Browse code
Migrate DockerTrustSuite to docker/cli e2e tests
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Vincent Demeester authored on 2018/03/06 19:01:26Showing 13 changed files
- Dockerfile
- integration-cli/check_test.go
- integration-cli/docker_cli_build_test.go
- integration-cli/docker_cli_create_test.go
- integration-cli/docker_cli_plugins_test.go
- integration-cli/docker_cli_pull_trusted_test.go
- integration-cli/docker_cli_push_test.go
- integration-cli/docker_cli_run_test.go
- integration-cli/docker_cli_swarm_test.go
- integration-cli/docker_utils_test.go
- integration-cli/requirements_test.go
- integration-cli/trust_server_test.go
- registry/config.go
| ... | ... |
@@ -91,21 +91,6 @@ RUN set -x \ |
| 91 | 91 |
|
| 92 | 92 |
|
| 93 | 93 |
|
| 94 |
-FROM base AS notary |
|
| 95 |
-# Install notary and notary-server |
|
| 96 |
-ENV NOTARY_VERSION v0.5.0 |
|
| 97 |
-RUN set -x \ |
|
| 98 |
- && export GOPATH="$(mktemp -d)" \ |
|
| 99 |
- && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ |
|
| 100 |
- && (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ |
|
| 101 |
- && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
|
| 102 |
- go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 103 |
- && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
|
| 104 |
- go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 105 |
- && rm -rf "$GOPATH" |
|
| 106 |
- |
|
| 107 |
- |
|
| 108 |
- |
|
| 109 | 94 |
FROM base AS docker-py |
| 110 | 95 |
# Get the "docker-py" source so we can run their integration tests |
| 111 | 96 |
ENV DOCKER_PY_COMMIT 8b246db271a85d6541dc458838627e89c683e42f |
| ... | ... |
@@ -248,7 +233,6 @@ COPY --from=containerd /opt/containerd/ /usr/local/bin/ |
| 248 | 248 |
COPY --from=proxy /opt/proxy/ /usr/local/bin/ |
| 249 | 249 |
COPY --from=dockercli /opt/dockercli /usr/local/cli |
| 250 | 250 |
COPY --from=registry /usr/local/bin/registry* /usr/local/bin/ |
| 251 |
-COPY --from=notary /usr/local/bin/notary* /usr/local/bin/ |
|
| 252 | 251 |
COPY --from=criu /opt/criu/ /usr/local/ |
| 253 | 252 |
COPY --from=docker-py /docker-py /docker-py |
| 254 | 253 |
# TODO: This is for the docker-py tests, which shouldn't really be needed for |
| ... | ... |
@@ -14,7 +14,6 @@ import ( |
| 14 | 14 |
"time" |
| 15 | 15 |
|
| 16 | 16 |
"github.com/docker/docker/api/types/swarm" |
| 17 |
- "github.com/docker/docker/cli/config" |
|
| 18 | 17 |
"github.com/docker/docker/integration-cli/checker" |
| 19 | 18 |
"github.com/docker/docker/integration-cli/cli" |
| 20 | 19 |
"github.com/docker/docker/integration-cli/cli/build/fakestorage" |
| ... | ... |
@@ -387,74 +386,6 @@ func (s *DockerSwarmSuite) TearDownTest(c *check.C) {
|
| 387 | 387 |
} |
| 388 | 388 |
|
| 389 | 389 |
func init() {
|
| 390 |
- check.Suite(&DockerTrustSuite{
|
|
| 391 |
- ds: &DockerSuite{},
|
|
| 392 |
- }) |
|
| 393 |
-} |
|
| 394 |
- |
|
| 395 |
-type DockerTrustSuite struct {
|
|
| 396 |
- ds *DockerSuite |
|
| 397 |
- reg *registry.V2 |
|
| 398 |
- not *testNotary |
|
| 399 |
-} |
|
| 400 |
- |
|
| 401 |
-func (s *DockerTrustSuite) OnTimeout(c *check.C) {
|
|
| 402 |
- s.ds.OnTimeout(c) |
|
| 403 |
-} |
|
| 404 |
- |
|
| 405 |
-func (s *DockerTrustSuite) SetUpTest(c *check.C) {
|
|
| 406 |
- testRequires(c, registry.Hosting, NotaryServerHosting) |
|
| 407 |
- s.reg = setupRegistry(c, false, "", "") |
|
| 408 |
- s.not = setupNotary(c) |
|
| 409 |
-} |
|
| 410 |
- |
|
| 411 |
-func (s *DockerTrustSuite) TearDownTest(c *check.C) {
|
|
| 412 |
- if s.reg != nil {
|
|
| 413 |
- s.reg.Close() |
|
| 414 |
- } |
|
| 415 |
- if s.not != nil {
|
|
| 416 |
- s.not.Close() |
|
| 417 |
- } |
|
| 418 |
- |
|
| 419 |
- // Remove trusted keys and metadata after test |
|
| 420 |
- os.RemoveAll(filepath.Join(config.Dir(), "trust")) |
|
| 421 |
- s.ds.TearDownTest(c) |
|
| 422 |
-} |
|
| 423 |
- |
|
| 424 |
-func init() {
|
|
| 425 |
- ds := &DockerSuite{}
|
|
| 426 |
- check.Suite(&DockerTrustedSwarmSuite{
|
|
| 427 |
- trustSuite: DockerTrustSuite{
|
|
| 428 |
- ds: ds, |
|
| 429 |
- }, |
|
| 430 |
- swarmSuite: DockerSwarmSuite{
|
|
| 431 |
- ds: ds, |
|
| 432 |
- }, |
|
| 433 |
- }) |
|
| 434 |
-} |
|
| 435 |
- |
|
| 436 |
-type DockerTrustedSwarmSuite struct {
|
|
| 437 |
- swarmSuite DockerSwarmSuite |
|
| 438 |
- trustSuite DockerTrustSuite |
|
| 439 |
- reg *registry.V2 |
|
| 440 |
- not *testNotary |
|
| 441 |
-} |
|
| 442 |
- |
|
| 443 |
-func (s *DockerTrustedSwarmSuite) SetUpTest(c *check.C) {
|
|
| 444 |
- s.swarmSuite.SetUpTest(c) |
|
| 445 |
- s.trustSuite.SetUpTest(c) |
|
| 446 |
-} |
|
| 447 |
- |
|
| 448 |
-func (s *DockerTrustedSwarmSuite) TearDownTest(c *check.C) {
|
|
| 449 |
- s.trustSuite.TearDownTest(c) |
|
| 450 |
- s.swarmSuite.TearDownTest(c) |
|
| 451 |
-} |
|
| 452 |
- |
|
| 453 |
-func (s *DockerTrustedSwarmSuite) OnTimeout(c *check.C) {
|
|
| 454 |
- s.swarmSuite.OnTimeout(c) |
|
| 455 |
-} |
|
| 456 |
- |
|
| 457 |
-func init() {
|
|
| 458 | 390 |
check.Suite(&DockerPluginSuite{
|
| 459 | 391 |
ds: &DockerSuite{},
|
| 460 | 392 |
}) |
| ... | ... |
@@ -4048,140 +4048,6 @@ func (s *DockerSuite) TestBuildRUNErrMsg(c *check.C) {
|
| 4048 | 4048 |
}) |
| 4049 | 4049 |
} |
| 4050 | 4050 |
|
| 4051 |
-func (s *DockerTrustSuite) TestTrustedBuild(c *check.C) {
|
|
| 4052 |
- repoName := s.setupTrustedImage(c, "trusted-build") |
|
| 4053 |
- dockerFile := fmt.Sprintf(` |
|
| 4054 |
- FROM %s |
|
| 4055 |
- RUN [] |
|
| 4056 |
- `, repoName) |
|
| 4057 |
- |
|
| 4058 |
- name := "testtrustedbuild" |
|
| 4059 |
- |
|
| 4060 |
- buildImage(name, trustedBuild, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
|
|
| 4061 |
- Out: fmt.Sprintf("FROM %s@sha", repoName[:len(repoName)-7]),
|
|
| 4062 |
- }) |
|
| 4063 |
- |
|
| 4064 |
- // We should also have a tag reference for the image. |
|
| 4065 |
- dockerCmd(c, "inspect", repoName) |
|
| 4066 |
- |
|
| 4067 |
- // We should now be able to remove the tag reference. |
|
| 4068 |
- dockerCmd(c, "rmi", repoName) |
|
| 4069 |
-} |
|
| 4070 |
- |
|
| 4071 |
-func (s *DockerTrustSuite) TestTrustedBuildUntrustedTag(c *check.C) {
|
|
| 4072 |
- repoName := fmt.Sprintf("%v/dockercli/build-untrusted-tag:latest", privateRegistryURL)
|
|
| 4073 |
- dockerFile := fmt.Sprintf(` |
|
| 4074 |
- FROM %s |
|
| 4075 |
- RUN [] |
|
| 4076 |
- `, repoName) |
|
| 4077 |
- |
|
| 4078 |
- name := "testtrustedbuilduntrustedtag" |
|
| 4079 |
- |
|
| 4080 |
- buildImage(name, trustedBuild, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
|
|
| 4081 |
- ExitCode: 1, |
|
| 4082 |
- Err: "does not have trust data for", |
|
| 4083 |
- }) |
|
| 4084 |
-} |
|
| 4085 |
- |
|
| 4086 |
-// FIXME(vdemeester) should migrate to docker/cli e2e tests |
|
| 4087 |
-func (s *DockerTrustSuite) TestBuildContextDirIsSymlink(c *check.C) {
|
|
| 4088 |
- testRequires(c, DaemonIsLinux) |
|
| 4089 |
- tempDir, err := ioutil.TempDir("", "test-build-dir-is-symlink-")
|
|
| 4090 |
- c.Assert(err, check.IsNil) |
|
| 4091 |
- defer os.RemoveAll(tempDir) |
|
| 4092 |
- |
|
| 4093 |
- // Make a real context directory in this temp directory with a simple |
|
| 4094 |
- // Dockerfile. |
|
| 4095 |
- realContextDirname := filepath.Join(tempDir, "context") |
|
| 4096 |
- if err := os.Mkdir(realContextDirname, os.FileMode(0755)); err != nil {
|
|
| 4097 |
- c.Fatal(err) |
|
| 4098 |
- } |
|
| 4099 |
- |
|
| 4100 |
- if err = ioutil.WriteFile( |
|
| 4101 |
- filepath.Join(realContextDirname, "Dockerfile"), |
|
| 4102 |
- []byte(` |
|
| 4103 |
- FROM busybox |
|
| 4104 |
- RUN echo hello world |
|
| 4105 |
- `), |
|
| 4106 |
- os.FileMode(0644), |
|
| 4107 |
- ); err != nil {
|
|
| 4108 |
- c.Fatal(err) |
|
| 4109 |
- } |
|
| 4110 |
- |
|
| 4111 |
- // Make a symlink to the real context directory. |
|
| 4112 |
- contextSymlinkName := filepath.Join(tempDir, "context_link") |
|
| 4113 |
