Added tests for expired snapshots and timestamps
Signed-off-by: Diogo Monica <diogo@docker.com>
parent
268fa5af47
commit
3e90b12d42
|
@ -10,9 +10,10 @@ import (
|
||||||
|
|
||||||
"os/exec"
|
"os/exec"
|
||||||
|
|
||||||
|
"io/ioutil"
|
||||||
|
|
||||||
"github.com/docker/docker/pkg/nat"
|
"github.com/docker/docker/pkg/nat"
|
||||||
"github.com/go-check/check"
|
"github.com/go-check/check"
|
||||||
"io/ioutil"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// Make sure we can create a simple container with some args
|
// Make sure we can create a simple container with some args
|
||||||
|
@ -444,7 +445,7 @@ func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {
|
||||||
c.Fatalf("Expected to fail on this create due to different remote data: %s\n%s", err, out)
|
c.Fatalf("Expected to fail on this create due to different remote data: %s\n%s", err, out)
|
||||||
}
|
}
|
||||||
|
|
||||||
if !strings.Contains(string(out), "failed to validate integrity of roots") {
|
if !strings.Contains(string(out), "failed to validate data with current trusted certificates") {
|
||||||
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
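Review bot: The expected error text `failed to validate data with current trusted certificates` is hard-coded in TestTrustedCreateFromBadTrustServer and, in this same commit, in TestTrustedPullFromBadTrustServer and TestTrustedRunFromBadTrustServer, so the next wording change has to be chased through three files again. A shared test-level constant for the message would keep the three assertions in step. The unchanged failure message on the following line still says "trusted push" although this test exercises a create (and the others a pull and a run), which misleads anyone reading a failure. The function body starts outside the hunk.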
@ -6,8 +6,9 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/go-check/check"
|
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
|
||||||
|
"github.com/go-check/check"
|
||||||
)
|
)
|
||||||
|
|
||||||
// See issue docker/docker#8141
|
// See issue docker/docker#8141
|
||||||
|
@ -324,7 +325,45 @@ func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
|
||||||
c.Fatalf("Expected to fail on this pull due to different remote data: %s\n%s", err, out)
|
c.Fatalf("Expected to fail on this pull due to different remote data: %s\n%s", err, out)
|
||||||
}
|
}
|
||||||
|
|
||||||
if !strings.Contains(string(out), "failed to validate integrity of roots") {
|
if !strings.Contains(string(out), "failed to validate data with current trusted certificates") {
|
||||||
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestTrustedPullWithExpiredSnapshot(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppull/trusted:latest", privateRegistryURL)
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", repoName)
|
||||||
|
|
||||||
|
// Push with default passphrases
|
||||||
|
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||||
|
s.trustedCmd(pushCmd)
|
||||||
|
out, _, err := runCommandWithOutput(pushCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("trusted push failed: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
dockerCmd(c, "rmi", repoName)
|
||||||
|
|
||||||
|
// Snapshots last for three years. This should be expired
|
||||||
|
fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4)
|
||||||
|
|
||||||
|
// Should succeed because the server transparently re-signs one
|
||||||
|
runAtDifferentDate(fourYearsLater, func() {
|
||||||
|
// Try pull
|
||||||
|
pullCmd := exec.Command(dockerBinary, "pull", repoName)
|
||||||
|
s.trustedCmd(pullCmd)
|
||||||
|
out, _, err = runCommandWithOutput(pullCmd)
|
||||||
|
if err == nil {
|
||||||
|
c.Fatalf("Missing expected error running trusted pull with expired snapshots")
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "repository out-of-date") {
|
||||||
|
c.Fatalf("Missing expected output on trusted pull with expired snapshot:\n%s", out)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
|
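Review bot: The comment `// Should succeed because the server transparently re-signs one` above the runAtDifferentDate call in TestTrustedPullWithExpiredSnapshot contradicts the assertions inside the closure, which fail the test when `err == nil` and require "repository out-of-date" in the output. It looks carried over from the expired-timestamp case; `// Should fail: the snapshot has expired and the client must refuse the stale metadata` would match what is asserted. The repository name `dockercliexpiredtimestamppull` likewise says timestamp while the test covers snapshot expiry, so `dockercliexpiredsnapshotpull` would be clearer. The first Fatalf in the closure drops `out`, the only clue when the pull unexpectedly succeeds; consider `c.Fatalf("Missing expected error running trusted pull with expired snapshots:\n%s", out)`.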
@ -285,3 +285,72 @@ func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *c
|
||||||
c.Fatalf("Missing expected output on trusted push with short targets/snapsnot passphrase:\n%s", out)
|
c.Fatalf("Missing expected output on trusted push with short targets/snapsnot passphrase:\n%s", out)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestTrustedPushWithExpiredSnapshot(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockercliexpiredsnapshot/trusted:latest", privateRegistryURL)
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", repoName)
|
||||||
|
|
||||||
|
// Push with default passphrases
|
||||||
|
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||||
|
s.trustedCmd(pushCmd)
|
||||||
|
out, _, err := runCommandWithOutput(pushCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("trusted push failed: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Snapshots last for three years. This should be expired
|
||||||
|
fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4)
|
||||||
|
|
||||||
|
runAtDifferentDate(fourYearsLater, func() {
|
||||||
|
// Push with wrong passphrases
|
||||||
|
pushCmd = exec.Command(dockerBinary, "push", repoName)
|
||||||
|
s.trustedCmd(pushCmd)
|
||||||
|
out, _, err = runCommandWithOutput(pushCmd)
|
||||||
|
if err == nil {
|
||||||
|
c.Fatalf("Error missing from trusted push with expired snapshot: \n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "repository out-of-date") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push with expired snapshot:\n%s", out)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestTrustedPushWithExpiredTimestamp(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppush/trusted:latest", privateRegistryURL)
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", repoName)
|
||||||
|
|
||||||
|
// Push with default passphrases
|
||||||
|
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||||
|
s.trustedCmd(pushCmd)
|
||||||
|
out, _, err := runCommandWithOutput(pushCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("trusted push failed: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
// The timestamps expire in two weeks. Lets check three
|
||||||
|
threeWeeksLater := time.Now().Add(time.Hour * 24 * 21)
|
||||||
|
|
||||||
|
// Should succeed because the server transparently re-signs one
|
||||||
|
runAtDifferentDate(threeWeeksLater, func() {
|
||||||
|
pushCmd := exec.Command(dockerBinary, "push", repoName)
|
||||||
|
s.trustedCmd(pushCmd)
|
||||||
|
out, _, err := runCommandWithOutput(pushCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error running trusted push: %s\n%s", err, out)
|
||||||
|
}
|
||||||
|
if !strings.Contains(string(out), "Signing and pushing trust metadata") {
|
||||||
|
c.Fatalf("Missing expected output on trusted push with expired timestamp:\n%s", out)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
|
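Review bot: In TestTrustedPushWithExpiredSnapshot the closure comment `// Push with wrong passphrases` is stale: the second push goes through the same `s.trustedCmd` setup as the first and is expected to fail because the snapshot has expired, so `// Push again; the expired snapshot must be rejected` describes it. In TestTrustedPushWithExpiredTimestamp the closure redeclares `pushCmd` and `out, _, err` with `:=`, shadowing the outer variables, while the snapshot test assigns with `=`; one form should be used in both, preferably fresh locals. runAtDifferentDate is not visible in this diff; if it moves the host clock and does not restore it in a `defer`, the `c.Fatalf` calls inside these closures could leave the clock weeks or years ahead for the tests that follow, which is worth confirming.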
@ -2699,7 +2699,7 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
|
||||||
c.Fatalf("Expected to fail on this run due to different remote data: %s\n%s", err, out)
|
c.Fatalf("Expected to fail on this run due to different remote data: %s\n%s", err, out)
|
||||||
}
|
}
|
||||||
|
|
||||||
if !strings.Contains(string(out), "failed to validate integrity of roots") {
|
if !strings.Contains(string(out), "failed to validate data with current trusted certificates") {
|
||||||
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
c.Fatalf("Missing expected output on trusted push:\n%s", out)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|