diff --git a/integration-cli/docker_cli_create_test.go b/integration-cli/docker_cli_create_test.go index a50301ebff..ec65a66d04 100644 --- a/integration-cli/docker_cli_create_test.go +++ b/integration-cli/docker_cli_create_test.go @@ -10,9 +10,10 @@ import ( "os/exec" + "io/ioutil" + "github.com/docker/docker/pkg/nat" "github.com/go-check/check" - "io/ioutil" ) // Make sure we can create a simple container with some args @@ -444,7 +445,7 @@ func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) { c.Fatalf("Expected to fail on this create due to different remote data: %s\n%s", err, out) } - if !strings.Contains(string(out), "failed to validate integrity of roots") { + if !strings.Contains(string(out), "failed to validate data with current trusted certificates") { c.Fatalf("Missing expected output on trusted push:\n%s", out) } } diff --git a/integration-cli/docker_cli_pull_test.go b/integration-cli/docker_cli_pull_test.go index 918ea53e77..e9e8c39831 100644 --- a/integration-cli/docker_cli_pull_test.go +++ b/integration-cli/docker_cli_pull_test.go @@ -6,8 +6,9 @@ import ( "strings" "time" - "github.com/go-check/check" "io/ioutil" + + "github.com/go-check/check" ) // See issue docker/docker#8141 
@@ -324,7 +325,45 @@ func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) { c.Fatalf("Expected to fail on this pull due to different remote data: %s\n%s", err, out) } - if !strings.Contains(string(out), "failed to validate integrity of roots") { + if !strings.Contains(string(out), "failed to validate data with current trusted certificates") { c.Fatalf("Missing expected output on trusted push:\n%s", out) } } + +func (s *DockerTrustSuite) TestTrustedPullWithExpiredSnapshot(c *check.C) { + repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppull/trusted:latest", privateRegistryURL) + // tag the image and upload it to the private registry + dockerCmd(c, "tag", "busybox", repoName) + + // Push with default passphrases + pushCmd := exec.Command(dockerBinary, "push", repoName) + s.trustedCmd(pushCmd) + out, _, err := runCommandWithOutput(pushCmd) + if err != nil { + c.Fatalf("trusted push failed: %s\n%s", err, out) + } + + if !strings.Contains(string(out), "Signing and pushing trust metadata") { + c.Fatalf("Missing expected output on trusted push:\n%s", out) + } + + dockerCmd(c, "rmi", repoName) + + // Snapshots last for three years. This should be expired + fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4) + + // Should succeed because the server transparently re-signs one + runAtDifferentDate(fourYearsLater, func() { + // Try pull + pullCmd := exec.Command(dockerBinary, "pull", repoName) + s.trustedCmd(pullCmd) + out, _, err = runCommandWithOutput(pullCmd) + if err == nil { + c.Fatalf("Missing expected error running trusted pull with expired snapshots") + } + + if !strings.Contains(string(out), "repository out-of-date") { + c.Fatalf("Missing expected output on trusted pull with expired snapshot:\n%s", out) + } + }) +} diff --git a/integration-cli/docker_cli_push_test.go b/integration-cli/docker_cli_push_test.go index 8d96bb0f3e..f9483c2848 100644 --- a/integration-cli/docker_cli_push_test.go +++ b/integration-cli/docker_cli_push_test.go 
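Review bot: In TestTrustedPullWithExpiredSnapshot the comment `// Should succeed because the server transparently re-signs one` contradicts the assertions below it, which fail the test when the pull succeeds and require `repository out-of-date` in the output. It looks copied from the expired-timestamp case; because this test pins the client's refusal of stale snapshot metadata, the comment should state that outcome, e.g. `// Should fail: the snapshot has expired and the client must refuse it`. The repository path `dockercliexpiredtimestamppull` likewise names the timestamp rather than the snapshot. The `err == nil` branch calls `c.Fatalf` without `out`, whereas the matching push test in docker_cli_push_test.go prints it, so a regression here would be harder to diagnose.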
@@ -285,3 +285,72 @@ func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *c c.Fatalf("Missing expected output on trusted push with short targets/snapsnot passphrase:\n%s", out) } } + +func (s *DockerTrustSuite) TestTrustedPushWithExpiredSnapshot(c *check.C) { + repoName := fmt.Sprintf("%v/dockercliexpiredsnapshot/trusted:latest", privateRegistryURL) + // tag the image and upload it to the private registry + dockerCmd(c, "tag", "busybox", repoName) + + // Push with default passphrases + pushCmd := exec.Command(dockerBinary, "push", repoName) + s.trustedCmd(pushCmd) + out, _, err := runCommandWithOutput(pushCmd) + if err != nil { + c.Fatalf("trusted push failed: %s\n%s", err, out) + } + + if !strings.Contains(string(out), "Signing and pushing trust metadata") { + c.Fatalf("Missing expected output on trusted push:\n%s", out) + } + + // Snapshots last for three years. This should be expired + fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4) + + runAtDifferentDate(fourYearsLater, func() { + // Push with wrong passphrases + pushCmd = exec.Command(dockerBinary, "push", repoName) + s.trustedCmd(pushCmd) + out, _, err = runCommandWithOutput(pushCmd) + if err == nil { + c.Fatalf("Error missing from trusted push with expired snapshot: \n%s", out) + } + + if !strings.Contains(string(out), "repository out-of-date") { + c.Fatalf("Missing expected output on trusted push with expired snapshot:\n%s", out) + } + }) +} + +func (s *DockerTrustSuite) TestTrustedPushWithExpiredTimestamp(c *check.C) { + repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppush/trusted:latest", privateRegistryURL) + // tag the image and upload it to the private registry + dockerCmd(c, "tag", "busybox", repoName) + + // Push with default passphrases + pushCmd := exec.Command(dockerBinary, "push", repoName) + s.trustedCmd(pushCmd) + out, _, err := runCommandWithOutput(pushCmd) + if err != nil { + c.Fatalf("trusted push failed: %s\n%s", err, out) + } + + if 
!strings.Contains(string(out), "Signing and pushing trust metadata") { + c.Fatalf("Missing expected output on trusted push:\n%s", out) + } + + // The timestamps expire in two weeks. Lets check three + threeWeeksLater := time.Now().Add(time.Hour * 24 * 21) + + // Should succeed because the server transparently re-signs one + runAtDifferentDate(threeWeeksLater, func() { + pushCmd := exec.Command(dockerBinary, "push", repoName) + s.trustedCmd(pushCmd) + out, _, err := runCommandWithOutput(pushCmd) + if err != nil { + c.Fatalf("Error running trusted push: %s\n%s", err, out) + } + if !strings.Contains(string(out), "Signing and pushing trust metadata") { + c.Fatalf("Missing expected output on trusted push with expired timestamp:\n%s", out) + } + }) +} diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go index 76ada75926..210788c3b4 100644 --- a/integration-cli/docker_cli_run_test.go +++ b/integration-cli/docker_cli_run_test.go @@ -2699,7 +2699,7 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) { c.Fatalf("Expected to fail on this run due to different remote data: %s\n%s", err, out) } - if !strings.Contains(string(out), "failed to validate integrity of roots") { + if !strings.Contains(string(out), "failed to validate data with current trusted certificates") { c.Fatalf("Missing expected output on trusted push:\n%s", out) } }
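Review bot: In TestTrustedPushWithExpiredSnapshot the comment inside the closure, `// Push with wrong passphrases`, does not describe the code: the command is built the same way as the first push and the only visible difference is the date passed to runAtDifferentDate. Something like `// Push again; the expired snapshot must be rejected` would match the assertions. In TestTrustedPushWithExpiredTimestamp the closure redeclares `pushCmd`, `out` and `err` with `:=`, shadowing the outer variables, while the snapshot test assigns with `=`; one form should be used in both. That test asserts only that the push succeeds, so it would presumably also pass if timestamp expiry were never checked; a comment naming what demonstrates the server-side re-signing would make the intent verifiable.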