
Added tests for expired snapshots and timestamps

Signed-off-by: Diogo Monica <diogo@docker.com>
Diogo Monica 10 anni fa
parent
commit
3e90b12d42

+ 3 - 2
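--- a/integration-cli/docker_cli_create_test.go
+++ b/integration-cli/docker_cli_create_test.go
@@ -10,9 +10,10 @@ import (
 
 	"os/exec"
 
+	"io/ioutil"
+
 	"github.com/docker/docker/pkg/nat"
 	"github.com/go-check/check"
-	"io/ioutil"
 )
 
 // Make sure we can create a simple container with some args
@@ -444,7 +445,7 @@ func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {
 		c.Fatalf("Expected to fail on this create due to different remote data: %s\n%s", err, out)
 	}
 
-	if !strings.Contains(string(out), "failed to validate integrity of roots") {
+	if !strings.Contains(string(out), "failed to validate data with current trusted certificates") {
 		c.Fatalf("Missing expected output on trusted push:\n%s", out)
 	}
 }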

+ 41 - 2
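--- a/integration-cli/docker_cli_pull_test.go
+++ b/integration-cli/docker_cli_pull_test.go
@@ -6,8 +6,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/go-check/check"
 	"io/ioutil"
+
+	"github.com/go-check/check"
 )
 
 // See issue docker/docker#8141
@@ -324,7 +325,45 @@ func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
 		c.Fatalf("Expected to fail on this pull due to different remote data: %s\n%s", err, out)
 	}
 
-	if !strings.Contains(string(out), "failed to validate integrity of roots") {
+	if !strings.Contains(string(out), "failed to validate data with current trusted certificates") {
 		c.Fatalf("Missing expected output on trusted push:\n%s", out)
 	}
 }
+
+func (s *DockerTrustSuite) TestTrustedPullWithExpiredSnapshot(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppull/trusted:latest", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+
+	// Push with default passphrases
+	pushCmd := exec.Command(dockerBinary, "push", repoName)
+	s.trustedCmd(pushCmd)
+	out, _, err := runCommandWithOutput(pushCmd)
+	if err != nil {
+		c.Fatalf("trusted push failed: %s\n%s", err, out)
+	}
+
+	if !strings.Contains(string(out), "Signing and pushing trust metadata") {
+		c.Fatalf("Missing expected output on trusted push:\n%s", out)
+	}
+
+	dockerCmd(c, "rmi", repoName)
+
+	// Snapshots last for three years. This should be expired
+	fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4)
+
+	// Should succeed because the server transparently re-signs one
+	runAtDifferentDate(fourYearsLater, func() {
+		// Try pull
+		pullCmd := exec.Command(dockerBinary, "pull", repoName)
+		s.trustedCmd(pullCmd)
+		out, _, err = runCommandWithOutput(pullCmd)
+		if err == nil {
+			c.Fatalf("Missing expected error running trusted pull with expired snapshots")
+		}
+
+		if !strings.Contains(string(out), "repository out-of-date") {
+			c.Fatalf("Missing expected output on trusted pull with expired snapshot:\n%s", out)
+		}
+	})
+}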
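Review bot: The comment `// Should succeed because the server transparently re-signs one` above the runAtDifferentDate call in TestTrustedPullWithExpiredSnapshot contradicts the assertions inside it, which require the pull to fail and print "repository out-of-date". It looks copied from the expired-timestamp case and should read something like `// Should fail: the snapshot has expired and the client must reject it as out-of-date`. The repository name `dockercliexpiredtimestamppull` also says timestamp although the test covers snapshot expiry; `dockercliexpiredsnapshotpull` would match. The `err == nil` failure message omits `out`, so a pull that wrongly succeeds leaves nothing to diagnose; `c.Fatalf("Missing expected error running trusted pull with expired snapshots:\n%s", out)` would fix that.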

+ 69 - 0
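--- a/integration-cli/docker_cli_push_test.go
+++ b/integration-cli/docker_cli_push_test.go
@@ -285,3 +285,72 @@ func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *c
 		c.Fatalf("Missing expected output on trusted push with short targets/snapsnot passphrase:\n%s", out)
 	}
 }
+
+func (s *DockerTrustSuite) TestTrustedPushWithExpiredSnapshot(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercliexpiredsnapshot/trusted:latest", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+
+	// Push with default passphrases
+	pushCmd := exec.Command(dockerBinary, "push", repoName)
+	s.trustedCmd(pushCmd)
+	out, _, err := runCommandWithOutput(pushCmd)
+	if err != nil {
+		c.Fatalf("trusted push failed: %s\n%s", err, out)
+	}
+
+	if !strings.Contains(string(out), "Signing and pushing trust metadata") {
+		c.Fatalf("Missing expected output on trusted push:\n%s", out)
+	}
+
+	// Snapshots last for three years. This should be expired
+	fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4)
+
+	runAtDifferentDate(fourYearsLater, func() {
+		// Push with wrong passphrases
+		pushCmd = exec.Command(dockerBinary, "push", repoName)
+		s.trustedCmd(pushCmd)
+		out, _, err = runCommandWithOutput(pushCmd)
+		if err == nil {
+			c.Fatalf("Error missing from trusted push with expired snapshot: \n%s", out)
+		}
+
+		if !strings.Contains(string(out), "repository out-of-date") {
+			c.Fatalf("Missing expected output on trusted push with expired snapshot:\n%s", out)
+		}
+	})
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithExpiredTimestamp(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppush/trusted:latest", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+
+	// Push with default passphrases
+	pushCmd := exec.Command(dockerBinary, "push", repoName)
+	s.trustedCmd(pushCmd)
+	out, _, err := runCommandWithOutput(pushCmd)
+	if err != nil {
+		c.Fatalf("trusted push failed: %s\n%s", err, out)
+	}
+
+	if !strings.Contains(string(out), "Signing and pushing trust metadata") {
+		c.Fatalf("Missing expected output on trusted push:\n%s", out)
+	}
+
+	// The timestamps expire in two weeks. Lets check three
+	threeWeeksLater := time.Now().Add(time.Hour * 24 * 21)
+
+	// Should succeed because the server transparently re-signs one
+	runAtDifferentDate(threeWeeksLater, func() {
+		pushCmd := exec.Command(dockerBinary, "push", repoName)
+		s.trustedCmd(pushCmd)
+		out, _, err := runCommandWithOutput(pushCmd)
+		if err != nil {
+			c.Fatalf("Error running trusted push: %s\n%s", err, out)
+		}
+		if !strings.Contains(string(out), "Signing and pushing trust metadata") {
+			c.Fatalf("Missing expected output on trusted push with expired timestamp:\n%s", out)
+		}
+	})
+}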
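Review bot: In TestTrustedPushWithExpiredTimestamp the closure only asserts that the push succeeds and prints "Signing and pushing trust metadata", the same outcome as the initial push, so the test would keep passing even if the timestamp had not actually expired at threeWeeksLater (for example if the two-week lifetime named in the comment changes). A comment should state that dependency, e.g. `// relies on the timestamp lifetime being shorter than 21 days; adjust if the default changes`. Separately, the comment `// Push with wrong passphrases` in TestTrustedPushWithExpiredSnapshot is stale, since the second push goes through the same s.trustedCmd setup as the first; `// Push again after the snapshot has expired` describes what is exercised. The timestamp closure also redeclares pushCmd, out and err with `:=`, shadowing the outer variables, while the snapshot closure assigns with `=`; using one form in both would avoid confusion.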

+ 1 - 1
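--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -2699,7 +2699,7 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
 		c.Fatalf("Expected to fail on this run due to different remote data: %s\n%s", err, out)
 	}
 
-	if !strings.Contains(string(out), "failed to validate integrity of roots") {
+	if !strings.Contains(string(out), "failed to validate data with current trusted certificates") {
 		c.Fatalf("Missing expected output on trusted push:\n%s", out)
 	}
 }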