- if err := os.Symlink(realContextDirname, contextSymlinkName); err != nil {
|
|
| 4114 |
- c.Fatal(err) |
|
| 4115 |
- } |
|
| 4116 |
- |
|
| 4117 |
- // Executing the build with the symlink as the specified context should |
|
| 4118 |
- // *not* fail. |
|
| 4119 |
- dockerCmd(c, "build", contextSymlinkName) |
|
| 4120 |
-} |
|
| 4121 |
- |
|
| 4122 |
-func (s *DockerTrustSuite) TestTrustedBuildTagFromReleasesRole(c *check.C) {
|
|
| 4123 |
- testRequires(c, NotaryHosting) |
|
| 4124 |
- |
|
| 4125 |
- latestTag := s.setupTrustedImage(c, "trusted-build-releases-role") |
|
| 4126 |
- repoName := strings.TrimSuffix(latestTag, ":latest") |
|
| 4127 |
- |
|
| 4128 |
- // Now create the releases role |
|
| 4129 |
- s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public) |
|
| 4130 |
- s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private) |
|
| 4131 |
- s.notaryPublish(c, repoName) |
|
| 4132 |
- |
|
| 4133 |
- // push a different tag to the releases role |
|
| 4134 |
- otherTag := fmt.Sprintf("%s:other", repoName)
|
|
| 4135 |
- cli.DockerCmd(c, "tag", "busybox", otherTag) |
|
| 4136 |
- |
|
| 4137 |
- cli.Docker(cli.Args("push", otherTag), trustedCmd).Assert(c, icmd.Success)
|
|
| 4138 |
- s.assertTargetInRoles(c, repoName, "other", "targets/releases") |
|
| 4139 |
- s.assertTargetNotInRoles(c, repoName, "other", "targets") |
|
| 4140 |
- |
|
| 4141 |
- cli.DockerCmd(c, "rmi", otherTag) |
|
| 4142 |
- |
|
| 4143 |
- dockerFile := fmt.Sprintf(` |
|
| 4144 |
- FROM %s |
|
| 4145 |
- RUN [] |
|
| 4146 |
- `, otherTag) |
|
| 4147 |
- name := "testtrustedbuildreleasesrole" |
|
| 4148 |
- cli.BuildCmd(c, name, trustedCmd, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
|
|
| 4149 |
- Out: fmt.Sprintf("FROM %s@sha", repoName),
|
|
| 4150 |
- }) |
|
| 4151 |
-} |
|
| 4152 |
- |
|
| 4153 |
-func (s *DockerTrustSuite) TestTrustedBuildTagIgnoresOtherDelegationRoles(c *check.C) {
|
|
| 4154 |
- testRequires(c, NotaryHosting) |
|
| 4155 |
- |
|
| 4156 |
- latestTag := s.setupTrustedImage(c, "trusted-build-releases-role") |
|
| 4157 |
- repoName := strings.TrimSuffix(latestTag, ":latest") |
|
| 4158 |
- |
|
| 4159 |
- // Now create a non-releases delegation role |
|
| 4160 |
- s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[0].Public) |
|
| 4161 |
- s.notaryImportKey(c, repoName, "targets/other", s.not.keys[0].Private) |
|
| 4162 |
- s.notaryPublish(c, repoName) |
|
| 4163 |
- |
|
| 4164 |
- // push a different tag to the other role |
|
| 4165 |
- otherTag := fmt.Sprintf("%s:other", repoName)
|
|
| 4166 |
- cli.DockerCmd(c, "tag", "busybox", otherTag) |
|
| 4167 |
- |
|
| 4168 |
- cli.Docker(cli.Args("push", otherTag), trustedCmd).Assert(c, icmd.Success)
|
|
| 4169 |
- s.assertTargetInRoles(c, repoName, "other", "targets/other") |
|
| 4170 |
- s.assertTargetNotInRoles(c, repoName, "other", "targets") |
|
| 4171 |
- |
|
| 4172 |
- cli.DockerCmd(c, "rmi", otherTag) |
|
| 4173 |
- |
|
| 4174 |
- dockerFile := fmt.Sprintf(` |
|
| 4175 |
- FROM %s |
|
| 4176 |
- RUN [] |
|
| 4177 |
- `, otherTag) |
|
| 4178 |
- |
|
| 4179 |
- name := "testtrustedbuildotherrole" |
|
| 4180 |
- cli.Docker(cli.Build(name), trustedCmd, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
|
|
| 4181 |
- ExitCode: 1, |
|
| 4182 |
- }) |
|
| 4183 |
-} |
|
| 4184 |
- |
|
| 4185 | 4051 |
// Issue #15634: COPY fails when path starts with "null" |
| 4186 | 4052 |
func (s *DockerSuite) TestBuildNullStringInAddCopyVolume(c *check.C) {
|
| 4187 | 4053 |
name := "testbuildnullstringinaddcopyvolume" |
| ... | ... |
@@ -6018,28 +5884,6 @@ func (s *DockerSuite) TestBuildMultiStageNameVariants(c *check.C) {
|
| 6018 | 6018 |
cli.Docker(cli.Args("run", "build1", "cat", "f2")).Assert(c, icmd.Expected{Out: "bar2"})
|
| 6019 | 6019 |
} |
| 6020 | 6020 |
|
| 6021 |
-func (s *DockerTrustSuite) TestBuildMultiStageTrusted(c *check.C) {
|
|
| 6022 |
- img1 := s.setupTrustedImage(c, "trusted-build1") |
|
| 6023 |
- img2 := s.setupTrustedImage(c, "trusted-build2") |
|
| 6024 |
- dockerFile := fmt.Sprintf(` |
|
| 6025 |
- FROM %s AS build-base |
|
| 6026 |
- RUN echo ok > /foo |
|
| 6027 |
- FROM %s |
|
| 6028 |
- COPY --from=build-base foo bar`, img1, img2) |
|
| 6029 |
- |
|
| 6030 |
- name := "testcopyfromtrustedbuild" |
|
| 6031 |
- |
|
| 6032 |
- r := buildImage(name, trustedBuild, build.WithDockerfile(dockerFile)) |
|
| 6033 |
- r.Assert(c, icmd.Expected{
|
|
| 6034 |
- Out: fmt.Sprintf("FROM %s@sha", img1[:len(img1)-7]),
|
|
| 6035 |
- }) |
|
| 6036 |
- r.Assert(c, icmd.Expected{
|
|
| 6037 |
- Out: fmt.Sprintf("FROM %s@sha", img2[:len(img2)-7]),
|
|
| 6038 |
- }) |
|
| 6039 |
- |
|
| 6040 |
- dockerCmdWithResult("run", name, "cat", "bar").Assert(c, icmd.Expected{Out: "ok"})
|
|
| 6041 |
-} |
|
| 6042 |
- |
|
| 6043 | 6021 |
func (s *DockerSuite) TestBuildMultiStageMultipleBuildsWindows(c *check.C) {
|
| 6044 | 6022 |
testRequires(c, DaemonIsWindows) |
| 6045 | 6023 |
dockerfile := ` |
| ... | ... |
@@ -3,7 +3,6 @@ package main |
| 3 | 3 |
import ( |
| 4 | 4 |
"encoding/json" |
| 5 | 5 |
"fmt" |
| 6 |
- "io/ioutil" |
|
| 7 | 6 |
"os" |
| 8 | 7 |
"reflect" |
| 9 | 8 |
"strings" |
| ... | ... |
@@ -16,7 +15,6 @@ import ( |
| 16 | 16 |
"github.com/docker/docker/pkg/stringid" |
| 17 | 17 |
"github.com/docker/go-connections/nat" |
| 18 | 18 |
"github.com/go-check/check" |
| 19 |
- "github.com/gotestyourself/gotestyourself/icmd" |
|
| 20 | 19 |
) |
| 21 | 20 |
|
| 22 | 21 |
// Make sure we can create a simple container with some args |
| ... | ... |
@@ -292,75 +290,6 @@ func (s *DockerSuite) TestCreateByImageID(c *check.C) {
|
| 292 | 292 |
} |
| 293 | 293 |
} |
| 294 | 294 |
|
| 295 |
-func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {
|
|
| 296 |
- repoName := s.setupTrustedImage(c, "trusted-create") |
|
| 297 |
- |
|
| 298 |
- // Try create |
|
| 299 |
- cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, SuccessTagging)
|
|
| 300 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 301 |
- |
|
| 302 |
- // Try untrusted create to ensure we pushed the tag to the registry |
|
| 303 |
- cli.Docker(cli.Args("create", "--disable-content-trust=true", repoName)).Assert(c, SuccessDownloadedOnStderr)
|
|
| 304 |
-} |
|
| 305 |
- |
|
| 306 |
-func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) {
|
|
| 307 |
- repoName := fmt.Sprintf("%v/dockercliuntrusted/createtest", privateRegistryURL)
|
|
| 308 |
- withTagName := fmt.Sprintf("%s:latest", repoName)
|
|
| 309 |
- // tag the image and upload it to the private registry |
|
| 310 |
- cli.DockerCmd(c, "tag", "busybox", withTagName) |
|
| 311 |
- cli.DockerCmd(c, "push", withTagName) |
|
| 312 |
- cli.DockerCmd(c, "rmi", withTagName) |
|
| 313 |
- |
|
| 314 |
- // Try trusted create on untrusted tag |
|
| 315 |
- cli.Docker(cli.Args("create", withTagName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 316 |
- ExitCode: 1, |
|
| 317 |
- Err: fmt.Sprintf("does not have trust data for %s", repoName),
|
|
| 318 |
- }) |
|
| 319 |
-} |
|
| 320 |
- |
|
| 321 |
-func (s *DockerTrustSuite) TestTrustedIsolatedCreate(c *check.C) {
|
|
| 322 |
- repoName := s.setupTrustedImage(c, "trusted-isolated-create") |
|
| 323 |
- |
|
| 324 |
- // Try create |
|
| 325 |
- cli.Docker(cli.Args("--config", "/tmp/docker-isolated-create", "create", repoName), trustedCmd).Assert(c, SuccessTagging)
|
|
| 326 |
- defer os.RemoveAll("/tmp/docker-isolated-create")
|
|
| 327 |
- |
|
| 328 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 329 |
-} |
|
| 330 |
- |
|
| 331 |
-func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {
|
|
| 332 |
- repoName := fmt.Sprintf("%v/dockerclievilcreate/trusted:latest", privateRegistryURL)
|
|
| 333 |
- evilLocalConfigDir, err := ioutil.TempDir("", "evilcreate-local-config-dir")
|
|
| 334 |
- c.Assert(err, check.IsNil) |
|
| 335 |
- |
|
| 336 |
- // tag the image and upload it to the private registry |
