Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
@@ -339,6 +339,7 @@ func (cli *DockerCli) trustedPull(repoInfo *registry.RepositoryInfo, ref registr |
| 339 | 339 |
if err != nil {
|
| 340 | 340 |
return notaryError(repoInfo.FullName(), err) |
| 341 | 341 |
} |
| 342 |
+ logrus.Debugf("retrieving target for %s role\n", t.Role)
|
|
| 342 | 343 |
r, err := convertTarget(t.Target) |
| 343 | 344 |
if err != nil {
|
| 344 | 345 |
return err |
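Review bot: The trailing `\n` in the added `logrus.Debugf` format string is redundant, since logrus's formatters terminate each entry themselves, so every hit prints a blank line after the entry; write `logrus.Debugf("retrieving target for %s role", t.Role)`. The new integration test in this commit matches this exact text with a Contains check, so the wording is effectively part of the test contract and the two must stay in sync. trustedPull begins and continues outside the hunk.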
@@ -510,7 +511,6 @@ func (cli *DockerCli) addTargetToAllSignableRoles(repo *client.NotaryRepository, |
| 510 | 510 |
// Also don't bother checking the keys if we can't add the target |
| 511 | 511 |
// to this role due to path restrictions |
| 512 | 512 |
if path.Dir(delegationRole.Name) != data.CanonicalTargetsRole || !delegationRole.CheckPaths(target.Name) {
|
| 513 |
- fmt.Println("skipping", delegationRole.Name)
|
|
| 514 | 513 |
continue |
| 515 | 514 |
} |
| 516 | 515 |
|
@@ -2,8 +2,11 @@ package main |
| 2 | 2 |
|
| 3 | 3 |
import ( |
| 4 | 4 |
"fmt" |
| 5 |
+ "os" |
|
| 6 |
+ "path/filepath" |
|
| 5 | 7 |
"testing" |
| 6 | 8 |
|
| 9 |
+ "github.com/docker/docker/cliconfig" |
|
| 7 | 10 |
"github.com/docker/docker/pkg/reexec" |
| 8 | 11 |
"github.com/go-check/check" |
| 9 | 12 |
) |
@@ -206,5 +209,8 @@ func (s *DockerTrustSuite) TearDownTest(c *check.C) {
|
| 206 | 206 |
if s.not != nil {
|
| 207 | 207 |
s.not.Close() |
| 208 | 208 |
} |
| 209 |
+ |
|
| 210 |
+ // Remove trusted keys and metadata after test |
|
| 211 |
+ os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust")) |
|
| 209 | 212 |
s.ds.TearDownTest(c) |
| 210 | 213 |
} |
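Review bot: The error from `os.RemoveAll` on the added line is discarded, so a failed cleanup leaves stale trust keys and metadata in `ConfigDir()/trust` for the next test with no indication, which can make later trust tests pass or fail for the wrong reason; assert it: `c.Assert(os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust")), check.IsNil)`. Because the path is derived from `cliconfig.ConfigDir()`, this is only safe if the suite points the CLI config dir at a per-suite location rather than the developer's own; the hunk does not show that setup, so the comment should state the assumption, e.g. `// Remove trusted keys and metadata after test; assumes ConfigDir points at the suite's own config dir`. TearDownTest's signature is outside the hunk.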
@@ -254,3 +254,56 @@ func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
|
| 254 | 254 |
_, err = inspectFieldWithError(imageID, "Id") |
| 255 | 255 |
c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
|
| 256 | 256 |
} |
| 257 |
+ |
|
| 258 |
+func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
|
|
| 259 |
+ repoName := fmt.Sprintf("%v/dockerclireleasesdelegationpulling/trusted", privateRegistryURL)
|
|
| 260 |
+ targetName := fmt.Sprintf("%s:latest", repoName)
|
|
| 261 |
+ pwd := "12345678" |
|
| 262 |
+ |
|
| 263 |
+ // Push with targets first, initializing the repo |
|
| 264 |
+ dockerCmd(c, "tag", "busybox", targetName) |
|
| 265 |
+ pushCmd := exec.Command(dockerBinary, "push", targetName) |
|
| 266 |
+ s.trustedCmdWithPassphrases(pushCmd, pwd, pwd) |
|
| 267 |
+ out, _, err := runCommandWithOutput(pushCmd) |
|
| 268 |
+ c.Assert(err, check.IsNil, check.Commentf(out)) |
|
| 269 |
+ |
|
| 270 |
+ // Try pull, check we retrieve from targets role |
|
| 271 |
+ pullCmd := exec.Command(dockerBinary, "-D", "pull", repoName) |
|
| 272 |
+ s.trustedCmd(pullCmd) |
|
| 273 |
+ out, _, err = runCommandWithOutput(pullCmd) |
|
| 274 |
+ c.Assert(err, check.IsNil, check.Commentf(out)) |
|
| 275 |
+ c.Assert(out, checker.Contains, "retrieving target for targets role") |
|
| 276 |
+ |
|
| 277 |
+ // Now we'll create the releases role, and try pushing and pulling |
|
| 278 |
+ s.notaryCreateDelegation(c, repoName, pwd, "targets/releases", s.not.keys[0].Public) |
|
| 279 |
+ s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private) |
|
| 280 |
+ s.notaryPublish(c, repoName, pwd) |
|
| 281 |
+ |
|
| 282 |
+ // Push, should sign with targets/releases |
|
| 283 |
+ dockerCmd(c, "tag", "busybox", targetName) |
|
| 284 |
+ pushCmd = exec.Command(dockerBinary, "push", targetName) |
|
| 285 |
+ s.trustedCmdWithPassphrases(pushCmd, pwd, pwd) |
|
| 286 |
+ out, _, err = runCommandWithOutput(pushCmd) |
|
| 287 |
+ |
|
| 288 |
+ // Try pull, check we retrieve from targets/releases role |
|
| 289 |
+ pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName) |
|
| 290 |
+ s.trustedCmd(pullCmd) |
|
| 291 |
+ out, _, err = runCommandWithOutput(pullCmd) |
|
| 292 |
+ c.Assert(out, checker.Contains, "retrieving target for targets/releases role") |
|
| 293 |
+ |
|
| 294 |
+ // Create another delegation that we'll sign with |
|
| 295 |
+ s.notaryCreateDelegation(c, repoName, pwd, "targets/other", s.not.keys[1].Public) |
|
| 296 |
+ s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private) |
|
| 297 |
+ s.notaryPublish(c, repoName, pwd) |
|
| 298 |
+ |
|
| 299 |
+ dockerCmd(c, "tag", "busybox", targetName) |
|
| 300 |
+ pushCmd = exec.Command(dockerBinary, "push", targetName) |
|
| 301 |
+ s.trustedCmdWithPassphrases(pushCmd, pwd, pwd) |
|
| 302 |
+ out, _, err = runCommandWithOutput(pushCmd) |
|
| 303 |
+ |
|
| 304 |
+ // Try pull, check we retrieve from targets/releases role |
|
| 305 |
+ pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName) |
|
| 306 |
+ s.trustedCmd(pullCmd) |
|
| 307 |
+ out, _, err = runCommandWithOutput(pullCmd) |
|
| 308 |
+ c.Assert(out, checker.Contains, "retrieving target for targets/releases role") |
|
| 309 |
+} |
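Review bot: The second and third pushes (new-side lines 286 and 302) assign `err` but never check it, and neither do the pulls at 291 and 307, unlike the first push/pull pair at 268 and 274; if a push fails to sign with the delegation key, the following pull can still resolve against the previously published metadata and the Contains assertion passes without the releases-role path having been exercised. Add `c.Assert(err, check.IsNil, check.Commentf(out))` after each of those four `runCommandWithOutput` calls. The assertions also depend on a debug log line (`-D` plus `retrieving target for ... role`) rather than on observable pull behaviour, so a short comment above the first pull noting that the test is coupled to that log wording would help whoever next edits trustedPull.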
@@ -631,7 +631,7 @@ func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c |
| 631 | 631 |
pushCmd := exec.Command(dockerBinary, "push", targetName) |
| 632 | 632 |
s.trustedCmdWithPassphrases(pushCmd, pwd, pwd) |
| 633 | 633 |
out, _, err := runCommandWithOutput(pushCmd) |
| 634 |
- c.Assert(err, check.Not(check.IsNil), check.Commentf("trusted push succeed but should have failed:\n%s", out))
|
|
| 634 |
+ c.Assert(err, check.Not(check.IsNil), check.Commentf("trusted push succeeded but should have failed:\n%s", out))
|
|
| 635 | 635 |
c.Assert(out, checker.Contains, "no valid signing keys", |
| 636 | 636 |
check.Commentf("Missing expected output on trusted push without keys"))
|
| 637 | 637 |
} |