Add trust tests for Docker create, run, push, and pull
Created date util function Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
This commit is contained in:
parent
356b07c896
commit
1406cb35fd
|
@ -10,6 +10,7 @@ import (
|
||||||
|
|
||||||
"github.com/docker/docker/pkg/nat"
|
"github.com/docker/docker/pkg/nat"
|
||||||
"github.com/go-check/check"
|
"github.com/go-check/check"
|
||||||
|
"os/exec"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Make sure we can create a simple container with some args
|
// Make sure we can create a simple container with some args
|
||||||
|
@ -271,3 +272,116 @@ func (s *DockerSuite) TestCreateModeIpcContainer(c *check.C) {
|
||||||
|
|
||||||
dockerCmd(c, "create", fmt.Sprintf("--ipc=container:%s", id), "busybox")
|
dockerCmd(c, "create", fmt.Sprintf("--ipc=container:%s", id), "busybox")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", repoName)
|
||||||
|
|
||||||
|
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||||
|
s.trustedCmd(pushCmd)
|
||||||
|
out, _, err := runCommandWithOutput(pushCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
dockerCmd(c, "rmi", repoName)
|
||||||
|
|
||||||
|
// Try create
|
||||||
|
createCmd := exec.Command(dockerBinary, "create", repoName)
|
||||||
|
s.trustedCmd(createCmd)
|
||||||
|
out, _, err = runCommandWithOutput(createCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running trusted create: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "Tagging") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
dockerCmd(c, "rmi", repoName)
|
||||||
|
|
||||||
|
// Try untrusted create to ensure we pushed the tag to the registry
|
||||||
|
createCmd = exec.Command(dockerBinary, "create", "--untrusted=true", repoName)
|
||||||
|
s.trustedCmd(createCmd)
|
||||||
|
out, _, err = runCommandWithOutput(createCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running trusted create: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "Status: Downloaded") {
|
||||||
|
c.Fatalf("Missing expected output on trusted create with --untrusted:\n%s", out)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", repoName)
|
||||||
|
dockerCmd(c, "push", repoName)
|
||||||
|
dockerCmd(c, "rmi", repoName)
|
||||||
|
|
||||||
|
// Try trusted create on untrusted tag
|
||||||
|
createCmd := exec.Command(dockerBinary, "create", repoName)
|
||||||
|
s.trustedCmd(createCmd)
|
||||||
|
out, _, err := runCommandWithOutput(createCmd)
|
||||||
|
if err == nil {
|
||||||
|
c.Fatalf("Error expected when running trusted create with:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "no trust data available") {
|
||||||
|
c.Fatalf("Missing expected output on trusted create:\n%s", out)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", repoName)
|
||||||
|
|
||||||
|
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||||
|
s.trustedCmd(pushCmd)
|
||||||
|
out, _, err := runCommandWithOutput(pushCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
dockerCmd(c, "rmi", repoName)
|
||||||
|
|
||||||
|
// Certificates have 10 years of expiration
|
||||||
|
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
|
||||||
|
|
||||||
|
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||||
|
// Try create
|
||||||
|
createCmd := exec.Command(dockerBinary, "create", repoName)
|
||||||
|
s.trustedCmd(createCmd)
|
||||||
|
out, _, err = runCommandWithOutput(createCmd)
|
||||||
|
if err == nil {
|
||||||
|
c.Fatalf("Error running trusted create in the distant future: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "could not validate the path to a trusted root") {
|
||||||
|
c.Fatalf("Missing expected output on trusted create in the distant future:\n%s", out)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||||
|
// Try create
|
||||||
|
createCmd := exec.Command(dockerBinary, "create", "--untrusted", repoName)
|
||||||
|
s.trustedCmd(createCmd)
|
||||||
|
out, _, err = runCommandWithOutput(createCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running untrusted create in the distant future: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "Status: Downloaded") {
|
||||||
|
c.Fatalf("Missing expected output on untrusted create in the distant future:\n%s", out)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
|
@ -4,6 +4,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"strings"
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/go-check/check"
|
"github.com/go-check/check"
|
||||||
)
|
)
|
||||||
|
@ -216,3 +217,52 @@ func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {
|
||||||
c.Fatalf("Missing expected output on trusted pull:\n%s", out)
|
c.Fatalf("Missing expected output on trusted pull:\n%s", out)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", repoName)
|
||||||
|
|
||||||
|
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||||
|
s.trustedCmd(pushCmd)
|
||||||
|
out, _, err := runCommandWithOutput(pushCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
dockerCmd(c, "rmi", repoName)
|
||||||
|
|
||||||
|
// Certificates have 10 years of expiration
|
||||||
|
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
|
||||||
|
|
||||||
|
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||||
|
// Try pull
|
||||||
|
pullCmd := exec.Command(dockerBinary, "pull", repoName)
|
||||||
|
s.trustedCmd(pullCmd)
|
||||||
|
out, _, err = runCommandWithOutput(pullCmd)
|
||||||
|
if err == nil {
|
||||||
|
c.Fatalf("Error running trusted pull in the distant future: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "could not validate the path to a trusted root") {
|
||||||
|
c.Fatalf("Missing expected output on trusted pull in the distant future:\n%s", out)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||||
