//go:build !windows
// +build !windows
package authz // import "github.com/docker/docker/integration/plugin/authz"
import (
"context"
"fmt"
"io"
"os"
"strings"
"testing"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/filters"
volumetypes "github.com/docker/docker/api/types/volume"
"github.com/docker/docker/client"
"github.com/docker/docker/integration/internal/container"
"github.com/docker/docker/integration/internal/requirement"
"gotest.tools/v3/assert"
"gotest.tools/v3/skip"
)
// authzPluginName is the authorization plugin under test; as its name says,
// it denies volume requests and lets everything else through.
var authzPluginName = "riyaz/authz-no-volume-plugin"

// authzPluginTag is the tag of authzPluginName that the tests install.
var authzPluginTag = "latest"

// authzPluginNameWithTag is the fully qualified reference handed to the
// plugin install call and to --authorization-plugin.
var authzPluginNameWithTag = authzPluginName + ":" + authzPluginTag

// authzPluginBadManifestName refers to a plugin with an invalid manifest;
// the daemon is expected to refuse to start with it as an authz plugin.
var authzPluginBadManifestName = "riyaz/authz-plugin-bad-manifest"

// nonexistentAuthzPluginName is never installed; the daemon is expected to
// refuse to start when told to authorize through it.
var nonexistentAuthzPluginName = "riyaz/nonexistent-authz-plugin"
// setupTestV2 prepares the daemon for the authz V2 plugin tests and returns
// the teardown the caller should defer. The test is skipped on a Windows
// daemon and when hub connectivity is missing, since the plugins under test
// are installed from there.
func setupTestV2(t *testing.T) func() {
	skip.If(t, testEnv.DaemonInfo.OSType == "windows")
	skip.If(t, !requirement.HasHubConnectivity(t))

	cleanup := setupTest(t)
	// Start with no extra flags; each test restarts the daemon with
	// --authorization-plugin once its plugin is installed.
	d.Start(t)

	return cleanup
}
// TestAuthZPluginV2AllowNonVolumeRequest installs the no-volume authz plugin,
// restarts the daemon with it enforced, and checks that requests the plugin
// does not reject (a container run and the follow-up inspect) still succeed.
func TestAuthZPluginV2AllowNonVolumeRequest(t *testing.T) {
	skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
	defer setupTestV2(t)()

	ctx := context.Background()
	apiClient := d.NewClientT(t)

	// Install the plugin, accepting every privilege it asks for.
	assert.NilError(t, pluginInstallGrantAllPermissions(apiClient, authzPluginNameWithTag))

	// Restart with the plugin enforced, then load busybox: a --net=none build
	// would otherwise fail because it needs to pull busybox.
	d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)
	d.LoadBusybox(t)

	// A plain container run and the inspect that follows must both be allowed.
	cID := container.Run(ctx, t, apiClient)
	_, inspectErr := apiClient.ContainerInspect(ctx, cID)
	assert.NilError(t, inspectErr)
}
// TestAuthZPluginV2Disable checks that a volume create is denied while the
// no-volume authz plugin is active, and goes through again once the plugin
// has been disabled through the API.
func TestAuthZPluginV2Disable(t *testing.T) {
	skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
	defer setupTestV2(t)()

	ctx := context.Background()
	apiClient := d.NewClientT(t)

	// Install the plugin, accepting every privilege it asks for.
	assert.NilError(t, pluginInstallGrantAllPermissions(apiClient, authzPluginNameWithTag))

	d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)
	d.LoadBusybox(t)

	// assertDeniedByPlugin fails the test unless err is the daemon's
	// "plugin ... failed with error:" response for the active plugin.
	denied := fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)
	assertDeniedByPlugin := func(err error) {
		t.Helper()
		assert.Assert(t, err != nil)
		assert.Assert(t, strings.Contains(err.Error(), denied))
	}

	// With the plugin active, creating a volume must be denied.
	_, err := apiClient.VolumeCreate(ctx, volumetypes.VolumeCreateBody{Driver: "local"})
	assertDeniedByPlugin(err)

	// Disable the plugin ...
	assert.NilError(t, apiClient.PluginDisable(ctx, authzPluginNameWithTag, types.PluginDisableOptions{}))

	// ... and the same request is now accepted.
	_, err = apiClient.VolumeCreate(ctx, volumetypes.VolumeCreateBody{Driver: "local"})
	assert.NilError(t, err)
}
// TestAuthZPluginV2RejectVolumeRequests restarts the daemon with the
// no-volume authz plugin enforced and verifies that each volume API call is
// denied with the plugin's error rather than handled by the daemon.
func TestAuthZPluginV2RejectVolumeRequests(t *testing.T) {
	skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
	defer setupTestV2(t)()

	ctx := context.Background()
	apiClient := d.NewClientT(t)

	// Install the plugin, accepting every privilege it asks for.
	assert.NilError(t, pluginInstallGrantAllPermissions(apiClient, authzPluginNameWithTag))

	// Restart the daemon with the plugin enforced.
	d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)

	denied := fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)

	// Every call below must be rejected by the plugin. The remove and inspect
	// calls name a volume that does not exist: the plugin blocks the request
	// before the daemon can determine that.
	volumeCalls := []struct {
		name string
		call func() error
	}{
		{"create", func() error {
			_, err := apiClient.VolumeCreate(ctx, volumetypes.VolumeCreateBody{Driver: "local"})
			return err
		}},
		{"list", func() error {
			_, err := apiClient.VolumeList(ctx, filters.Args{})
			return err
		}},
		{"remove", func() error {
			return apiClient.VolumeRemove(ctx, "test", false)
		}},
		{"inspect", func() error {
			_, err := apiClient.VolumeInspect(ctx, "test")
			return err
		}},
		{"prune", func() error {
			_, err := apiClient.VolumesPrune(ctx, filters.Args{})
			return err
		}},
	}
	for _, vc := range volumeCalls {
		err := vc.call()
		assert.Assert(t, err != nil, vc.name)
		assert.Assert(t, strings.Contains(err.Error(), denied), vc.name)
	}
}
// TestAuthZPluginV2BadManifestFailsDaemonStart installs a plugin with an
// invalid manifest and checks that the daemon refuses to start with it as an
// authorization plugin, but starts normally once the flag is dropped.
func TestAuthZPluginV2BadManifestFailsDaemonStart(t *testing.T) {
	skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
	defer setupTestV2(t)()

	apiClient := d.NewClientT(t)

	// The install itself is expected to succeed; only the restart that
	// enforces the plugin is expected to fail.
	assert.NilError(t, pluginInstallGrantAllPermissions(apiClient, authzPluginBadManifestName))

	restartErr := d.RestartWithError("--authorization-plugin=" + authzPluginBadManifestName)
	assert.Assert(t, restartErr != nil, "daemon started with a bad-manifest authz plugin")

	// Without the plugin requirement the daemon comes back up.
	d.Start(t)
}
// TestAuthZPluginV2NonexistentFailsDaemonStart checks that the daemon refuses
// to start when --authorization-plugin names a plugin that is not installed,
// and starts normally again without the flag.
func TestAuthZPluginV2NonexistentFailsDaemonStart(t *testing.T) {
	defer setupTestV2(t)()

	// No install step: an unknown authz plugin must not be silently ignored,
	// which would leave the daemon running without the requested authorization.
	restartErr := d.RestartWithError("--authorization-plugin=" + nonexistentAuthzPluginName)
	assert.Assert(t, restartErr != nil, "daemon started with a nonexistent authz plugin")

	// Without the plugin requirement the daemon comes back up.
	d.Start(t)
}
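// pluginInstallGrantAllPermissions installs the plugin referenced by name,
// accepting every privilege its manifest requests, and blocks until the
// install stream has been fully consumed.
//
// AcceptAllPermissions grants whatever the plugin asks for; that is
// acceptable here only because the plugin references come from this test
// file rather than from any external input.
//
// Returned errors are wrapped with the plugin name so a failing install is
// attributable when several tests share this helper.
func pluginInstallGrantAllPermissions(client client.APIClient, name string) error {
	ctx := context.Background()
	options := types.PluginInstallOptions{
		RemoteRef:            name,
		AcceptAllPermissions: true,
	}

	responseReader, err := client.PluginInstall(ctx, "", options)
	if err != nil {
		return fmt.Errorf("installing plugin %q: %w", name, err)
	}
	defer responseReader.Close()

	// The client starts a goroutine that drives the install; it is only known
	// to have finished once the response body reaches EOF. Drain the body to
	// io.Discard rather than buffering the whole progress stream in memory.
	if _, err := io.Copy(io.Discard, responseReader); err != nil {
		return fmt.Errorf("reading plugin install response for %q: %w", name, err)
	}
	return nil
}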