mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Add trust tests for Docker create, run, push, and pull
Created date util function Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
This commit is contained in:
parent
356b07c896
commit
1406cb35fd
5 changed files with 292 additions and 1 deletions
|
@ -10,6 +10,7 @@ import (
|
|||
|
||||
"github.com/docker/docker/pkg/nat"
|
||||
"github.com/go-check/check"
|
||||
"os/exec"
|
||||
)
|
||||
|
||||
// Make sure we can create a simple container with some args
|
||||
|
@ -271,3 +272,116 @@ func (s *DockerSuite) TestCreateModeIpcContainer(c *check.C) {
|
|||
|
||||
dockerCmd(c, "create", fmt.Sprintf("--ipc=container:%s", id), "busybox")
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||
s.trustedCmd(pushCmd)
|
||||
out, _, err := runCommandWithOutput(pushCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||
}
|
||||
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||
}
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try create
|
||||
createCmd := exec.Command(dockerBinary, "create", repoName)
|
||||
s.trustedCmd(createCmd)
|
||||
out, _, err = runCommandWithOutput(createCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running trusted create: %s\n%s", err, out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "Tagging") {
|
||||
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||
}
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try untrusted create to ensure we pushed the tag to the registry
|
||||
createCmd = exec.Command(dockerBinary, "create", "--untrusted=true", repoName)
|
||||
s.trustedCmd(createCmd)
|
||||
out, _, err = runCommandWithOutput(createCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running trusted create: %s\n%s", err, out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "Status: Downloaded") {
|
||||
c.Fatalf("Missing expected output on trusted create with --untrusted:\n%s", out)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
dockerCmd(c, "push", repoName)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try trusted create on untrusted tag
|
||||
createCmd := exec.Command(dockerBinary, "create", repoName)
|
||||
s.trustedCmd(createCmd)
|
||||
out, _, err := runCommandWithOutput(createCmd)
|
||||
if err == nil {
|
||||
c.Fatalf("Error expected when running trusted create with:\n%s", out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "no trust data available") {
|
||||
c.Fatalf("Missing expected output on trusted create:\n%s", out)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||
s.trustedCmd(pushCmd)
|
||||
out, _, err := runCommandWithOutput(pushCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||
}
|
||||
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||
}
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Certificates have 10 years of expiration
|
||||
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
|
||||
|
||||
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try create
|
||||
createCmd := exec.Command(dockerBinary, "create", repoName)
|
||||
s.trustedCmd(createCmd)
|
||||
out, _, err = runCommandWithOutput(createCmd)
|
||||
if err == nil {
|
||||
c.Fatalf("Error running trusted create in the distant future: %s\n%s", err, out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "could not validate the path to a trusted root") {
|
||||
c.Fatalf("Missing expected output on trusted create in the distant future:\n%s", out)
|
||||
}
|
||||
})
|
||||
|
||||
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try create
|
||||
createCmd := exec.Command(dockerBinary, "create", "--untrusted", repoName)
|
||||
s.trustedCmd(createCmd)
|
||||
out, _, err = runCommandWithOutput(createCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running untrusted create in the distant future: %s\n%s", err, out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "Status: Downloaded") {
|
||||
c.Fatalf("Missing expected output on untrusted create in the distant future:\n%s", out)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"fmt"
|
||||
"os/exec"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/go-check/check"
|
||||
)
|
||||
|
@ -216,3 +217,52 @@ func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {
|
|||
c.Fatalf("Missing expected output on trusted pull:\n%s", out)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||
s.trustedCmd(pushCmd)
|
||||
out, _, err := runCommandWithOutput(pushCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||
}
|
||||
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||
}
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Certificates have 10 years of expiration
|
||||
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
|
||||
|
||||
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try pull
|
||||
pullCmd := exec.Command(dockerBinary, "pull", repoName)
|
||||
s.trustedCmd(pullCmd)
|
||||
out, _, err = runCommandWithOutput(pullCmd)
|
||||
if err == nil {
|
||||
c.Fatalf("Error running trusted pull in the distant future: %s\n%s", err, out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "could not validate the path to a trusted root") {
|
||||
c.Fatalf("Missing expected output on trusted pull in the distant future:\n%s", out)