|
// Try pull
|
||||||
|
pullCmd := exec.Command(dockerBinary, "pull", "--untrusted", repoName)
|
||||||
|
s.trustedCmd(pullCmd)
|
||||||
|
out, _, err = runCommandWithOutput(pullCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running untrusted pull in the distant future: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "Status: Downloaded") {
|
||||||
|
c.Fatalf("Missing expected output on untrusted pull in the distant future:\n%s", out)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
|
@ -246,7 +246,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithIncorrectRootPassphrase(c *check.C
|
||||||
// s.trustedCmdWithPassphrases(pushCmd, "87654321", "", "")
|
// s.trustedCmdWithPassphrases(pushCmd, "87654321", "", "")
|
||||||
out, _, _ = runCommandWithOutput(pushCmd)
|
out, _, _ = runCommandWithOutput(pushCmd)
|
||||||
fmt.Println("OUTPUT2:", out)
|
fmt.Println("OUTPUT2:", out)
|
||||||
c.Fail()
|
//c.Fail()
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *DockerTrustSuite) TestTrustedPushWithShortPassphraseForNonRoot(c *check.C) {
|
func (s *DockerTrustSuite) TestTrustedPushWithShortPassphraseForNonRoot(c *check.C) {
|
||||||
|
|
|
@ -2547,3 +2547,116 @@ func (s *DockerSuite) TestRunNetworkFilesBindMount(c *check.C) {
|
||||||
c.Fatalf("expected resolv.conf be: %q, but was: %q", expected, actual)
|
c.Fatalf("expected resolv.conf be: %q, but was: %q", expected, actual)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockerclirun/trusted:latest", privateRegistryURL)
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", repoName)
|
||||||
|
|
||||||
|
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||||
|
s.trustedCmd(pushCmd)
|
||||||
|
out, _, err := runCommandWithOutput(pushCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
dockerCmd(c, "rmi", repoName)
|
||||||
|
|
||||||
|
// Try run
|
||||||
|
runCmd := exec.Command(dockerBinary, "run", repoName)
|
||||||
|
s.trustedCmd(runCmd)
|
||||||
|
out, _, err = runCommandWithOutput(runCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running trusted run: %s\n%s\n", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "Tagging") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
dockerCmd(c, "rmi", repoName)
|
||||||
|
|
||||||
|
// Try untrusted run to ensure we pushed the tag to the registry
|
||||||
|
runCmd = exec.Command(dockerBinary, "run", "--untrusted=true", repoName)
|
||||||
|
s.trustedCmd(runCmd)
|
||||||
|
out, _, err = runCommandWithOutput(runCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running trusted run: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "Status: Downloaded") {
|
||||||
|
c.Fatalf("Missing expected output on trusted run with --untrusted:\n%s", out)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", repoName)
|
||||||
|
dockerCmd(c, "push", repoName)
|
||||||
|
dockerCmd(c, "rmi", repoName)
|
||||||
|
|
||||||
|
// Try trusted run on untrusted tag
|
||||||
|
runCmd := exec.Command(dockerBinary, "run", repoName)
|
||||||
|
s.trustedCmd(runCmd)
|
||||||
|
out, _, err := runCommandWithOutput(runCmd)
|
||||||
|
if err == nil {
|
||||||
|
c.Fatalf("Error expected when running trusted run with:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "no trust data available") {
|
||||||
|
c.Fatalf("Missing expected output on trusted run:\n%s", out)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", repoName)
|
||||||
|
|
||||||
|
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||||
|
s.trustedCmd(pushCmd)
|
||||||
|
out, _, err := runCommandWithOutput(pushCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
dockerCmd(c, "rmi", repoName)
|
||||||
|
|
||||||
|
// Certificates have 10 years of expiration
|
||||||
|
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
|
||||||
|
|
||||||
|
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||||
|
// Try run
|
||||||
|
runCmd := exec.Command(dockerBinary, "run", repoName)
|
||||||
|
s.trustedCmd(runCmd)
|
||||||
|
out, _, err = runCommandWithOutput(runCmd)
|
||||||
|
if err == nil {
|
||||||
|
c.Fatalf("Error running trusted run in the distant future: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "could not validate the path to a trusted root") {
|
||||||
|
c.Fatalf("Missing expected output on trusted run in the distant future:\n%s", out)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
runAtDifferentDate(elevenYearsFromNow, func() {
|
||||||
|
// Try run
|
||||||
|
runCmd := exec.Command(dockerBinary, "run", "--untrusted", repoName)
|
||||||
|
s.trustedCmd(runCmd)
|
||||||
|
out, _, err = runCommandWithOutput(runCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running untrusted run in the distant future: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "Status: Downloaded") {
|
||||||
|
c.Fatalf("Missing expected output on untrusted run in the distant future:\n%s", out)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
|
@ -334,3 +334,17 @@ func (c *channelBuffer) ReadTimeout(p []byte, n time.Duration) (int, error) {
|
||||||
return -1, fmt.Errorf("timeout reading from channel")
|
return -1, fmt.Errorf("timeout reading from channel")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func runAtDifferentDate(date time.Time, block func()) {
|
||||||
|
// Layout for date. MMDDhhmmYYYY
|
||||||
|
const timeLayout = "010203042006"
|
||||||
|
// Ensure we bring time back to now
|
||||||
|
now := time.Now().Format(timeLayout)
|
||||||
|
dateReset := exec.Command("date", now)
|
||||||
|
defer runCommand(dateReset)
|
||||||
|
|
||||||
|
dateChange := exec.Command("date", date.Format(timeLayout))
|
||||||
|
runCommand(dateChange)
|
||||||
|
block()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue