runCommandWithOutput(pushCmd) |
|
| 248 |
+ fmt.Println("OUTPUT2:", out)
|
|
| 249 |
+ c.Fail() |
|
| 250 |
+} |
|
| 251 |
+ |
|
| 252 |
+func (s *DockerTrustSuite) TestTrustedPushWithShortPassphraseForNonRoot(c *check.C) {
|
|
| 253 |
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
|
| 254 |
+ // tag the image and upload it to the private registry |
|
| 255 |
+ dockerCmd(c, "tag", "busybox", repoName) |
|
| 256 |
+ |
|
| 257 |
+ pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
| 258 |
+ s.trustedCmdWithPassphrases(pushCmd, "12345678", "short", "short") |
|
| 259 |
+ out, _, err := runCommandWithOutput(pushCmd) |
|
| 260 |
+ if err == nil {
|
|
| 261 |
+ c.Fatalf("Error missing from trusted push with short targets passphrase")
|
|
| 262 |
+ } |
|
| 263 |
+ |
|
| 264 |
+ if !strings.Contains(string(out), "tuf: insufficient signatures for Cryptoservice") {
|
|
| 265 |
+ c.Fatalf("Missing expected output on trusted push with short targets/snapsnot passphrase:\n%s", out)
|
|
| 266 |
+ } |
|
| 267 |
+} |
| ... | ... |
@@ -99,12 +99,25 @@ func (t *testNotary) Close() {
|
| 99 | 99 |
} |
| 100 | 100 |
|
| 101 | 101 |
func (s *DockerTrustSuite) trustedCmd(cmd *exec.Cmd) {
|
| 102 |
+ pwd := "12345678" |
|
| 103 |
+ trustCmdEnv(cmd, s.not.address(), pwd, pwd, pwd) |
|
| 104 |
+} |
|
| 105 |
+ |
|
| 106 |
+func (s *DockerTrustSuite) trustedCmdWithServer(cmd *exec.Cmd, server string) {
|
|
| 107 |
+ pwd := "12345678" |
|
| 108 |
+ trustCmdEnv(cmd, server, pwd, pwd, pwd) |
|
| 109 |
+} |
|
| 110 |
+func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, snapshotPwd, targetPwd string) {
|
|
| 111 |
+ trustCmdEnv(cmd, s.not.address(), rootPwd, snapshotPwd, targetPwd) |
|
| 112 |
+} |
|
| 113 |
+ |
|
| 114 |
+func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, snapshotPwd, targetPwd string) {
|
|
| 102 | 115 |
env := []string{
|
| 103 | 116 |
"DOCKER_TRUST=1", |
| 104 |
- fmt.Sprintf("DOCKER_TRUST_SERVER=%s", s.not.address()),
|
|
| 105 |
- "DOCKER_TRUST_ROOT_PASSPHRASE=12345678", |
|
| 106 |
- "DOCKER_TRUST_TARGET_PASSPHRASE=12345678", |
|
| 107 |
- "DOCKER_TRUST_SNAPSHOT_PASSPHRASE=12345678", |
|
| 117 |
+ fmt.Sprintf("DOCKER_TRUST_SERVER=%s", server),
|
|
| 118 |
+ fmt.Sprintf("DOCKER_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
|
|
| 119 |
+ fmt.Sprintf("DOCKER_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd),
|
|
| 120 |
+ fmt.Sprintf("DOCKER_TRUST_TARGET_PASSPHRASE=%s", targetPwd),
|
|
| 108 | 121 |
} |
| 109 | 122 |
cmd.Env = append(os.Environ(), env...) |
| 110 | 123 |
} |