|
||||
}
|
||||
})
|
||||
|
||||
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try pull
|
||||
pullCmd := exec.Command(dockerBinary, "pull", "--untrusted", repoName)
|
||||
s.trustedCmd(pullCmd)
|
||||
out, _, err = runCommandWithOutput(pullCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running untrusted pull in the distant future: %s\n%s", err, out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "Status: Downloaded") {
|
||||
c.Fatalf("Missing expected output on untrusted pull in the distant future:\n%s", out)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
|
|
@ -246,7 +246,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithIncorrectRootPassphrase(c *check.C
|
|||
// s.trustedCmdWithPassphrases(pushCmd, "87654321", "", "")
|
||||
out, _, _ = runCommandWithOutput(pushCmd)
|
||||
fmt.Println("OUTPUT2:", out)
|
||||
c.Fail()
|
||||
//c.Fail()
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedPushWithShortPassphraseForNonRoot(c *check.C) {
|
||||
|
|
|
@ -2547,3 +2547,116 @@ func (s *DockerSuite) TestRunNetworkFilesBindMount(c *check.C) {
|
|||
c.Fatalf("expected resolv.conf be: %q, but was: %q", expected, actual)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockerclirun/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||
s.trustedCmd(pushCmd)
|
||||
out, _, err := runCommandWithOutput(pushCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||
}
|
||||
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||
}
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try run
|
||||
runCmd := exec.Command(dockerBinary, "run", repoName)
|
||||
s.trustedCmd(runCmd)
|
||||
out, _, err = runCommandWithOutput(runCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running trusted run: %s\n%s\n", err, out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "Tagging") {
|
||||
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||
}
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try untrusted run to ensure we pushed the tag to the registry
|
||||
runCmd = exec.Command(dockerBinary, "run", "--untrusted=true", repoName)
|
||||
s.trustedCmd(runCmd)
|
||||
out, _, err = runCommandWithOutput(runCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running trusted run: %s\n%s", err, out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "Status: Downloaded") {
|
||||
c.Fatalf("Missing expected output on trusted run with --untrusted:\n%s", out)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
dockerCmd(c, "push", repoName)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try trusted run on untrusted tag
|
||||
runCmd := exec.Command(dockerBinary, "run", repoName)
|
||||
s.trustedCmd(runCmd)
|
||||
out, _, err := runCommandWithOutput(runCmd)
|
||||
if err == nil {
|
||||
c.Fatalf("Error expected when running trusted run with:\n%s", out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "no trust data available") {
|
||||
c.Fatalf("Missing expected output on trusted run:\n%s", out)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||
s.trustedCmd(pushCmd)
|
||||
out, _, err := runCommandWithOutput(pushCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||
}
|
||||
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||
}
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Certificates have 10 years of expiration
|
||||
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
|
||||
|
||||
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try run
|
||||
runCmd := exec.Command(dockerBinary, "run", repoName)
|
||||
s.trustedCmd(runCmd)
|
||||
out, _, err = runCommandWithOutput(runCmd)
|
||||
if err == nil {
|
||||
c.Fatalf("Error running trusted run in the distant future: %s\n%s", err, out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "could not validate the path to a trusted root") {
|
||||
c.Fatalf("Missing expected output on trusted run in the distant future:\n%s", out)
|
||||
}
|
||||
})
|
||||
|
||||
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try run
|
||||
runCmd := exec.Command(dockerBinary, "run", "--untrusted", repoName)
|
||||
s.trustedCmd(runCmd)
|
||||
out, _, err = runCommandWithOutput(runCmd)
|
||||
if err != nil {
|
||||
c.Fatalf("Error running untrusted run in the distant future: %s\n%s", err, out)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(out), "Status: Downloaded") {
|
||||
c.Fatalf("Missing expected output on untrusted run in the distant future:\n%s", out)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
|
|
@ -334,3 +334,17 @@ func (c *channelBuffer) ReadTimeout(p []byte, n time.Duration) (int, error) {
|
|||
return -1, fmt.Errorf("timeout reading from channel")
|
||||
}
|
||||
}
|
||||
|
||||
func runAtDifferentDate(date time.Time, block func()) {
|
||||
// Layout for date. MMDDhhmmYYYY
|
||||
const timeLayout = "010203042006"
|
||||
// Ensure we bring time back to now
|
||||
now := time.Now().Format(timeLayout)
|
||||
dateReset := exec.Command("date", now)
|
||||
defer runCommand(dateReset)
|
||||
|
||||
dateChange := exec.Command("date", date.Format(timeLayout))
|
||||
runCommand(dateChange)
|
||||
block()
|
||||
return
|
||||
}
|
||||
|
|
Loading…
Add table
Reference in a new issue