kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity

Migrate DockerTrustSuite to docker/cli e2e tests 

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This commit is contained in:
Vincent Demeester 2018-03-06 11:01:26 +01:00
parent 7bda5be956
commit 5433ceb12e
No known key found for this signature in database
GPG Key ID: 083CC6FD6EB699A3
13 changed files with 0 additions and 1309 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Dockerfile
View File

@ -91,21 +91,6 @@ RUN set -x \
FROM base AS notary
# Install notary and notary-server
ENV NOTARY_VERSION v0.5.0
RUN set -x \
&& export GOPATH="$(mktemp -d)" \
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \
&& (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \
go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \
go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \
&& rm -rf "$GOPATH"
FROM base AS docker-py
# Get the "docker-py" source so we can run their integration tests
ENV DOCKER_PY_COMMIT 8b246db271a85d6541dc458838627e89c683e42f
@ -248,7 +233,6 @@ COPY --from=containerd /opt/containerd/ /usr/local/bin/
COPY --from=proxy /opt/proxy/ /usr/local/bin/
COPY --from=dockercli /opt/dockercli /usr/local/cli
COPY --from=registry /usr/local/bin/registry* /usr/local/bin/
COPY --from=notary /usr/local/bin/notary* /usr/local/bin/
COPY --from=criu /opt/criu/ /usr/local/
COPY --from=docker-py /docker-py /docker-py
# TODO: This is for the docker-py tests, which shouldn't really be needed for

69
integration-cli/check_test.go
View File

@ -14,7 +14,6 @@ import (
"time"
"github.com/docker/docker/api/types/swarm"
"github.com/docker/docker/cli/config"
"github.com/docker/docker/integration-cli/checker"
"github.com/docker/docker/integration-cli/cli"
"github.com/docker/docker/integration-cli/cli/build/fakestorage"
@ -386,74 +385,6 @@ func (s *DockerSwarmSuite) TearDownTest(c *check.C) {
s.ds.TearDownTest(c)
}
func init() {
check.Suite(&DockerTrustSuite{
ds: &DockerSuite{},
})
}
type DockerTrustSuite struct {
ds *DockerSuite
reg *registry.V2
not *testNotary
}
func (s *DockerTrustSuite) OnTimeout(c *check.C) {
s.ds.OnTimeout(c)
}
func (s *DockerTrustSuite) SetUpTest(c *check.C) {
testRequires(c, registry.Hosting, NotaryServerHosting)
s.reg = setupRegistry(c, false, "", "")
s.not = setupNotary(c)
}
func (s *DockerTrustSuite) TearDownTest(c *check.C) {
if s.reg != nil {
s.reg.Close()
}
if s.not != nil {
s.not.Close()
}
// Remove trusted keys and metadata after test
os.RemoveAll(filepath.Join(config.Dir(), "trust"))
s.ds.TearDownTest(c)
}
func init() {
ds := &DockerSuite{}
check.Suite(&DockerTrustedSwarmSuite{
trustSuite: DockerTrustSuite{
ds: ds,
},
swarmSuite: DockerSwarmSuite{
ds: ds,
},
})
}
type DockerTrustedSwarmSuite struct {
swarmSuite DockerSwarmSuite
trustSuite DockerTrustSuite
reg *registry.V2
not *testNotary
}
func (s *DockerTrustedSwarmSuite) SetUpTest(c *check.C) {
s.swarmSuite.SetUpTest(c)
s.trustSuite.SetUpTest(c)
}
func (s *DockerTrustedSwarmSuite) TearDownTest(c *check.C) {
s.trustSuite.TearDownTest(c)
s.swarmSuite.TearDownTest(c)
}
func (s *DockerTrustedSwarmSuite) OnTimeout(c *check.C) {
s.swarmSuite.OnTimeout(c)
}
func init() {
check.Suite(&DockerPluginSuite{
ds: &DockerSuite{},

156
integration-cli/docker_cli_build_test.go
View File

@ -4048,140 +4048,6 @@ func (s *DockerSuite) TestBuildRUNErrMsg(c *check.C) {
})
}
func (s *DockerTrustSuite) TestTrustedBuild(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-build")
dockerFile := fmt.Sprintf(`
FROM %s
RUN []
`, repoName)
name := "testtrustedbuild"
buildImage(name, trustedBuild, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
Out: fmt.Sprintf("FROM %s@sha", repoName[:len(repoName)-7]),
})
// We should also have a tag reference for the image.
dockerCmd(c, "inspect", repoName)
// We should now be able to remove the tag reference.
dockerCmd(c, "rmi", repoName)
}
func (s *DockerTrustSuite) TestTrustedBuildUntrustedTag(c *check.C) {
repoName := fmt.Sprintf("%v/dockercli/build-untrusted-tag:latest", privateRegistryURL)
dockerFile := fmt.Sprintf(`
FROM %s
RUN []
`, repoName)
name := "testtrustedbuilduntrustedtag"
buildImage(name, trustedBuild, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "does not have trust data for",
})
}
// FIXME(vdemeester) should migrate to docker/cli e2e tests
func (s *DockerTrustSuite) TestBuildContextDirIsSymlink(c *check.C) {
testRequires(c, DaemonIsLinux)
tempDir, err := ioutil.TempDir("", "test-build-dir-is-symlink-")
c.Assert(err, check.IsNil)
defer os.RemoveAll(tempDir)
// Make a real context directory in this temp directory with a simple
// Dockerfile.
realContextDirname := filepath.Join(tempDir, "context")
if err := os.Mkdir(realContextDirname, os.FileMode(0755)); err != nil {
c.Fatal(err)
}
if err = ioutil.WriteFile(
filepath.Join(realContextDirname, "Dockerfile"),
[]byte(`
FROM busybox
RUN echo hello world
`),
os.FileMode(0644),
); err != nil {
c.Fatal(err)
}
// Make a symlink to the real context directory.
contextSymlinkName := filepath.Join(tempDir, "context_link")
if err := os.Symlink(realContextDirname, contextSymlinkName); err != nil {
c.Fatal(err)
}
// Executing the build with the symlink as the specified context should
// *not* fail.
dockerCmd(c, "build", contextSymlinkName)
}
func (s *DockerTrustSuite) TestTrustedBuildTagFromReleasesRole(c *check.C) {
testRequires(c, NotaryHosting)
latestTag := s.setupTrustedImage(c, "trusted-build-releases-role")
repoName := strings.TrimSuffix(latestTag, ":latest")
// Now create the releases role
s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public)
s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)
s.notaryPublish(c, repoName)
// push a different tag to the releases role
otherTag := fmt.Sprintf("%s:other", repoName)
cli.DockerCmd(c, "tag", "busybox", otherTag)
cli.Docker(cli.Args("push", otherTag), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "other", "targets/releases")
s.assertTargetNotInRoles(c, repoName, "other", "targets")
cli.DockerCmd(c, "rmi", otherTag)
dockerFile := fmt.Sprintf(`
FROM %s
RUN []
`, otherTag)
name := "testtrustedbuildreleasesrole"
cli.BuildCmd(c, name, trustedCmd, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
Out: fmt.Sprintf("FROM %s@sha", repoName),
})
}
func (s *DockerTrustSuite) TestTrustedBuildTagIgnoresOtherDelegationRoles(c *check.C) {
testRequires(c, NotaryHosting)
latestTag := s.setupTrustedImage(c, "trusted-build-releases-role")
repoName := strings.TrimSuffix(latestTag, ":latest")
// Now create a non-releases delegation role
s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[0].Public)
s.notaryImportKey(c, repoName, "targets/other", s.not.keys[0].Private)
s.notaryPublish(c, repoName)
// push a different tag to the other role
otherTag := fmt.Sprintf("%s:other", repoName)
cli.DockerCmd(c, "tag", "busybox", otherTag)
cli.Docker(cli.Args("push", otherTag), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "other", "targets/other")
s.assertTargetNotInRoles(c, repoName, "other", "targets")
cli.DockerCmd(c, "rmi", otherTag)
dockerFile := fmt.Sprintf(`
FROM %s
RUN []
`, otherTag)
name := "testtrustedbuildotherrole"
cli.Docker(cli.Build(name), trustedCmd, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
ExitCode: 1,
})
}
// Issue #15634: COPY fails when path starts with "null"
func (s *DockerSuite) TestBuildNullStringInAddCopyVolume(c *check.C) {
name := "testbuildnullstringinaddcopyvolume"
@ -6018,28 +5884,6 @@ func (s *DockerSuite) TestBuildMultiStageNameVariants(c *check.C) {
cli.Docker(cli.Args("run", "build1", "cat", "f2")).Assert(c, icmd.Expected{Out: "bar2"})
}
func (s *DockerTrustSuite) TestBuildMultiStageTrusted(c *check.C) {
img1 := s.setupTrustedImage(c, "trusted-build1")
img2 := s.setupTrustedImage(c, "trusted-build2")
dockerFile := fmt.Sprintf(`
FROM %s AS build-base
RUN echo ok > /foo
FROM %s
COPY --from=build-base foo bar`, img1, img2)
name := "testcopyfromtrustedbuild"
r := buildImage(name, trustedBuild, build.WithDockerfile(dockerFile))
r.Assert(c, icmd.Expected{
Out: fmt.Sprintf("FROM %s@sha", img1[:len(img1)-7]),
})
r.Assert(c, icmd.Expected{
Out: fmt.Sprintf("FROM %s@sha", img2[:len(img2)-7]),
})
dockerCmdWithResult("run", name, "cat", "bar").Assert(c, icmd.Expected{Out: "ok"})
}
func (s *DockerSuite) TestBuildMultiStageMultipleBuildsWindows(c *check.C) {
testRequires(c, DaemonIsWindows)
dockerfile := `

71
integration-cli/docker_cli_create_test.go
View File

@ -3,7 +3,6 @@ package main
import (
"encoding/json"
"fmt"
"io/ioutil"
"os"
"reflect"
"strings"
@ -16,7 +15,6 @@ import (
"github.com/docker/docker/pkg/stringid"
"github.com/docker/go-connections/nat"
"github.com/go-check/check"
"github.com/gotestyourself/gotestyourself/icmd"
)
// Make sure we can create a simple container with some args
@ -292,75 +290,6 @@ func (s *DockerSuite) TestCreateByImageID(c *check.C) {
}
}
func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-create")
// Try create
cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Try untrusted create to ensure we pushed the tag to the registry
cli.Docker(cli.Args("create", "--disable-content-trust=true", repoName)).Assert(c, SuccessDownloadedOnStderr)
}
func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) {
repoName := fmt.Sprintf("%v/dockercliuntrusted/createtest", privateRegistryURL)
withTagName := fmt.Sprintf("%s:latest", repoName)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", withTagName)
cli.DockerCmd(c, "push", withTagName)
cli.DockerCmd(c, "rmi", withTagName)
// Try trusted create on untrusted tag
cli.Docker(cli.Args("create", withTagName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: fmt.Sprintf("does not have trust data for %s", repoName),
})
}
func (s *DockerTrustSuite) TestTrustedIsolatedCreate(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-isolated-create")
// Try create
cli.Docker(cli.Args("--config", "/tmp/docker-isolated-create", "create", repoName), trustedCmd).Assert(c, SuccessTagging)
defer os.RemoveAll("/tmp/docker-isolated-create")
cli.DockerCmd(c, "rmi", repoName)
}
func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclievilcreate/trusted:latest", privateRegistryURL)
evilLocalConfigDir, err := ioutil.TempDir("", "evilcreate-local-config-dir")
c.Assert(err, check.IsNil)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
// Try create
cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Kill the notary server, start a new "evil" one.
s.not.Close()
s.not, err = newTestNotary(c)
c.Assert(err, check.IsNil)
// In order to make an evil server, lets re-init a client (with a different trust dir) and push new data.
// tag an image and upload it to the private registry
cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
// Push up to the new server
cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Now, try creating with the original client from this new trust server. This should fail because the new root is invalid.
cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "could not rotate trust to a new trusted root",
})
}
func (s *DockerSuite) TestCreateStopSignal(c *check.C) {
name := "test_create_stop_signal"
dockerCmd(c, "create", "--name", name, "--stop-signal", "9", "busybox")

46
integration-cli/docker_cli_plugins_test.go
View File

@ -16,7 +16,6 @@ import (
"github.com/docker/docker/integration-cli/daemon"
"github.com/docker/docker/integration-cli/fixtures/plugin"
"github.com/go-check/check"
"github.com/gotestyourself/gotestyourself/icmd"
"golang.org/x/net/context"
)
@ -352,51 +351,6 @@ func (s *DockerSuite) TestPluginInspectOnWindows(c *check.C) {
c.Assert(err.Error(), checker.Contains, "plugins are not supported on this platform")
}
func (s *DockerTrustSuite) TestPluginTrustedInstall(c *check.C) {
testRequires(c, DaemonIsLinux, IsAmd64, Network)
trustedName := s.setupTrustedplugin(c, pNameWithTag, "trusted-plugin-install")
cli.Docker(cli.Args("plugin", "install", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, icmd.Expected{
Out: trustedName,
})
out := cli.DockerCmd(c, "plugin", "ls").Combined()
c.Assert(out, checker.Contains, "true")
out = cli.DockerCmd(c, "plugin", "disable", trustedName).Combined()
c.Assert(strings.TrimSpace(out), checker.Contains, trustedName)
out = cli.DockerCmd(c, "plugin", "enable", trustedName).Combined()
c.Assert(strings.TrimSpace(out), checker.Contains, trustedName)
out = cli.DockerCmd(c, "plugin", "rm", "-f", trustedName).Combined()
c.Assert(strings.TrimSpace(out), checker.Contains, trustedName)
// Try untrusted pull to ensure we pushed the tag to the registry
cli.Docker(cli.Args("plugin", "install", "--disable-content-trust=true", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, SuccessDownloaded)
out = cli.DockerCmd(c, "plugin", "ls").Combined()
c.Assert(out, checker.Contains, "true")
}
func (s *DockerTrustSuite) TestPluginUntrustedInstall(c *check.C) {
testRequires(c, DaemonIsLinux, IsAmd64, Network)
pluginName := fmt.Sprintf("%v/dockercliuntrusted/plugintest:latest", privateRegistryURL)
// install locally and push to private registry
cli.DockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", pluginName, pNameWithTag)
cli.DockerCmd(c, "plugin", "push", pluginName)
cli.DockerCmd(c, "plugin", "rm", "-f", pluginName)
// Try trusted install on untrusted plugin
cli.Docker(cli.Args("plugin", "install", "--grant-all-permissions", pluginName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Error: remote trust data does not exist",
})
}
func (ps *DockerPluginSuite) TestPluginIDPrefix(c *check.C) {
name := "test"
client := testEnv.APIClient()

222
integration-cli/docker_cli_pull_trusted_test.go
View File

@ -1,222 +0,0 @@
package main
import (
"fmt"
"io/ioutil"
"github.com/docker/docker/integration-cli/checker"
"github.com/docker/docker/integration-cli/cli"
"github.com/docker/docker/integration-cli/cli/build"
"github.com/go-check/check"
"github.com/gotestyourself/gotestyourself/icmd"
)
func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-pull")
// Try pull
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Try untrusted pull to ensure we pushed the tag to the registry
cli.Docker(cli.Args("pull", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloaded)
}
func (s *DockerTrustSuite) TestTrustedIsolatedPull(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-isolated-pull")
// Try pull (run from isolated directory without trust information)
cli.Docker(cli.Args("--config", "/tmp/docker-isolated", "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
}
func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {
repoName := fmt.Sprintf("%v/dockercliuntrusted/pulltest:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "push", repoName)
cli.DockerCmd(c, "rmi", repoName)
// Try trusted pull on untrusted tag
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Error: remote trust data does not exist",
})
}
func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclievilpull/trusted:latest", privateRegistryURL)
evilLocalConfigDir, err := ioutil.TempDir("", "evil-local-config-dir")
if err != nil {
c.Fatalf("Failed to create local temp dir")
}
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
// Try pull
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Kill the notary server, start a new "evil" one.
s.not.Close()
s.not, err = newTestNotary(c)
c.Assert(err, check.IsNil, check.Commentf("Restarting notary server failed."))
// In order to make an evil server, lets re-init a client (with a different trust dir) and push new data.
// tag an image and upload it to the private registry
cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
// Push up to the new server
cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Now, try pulling with the original client from this new trust server. This should fail because the new root is invalid.
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "could not rotate trust to a new trusted root",
})
}
func (s *DockerTrustSuite) TestTrustedOfflinePull(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-offline-pull")
cli.Docker(cli.Args("pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "error contacting notary server",
})
// Do valid trusted pull to warm cache
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Try pull again with invalid notary server, should use cache
cli.Docker(cli.Args("pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, SuccessTagging)
}
func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, "trusted-pull-delete")
// tag the image and upload it to the private registry
cli.BuildCmd(c, repoName, build.WithDockerfile(`
FROM busybox
CMD echo trustedpulldelete
`))
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
// Try pull
result := cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Success)
matches := digestRegex.FindStringSubmatch(result.Combined())
c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", result.Combined()))
pullDigest := matches[1]
imageID := inspectField(c, repoName, "Id")
imageByDigest := repoName + "@" + pullDigest
byDigestID := inspectField(c, imageByDigest, "Id")
c.Assert(byDigestID, checker.Equals, imageID)
// rmi of tag should also remove the digest reference
cli.DockerCmd(c, "rmi", repoName)
_, err := inspectFieldWithError(imageByDigest, "Id")
c.Assert(err, checker.NotNil, check.Commentf("digest reference should have been removed"))
_, err = inspectFieldWithError(imageID, "Id")
c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
}
func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
testRequires(c, NotaryHosting)
repoName := fmt.Sprintf("%v/dockerclireleasesdelegationpulling/trusted", privateRegistryURL)
targetName := fmt.Sprintf("%s:latest", repoName)
// Push with targets first, initializing the repo
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "latest", "targets")
// Try pull, check we retrieve from targets role
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Err: "retrieving target for targets role",
})
// Now we'll create the releases role, and try pushing and pulling
s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public)
s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)
s.notaryPublish(c, repoName)
// try a pull, check that we can still pull because we can still read the
// old tag in the targets role
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Err: "retrieving target for targets role",
})
// try a pull -a, check that it succeeds because we can still pull from the
// targets role
cli.Docker(cli.Args("-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Success)
// Push, should sign with targets/releases
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases")
// Try pull, check we retrieve from targets/releases role
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Err: "retrieving target for targets/releases role",
})
// Create another delegation that we'll sign with
s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[1].Public)
s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private)
s.notaryPublish(c, repoName)
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases", "targets/other")
// Try pull, check we retrieve from targets/releases role
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Err: "retrieving target for targets/releases role",
})
}
func (s *DockerTrustSuite) TestTrustedPullIgnoresOtherDelegationRoles(c *check.C) {
testRequires(c, NotaryHosting)
repoName := fmt.Sprintf("%v/dockerclipullotherdelegation/trusted", privateRegistryURL)
targetName := fmt.Sprintf("%s:latest", repoName)
// We'll create a repo first with a non-release delegation role, so that when we
// push we'll sign it into the delegation role
s.notaryInitRepo(c, repoName)
s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[0].Public)
s.notaryImportKey(c, repoName, "targets/other", s.not.keys[0].Private)
s.notaryPublish(c, repoName)
// Push should write to the delegation role, not targets
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "latest", "targets/other")
s.assertTargetNotInRoles(c, repoName, "latest", "targets")
// Try pull - we should fail, since pull will only pull from the targets/releases
// role or the targets role
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "No trust data for",
})
// try a pull -a: we should fail since pull will only pull from the targets/releases
// role or the targets role
cli.Docker(cli.Args("-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "No trusted tags for",
})
}

222
integration-cli/docker_cli_push_test.go
View File

@ -7,14 +7,11 @@ import (
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"strings"
"sync"
"github.com/docker/distribution/reference"
"github.com/docker/docker/cli/config"
"github.com/docker/docker/integration-cli/checker"
"github.com/docker/docker/integration-cli/cli"
"github.com/docker/docker/integration-cli/cli/build"
"github.com/go-check/check"
"github.com/gotestyourself/gotestyourself/icmd"
@ -281,225 +278,6 @@ func (s *DockerSchema1RegistrySuite) TestCrossRepositoryLayerPushNotSupported(c
c.Assert(out3, check.Equals, "hello world")
}
func (s *DockerTrustSuite) TestTrustedPush(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclitrusted/pushtest:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Try pull after push
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Out: "Status: Image is up to date",
})
// Assert that we rotated the snapshot key to the server by checking our local keystore
contents, err := ioutil.ReadDir(filepath.Join(config.Dir(), "trust/private/tuf_keys", privateRegistryURL, "dockerclitrusted/pushtest"))
c.Assert(err, check.IsNil, check.Commentf("Unable to read local tuf key files"))
// Check that we only have 1 key (targets key)
c.Assert(contents, checker.HasLen, 1)
}
func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclienv/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "12345678")).Assert(c, SuccessSigningAndPushing)
// Try pull after push
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Out: "Status: Image is up to date",
})
}
func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclitrusted/failingserver:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
// Using a name that doesn't resolve to an address makes this test faster
cli.Docker(cli.Args("push", repoName), trustedCmdWithServer("https://server.invalid:81/")).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "error contacting notary server",
})
}
func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclitrusted/trustedandnot:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
result := cli.Docker(cli.Args("push", "--disable-content-trust", repoName), trustedCmdWithServer("https://server.invalid:81/"))
result.Assert(c, icmd.Success)
c.Assert(result.Combined(), check.Not(checker.Contains), "Error establishing connection to notary repository", check.Commentf("Missing expected output on trusted push with --disable-content-trust:"))
}
func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclitag/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "push", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Try pull after push
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Out: "Status: Image is up to date",
})
}
func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclipushpush/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
// Do a trusted push
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Do another trusted push
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
// Try pull to ensure the double push did not break our ability to pull
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessDownloaded)
}
func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *check.C) {
repoName := fmt.Sprintf("%v/dockercliincorretpwd/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
// Push with default passphrases
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Push with wrong passphrases
cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "87654321")).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "could not find necessary signing keys",
})
}
func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) {
testRequires(c, NotaryHosting)
repoName := fmt.Sprintf("%v/dockerclireleasedelegationinitfirst/trusted", privateRegistryURL)
targetName := fmt.Sprintf("%s:latest", repoName)
s.notaryInitRepo(c, repoName)
s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public)
s.notaryPublish(c, repoName)
s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// check to make sure that the target has been added to targets/releases and not targets
s.assertTargetInRoles(c, repoName, "latest", "targets/releases")
s.assertTargetNotInRoles(c, repoName, "latest", "targets")
// Try pull after push
os.RemoveAll(filepath.Join(config.Dir(), "trust"))
cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
Out: "Status: Image is up to date",
})
}
func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c *check.C) {
testRequires(c, NotaryHosting)
repoName := fmt.Sprintf("%v/dockerclimanyroles/trusted", privateRegistryURL)
targetName := fmt.Sprintf("%s:latest", repoName)
s.notaryInitRepo(c, repoName)
s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public)
s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public)
s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public)
// import everything except the third key
s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private)
s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private)
s.notaryCreateDelegation(c, repoName, "targets/role1/subrole", s.not.keys[3].Public)
s.notaryImportKey(c, repoName, "targets/role1/subrole", s.not.keys[3].Private)
s.notaryPublish(c, repoName)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// check to make sure that the target has been added to targets/role1 and targets/role2, and
// not targets (because there are delegations) or targets/role3 (due to missing key) or
// targets/role1/subrole (due to it being a second level delegation)
s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role2")
s.assertTargetNotInRoles(c, repoName, "latest", "targets")
// Try pull after push
os.RemoveAll(filepath.Join(config.Dir(), "trust"))
// pull should fail because none of these are the releases role
cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
})
}
func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclirolesbykeysandpaths/trusted", privateRegistryURL)
targetName := fmt.Sprintf("%s:latest", repoName)
s.notaryInitRepo(c, repoName)
s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public, "l", "z")
s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public, "x", "y")
s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public, "latest")
s.notaryCreateDelegation(c, repoName, "targets/role4", s.not.keys[3].Public, "latest")
// import everything except the third key
s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private)
s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private)
s.notaryImportKey(c, repoName, "targets/role4", s.not.keys[3].Private)
s.notaryPublish(c, repoName)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// check to make sure that the target has been added to targets/role1 and targets/role4, and
// not targets (because there are delegations) or targets/role2 (due to path restrictions) or
// targets/role3 (due to missing key)
s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role4")
s.assertTargetNotInRoles(c, repoName, "latest", "targets")
// Try pull after push
os.RemoveAll(filepath.Join(config.Dir(), "trust"))
// pull should fail because none of these are the releases role
cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
})
}
func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c *check.C) {
testRequires(c, NotaryHosting)
repoName := fmt.Sprintf("%v/dockerclireleasedelegationnotsignable/trusted", privateRegistryURL)
targetName := fmt.Sprintf("%s:latest", repoName)
s.notaryInitRepo(c, repoName)
s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public)
s.notaryPublish(c, repoName)
// do not import any delegations key
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "no valid signing keys",
})
s.assertTargetNotInRoles(c, repoName, "latest", "targets", "targets/role1")
}
func (s *DockerRegistryAuthHtpasswdSuite) TestPushNoCredentialsNoRetry(c *check.C) {
repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
dockerCmd(c, "tag", "busybox", repoName)

69
integration-cli/docker_cli_run_test.go
View File

@ -3140,75 +3140,6 @@ func (s *DockerSuite) TestRunNetworkFilesBindMountROFilesystem(c *check.C) {
}
}
func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {
// Windows does not support this functionality
testRequires(c, DaemonIsLinux)
repoName := s.setupTrustedImage(c, "trusted-run")
// Try run
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Try untrusted run to ensure we pushed the tag to the registry
cli.Docker(cli.Args("run", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloadedOnStderr)
}
func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) {
// Windows does not support this functionality
testRequires(c, DaemonIsLinux)
repoName := fmt.Sprintf("%v/dockercliuntrusted/runtest:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "push", repoName)
cli.DockerCmd(c, "rmi", repoName)
// Try trusted run on untrusted tag
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 125,
Err: "does not have trust data for",
})
}
func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
// Windows does not support this functionality
testRequires(c, DaemonIsLinux)
repoName := fmt.Sprintf("%v/dockerclievilrun/trusted:latest", privateRegistryURL)
evilLocalConfigDir, err := ioutil.TempDir("", "evilrun-local-config-dir")
if err != nil {
c.Fatalf("Failed to create local temp dir")
}
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
// Try run
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Kill the notary server, start a new "evil" one.
s.not.Close()
s.not, err = newTestNotary(c)
if err != nil {
c.Fatalf("Restarting notary server failed.")
}
// In order to make an evil server, lets re-init a client (with a different trust dir) and push new data.
// tag an image and upload it to the private registry
cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
// Push up to the new server
cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Now, try running with the original client from this new trust server. This should fail because the new root is invalid.
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 125,
Err: "could not rotate trust to a new trusted root",
})
}
func (s *DockerSuite) TestPtraceContainerProcsFromHost(c *check.C) {
// Not applicable on Windows as uses Unix specific functionality
testRequires(c, DaemonIsLinux, SameHostDaemon)

72
integration-cli/docker_cli_swarm_test.go
View File

@ -1560,78 +1560,6 @@ func (s *DockerSwarmSuite) TestSwarmNetworkIPAMOptions(c *check.C) {
c.Assert(strings.TrimSpace(out), checker.Contains, "com.docker.network.ipam.serial:true")
}
func (s *DockerTrustedSwarmSuite) TestTrustedServiceCreate(c *check.C) {
d := s.swarmSuite.AddDaemon(c, true, true)
// Attempt creating a service from an image that is known to notary.
repoName := s.trustSuite.setupTrustedImage(c, "trusted-pull")
name := "trusted"
cli.Docker(cli.Args("-D", "service", "create", "--detach", "--no-resolve-image", "--name", name, repoName, "top"), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
Err: "resolved image tag to",
})
out, err := d.Cmd("service", "inspect", "--pretty", name)
c.Assert(err, checker.IsNil, check.Commentf(out))
c.Assert(out, checker.Contains, repoName+"@", check.Commentf(out))
// Try trusted service create on an untrusted tag.
repoName = fmt.Sprintf("%v/untrustedservicecreate/createtest:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "push", repoName)
cli.DockerCmd(c, "rmi", repoName)
name = "untrusted"
cli.Docker(cli.Args("service", "create", "--detach", "--no-resolve-image", "--name", name, repoName, "top"), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Error: remote trust data does not exist",
})
out, err = d.Cmd("service", "inspect", "--pretty", name)
c.Assert(err, checker.NotNil, check.Commentf(out))
}
func (s *DockerTrustedSwarmSuite) TestTrustedServiceUpdate(c *check.C) {
d := s.swarmSuite.AddDaemon(c, true, true)
// Attempt creating a service from an image that is known to notary.
repoName := s.trustSuite.setupTrustedImage(c, "trusted-pull")
name := "myservice"
// Create a service without content trust
cli.Docker(cli.Args("service", "create", "--detach", "--no-resolve-image", "--name", name, repoName, "top"), cli.Daemon(d.Daemon)).Assert(c, icmd.Success)
result := cli.Docker(cli.Args("service", "inspect", "--pretty", name), cli.Daemon(d.Daemon))
c.Assert(result.Error, checker.IsNil, check.Commentf(result.Combined()))
// Daemon won't insert the digest because this is disabled by
// DOCKER_SERVICE_PREFER_OFFLINE_IMAGE.
c.Assert(result.Combined(), check.Not(checker.Contains), repoName+"@", check.Commentf(result.Combined()))
cli.Docker(cli.Args("-D", "service", "update", "--detach", "--no-resolve-image", "--image", repoName, name), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
Err: "resolved image tag to",
})
cli.Docker(cli.Args("service", "inspect", "--pretty", name), cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
Out: repoName + "@",
})
// Try trusted service update on an untrusted tag.
repoName = fmt.Sprintf("%v/untrustedservicecreate/createtest:latest", privateRegistryURL)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "push", repoName)
cli.DockerCmd(c, "rmi", repoName)
cli.Docker(cli.Args("service", "update", "--detach", "--no-resolve-image", "--image", repoName, name), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Error: remote trust data does not exist",
})
}
// Test case for issue #27866, which did not allow NW name that is the prefix of a swarm NW ID.
// e.g. if the ingress ID starts with "n1", it was impossible to create a NW named "n1".
func (s *DockerSwarmSuite) TestSwarmNetworkCreateIssue27866(c *check.C) {

13
integration-cli/docker_utils_test.go
View File

@ -202,12 +202,6 @@ func buildImage(name string, cmdOperators ...cli.CmdOperator) *icmd.Result {
return cli.Docker(cli.Build(name), cmdOperators...)
}
// Deprecated: use trustedcmd
func trustedBuild(cmd *icmd.Cmd) func() {
trustedCmd(cmd)
return nil
}
// Write `content` to the file at path `dst`, creating it if necessary,
// as well as any missing directories.
// The file is truncated if it already exists.
@ -306,13 +300,6 @@ func setupRegistry(c *check.C, schema1 bool, auth, tokenURL string) *registry.V2
return reg
}
func setupNotary(c *check.C) *testNotary {
ts, err := newTestNotary(c)
c.Assert(err, check.IsNil)
return ts
}
// appendBaseEnv appends the minimum set of environment variables to exec the
// docker cli binary for testing with correct configuration to the given env
// list.

16
integration-cli/requirements_test.go
View File

@ -112,22 +112,6 @@ func Apparmor() bool {
return err == nil && len(buf) > 1 && buf[0] == 'Y'
}
func NotaryHosting() bool {
// for now notary binary is built only if we're running inside
// container through `make test`. Figure that out by testing if
// notary-server binary is in PATH.
_, err := exec.LookPath(notaryServerBinary)
return err == nil
}
func NotaryServerHosting() bool {
// for now notary-server binary is built only if we're running inside
// container through `make test`. Figure that out by testing if
// notary-server binary is in PATH.
_, err := exec.LookPath(notaryServerBinary)
return err == nil
}
func Devicemapper() bool {
return strings.HasPrefix(testEnv.DaemonInfo.Driver, "devicemapper")
}

334
integration-cli/trust_server_test.go
View File

@ -1,334 +0,0 @@
package main
import (
"context"
"fmt"
"io/ioutil"
"net"
"net/http"
"os"
"os/exec"
"path/filepath"
"strings"
"time"
"github.com/docker/docker/api/types"
cliconfig "github.com/docker/docker/cli/config"
"github.com/docker/docker/integration-cli/checker"
"github.com/docker/docker/integration-cli/cli"
"github.com/docker/docker/integration-cli/fixtures/plugin"
"github.com/docker/go-connections/tlsconfig"
"github.com/go-check/check"
"github.com/gotestyourself/gotestyourself/icmd"
)
var notaryBinary = "notary"
var notaryServerBinary = "notary-server"
type keyPair struct {
Public string
Private string
}
type testNotary struct {
cmd *exec.Cmd
dir string
keys []keyPair
}
const notaryHost = "localhost:4443"
const notaryURL = "https://" + notaryHost
var SuccessTagging = icmd.Expected{
Out: "Tagging",
}
var SuccessSigningAndPushing = icmd.Expected{
Out: "Signing and pushing trust metadata",
}
var SuccessDownloaded = icmd.Expected{
Out: "Status: Downloaded",
}
var SuccessDownloadedOnStderr = icmd.Expected{
Err: "Status: Downloaded",
}
func newTestNotary(c *check.C) (*testNotary, error) {
// generate server config
template := `{
"server": {
"http_addr": "%s",
"tls_key_file": "%s",
"tls_cert_file": "%s"
},
"trust_service": {
"type": "local",
"hostname": "",
"port": "",
"key_algorithm": "ed25519"
},
"logging": {
"level": "debug"
},
"storage": {
"backend": "memory"
}
}`
tmp, err := ioutil.TempDir("", "notary-test-")
if err != nil {
return nil, err
}
confPath := filepath.Join(tmp, "config.json")
config, err := os.Create(confPath)
if err != nil {
return nil, err
}
defer config.Close()
workingDir, err := os.Getwd()
if err != nil {
return nil, err
}
if _, err := fmt.Fprintf(config, template, notaryHost, filepath.Join(workingDir, "fixtures/notary/localhost.key"), filepath.Join(workingDir, "fixtures/notary/localhost.cert")); err != nil {
os.RemoveAll(tmp)
return nil, err
}
// generate client config
clientConfPath := filepath.Join(tmp, "client-config.json")
clientConfig, err := os.Create(clientConfPath)
if err != nil {
return nil, err
}
defer clientConfig.Close()
template = `{
"trust_dir" : "%s",
"remote_server": {
"url": "%s",
"skipTLSVerify": true
}
}`
if _, err = fmt.Fprintf(clientConfig, template, filepath.Join(cliconfig.Dir(), "trust"), notaryURL); err != nil {
os.RemoveAll(tmp)
return nil, err
}
// load key fixture filenames
var keys []keyPair
for i := 1; i < 5; i++ {
keys = append(keys, keyPair{
Public: filepath.Join(workingDir, fmt.Sprintf("fixtures/notary/delgkey%v.crt", i)),
Private: filepath.Join(workingDir, fmt.Sprintf("fixtures/notary/delgkey%v.key", i)),
})
}
// run notary-server
cmd := exec.Command(notaryServerBinary, "-config", confPath)
if err := cmd.Start(); err != nil {
os.RemoveAll(tmp)
if os.IsNotExist(err) {
c.Skip(err.Error())
}
return nil, err
}
testNotary := &testNotary{
cmd: cmd,
dir: tmp,
keys: keys,
}
// Wait for notary to be ready to serve requests.
for i := 1; i <= 20; i++ {
if err = testNotary.Ping(); err == nil {
break
}
time.Sleep(10 * time.Millisecond * time.Duration(i*i))
}
if err != nil {
c.Fatalf("Timeout waiting for test notary to become available: %s", err)
}
return testNotary, nil
}
func (t *testNotary) Ping() error {
tlsConfig := tlsconfig.ClientDefault()
tlsConfig.InsecureSkipVerify = true
client := http.Client{
Transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).Dial,
TLSHandshakeTimeout: 10 * time.Second,
TLSClientConfig: tlsConfig,
},
}
resp, err := client.Get(fmt.Sprintf("%s/v2/", notaryURL))
if err != nil {
return err
}
if resp.StatusCode != http.StatusOK {
return fmt.Errorf("notary ping replied with an unexpected status code %d", resp.StatusCode)
}
return nil
}
func (t *testNotary) Close() {
t.cmd.Process.Kill()
t.cmd.Process.Wait()
os.RemoveAll(t.dir)
}
func trustedCmd(cmd *icmd.Cmd) func() {
pwd := "12345678"
cmd.Env = append(cmd.Env, trustEnv(notaryURL, pwd, pwd)...)
return nil
}
func trustedCmdWithServer(server string) func(*icmd.Cmd) func() {