|
| 337 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 338 |
- cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 339 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 340 |
- |
|
| 341 |
- // Try create |
|
| 342 |
- cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, SuccessTagging)
|
|
| 343 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 344 |
- |
|
| 345 |
- // Kill the notary server, start a new "evil" one. |
|
| 346 |
- s.not.Close() |
|
| 347 |
- s.not, err = newTestNotary(c) |
|
| 348 |
- c.Assert(err, check.IsNil) |
|
| 349 |
- |
|
| 350 |
- // In order to make an evil server, lets re-init a client (with a different trust dir) and push new data. |
|
| 351 |
- // tag an image and upload it to the private registry |
|
| 352 |
- cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName) |
|
| 353 |
- |
|
| 354 |
- // Push up to the new server |
|
| 355 |
- cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 356 |
- |
|
| 357 |
- // Now, try creating with the original client from this new trust server. This should fail because the new root is invalid. |
|
| 358 |
- cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 359 |
- ExitCode: 1, |
|
| 360 |
- Err: "could not rotate trust to a new trusted root", |
|
| 361 |
- }) |
|
| 362 |
-} |
|
| 363 |
- |
|
| 364 | 295 |
func (s *DockerSuite) TestCreateStopSignal(c *check.C) {
|
| 365 | 296 |
name := "test_create_stop_signal" |
| 366 | 297 |
dockerCmd(c, "create", "--name", name, "--stop-signal", "9", "busybox") |
| ... | ... |
@@ -16,7 +16,6 @@ import ( |
| 16 | 16 |
"github.com/docker/docker/integration-cli/daemon" |
| 17 | 17 |
"github.com/docker/docker/integration-cli/fixtures/plugin" |
| 18 | 18 |
"github.com/go-check/check" |
| 19 |
- "github.com/gotestyourself/gotestyourself/icmd" |
|
| 20 | 19 |
"golang.org/x/net/context" |
| 21 | 20 |
) |
| 22 | 21 |
|
| ... | ... |
@@ -352,51 +351,6 @@ func (s *DockerSuite) TestPluginInspectOnWindows(c *check.C) {
|
| 352 | 352 |
c.Assert(err.Error(), checker.Contains, "plugins are not supported on this platform") |
| 353 | 353 |
} |
| 354 | 354 |
|
| 355 |
-func (s *DockerTrustSuite) TestPluginTrustedInstall(c *check.C) {
|
|
| 356 |
- testRequires(c, DaemonIsLinux, IsAmd64, Network) |
|
| 357 |
- |
|
| 358 |
- trustedName := s.setupTrustedplugin(c, pNameWithTag, "trusted-plugin-install") |
|
| 359 |
- |
|
| 360 |
- cli.Docker(cli.Args("plugin", "install", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 361 |
- Out: trustedName, |
|
| 362 |
- }) |
|
| 363 |
- |
|
| 364 |
- out := cli.DockerCmd(c, "plugin", "ls").Combined() |
|
| 365 |
- c.Assert(out, checker.Contains, "true") |
|
| 366 |
- |
|
| 367 |
- out = cli.DockerCmd(c, "plugin", "disable", trustedName).Combined() |
|
| 368 |
- c.Assert(strings.TrimSpace(out), checker.Contains, trustedName) |
|
| 369 |
- |
|
| 370 |
- out = cli.DockerCmd(c, "plugin", "enable", trustedName).Combined() |
|
| 371 |
- c.Assert(strings.TrimSpace(out), checker.Contains, trustedName) |
|
| 372 |
- |
|
| 373 |
- out = cli.DockerCmd(c, "plugin", "rm", "-f", trustedName).Combined() |
|
| 374 |
- c.Assert(strings.TrimSpace(out), checker.Contains, trustedName) |
|
| 375 |
- |
|
| 376 |
- // Try untrusted pull to ensure we pushed the tag to the registry |
|
| 377 |
- cli.Docker(cli.Args("plugin", "install", "--disable-content-trust=true", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, SuccessDownloaded)
|
|
| 378 |
- |
|
| 379 |
- out = cli.DockerCmd(c, "plugin", "ls").Combined() |
|
| 380 |
- c.Assert(out, checker.Contains, "true") |
|
| 381 |
- |
|
| 382 |
-} |
|
| 383 |
- |
|
| 384 |
-func (s *DockerTrustSuite) TestPluginUntrustedInstall(c *check.C) {
|
|
| 385 |
- testRequires(c, DaemonIsLinux, IsAmd64, Network) |
|
| 386 |
- |
|
| 387 |
- pluginName := fmt.Sprintf("%v/dockercliuntrusted/plugintest:latest", privateRegistryURL)
|
|
| 388 |
- // install locally and push to private registry |
|
| 389 |
- cli.DockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", pluginName, pNameWithTag) |
|
| 390 |
- cli.DockerCmd(c, "plugin", "push", pluginName) |
|
| 391 |
- cli.DockerCmd(c, "plugin", "rm", "-f", pluginName) |
|
| 392 |
- |
|
| 393 |
- // Try trusted install on untrusted plugin |
|
| 394 |
- cli.Docker(cli.Args("plugin", "install", "--grant-all-permissions", pluginName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 395 |
- ExitCode: 1, |
|
| 396 |
- Err: "Error: remote trust data does not exist", |
|
| 397 |
- }) |
|
| 398 |
-} |
|
| 399 |
- |
|
| 400 | 355 |
func (ps *DockerPluginSuite) TestPluginIDPrefix(c *check.C) {
|
| 401 | 356 |
name := "test" |
| 402 | 357 |
client := testEnv.APIClient() |
| 403 | 358 |
deleted file mode 100644 |
| ... | ... |
@@ -1,222 +0,0 @@ |
| 1 |
-package main |
|
| 2 |
- |
|
| 3 |
-import ( |
|
| 4 |
- "fmt" |
|
| 5 |
- "io/ioutil" |
|
| 6 |
- |
|
| 7 |
- "github.com/docker/docker/integration-cli/checker" |
|
| 8 |
- "github.com/docker/docker/integration-cli/cli" |
|
| 9 |
- "github.com/docker/docker/integration-cli/cli/build" |
|
| 10 |
- "github.com/go-check/check" |
|
| 11 |
- "github.com/gotestyourself/gotestyourself/icmd" |
|
| 12 |
-) |
|
| 13 |
- |
|
| 14 |
-func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
|
|
| 15 |
- repoName := s.setupTrustedImage(c, "trusted-pull") |
|
| 16 |
- |
|
| 17 |
- // Try pull |
|
| 18 |
- cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
|
| 19 |
- |
|
| 20 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 21 |
- // Try untrusted pull to ensure we pushed the tag to the registry |
|
| 22 |
- cli.Docker(cli.Args("pull", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloaded)
|
|
| 23 |
-} |
|
| 24 |
- |
|
| 25 |
-func (s *DockerTrustSuite) TestTrustedIsolatedPull(c *check.C) {
|
|
| 26 |
- repoName := s.setupTrustedImage(c, "trusted-isolated-pull") |
|
| 27 |
- |
|
| 28 |
- // Try pull (run from isolated directory without trust information) |
|
| 29 |
- cli.Docker(cli.Args("--config", "/tmp/docker-isolated", "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
|
| 30 |
- |
|
| 31 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 32 |
-} |
|
| 33 |
- |
|
| 34 |
-func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {
|
|
| 35 |
- repoName := fmt.Sprintf("%v/dockercliuntrusted/pulltest:latest", privateRegistryURL)
|
|
| 36 |
- // tag the image and upload it to the private registry |
|
| 37 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 38 |
- cli.DockerCmd(c, "push", repoName) |
|
| 39 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 40 |
- |
|
| 41 |
- // Try trusted pull on untrusted tag |
|
| 42 |
- cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 43 |
- ExitCode: 1, |
|
| 44 |
- Err: "Error: remote trust data does not exist", |
|
| 45 |
- }) |
|
| 46 |
-} |
|
| 47 |
- |
|
| 48 |
-func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
|
|
| 49 |
- repoName := fmt.Sprintf("%v/dockerclievilpull/trusted:latest", privateRegistryURL)
|
|
| 50 |
- evilLocalConfigDir, err := ioutil.TempDir("", "evil-local-config-dir")
|
|
| 51 |
- if err != nil {
|
|
| 52 |
- c.Fatalf("Failed to create local temp dir")
|
|
| 53 |
- } |
|
| 54 |
- |
|
| 55 |
- // tag the image and upload it to the private registry |
|
| 56 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 57 |
- |
|
| 58 |
- cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 59 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 60 |
- |
|
| 61 |
- // Try pull |
|
| 62 |
- cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
|
| 63 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 64 |
- |
|
| 65 |
- // Kill the notary server, start a new "evil" one. |
|
| 66 |
- s.not.Close() |
|
| 67 |
- s.not, err = newTestNotary(c) |
|
| 68 |
- |
|
| 69 |
- c.Assert(err, check.IsNil, check.Commentf("Restarting notary server failed."))
