From 356b07c89602e4f5e9c9d4c53ec24b341b4e7865 Mon Sep 17 00:00:00 2001
From: Diogo Monica
Date: Tue, 21 Jul 2015 20:36:22 -0700
Subject: [PATCH] Add more integration tests for trusted push and pull
Signed-off-by: Diogo Monica
---
 integration-cli/docker_cli_pull_test.go | 34 ++++++++
 integration-cli/docker_cli_push_test.go | 106 ++++++++++++++++++++++++
 integration-cli/trust_server.go | 21 ++++-
 3 files changed, 157 insertions(+), 4 deletions(-)
diff --git a/integration-cli/docker_cli_pull_test.go b/integration-cli/docker_cli_pull_test.go
index 1c7810a35b..9f5375bf46 100644
--- a/integration-cli/docker_cli_pull_test.go
+++ b/integration-cli/docker_cli_pull_test.go
@@ -181,4 +181,38 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
 if !strings.Contains(string(out), "Tagging") {
 c.Fatalf("Missing expected output on trusted push:\n%s", out)
 }
+
+ dockerCmd(c, "rmi", repoName)
+
+ // Try untrusted pull to ensure we pushed the tag to the registry
+ pullCmd = exec.Command(dockerBinary, "pull", "--untrusted=true", repoName)
+ s.trustedCmd(pullCmd)
+ out, _, err = runCommandWithOutput(pullCmd)
+ if err != nil {
+ c.Fatalf("Error running trusted pull: %s\n%s", err, out)
+ }
+
+ if !strings.Contains(string(out), "Status: Downloaded") {
+ c.Fatalf("Missing expected output on trusted pull with --untrusted:\n%s", out)
+ }
+}
+
+func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+ // tag the image and upload it to the private registry
+ dockerCmd(c, "tag", "busybox", repoName)
+ dockerCmd(c, "push", repoName)
+ dockerCmd(c, "rmi", repoName)
+
+ // Try trusted pull on untrusted tag
+ pullCmd := exec.Command(dockerBinary, "pull", repoName)
+ s.trustedCmd(pullCmd)
+ out, _, err := runCommandWithOutput(pullCmd)
+ if err == nil {
+ c.Fatalf("Error expected when running trusted pull with:\n%s", out)
+ }
+
+ if !strings.Contains(string(out), "no trust data available") {
+ c.Fatalf("Missing expected output on trusted pull:\n%s", out)
+ }
 }
diff --git a/integration-cli/docker_cli_push_test.go b/integration-cli/docker_cli_push_test.go
index 1bbb925913..bd2a82e98c 100644
--- a/integration-cli/docker_cli_push_test.go
+++ b/integration-cli/docker_cli_push_test.go
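Review bot: TestUntrustedPull proves only that the CLI exits non-zero and prints "no trust data available"; it never checks that the unsigned tag is absent from the local image store afterwards, which is the property trust enforcement has to guarantee. After the output assertion, add something like `if _, _, err := runCommandWithOutput(exec.Command(dockerBinary, "inspect", repoName)); err == nil { c.Fatalf("unsigned image %s is present after a rejected trusted pull", repoName) }`. The test also reuses the `dockercli/trusted:latest` name that TestTrustedPull signs, so if the notary server keeps state between tests (not visible in this hunk) the outcome would depend on test order; a repository name unique to this test would avoid that. Separately, the `--untrusted=true` pull added to TestTrustedPull reports a failure as "Error running trusted pull", which will mislead whoever reads the log.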
@@ -159,3 +159,109 @@ func (s *DockerTrustSuite) TestTrustedPush(c *check.C) {
 c.Fatalf("Missing expected output on trusted push:\n%s", out)
 }
 }
+
+func (s *DockerTrustSuite) TestTrustedPushWithoutServer(c *check.C) {
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+ // tag the image and upload it to the private registry
+ dockerCmd(c, "tag", "busybox", repoName)
+
+ pushCmd := exec.Command(dockerBinary, "push", repoName)
+ s.trustedCmdWithServer(pushCmd, "example/")
+ out, _, err := runCommandWithOutput(pushCmd)
+ if err == nil {
+ c.Fatalf("Missing error while running trusted push w/ no server")
+ }
+
+ if !strings.Contains(string(out), "Error establishing connection to notary repository") {
+ c.Fatalf("Missing expected output on trusted push:\n%s", out)
+ }
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) {
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+ // tag the image and upload it to the private registry
+ dockerCmd(c, "tag", "busybox", repoName)
+
+ pushCmd := exec.Command(dockerBinary, "push", "--untrusted", repoName)
+ s.trustedCmdWithServer(pushCmd, "example/")
+ out, _, err := runCommandWithOutput(pushCmd)
+ if err != nil {
+ c.Fatalf("trusted push with no server and --untrusted failed: %s\n%s", err, out)
+ }
+
+ if strings.Contains(string(out), "Error establishing connection to notary repository") {
+ c.Fatalf("Missing expected output on trusted push with --untrusted:\n%s", out)
+ }
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) {
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+ // tag the image and upload it to the private registry
+ dockerCmd(c, "tag", "busybox", repoName)
+ dockerCmd(c, "push", repoName)
+
+ pushCmd := exec.Command(dockerBinary, "push", repoName)
+ s.trustedCmd(pushCmd)
+ out, _, err := runCommandWithOutput(pushCmd)
+ if err != nil {
+ c.Fatalf("trusted push failed: %s\n%s", err, out)
+ }
+
+ if !strings.Contains(string(out), "Signing and pushing trust metadata") {
+ c.Fatalf("Missing expected output on trusted push with existing tag:\n%s", out)
+ }
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithShortRootPassphrase(c *check.C) {
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+ // tag the image and upload it to the private registry
+ dockerCmd(c, "tag", "busybox", repoName)
+
+ pushCmd := exec.Command(dockerBinary, "push", repoName)
+ s.trustedCmdWithPassphrases(pushCmd, "rootPwd", "", "")
+ out, _, err := runCommandWithOutput(pushCmd)
+ if err == nil {
+ c.Fatalf("Error missing from trusted push with short root passphrase")
+ }
+
+ if !strings.Contains(string(out), "tuf: insufficient signatures for Cryptoservice") {
+ c.Fatalf("Missing expected output on trusted push with short root passphrase:\n%s", out)
+ }
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithIncorrectRootPassphrase(c *check.C) {
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+ // tag the image and upload it to the private registry
+ dockerCmd(c, "tag", "busybox", repoName)
+
+ // Push with default passphrase
+ pushCmd := exec.Command(dockerBinary, "push", "--untrusted", repoName)
+ s.trustedCmd(pushCmd)
+ out, _, _ := runCommandWithOutput(pushCmd)
+ fmt.Println("OUTPUT: ", out)
+
+ // Push with incorrect passphrase
+ pushCmd = exec.Command(dockerBinary, "push", "--untrusted", repoName)
+ s.trustedCmd(pushCmd)
+ // s.trustedCmdWithPassphrases(pushCmd, "87654321", "", "")
+ out, _, _ = runCommandWithOutput(pushCmd)
+ fmt.Println("OUTPUT2:", out)
+ c.Fail()
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithShortPassphraseForNonRoot(c *check.C) {
+ repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+ // tag the image and upload it to the private registry
+ dockerCmd(c, "tag", "busybox", repoName)
+
+ pushCmd := exec.Command(dockerBinary, "push", repoName)
+ s.trustedCmdWithPassphrases(pushCmd, "12345678", "short", "short")
+ out, _, err := runCommandWithOutput(pushCmd)
+ if err == nil {
+ c.Fatalf("Error missing from trusted push with short targets passphrase")
+ }
+
+ if !strings.Contains(string(out), "tuf: insufficient signatures for Cryptoservice") {
+ c.Fatalf("Missing expected output on trusted push with short targets/snapsnot passphrase:\n%s", out)
+ }
+}
diff --git a/integration-cli/trust_server.go b/integration-cli/trust_server.go
index 0205de620c..1f68440fe7 100644
--- a/integration-cli/trust_server.go
+++ b/integration-cli/trust_server.go
@@ -99,12 +99,25 @@ func (t *testNotary) Close() {
 }
 
 func (s *DockerTrustSuite) trustedCmd(cmd *exec.Cmd) {
+ pwd := "12345678"
+ trustCmdEnv(cmd, s.not.address(), pwd, pwd, pwd)
+}
+
+func (s *DockerTrustSuite) trustedCmdWithServer(cmd *exec.Cmd, server string) {
+ pwd := "12345678"
+ trustCmdEnv(cmd, server, pwd, pwd, pwd)
+}
+func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, snapshotPwd, targetPwd string) {
+ trustCmdEnv(cmd, s.not.address(), rootPwd, snapshotPwd, targetPwd)
+}
+
+func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, snapshotPwd, targetPwd string) {
 env := []string{
 "DOCKER_TRUST=1",
- fmt.Sprintf("DOCKER_TRUST_SERVER=%s", s.not.address()),
- "DOCKER_TRUST_ROOT_PASSPHRASE=12345678",
- "DOCKER_TRUST_TARGET_PASSPHRASE=12345678",
- "DOCKER_TRUST_SNAPSHOT_PASSPHRASE=12345678",
+ fmt.Sprintf("DOCKER_TRUST_SERVER=%s", server),
+ fmt.Sprintf("DOCKER_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
+ fmt.Sprintf("DOCKER_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd),
+ fmt.Sprintf("DOCKER_TRUST_TARGET_PASSPHRASE=%s", targetPwd),
 }
 cmd.Env = append(os.Environ(), env...)
 }
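Review bot: TestTrustedPushWithIncorrectRootPassphrase in docker_cli_push_test.go cannot pass and never exercises a wrong passphrase: both pushes use `--untrusted` with the default passphrases, the `trustedCmdWithPassphrases(pushCmd, "87654321", "", "")` call is commented out, both errors are discarded, and the body ends in an unconditional `c.Fail()` after two `fmt.Println` debug lines. As committed, the suite therefore has no coverage for rejection of a wrong root passphrase. The rewrite below signs once with the defaults and then expects a second signed push with a different root passphrase to fail; whether that second push actually asks for the root key depends on notary behaviour not visible here, and an assertion on the error text should be added once the message is known. In TestTrustedPushWithoutServerAndUntrusted the final `c.Fatalf` fires when the notary error is present, so its message should say the output was unexpected rather than "Missing expected output".

```go
func (s *DockerTrustSuite) TestTrustedPushWithIncorrectRootPassphrase(c *check.C) {
	// … unchanged: repoName and tag setup …

	// Push with the default passphrases so the root key exists
	pushCmd := exec.Command(dockerBinary, "push", repoName)
	s.trustedCmd(pushCmd)
	out, _, err := runCommandWithOutput(pushCmd)
	if err != nil {
		c.Fatalf("trusted push failed: %s\n%s", err, out)
	}

	// Push again with a root passphrase that does not match the stored key
	pushCmd = exec.Command(dockerBinary, "push", repoName)
	s.trustedCmdWithPassphrases(pushCmd, "87654321", "", "")
	out, _, err = runCommandWithOutput(pushCmd)
	if err == nil {
		c.Fatalf("Error missing from trusted push with incorrect root passphrase:\n%s", out)
	}
}
```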
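Review bot: In trust_server.go, `trustedCmd` and `trustedCmdWithServer` each declare their own `pwd := "12345678"`, so the default test passphrase now lives in two places that can drift apart. A single package-level `const defaultTrustPassphrase = "12345678"`, commented as a test-only value, would keep them in step. `trustCmdEnv` and `trustedCmdWithPassphrases` take three adjacent string passphrases whose order is easy to swap without any compile error, so a doc comment such as `// trustCmdEnv sets the DOCKER_TRUST_* variables on cmd; passphrases are given in root, snapshot, target order.` is worth adding. There is also no blank line between the closing brace of `trustedCmdWithServer` and `func (s *DockerTrustSuite) trustedCmdWithPassphrases`.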