return func(cmd *icmd.Cmd) func() {
pwd := "12345678"
cmd.Env = append(cmd.Env, trustEnv(server, pwd, pwd)...)
return nil
}
}
func trustedCmdWithPassphrases(rootPwd, repositoryPwd string) func(*icmd.Cmd) func() {
return func(cmd *icmd.Cmd) func() {
cmd.Env = append(cmd.Env, trustEnv(notaryURL, rootPwd, repositoryPwd)...)
return nil
}
}
func trustEnv(server, rootPwd, repositoryPwd string) []string {
env := append(os.Environ(), []string{
"DOCKER_CONTENT_TRUST=1",
fmt.Sprintf("DOCKER_CONTENT_TRUST_SERVER=%s", server),
fmt.Sprintf("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
fmt.Sprintf("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=%s", repositoryPwd),
}...)
return env
}
func (s *DockerTrustSuite) setupTrustedImage(c *check.C, name string) string {
repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, name)
// tag the image and upload it to the private registry
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
return repoName
}
func (s *DockerTrustSuite) setupTrustedplugin(c *check.C, source, name string) string {
repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, name)
client := testEnv.APIClient()
ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
err := plugin.Create(ctx, client, repoName)
cancel()
c.Assert(err, checker.IsNil, check.Commentf("could not create test plugin"))
// tag the image and upload it to the private registry
// TODO: shouldn't need to use the CLI to do trust
cli.Docker(cli.Args("plugin", "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
ctx, cancel = context.WithTimeout(context.Background(), 60*time.Second)
err = client.PluginRemove(ctx, repoName, types.PluginRemoveOptions{Force: true})
cancel()
c.Assert(err, checker.IsNil, check.Commentf("failed to cleanup test plugin for trust suite"))
return repoName
}
func (s *DockerTrustSuite) notaryCmd(c *check.C, args ...string) string {
pwd := "12345678"
env := []string{
fmt.Sprintf("NOTARY_ROOT_PASSPHRASE=%s", pwd),
fmt.Sprintf("NOTARY_TARGETS_PASSPHRASE=%s", pwd),
fmt.Sprintf("NOTARY_SNAPSHOT_PASSPHRASE=%s", pwd),
fmt.Sprintf("NOTARY_DELEGATION_PASSPHRASE=%s", pwd),
}
result := icmd.RunCmd(icmd.Cmd{
Command: append([]string{notaryBinary, "-c", filepath.Join(s.not.dir, "client-config.json")}, args...),
Env: append(os.Environ(), env...),
})
result.Assert(c, icmd.Success)
return result.Combined()
}
func (s *DockerTrustSuite) notaryInitRepo(c *check.C, repoName string) {
s.notaryCmd(c, "init", repoName)
}
func (s *DockerTrustSuite) notaryCreateDelegation(c *check.C, repoName, role string, pubKey string, paths ...string) {
pathsArg := "--all-paths"
if len(paths) > 0 {
pathsArg = "--paths=" + strings.Join(paths, ",")
}
s.notaryCmd(c, "delegation", "add", repoName, role, pubKey, pathsArg)
}
func (s *DockerTrustSuite) notaryPublish(c *check.C, repoName string) {
s.notaryCmd(c, "publish", repoName)
}
func (s *DockerTrustSuite) notaryImportKey(c *check.C, repoName, role string, privKey string) {
s.notaryCmd(c, "key", "import", privKey, "-g", repoName, "-r", role)
}
func (s *DockerTrustSuite) notaryListTargetsInRole(c *check.C, repoName, role string) map[string]string {
out := s.notaryCmd(c, "list", repoName, "-r", role)
// should look something like:
// NAME DIGEST SIZE (BYTES) ROLE
// ------------------------------------------------------------------------------------------------------
// latest 24a36bbc059b1345b7e8be0df20f1b23caa3602e85d42fff7ecd9d0bd255de56 1377 targets
targets := make(map[string]string)
// no target
lines := strings.Split(strings.TrimSpace(out), "\n")
if len(lines) == 1 && strings.Contains(out, "No targets present in this repository.") {
return targets
}
// otherwise, there is at least one target
c.Assert(len(lines), checker.GreaterOrEqualThan, 3)
for _, line := range lines[2:] {
tokens := strings.Fields(line)
c.Assert(tokens, checker.HasLen, 4)
targets[tokens[0]] = tokens[3]
}
return targets
}
func (s *DockerTrustSuite) assertTargetInRoles(c *check.C, repoName, target string, roles ...string) {
// check all the roles
for _, role := range roles {
targets := s.notaryListTargetsInRole(c, repoName, role)
roleName, ok := targets[target]
c.Assert(ok, checker.True)
c.Assert(roleName, checker.Equals, role)
}
}
func (s *DockerTrustSuite) assertTargetNotInRoles(c *check.C, repoName, target string, roles ...string) {
targets := s.notaryListTargetsInRole(c, repoName, "targets")
roleName, ok := targets[target]
if ok {
for _, role := range roles {
c.Assert(roleName, checker.Not(checker.Equals), role)
}
}
}

3
registry/config.go
View File

@ -45,9 +45,6 @@ var (
// IndexName is the name of the index
IndexName = "docker.io"
// NotaryServer is the endpoint serving the Notary trust server
NotaryServer = "https://notary.docker.io"
// DefaultV2Registry is the URI of the default v2 registry
DefaultV2Registry = &url.URL{
Scheme: "https",