|
|
| 70 |
- |
|
| 71 |
- // In order to make an evil server, lets re-init a client (with a different trust dir) and push new data. |
|
| 72 |
- // tag an image and upload it to the private registry |
|
| 73 |
- cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName) |
|
| 74 |
- |
|
| 75 |
- // Push up to the new server |
|
| 76 |
- cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 77 |
- |
|
| 78 |
- // Now, try pulling with the original client from this new trust server. This should fail because the new root is invalid. |
|
| 79 |
- cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 80 |
- ExitCode: 1, |
|
| 81 |
- Err: "could not rotate trust to a new trusted root", |
|
| 82 |
- }) |
|
| 83 |
-} |
|
| 84 |
- |
|
| 85 |
-func (s *DockerTrustSuite) TestTrustedOfflinePull(c *check.C) {
|
|
| 86 |
- repoName := s.setupTrustedImage(c, "trusted-offline-pull") |
|
| 87 |
- |
|
| 88 |
- cli.Docker(cli.Args("pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, icmd.Expected{
|
|
| 89 |
- ExitCode: 1, |
|
| 90 |
- Err: "error contacting notary server", |
|
| 91 |
- }) |
|
| 92 |
- // Do valid trusted pull to warm cache |
|
| 93 |
- cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
|
| 94 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 95 |
- |
|
| 96 |
- // Try pull again with invalid notary server, should use cache |
|
| 97 |
- cli.Docker(cli.Args("pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, SuccessTagging)
|
|
| 98 |
-} |
|
| 99 |
- |
|
| 100 |
-func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
|
|
| 101 |
- repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, "trusted-pull-delete")
|
|
| 102 |
- // tag the image and upload it to the private registry |
|
| 103 |
- cli.BuildCmd(c, repoName, build.WithDockerfile(` |
|
| 104 |
- FROM busybox |
|
| 105 |
- CMD echo trustedpulldelete |
|
| 106 |
- `)) |
|
| 107 |
- cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 108 |
- |
|
| 109 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 110 |
- |
|
| 111 |
- // Try pull |
|
| 112 |
- result := cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Success)
|
|
| 113 |
- |
|
| 114 |
- matches := digestRegex.FindStringSubmatch(result.Combined()) |
|
| 115 |
- c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", result.Combined()))
|
|
| 116 |
- pullDigest := matches[1] |
|
| 117 |
- |
|
| 118 |
- imageID := inspectField(c, repoName, "Id") |
|
| 119 |
- |
|
| 120 |
- imageByDigest := repoName + "@" + pullDigest |
|
| 121 |
- byDigestID := inspectField(c, imageByDigest, "Id") |
|
| 122 |
- |
|
| 123 |
- c.Assert(byDigestID, checker.Equals, imageID) |
|
| 124 |
- |
|
| 125 |
- // rmi of tag should also remove the digest reference |
|
| 126 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 127 |
- |
|
| 128 |
- _, err := inspectFieldWithError(imageByDigest, "Id") |
|
| 129 |
- c.Assert(err, checker.NotNil, check.Commentf("digest reference should have been removed"))
|
|
| 130 |
- |
|
| 131 |
- _, err = inspectFieldWithError(imageID, "Id") |
|
| 132 |
- c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
|
|
| 133 |
-} |
|
| 134 |
- |
|
| 135 |
-func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
|
|
| 136 |
- testRequires(c, NotaryHosting) |
|
| 137 |
- repoName := fmt.Sprintf("%v/dockerclireleasesdelegationpulling/trusted", privateRegistryURL)
|
|
| 138 |
- targetName := fmt.Sprintf("%s:latest", repoName)
|
|
| 139 |
- |
|
| 140 |
- // Push with targets first, initializing the repo |
|
| 141 |
- cli.DockerCmd(c, "tag", "busybox", targetName) |
|
| 142 |
- cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
|
|
| 143 |
- s.assertTargetInRoles(c, repoName, "latest", "targets") |
|
| 144 |
- |
|
| 145 |
- // Try pull, check we retrieve from targets role |
|
| 146 |
- cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 147 |
- Err: "retrieving target for targets role", |
|
| 148 |
- }) |
|
| 149 |
- |
|
| 150 |
- // Now we'll create the releases role, and try pushing and pulling |
|
| 151 |
- s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public) |
|
| 152 |
- s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private) |
|
| 153 |
- s.notaryPublish(c, repoName) |
|
| 154 |
- |
|
| 155 |
- // try a pull, check that we can still pull because we can still read the |
|
| 156 |
- // old tag in the targets role |
|
| 157 |
- cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 158 |
- Err: "retrieving target for targets role", |
|
| 159 |
- }) |
|
| 160 |
- |
|
| 161 |
- // try a pull -a, check that it succeeds because we can still pull from the |
|
| 162 |
- // targets role |
|
| 163 |
- cli.Docker(cli.Args("-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Success)
|
|
| 164 |
- |
|
| 165 |
- // Push, should sign with targets/releases |
|
| 166 |
- cli.DockerCmd(c, "tag", "busybox", targetName) |
|
| 167 |
- cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
|
|
| 168 |
- s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases") |
|
| 169 |
- |
|
| 170 |
- // Try pull, check we retrieve from targets/releases role |
|
| 171 |
- cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 172 |
- Err: "retrieving target for targets/releases role", |
|
| 173 |
- }) |
|
| 174 |
- |
|
| 175 |
- // Create another delegation that we'll sign with |
|
| 176 |
- s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[1].Public) |
|
| 177 |
- s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private) |
|
| 178 |
- s.notaryPublish(c, repoName) |
|
| 179 |
- |
|
| 180 |
- cli.DockerCmd(c, "tag", "busybox", targetName) |
|
| 181 |
- cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
|
|
| 182 |
- s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases", "targets/other") |
|
| 183 |
- |
|
| 184 |
- // Try pull, check we retrieve from targets/releases role |
|
| 185 |
- cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 186 |
- Err: "retrieving target for targets/releases role", |
|
| 187 |
- }) |
|
| 188 |
-} |
|
| 189 |
- |
|
| 190 |
-func (s *DockerTrustSuite) TestTrustedPullIgnoresOtherDelegationRoles(c *check.C) {
|
|
| 191 |
- testRequires(c, NotaryHosting) |
|
| 192 |
- repoName := fmt.Sprintf("%v/dockerclipullotherdelegation/trusted", privateRegistryURL)
|
|
| 193 |
- targetName := fmt.Sprintf("%s:latest", repoName)
|
|
| 194 |
- |
|
| 195 |
- // We'll create a repo first with a non-release delegation role, so that when we |
|
| 196 |
- // push we'll sign it into the delegation role |
|
| 197 |
- s.notaryInitRepo(c, repoName) |
|
| 198 |
- s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[0].Public) |
|
| 199 |
- s.notaryImportKey(c, repoName, "targets/other", s.not.keys[0].Private) |
|
| 200 |
- s.notaryPublish(c, repoName) |
|
| 201 |
- |
|
| 202 |
- // Push should write to the delegation role, not targets |
|
| 203 |
- cli.DockerCmd(c, "tag", "busybox", targetName) |
|
| 204 |
- cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
|
|
| 205 |
- s.assertTargetInRoles(c, repoName, "latest", "targets/other") |
|
| 206 |
- s.assertTargetNotInRoles(c, repoName, "latest", "targets") |
|
| 207 |
- |
|
| 208 |
- // Try pull - we should fail, since pull will only pull from the targets/releases |
|
| 209 |
- // role or the targets role |
|
| 210 |
- cli.DockerCmd(c, "tag", "busybox", targetName) |
|
| 211 |
- cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 212 |
- ExitCode: 1, |
|
| 213 |
- Err: "No trust data for", |
|
| 214 |
- }) |
|
| 215 |
- |
|
| 216 |
- // try a pull -a: we should fail since pull will only pull from the targets/releases |
|
| 217 |
- // role or the targets role |
|
| 218 |
- cli.Docker(cli.Args("-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 219 |
- ExitCode: 1, |
|
| 220 |
- Err: "No trusted tags for", |
|
| 221 |
- }) |
|
| 222 |
-} |
| ... | ... |
@@ -7,14 +7,11 @@ import ( |
| 7 | 7 |
"net/http" |
| 8 | 8 |
"net/http/httptest" |
| 9 | 9 |
"os" |
| 10 |
- "path/filepath" |
|
| 11 | 10 |
"strings" |
| 12 | 11 |
"sync" |
| 13 | 12 |
|
| 14 | 13 |
"github.com/docker/distribution/reference" |
| 15 |
- "github.com/docker/docker/cli/config" |
|
| 16 | 14 |
"github.com/docker/docker/integration-cli/checker" |
| 17 |
- "github.com/docker/docker/integration-cli/cli" |
|
| 18 | 15 |
"github.com/docker/docker/integration-cli/cli/build" |
| 19 | 16 |
"github.com/go-check/check" |
| 20 | 17 |
"github.com/gotestyourself/gotestyourself/icmd" |
| ... | ... |
@@ -281,225 +278,6 @@ func (s *DockerSchema1RegistrySuite) TestCrossRepositoryLayerPushNotSupported(c |
| 281 | 281 |
c.Assert(out3, check.Equals, "hello world") |
| 282 | 282 |
} |
| 283 | 283 |
|
| 284 |
-func (s *DockerTrustSuite) TestTrustedPush(c *check.C) {
|
|
| 285 |
- repoName := fmt.Sprintf("%v/dockerclitrusted/pushtest:latest", privateRegistryURL)
|
|
| 286 |
- // tag the image and upload it to the private registry |
|
| 287 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 288 |
- |
|
| 289 |
- cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 290 |
- |
|
| 291 |
- // Try pull after push |
|
| 292 |
- cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 293 |
- Out: "Status: Image is up to date", |
|
| 294 |
- }) |
|
| 295 |
- |
|
| 296 |
- // Assert that we rotated the snapshot key to the server by checking our local keystore |
|
| 297 |
- contents, err := ioutil.ReadDir(filepath.Join(config.Dir(), "trust/private/tuf_keys", privateRegistryURL, "dockerclitrusted/pushtest")) |
|
| 298 |
- c.Assert(err, check.IsNil, check.Commentf("Unable to read local tuf key files"))
|
|
| 299 |
- // Check that we only have 1 key (targets key) |
|
| 300 |
- c.Assert(contents, checker.HasLen, 1) |
|
| 301 |
-} |
|
| 302 |
- |
|
| 303 |
-func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) {
|
|
| 304 |
- repoName := fmt.Sprintf("%v/dockerclienv/trusted:latest", privateRegistryURL)
|
|
| 305 |
- // tag the image and upload it to the private registry |
|
| 306 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 307 |
- |
|
| 308 |
- cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "12345678")).Assert(c, SuccessSigningAndPushing)
|
|
| 309 |
- |
|
| 310 |
- // Try pull after push |
|
| 311 |
- cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 312 |
- Out: "Status: Image is up to date", |
|
| 313 |
- }) |
|
| 314 |
-} |
|
| 315 |
- |
|
| 316 |
-func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) {
|
|
| 317 |
- repoName := fmt.Sprintf("%v/dockerclitrusted/failingserver:latest", privateRegistryURL)
|
|
| 318 |
- // tag the image and upload it to the private registry |
|
| 319 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 320 |
- |
|
| 321 |
- // Using a name that doesn't resolve to an address makes this test faster |
|
| 322 |
- cli.Docker(cli.Args("push", repoName), trustedCmdWithServer("https://server.invalid:81/")).Assert(c, icmd.Expected{
|
|
| 323 |
- ExitCode: 1, |
|
| 324 |
- Err: "error contacting notary server", |
|
| 325 |
- }) |
|
| 326 |
-} |
|
| 327 |
- |
|
| 328 |
-func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) {
|
|
| 329 |
- repoName := fmt.Sprintf("%v/dockerclitrusted/trustedandnot:latest", privateRegistryURL)
|
|
| 330 |
- // tag the image and upload it to the private registry |
|
| 331 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 332 |
- |
|
| 333 |
- result := cli.Docker(cli.Args("push", "--disable-content-trust", repoName), trustedCmdWithServer("https://server.invalid:81/"))
|
|
| 334 |
- result.Assert(c, icmd.Success) |
|
| 335 |
- c.Assert(result.Combined(), check.Not(checker.Contains), "Error establishing connection to notary repository", check.Commentf("Missing expected output on trusted push with --disable-content-trust:"))
|
|
| 336 |
-} |
|
| 337 |
- |
|
| 338 |
-func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) {
|
|
| 339 |
- repoName := fmt.Sprintf("%v/dockerclitag/trusted:latest", privateRegistryURL)
|
|
| 340 |
- // tag the image and upload it to the private registry |
|
| 341 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 342 |
- cli.DockerCmd(c, "push", repoName) |
|
| 343 |
- |
|
| 344 |
- cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 345 |
- |
|
| 346 |
- // Try pull after push |
|
| 347 |
- cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 348 |
- Out: "Status: Image is up to date", |
|
| 349 |
- }) |
|
| 350 |
-} |
|
| 351 |
- |
|
| 352 |
-func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) {
|
|
| 353 |
- repoName := fmt.Sprintf("%v/dockerclipushpush/trusted:latest", privateRegistryURL)
|
|
| 354 |
- // tag the image and upload it to the private registry |
|
| 355 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 356 |
- |
|
| 357 |
- // Do a trusted push |
|
| 358 |
- cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 359 |
- |
|
| 360 |
- // Do another trusted push |
|
| 361 |
- cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 362 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 363 |
- |
|
| 364 |
- // Try pull to ensure the double push did not break our ability to pull |
|
| 365 |
- cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessDownloaded)
|
|
| 366 |
-} |
|
| 367 |
- |
|
| 368 |
-func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *check.C) {
|
|
| 369 |
- repoName := fmt.Sprintf("%v/dockercliincorretpwd/trusted:latest", privateRegistryURL)
|
|
| 370 |
- // tag the image and upload it to the private registry |
|
| 371 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 372 |
- |
|
| 373 |
- // Push with default passphrases |
|
| 374 |
- cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 375 |
- |
|
| 376 |
- // Push with wrong passphrases |
|
| 377 |
- cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "87654321")).Assert(c, icmd.Expected{
|
|
| 378 |
- ExitCode: 1, |
|
| 379 |
- Err: "could not find necessary signing keys", |
|
| 380 |
- }) |
|
| 381 |
-} |
|
| 382 |
- |
|
| 383 |
-func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) {
|
|
| 384 |
- testRequires(c, NotaryHosting) |
|
| 385 |
- repoName := fmt.Sprintf("%v/dockerclireleasedelegationinitfirst/trusted", privateRegistryURL)
|
|
| 386 |
- targetName := fmt.Sprintf("%s:latest", repoName)
|
|
| 387 |
- s.notaryInitRepo(c, repoName) |
|
| 388 |
- s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public) |
|
| 389 |
- s.notaryPublish(c, repoName) |
|
| 390 |
- |
|
| 391 |
- s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private) |
|
| 392 |
- |
|
| 393 |
- // tag the image and upload it to the private registry |
|
| 394 |
- cli.DockerCmd(c, "tag", "busybox", targetName) |
|
| 395 |
- |
|
| 396 |
- cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 397 |
- // check to make sure that the target has been added to targets/releases and not targets |
|
| 398 |
- s.assertTargetInRoles(c, repoName, "latest", "targets/releases") |
|
| 399 |
- s.assertTargetNotInRoles(c, repoName, "latest", "targets") |
|
| 400 |
- |
|
| 401 |
- // Try pull after push |
|
| 402 |
- os.RemoveAll(filepath.Join(config.Dir(), "trust")) |
|
| 403 |
- |
|
| 404 |
- cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 405 |
- Out: "Status: Image is up to date", |
|
| 406 |
- }) |
|
| 407 |
-} |
|
| 408 |
- |
|
| 409 |
-func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c *check.C) {
|
|
| 410 |
- testRequires(c, NotaryHosting) |
|
| 411 |
- repoName := fmt.Sprintf("%v/dockerclimanyroles/trusted", privateRegistryURL)
|
|
| 412 |
- targetName := fmt.Sprintf("%s:latest", repoName)
|
|
| 413 |
- s.notaryInitRepo(c, repoName) |
|
| 414 |
- s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public) |
|
| 415 |
- s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public) |
|
| 416 |
- s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public) |
|
| 417 |
- |
|
| 418 |
- // import everything except the third key |
|
| 419 |
- s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private) |
|
| 420 |
- s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private) |
|
| 421 |
- |
|
| 422 |
- s.notaryCreateDelegation(c, repoName, "targets/role1/subrole", s.not.keys[3].Public) |
|
| 423 |
- s.notaryImportKey(c, repoName, "targets/role1/subrole", s.not.keys[3].Private) |
|
| 424 |
- |
|
| 425 |
- s.notaryPublish(c, repoName) |
|
| 426 |
- |
|
| 427 |
- // tag the image and upload it to the private registry |
|
| 428 |
- cli.DockerCmd(c, "tag", "busybox", targetName) |
|
| 429 |
- |
|
| 430 |
- cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 431 |
- |
|
| 432 |
- // check to make sure that the target has been added to targets/role1 and targets/role2, and |
|
| 433 |
- // not targets (because there are delegations) or targets/role3 (due to missing key) or |
|
| 434 |
- // targets/role1/subrole (due to it being a second level delegation) |
|
| 435 |
- s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role2") |
|
| 436 |
- s.assertTargetNotInRoles(c, repoName, "latest", "targets") |
|
| 437 |
- |
|
| 438 |
- // Try pull after push |
|
| 439 |
- os.RemoveAll(filepath.Join(config.Dir(), "trust")) |
|
| 440 |
- |
|
| 441 |
- // pull should fail because none of these are the releases role |
|
| 442 |
- cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 443 |
- ExitCode: 1, |
|
| 444 |
- }) |
|
| 445 |
-} |
|
| 446 |
- |
|
| 447 |
-func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *check.C) {
|
|
| 448 |
- repoName := fmt.Sprintf("%v/dockerclirolesbykeysandpaths/trusted", privateRegistryURL)
|
|
| 449 |
- targetName := fmt.Sprintf("%s:latest", repoName)
|
|
| 450 |
- s.notaryInitRepo(c, repoName) |
|
| 451 |
- s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public, "l", "z") |
|
| 452 |
- s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public, "x", "y") |
|
| 453 |
- s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public, "latest") |
|
| 454 |
- s.notaryCreateDelegation(c, repoName, "targets/role4", s.not.keys[3].Public, "latest") |
|
| 455 |
- |
|
| 456 |
- // import everything except the third key |
|
| 457 |
- s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private) |
|
| 458 |
- s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private) |
|
| 459 |
- s.notaryImportKey(c, repoName, "targets/role4", s.not.keys[3].Private) |
|
| 460 |
- |
|
| 461 |
- s.notaryPublish(c, repoName) |
|
| 462 |
- |
|
| 463 |
- // tag the image and upload it to the private registry |
|
| 464 |
- cli.DockerCmd(c, "tag", "busybox", targetName) |
|
| 465 |
- |
|
| 466 |
- cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 467 |
- |
|
| 468 |
- // check to make sure that the target has been added to targets/role1 and targets/role4, and |
|
| 469 |
- // not targets (because there are delegations) or targets/role2 (due to path restrictions) or |
|
| 470 |
- // targets/role3 (due to missing key) |
|
| 471 |
- s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role4") |
|
| 472 |
- s.assertTargetNotInRoles(c, repoName, "latest", "targets") |
|
| 473 |
- |
|
| 474 |
- // Try pull after push |
|
| 475 |
- os.RemoveAll(filepath.Join(config.Dir(), "trust")) |
|
| 476 |
- |
|
| 477 |
- // pull should fail because none of these are the releases role |
|
| 478 |
- cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 479 |
- ExitCode: 1, |
|
| 480 |
- }) |
|
| 481 |
-} |
|
| 482 |
- |
|
| 483 |
-func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c *check.C) {
|
|
| 484 |
- testRequires(c, NotaryHosting) |
|
| 485 |
- repoName := fmt.Sprintf("%v/dockerclireleasedelegationnotsignable/trusted", privateRegistryURL)
|
|
| 486 |
- targetName := fmt.Sprintf("%s:latest", repoName)
|
|
| 487 |
- s.notaryInitRepo(c, repoName) |
|
| 488 |
- s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public) |
|
| 489 |
- s.notaryPublish(c, repoName) |
|
| 490 |
- |
|
| 491 |
- // do not import any delegations key |
|
| 492 |
- |
|
| 493 |
- // tag the image and upload it to the private registry |
|
| 494 |
- cli.DockerCmd(c, "tag", "busybox", targetName) |
|
| 495 |
- |
|
| 496 |
- cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 497 |
- ExitCode: 1, |
|
| 498 |
- Err: "no valid signing keys", |
|
| 499 |
- }) |
|
| 500 |
- s.assertTargetNotInRoles(c, repoName, "latest", "targets", "targets/role1") |
|
| 501 |
-} |
|
| 502 |
- |
|
| 503 | 284 |
func (s *DockerRegistryAuthHtpasswdSuite) TestPushNoCredentialsNoRetry(c *check.C) {
|
| 504 | 285 |
repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
|
| 505 | 286 |
dockerCmd(c, "tag", "busybox", repoName) |
| ... | ... |
@@ -3140,75 +3140,6 @@ func (s *DockerSuite) TestRunNetworkFilesBindMountROFilesystem(c *check.C) {
|
| 3140 | 3140 |
} |
| 3141 | 3141 |
} |
| 3142 | 3142 |
|
| 3143 |
-func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {
|
|
| 3144 |
- // Windows does not support this functionality |
|
| 3145 |
- testRequires(c, DaemonIsLinux) |
|
| 3146 |
- repoName := s.setupTrustedImage(c, "trusted-run") |
|
| 3147 |
- |
|
| 3148 |
- // Try run |
|
| 3149 |
- cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, SuccessTagging)
|
|
| 3150 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 3151 |
- |
|
| 3152 |
- // Try untrusted run to ensure we pushed the tag to the registry |
|
| 3153 |
- cli.Docker(cli.Args("run", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloadedOnStderr)
|
|
| 3154 |
-} |
|
| 3155 |
- |
|
| 3156 |
-func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) {
|
|
| 3157 |
- // Windows does not support this functionality |
|
| 3158 |
- testRequires(c, DaemonIsLinux) |
|
| 3159 |
- repoName := fmt.Sprintf("%v/dockercliuntrusted/runtest:latest", privateRegistryURL)
|
|
| 3160 |
- // tag the image and upload it to the private registry |
|
| 3161 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 3162 |
- cli.DockerCmd(c, "push", repoName) |
|
| 3163 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 3164 |
- |
|
| 3165 |
- // Try trusted run on untrusted tag |
|
| 3166 |
- cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 3167 |
- ExitCode: 125, |
|
| 3168 |
- Err: "does not have trust data for", |
|
| 3169 |
- }) |
|
| 3170 |
-} |
|
| 3171 |
- |
|
| 3172 |
-func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
|
|
| 3173 |
- // Windows does not support this functionality |
|
| 3174 |
- testRequires(c, DaemonIsLinux) |
|
| 3175 |
- repoName := fmt.Sprintf("%v/dockerclievilrun/trusted:latest", privateRegistryURL)
|
|
| 3176 |
- evilLocalConfigDir, err := ioutil.TempDir("", "evilrun-local-config-dir")
|
|
| 3177 |
- if err != nil {
|
|
| 3178 |
- c.Fatalf("Failed to create local temp dir")
|
|
| 3179 |
- } |
|
| 3180 |
- |
|
| 3181 |
- // tag the image and upload it to the private registry |
|
| 3182 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 3183 |
- |
|
| 3184 |
- cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 3185 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 3186 |
- |
|
| 3187 |
- // Try run |
|
| 3188 |
- cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, SuccessTagging)
|
|
| 3189 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 3190 |
- |
|
| 3191 |
- // Kill the notary server, start a new "evil" one. |
|
| 3192 |
- s.not.Close() |
|
| 3193 |
- s.not, err = newTestNotary(c) |
|
| 3194 |
- if err != nil {
|
|
| 3195 |
- c.Fatalf("Restarting notary server failed.")
|
|
| 3196 |
- } |
|
| 3197 |
- |
|
| 3198 |
- // In order to make an evil server, lets re-init a client (with a different trust dir) and push new data. |
|
| 3199 |
- // tag an image and upload it to the private registry |
|
| 3200 |
- cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName) |
|
| 3201 |
- |
|
| 3202 |
- // Push up to the new server |
|
| 3203 |
- cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 3204 |
- |
|
| 3205 |
- // Now, try running with the original client from this new trust server. This should fail because the new root is invalid. |
|
| 3206 |
- cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, icmd.Expected{
|
|
| 3207 |
- ExitCode: 125, |
|
| 3208 |
- Err: "could not rotate trust to a new trusted root", |
|
| 3209 |
- }) |
|
| 3210 |
-} |
|
| 3211 |
- |
|
| 3212 | 3143 |
func (s *DockerSuite) TestPtraceContainerProcsFromHost(c *check.C) {
|
| 3213 | 3144 |
// Not applicable on Windows as uses Unix specific functionality |
| 3214 | 3145 |
testRequires(c, DaemonIsLinux, SameHostDaemon) |
| ... | ... |
@@ -1560,78 +1560,6 @@ func (s *DockerSwarmSuite) TestSwarmNetworkIPAMOptions(c *check.C) {
|
| 1560 | 1560 |
c.Assert(strings.TrimSpace(out), checker.Contains, "com.docker.network.ipam.serial:true") |
| 1561 | 1561 |
} |
| 1562 | 1562 |
|
| 1563 |
-func (s *DockerTrustedSwarmSuite) TestTrustedServiceCreate(c *check.C) {
|
|
| 1564 |
- d := s.swarmSuite.AddDaemon(c, true, true) |
|
| 1565 |
- |
|
| 1566 |
- // Attempt creating a service from an image that is known to notary. |
|
| 1567 |
- repoName := s.trustSuite.setupTrustedImage(c, "trusted-pull") |
|
| 1568 |
- |
|
| 1569 |
- name := "trusted" |
|
| 1570 |
- cli.Docker(cli.Args("-D", "service", "create", "--detach", "--no-resolve-image", "--name", name, repoName, "top"), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
|
|
| 1571 |
- Err: "resolved image tag to", |
|
| 1572 |
- }) |
|
| 1573 |
- |
|
| 1574 |
- out, err := d.Cmd("service", "inspect", "--pretty", name)
|
|
| 1575 |
- c.Assert(err, checker.IsNil, check.Commentf(out)) |
|
| 1576 |
- c.Assert(out, checker.Contains, repoName+"@", check.Commentf(out)) |
|
| 1577 |
- |
|
| 1578 |
- // Try trusted service create on an untrusted tag. |
|
| 1579 |
- |
|
| 1580 |
- repoName = fmt.Sprintf("%v/untrustedservicecreate/createtest:latest", privateRegistryURL)
|
|
| 1581 |
- // tag the image and upload it to the private registry |
|
| 1582 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 1583 |
- cli.DockerCmd(c, "push", repoName) |
|
| 1584 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 1585 |
- |
|
| 1586 |
- name = "untrusted" |
|
| 1587 |
- cli.Docker(cli.Args("service", "create", "--detach", "--no-resolve-image", "--name", name, repoName, "top"), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
|
|
| 1588 |
- ExitCode: 1, |
|
| 1589 |
- Err: "Error: remote trust data does not exist", |
|
| 1590 |
- }) |
|
| 1591 |
- |
|
| 1592 |
- out, err = d.Cmd("service", "inspect", "--pretty", name)
|
|
| 1593 |
- c.Assert(err, checker.NotNil, check.Commentf(out)) |
|
| 1594 |
-} |
|
| 1595 |
- |
|
| 1596 |
-func (s *DockerTrustedSwarmSuite) TestTrustedServiceUpdate(c *check.C) {
|
|
| 1597 |
- d := s.swarmSuite.AddDaemon(c, true, true) |
|
| 1598 |
- |
|
| 1599 |
- // Attempt creating a service from an image that is known to notary. |
|
| 1600 |
- repoName := s.trustSuite.setupTrustedImage(c, "trusted-pull") |
|
| 1601 |
- |
|
| 1602 |
- name := "myservice" |
|
| 1603 |
- |
|
| 1604 |
- // Create a service without content trust |
|
| 1605 |
- cli.Docker(cli.Args("service", "create", "--detach", "--no-resolve-image", "--name", name, repoName, "top"), cli.Daemon(d.Daemon)).Assert(c, icmd.Success)
|
|
| 1606 |
- |
|
| 1607 |
- result := cli.Docker(cli.Args("service", "inspect", "--pretty", name), cli.Daemon(d.Daemon))
|
|
| 1608 |
- c.Assert(result.Error, checker.IsNil, check.Commentf(result.Combined())) |
|
| 1609 |
- // Daemon won't insert the digest because this is disabled by |
|
| 1610 |
- // DOCKER_SERVICE_PREFER_OFFLINE_IMAGE. |
|
| 1611 |
- c.Assert(result.Combined(), check.Not(checker.Contains), repoName+"@", check.Commentf(result.Combined())) |
|
| 1612 |
- |
|
| 1613 |
- cli.Docker(cli.Args("-D", "service", "update", "--detach", "--no-resolve-image", "--image", repoName, name), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
|
|
| 1614 |
- Err: "resolved image tag to", |
|
| 1615 |
- }) |
|
| 1616 |
- |
|
| 1617 |
- cli.Docker(cli.Args("service", "inspect", "--pretty", name), cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
|
|
| 1618 |
- Out: repoName + "@", |
|
| 1619 |
- }) |
|
| 1620 |
- |
|
| 1621 |
- // Try trusted service update on an untrusted tag. |
|
| 1622 |
- |
|
| 1623 |
- repoName = fmt.Sprintf("%v/untrustedservicecreate/createtest:latest", privateRegistryURL)
|
|
| 1624 |
- // tag the image and upload it to the private registry |
|
| 1625 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 1626 |
- cli.DockerCmd(c, "push", repoName) |
|
| 1627 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 1628 |
- |
|
| 1629 |
- cli.Docker(cli.Args("service", "update", "--detach", "--no-resolve-image", "--image", repoName, name), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
|
|
| 1630 |
- ExitCode: 1, |
|
| 1631 |
- Err: "Error: remote trust data does not exist", |
|
| 1632 |
- }) |
|
| 1633 |
-} |
|
| 1634 |
- |
|
| 1635 | 1563 |
// Test case for issue #27866, which did not allow NW name that is the prefix of a swarm NW ID. |
| 1636 | 1564 |
// e.g. if the ingress ID starts with "n1", it was impossible to create a NW named "n1". |
| 1637 | 1565 |
func (s *DockerSwarmSuite) TestSwarmNetworkCreateIssue27866(c *check.C) {
|
| ... | ... |
@@ -202,12 +202,6 @@ func buildImage(name string, cmdOperators ...cli.CmdOperator) *icmd.Result {
|
| 202 | 202 |
return cli.Docker(cli.Build(name), cmdOperators...) |
| 203 | 203 |
} |
| 204 | 204 |
|
| 205 |
-// Deprecated: use trustedcmd |
|
| 206 |
-func trustedBuild(cmd *icmd.Cmd) func() {
|
|
| 207 |
- trustedCmd(cmd) |
|
| 208 |
- return nil |
|
| 209 |
-} |
|
| 210 |
- |
|
| 211 | 205 |
// Write `content` to the file at path `dst`, creating it if necessary, |
| 212 | 206 |
// as well as any missing directories. |
| 213 | 207 |
// The file is truncated if it already exists. |
| ... | ... |
@@ -306,13 +300,6 @@ func setupRegistry(c *check.C, schema1 bool, auth, tokenURL string) *registry.V2 |
| 306 | 306 |
return reg |
| 307 | 307 |
} |
| 308 | 308 |
|
| 309 |
-func setupNotary(c *check.C) *testNotary {
|
|
| 310 |
- ts, err := newTestNotary(c) |
|
| 311 |
- c.Assert(err, check.IsNil) |
|
| 312 |
- |
|
| 313 |
- return ts |
|
| 314 |
-} |
|
| 315 |
- |
|
| 316 | 309 |
// appendBaseEnv appends the minimum set of environment variables to exec the |
| 317 | 310 |
// docker cli binary for testing with correct configuration to the given env |
| 318 | 311 |
// list. |
| ... | ... |
@@ -112,22 +112,6 @@ func Apparmor() bool {
|
| 112 | 112 |
return err == nil && len(buf) > 1 && buf[0] == 'Y' |
| 113 | 113 |
} |
| 114 | 114 |
|
| 115 |
-func NotaryHosting() bool {
|
|
| 116 |
- // for now notary binary is built only if we're running inside |
|
| 117 |
- // container through `make test`. Figure that out by testing if |
|
| 118 |
- // notary-server binary is in PATH. |
|
| 119 |
- _, err := exec.LookPath(notaryServerBinary) |
|
| 120 |
- return err == nil |
|
| 121 |
-} |
|
| 122 |
- |
|
| 123 |
-func NotaryServerHosting() bool {
|
|
| 124 |
- // for now notary-server binary is built only if we're running inside |
|
| 125 |
- // container through `make test`. Figure that out by testing if |
|
| 126 |
- // notary-server binary is in PATH. |
|
| 127 |
- _, err := exec.LookPath(notaryServerBinary) |
|
| 128 |
- return err == nil |
|
| 129 |
-} |
|
| 130 |
- |
|
| 131 | 115 |
func Devicemapper() bool {
|
| 132 | 116 |
return strings.HasPrefix(testEnv.DaemonInfo.Driver, "devicemapper") |
| 133 | 117 |
} |
| 134 | 118 |
deleted file mode 100644 |
| ... | ... |
@@ -1,334 +0,0 @@ |
| 1 |
-package main |
|
| 2 |
- |
|
| 3 |
-import ( |
|
| 4 |
- "context" |
|
| 5 |
- "fmt" |
|
| 6 |
- "io/ioutil" |
|
| 7 |
- "net" |
|
| 8 |
- "net/http" |
|
| 9 |
- "os" |
|
| 10 |
- "os/exec" |
|
| 11 |
- "path/filepath" |
|
| 12 |
- "strings" |
|
| 13 |
- "time" |
|
| 14 |
- |
|
| 15 |
- "github.com/docker/docker/api/types" |
|
| 16 |
- cliconfig "github.com/docker/docker/cli/config" |
|
| 17 |
- "github.com/docker/docker/integration-cli/checker" |
|
| 18 |
- "github.com/docker/docker/integration-cli/cli" |
|
| 19 |
- "github.com/docker/docker/integration-cli/fixtures/plugin" |
|
| 20 |
- "github.com/docker/go-connections/tlsconfig" |
|
| 21 |
- "github.com/go-check/check" |
|
| 22 |
- "github.com/gotestyourself/gotestyourself/icmd" |
|
| 23 |
-) |
|
| 24 |
- |
|
| 25 |
-var notaryBinary = "notary" |
|
| 26 |
-var notaryServerBinary = "notary-server" |
|
| 27 |
- |
|
| 28 |
-type keyPair struct {
|
|
| 29 |
- Public string |
|
| 30 |
- Private string |
|
| 31 |
-} |
|
| 32 |
- |
|
| 33 |
-type testNotary struct {
|
|
| 34 |
- cmd *exec.Cmd |
|
| 35 |
- dir string |
|
| 36 |
- keys []keyPair |
|
| 37 |
-} |
|
| 38 |
- |
|
| 39 |
-const notaryHost = "localhost:4443" |
|
| 40 |
-const notaryURL = "https://" + notaryHost |
|
| 41 |
- |
|
| 42 |
-var SuccessTagging = icmd.Expected{
|
|
| 43 |
- Out: "Tagging", |
|
| 44 |
-} |
|
| 45 |
- |
|
| 46 |
-var SuccessSigningAndPushing = icmd.Expected{
|
|
| 47 |
- Out: "Signing and pushing trust metadata", |
|
| 48 |
-} |
|
| 49 |
- |
|
| 50 |
-var SuccessDownloaded = icmd.Expected{
|
|
| 51 |
- Out: "Status: Downloaded", |
|
| 52 |
-} |
|
| 53 |
- |
|
| 54 |
-var SuccessDownloadedOnStderr = icmd.Expected{
|
|
| 55 |
- Err: "Status: Downloaded", |
|
| 56 |
-} |
|
| 57 |
- |
|
| 58 |
-func newTestNotary(c *check.C) (*testNotary, error) {
|
|
| 59 |
- // generate server config |
|
| 60 |
- template := `{
|
|
| 61 |
- "server": {
|
|
| 62 |
- "http_addr": "%s", |
|
| 63 |
- "tls_key_file": "%s", |
|
| 64 |
- "tls_cert_file": "%s" |
|
| 65 |
- }, |
|
| 66 |
- "trust_service": {
|
|
| 67 |
- "type": "local", |
|
| 68 |
- "hostname": "", |
|
| 69 |
- "port": "", |
|
| 70 |
- "key_algorithm": "ed25519" |
|
| 71 |
- }, |
|
| 72 |
- "logging": {
|
|
| 73 |
- "level": "debug" |
|
| 74 |
- }, |
|
| 75 |
- "storage": {
|
|
| 76 |
- "backend": "memory" |
|
| 77 |
- } |
|
| 78 |
-}` |
|
| 79 |
- tmp, err := ioutil.TempDir("", "notary-test-")
|
|
| 80 |
- if err != nil {
|
|
| 81 |
- return nil, err |
|
| 82 |
- } |
|
| 83 |
- confPath := filepath.Join(tmp, "config.json") |
|
| 84 |
- config, err := os.Create(confPath) |
|
| 85 |
- if err != nil {
|
|
| 86 |
- return nil, err |
|
| 87 |
- } |
|
| 88 |
- defer config.Close() |
|
| 89 |
- |
|
| 90 |
- workingDir, err := os.Getwd() |
|
| 91 |
- if err != nil {
|
|
| 92 |
- return nil, err |
|
| 93 |
- } |
|
| 94 |
- if _, err := fmt.Fprintf(config, template, notaryHost, filepath.Join(workingDir, "fixtures/notary/localhost.key"), filepath.Join(workingDir, "fixtures/notary/localhost.cert")); err != nil {
|
|
| 95 |
- os.RemoveAll(tmp) |
|
| 96 |
- return nil, err |
|
| 97 |
- } |
|
| 98 |
- |
|
| 99 |
- // generate client config |
|
| 100 |
- clientConfPath := filepath.Join(tmp, "client-config.json") |
|
| 101 |
- clientConfig, err := os.Create(clientConfPath) |
|
| 102 |
- if err != nil {
|
|
| 103 |
- return nil, err |
|
| 104 |
- } |
|
| 105 |
- defer clientConfig.Close() |
|
| 106 |
- |
|
| 107 |
- template = `{
|
|
| 108 |
- "trust_dir" : "%s", |
|
| 109 |
- "remote_server": {
|
|
| 110 |
- "url": "%s", |
|
| 111 |
- "skipTLSVerify": true |
|
| 112 |
- } |
|
| 113 |
-}` |
|
| 114 |
- if _, err = fmt.Fprintf(clientConfig, template, filepath.Join(cliconfig.Dir(), "trust"), notaryURL); err != nil {
|
|
| 115 |
- os.RemoveAll(tmp) |
|
| 116 |
- return nil, err |
|
| 117 |
- } |
|
| 118 |
- |
|
| 119 |
- // load key fixture filenames |
|
| 120 |
- var keys []keyPair |
|
| 121 |
- for i := 1; i < 5; i++ {
|
|
| 122 |
- keys = append(keys, keyPair{
|
|
| 123 |
- Public: filepath.Join(workingDir, fmt.Sprintf("fixtures/notary/delgkey%v.crt", i)),
|
|
| 124 |
- Private: filepath.Join(workingDir, fmt.Sprintf("fixtures/notary/delgkey%v.key", i)),
|
|
| 125 |
- }) |
|
| 126 |
- } |
|
| 127 |
- |
|
| 128 |
- // run notary-server |
|
| 129 |
- cmd := exec.Command(notaryServerBinary, "-config", confPath) |
|
| 130 |
- if err := cmd.Start(); err != nil {
|
|
| 131 |
- os.RemoveAll(tmp) |
|
| 132 |
- if os.IsNotExist(err) {
|
|
| 133 |
- c.Skip(err.Error()) |
|
| 134 |
- } |
|
| 135 |
- return nil, err |
|
| 136 |
- } |
|
| 137 |
- |
|
| 138 |
- testNotary := &testNotary{
|
|
| 139 |
- cmd: cmd, |
|
| 140 |
- dir: tmp, |
|
| 141 |
- keys: keys, |
|
| 142 |
- } |
|
| 143 |
- |
|
| 144 |
- // Wait for notary to be ready to serve requests. |
|
| 145 |
- for i := 1; i <= 20; i++ {
|
|
| 146 |
- if err = testNotary.Ping(); err == nil {
|
|
| 147 |
- break |
|
| 148 |
- } |
|
| 149 |
- time.Sleep(10 * time.Millisecond * time.Duration(i*i)) |
|
| 150 |
- } |
|
| 151 |
- |
|
| 152 |
- if err != nil {
|
|
| 153 |
- c.Fatalf("Timeout waiting for test notary to become available: %s", err)
|
|
| 154 |
- } |
|
| 155 |
- |
|
| 156 |
- return testNotary, nil |
|
| 157 |
-} |
|
| 158 |
- |
|
| 159 |
-func (t *testNotary) Ping() error {
|
|
| 160 |
- tlsConfig := tlsconfig.ClientDefault() |
|
| 161 |
- tlsConfig.InsecureSkipVerify = true |
|
| 162 |
- client := http.Client{
|
|
| 163 |
- Transport: &http.Transport{
|
|
| 164 |
- Proxy: http.ProxyFromEnvironment, |
|
| 165 |
- Dial: (&net.Dialer{
|
|
| 166 |
- Timeout: 30 * time.Second, |
|
| 167 |
- KeepAlive: 30 * time.Second, |
|
| 168 |
- }).Dial, |
|
| 169 |
- TLSHandshakeTimeout: 10 * time.Second, |
|
| 170 |
- TLSClientConfig: tlsConfig, |
|
| 171 |
- }, |
|
| 172 |
- } |
|
| 173 |
- resp, err := client.Get(fmt.Sprintf("%s/v2/", notaryURL))
|
|
| 174 |
- if err != nil {
|
|
| 175 |
- return err |
|
| 176 |
- } |
|
| 177 |
- if resp.StatusCode != http.StatusOK {
|
|
| 178 |
- return fmt.Errorf("notary ping replied with an unexpected status code %d", resp.StatusCode)
|
|
| 179 |
- } |
|
| 180 |
- return nil |
|
| 181 |
-} |
|
| 182 |
- |
|
| 183 |
-func (t *testNotary) Close() {
|
|
| 184 |
- t.cmd.Process.Kill() |
|
| 185 |
- t.cmd.Process.Wait() |
|
| 186 |
- os.RemoveAll(t.dir) |
|
| 187 |
-} |
|
| 188 |
- |
|
| 189 |
-func trustedCmd(cmd *icmd.Cmd) func() {
|
|
| 190 |
- pwd := "12345678" |
|
| 191 |
- cmd.Env = append(cmd.Env, trustEnv(notaryURL, pwd, pwd)...) |
|
| 192 |
- return nil |
|
| 193 |
-} |
|
| 194 |
- |
|
| 195 |
-func trustedCmdWithServer(server string) func(*icmd.Cmd) func() {
|
|
| 196 |
- return func(cmd *icmd.Cmd) func() {
|
|
| 197 |
- pwd := "12345678" |
|
| 198 |
- cmd.Env = append(cmd.Env, trustEnv(server, pwd, pwd)...) |
|
| 199 |
- return nil |
|
| 200 |
- } |
|
| 201 |
-} |
|
| 202 |
- |
|
| 203 |
-func trustedCmdWithPassphrases(rootPwd, repositoryPwd string) func(*icmd.Cmd) func() {
|
|
| 204 |
- return func(cmd *icmd.Cmd) func() {
|
|
| 205 |
- cmd.Env = append(cmd.Env, trustEnv(notaryURL, rootPwd, repositoryPwd)...) |
|
| 206 |
- return nil |
|
| 207 |
- } |
|
| 208 |
-} |
|
| 209 |
- |
|
| 210 |
-func trustEnv(server, rootPwd, repositoryPwd string) []string {
|
|
| 211 |
- env := append(os.Environ(), []string{
|
|
| 212 |
- "DOCKER_CONTENT_TRUST=1", |
|
| 213 |
- fmt.Sprintf("DOCKER_CONTENT_TRUST_SERVER=%s", server),
|
|
| 214 |
- fmt.Sprintf("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
|
|
| 215 |
- fmt.Sprintf("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=%s", repositoryPwd),
|
|
| 216 |
- }...) |
|
| 217 |
- return env |
|
| 218 |
-} |
|
| 219 |
- |
|
| 220 |
-func (s *DockerTrustSuite) setupTrustedImage(c *check.C, name string) string {
|
|
| 221 |
- repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, name)
|
|
| 222 |
- // tag the image and upload it to the private registry |
|
| 223 |
- cli.DockerCmd(c, "tag", "busybox", repoName) |
|
| 224 |
- cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 225 |
- cli.DockerCmd(c, "rmi", repoName) |
|
| 226 |
- return repoName |
|
| 227 |
-} |
|
| 228 |
- |
|
| 229 |
-func (s *DockerTrustSuite) setupTrustedplugin(c *check.C, source, name string) string {
|
|
| 230 |
- repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, name)
|
|
| 231 |
- |
|
| 232 |
- client := testEnv.APIClient() |
|
| 233 |
- |
|
| 234 |
- ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second) |
|
| 235 |
- err := plugin.Create(ctx, client, repoName) |
|
| 236 |
- cancel() |
|
| 237 |
- c.Assert(err, checker.IsNil, check.Commentf("could not create test plugin"))
|
|
| 238 |
- |
|
| 239 |
- // tag the image and upload it to the private registry |
|
| 240 |
- // TODO: shouldn't need to use the CLI to do trust |
|
| 241 |
- cli.Docker(cli.Args("plugin", "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
|
| 242 |
- |
|
| 243 |
- ctx, cancel = context.WithTimeout(context.Background(), 60*time.Second) |
|
| 244 |
- err = client.PluginRemove(ctx, repoName, types.PluginRemoveOptions{Force: true})
|
|
| 245 |
- cancel() |
|
| 246 |
- c.Assert(err, checker.IsNil, check.Commentf("failed to cleanup test plugin for trust suite"))
|
|
| 247 |
- return repoName |
|
| 248 |
-} |
|
| 249 |
- |
|
| 250 |
-func (s *DockerTrustSuite) notaryCmd(c *check.C, args ...string) string {
|
|
| 251 |
- pwd := "12345678" |
|
| 252 |
- env := []string{
|
|
| 253 |
- fmt.Sprintf("NOTARY_ROOT_PASSPHRASE=%s", pwd),
|
|
| 254 |
- fmt.Sprintf("NOTARY_TARGETS_PASSPHRASE=%s", pwd),
|
|
| 255 |
- fmt.Sprintf("NOTARY_SNAPSHOT_PASSPHRASE=%s", pwd),
|
|
| 256 |
- fmt.Sprintf("NOTARY_DELEGATION_PASSPHRASE=%s", pwd),
|
|
| 257 |
- } |
|
| 258 |
- result := icmd.RunCmd(icmd.Cmd{
|
|
| 259 |
- Command: append([]string{notaryBinary, "-c", filepath.Join(s.not.dir, "client-config.json")}, args...),
|
|
| 260 |
- Env: append(os.Environ(), env...), |
|
| 261 |
- }) |
|
| 262 |
- result.Assert(c, icmd.Success) |
|
| 263 |
- return result.Combined() |
|
| 264 |
-} |
|
| 265 |
- |
|
| 266 |
-func (s *DockerTrustSuite) notaryInitRepo(c *check.C, repoName string) {
|
|
| 267 |
- s.notaryCmd(c, "init", repoName) |
|
| 268 |
-} |
|
| 269 |
- |
|
| 270 |
-func (s *DockerTrustSuite) notaryCreateDelegation(c *check.C, repoName, role string, pubKey string, paths ...string) {
|
|
| 271 |
- pathsArg := "--all-paths" |
|
| 272 |
- if len(paths) > 0 {
|
|
| 273 |
- pathsArg = "--paths=" + strings.Join(paths, ",") |
|
| 274 |
- } |
|
| 275 |
- |
|
| 276 |
- s.notaryCmd(c, "delegation", "add", repoName, role, pubKey, pathsArg) |
|
| 277 |
-} |
|
| 278 |
- |
|
| 279 |
-func (s *DockerTrustSuite) notaryPublish(c *check.C, repoName string) {
|
|
| 280 |
- s.notaryCmd(c, "publish", repoName) |
|
| 281 |
-} |
|
| 282 |
- |
|
| 283 |
-func (s *DockerTrustSuite) notaryImportKey(c *check.C, repoName, role string, privKey string) {
|
|
| 284 |
- s.notaryCmd(c, "key", "import", privKey, "-g", repoName, "-r", role) |
|
| 285 |
-} |
|
| 286 |
- |
|
| 287 |
-func (s *DockerTrustSuite) notaryListTargetsInRole(c *check.C, repoName, role string) map[string]string {
|
|
| 288 |
- out := s.notaryCmd(c, "list", repoName, "-r", role) |
|
| 289 |
- |
|
| 290 |
- // should look something like: |
|
| 291 |
- // NAME DIGEST SIZE (BYTES) ROLE |
|
| 292 |
- // ------------------------------------------------------------------------------------------------------ |
|
| 293 |
- // latest 24a36bbc059b1345b7e8be0df20f1b23caa3602e85d42fff7ecd9d0bd255de56 1377 targets |
|
| 294 |
- |
|
| 295 |
- targets := make(map[string]string) |
|
| 296 |
- |
|
| 297 |
- // no target |
|
| 298 |
- lines := strings.Split(strings.TrimSpace(out), "\n") |
|
| 299 |
- if len(lines) == 1 && strings.Contains(out, "No targets present in this repository.") {
|
|
| 300 |
- return targets |
|
| 301 |
- } |
|
| 302 |
- |
|
| 303 |
- // otherwise, there is at least one target |
|
| 304 |
- c.Assert(len(lines), checker.GreaterOrEqualThan, 3) |
|
| 305 |
- |
|
| 306 |
- for _, line := range lines[2:] {
|
|
| 307 |
- tokens := strings.Fields(line) |
|
| 308 |
- c.Assert(tokens, checker.HasLen, 4) |
|
| 309 |
- targets[tokens[0]] = tokens[3] |
|
| 310 |
- } |
|
| 311 |
- |
|
| 312 |
- return targets |
|
| 313 |
-} |
|
| 314 |
- |
|
| 315 |
-func (s *DockerTrustSuite) assertTargetInRoles(c *check.C, repoName, target string, roles ...string) {
|
|
| 316 |
- // check all the roles |
|
| 317 |
- for _, role := range roles {
|
|
| 318 |
- targets := s.notaryListTargetsInRole(c, repoName, role) |
|
| 319 |
- roleName, ok := targets[target] |
|
| 320 |
- c.Assert(ok, checker.True) |
|
| 321 |
- c.Assert(roleName, checker.Equals, role) |
|
| 322 |
- } |
|
| 323 |
-} |
|
| 324 |
- |
|
| 325 |
-func (s *DockerTrustSuite) assertTargetNotInRoles(c *check.C, repoName, target string, roles ...string) {
|
|
| 326 |
- targets := s.notaryListTargetsInRole(c, repoName, "targets") |
|
| 327 |
- |
|
| 328 |
- roleName, ok := targets[target] |
|
| 329 |
- if ok {
|
|
| 330 |
- for _, role := range roles {
|
|
| 331 |
- c.Assert(roleName, checker.Not(checker.Equals), role) |
|
| 332 |
- } |
|
| 333 |
- } |
|
| 334 |
-} |
| ... | ... |
@@ -45,9 +45,6 @@ var ( |
| 45 | 45 |
// IndexName is the name of the index |
| 46 | 46 |
IndexName = "docker.io" |
| 47 | 47 |
|
| 48 |
- // NotaryServer is the endpoint serving the Notary trust server |
|
| 49 |
- NotaryServer = "https://notary.docker.io" |
|
| 50 |
- |
|
| 51 | 48 |
// DefaultV2Registry is the URI of the default v2 registry |
| 52 | 49 |
DefaultV2Registry = &url.URL{
|
| 53 | 50 |
Scheme: "https", |