kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Use cli for trusted relate command

Browse source 
This also removed some skipped test (that are skipped for a long while).

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This commit is contained in:
Vincent Demeester 2017-04-19 14:04:39 +02:00
parent 3482b45e60
commit b0ba39d431
No known key found for this signature in database
GPG key ID: 083CC6FD6EB699A3
10 changed files with 167 additions and 382 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
integration-cli/docker_cli_build_test.go
View file

@ -4199,21 +4199,20 @@ func (s *DockerTrustSuite) TestTrustedBuildTagFromReleasesRole(c *check.C) {
// push a different tag to the releases role
otherTag := fmt.Sprintf("%s:other", repoName)
dockerCmd(c, "tag", "busybox", otherTag)
cli.DockerCmd(c, "tag", "busybox", otherTag)
icmd.RunCmd(icmd.Command(dockerBinary, "push", otherTag), trustedCmd).Assert(c, icmd.Success)
cli.Docker(cli.Args("push", otherTag), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "other", "targets/releases")
s.assertTargetNotInRoles(c, repoName, "other", "targets")
out, status := dockerCmd(c, "rmi", otherTag)
c.Assert(status, check.Equals, 0, check.Commentf("docker rmi failed: %s", out))
cli.DockerCmd(c, "rmi", otherTag)
dockerFile := fmt.Sprintf(`
FROM %s
RUN []
`, otherTag)
name := "testtrustedbuildreleasesrole"
buildImage(name, trustedBuild, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
cli.BuildCmd(c, name, trustedCmd, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
Out: fmt.Sprintf("FROM %s@sha", repoName),
})
}
@ -4231,14 +4230,13 @@ func (s *DockerTrustSuite) TestTrustedBuildTagIgnoresOtherDelegationRoles(c *che
// push a different tag to the other role
otherTag := fmt.Sprintf("%s:other", repoName)
dockerCmd(c, "tag", "busybox", otherTag)
cli.DockerCmd(c, "tag", "busybox", otherTag)
icmd.RunCmd(icmd.Command(dockerBinary, "push", otherTag), trustedCmd).Assert(c, icmd.Success)
cli.Docker(cli.Args("push", otherTag), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "other", "targets/other")
s.assertTargetNotInRoles(c, repoName, "other", "targets")
out, status := dockerCmd(c, "rmi", otherTag)
c.Assert(status, check.Equals, 0, check.Commentf("docker rmi failed: %s", out))
cli.DockerCmd(c, "rmi", otherTag)
dockerFile := fmt.Sprintf(`
FROM %s
@ -4246,7 +4244,7 @@ func (s *DockerTrustSuite) TestTrustedBuildTagIgnoresOtherDelegationRoles(c *che
`, otherTag)
name := "testtrustedbuildotherrole"
buildImage(name, trustedBuild, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
cli.Docker(cli.Build(name), trustedCmd, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
ExitCode: 1,
})
}

65
integration-cli/docker_cli_create_test.go
View file

@ -14,7 +14,6 @@ import (
"github.com/docker/docker/integration-cli/cli/build"
"github.com/docker/docker/integration-cli/cli/build/fakecontext"
"github.com/docker/docker/pkg/stringid"
"github.com/docker/docker/pkg/testutil"
icmd "github.com/docker/docker/pkg/testutil/cmd"
"github.com/docker/go-connections/nat"
"github.com/go-check/check"
@ -295,24 +294,23 @@ func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-create")
// Try create
icmd.RunCmd(icmd.Command(dockerBinary, "create", repoName), trustedCmd).Assert(c, SuccessTagging)
dockerCmd(c, "rmi", repoName)
cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Try untrusted create to ensure we pushed the tag to the registry
icmd.RunCmd(icmd.Command(dockerBinary, "create", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloadedOnStderr)
cli.Docker(cli.Args("create", "--disable-content-trust=true", repoName)).Assert(c, SuccessDownloadedOnStderr)
}
func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) {
repoName := fmt.Sprintf("%v/dockercliuntrusted/createtest", privateRegistryURL)
withTagName := fmt.Sprintf("%s:latest", repoName)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", withTagName)
dockerCmd(c, "push", withTagName)
dockerCmd(c, "rmi", withTagName)
cli.DockerCmd(c, "tag", "busybox", withTagName)
cli.DockerCmd(c, "push", withTagName)
cli.DockerCmd(c, "rmi", withTagName)
// Try trusted create on untrusted tag
icmd.RunCmd(icmd.Command(dockerBinary, "create", withTagName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("create", withTagName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: fmt.Sprintf("does not have trust data for %s", repoName),
})
@ -322,36 +320,10 @@ func (s *DockerTrustSuite) TestTrustedIsolatedCreate(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-isolated-create")
// Try create
icmd.RunCmd(icmd.Command(dockerBinary, "--config", "/tmp/docker-isolated-create", "create", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.Docker(cli.Args("--config", "/tmp/docker-isolated-create", "create", repoName), trustedCmd).Assert(c, SuccessTagging)
defer os.RemoveAll("/tmp/docker-isolated-create")
dockerCmd(c, "rmi", repoName)
}
func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {
c.Skip("Currently changes system time, causing instability")
repoName := s.setupTrustedImage(c, "trusted-create-expired")
// Certificates have 10 years of expiration
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
// Try create
icmd.RunCmd(icmd.Cmd{
Command: []string{dockerBinary, "create", repoName},
}, trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "could not validate the path to a trusted root",
})
})
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
// Try create
result := icmd.RunCmd(icmd.Command(dockerBinary, "create", "--disable-content-trust", repoName), trustedCmd)
c.Assert(result.Error, check.Not(check.IsNil))
c.Assert(string(result.Combined()), checker.Contains, "Status: Downloaded", check.Commentf("Missing expected output on trusted create in the distant future:\n%s", result.Combined()))
})
cli.DockerCmd(c, "rmi", repoName)
}
func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {
@ -360,16 +332,13 @@ func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {
c.Assert(err, check.IsNil)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
dockerCmd(c, "rmi", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
// Try create
icmd.RunCmd(icmd.Command(dockerBinary, "create", repoName), trustedCmd).Assert(c, SuccessTagging)
dockerCmd(c, "rmi", repoName)
cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Kill the notary server, start a new "evil" one.
s.not.Close()
@ -378,13 +347,13 @@ func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {
// In order to make an evil server, lets re-init a client (with a different trust dir) and push new data.
// tag an image and upload it to the private registry
dockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
// Push up to the new server
icmd.RunCmd(icmd.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Now, try creating with the original client from this new trust server. This should fail because the new root is invalid.
icmd.RunCmd(icmd.Command(dockerBinary, "create", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "could not rotate trust to a new trusted root",
})

28
integration-cli/docker_cli_plugins_test.go
View file

@ -8,6 +8,7 @@ import (
"strings"
"github.com/docker/docker/integration-cli/checker"
"github.com/docker/docker/integration-cli/cli"
icmd "github.com/docker/docker/pkg/testutil/cmd"
"github.com/go-check/check"
)
@ -304,31 +305,26 @@ func (s *DockerTrustSuite) TestPluginTrustedInstall(c *check.C) {
trustedName := s.setupTrustedplugin(c, pNameWithTag, "trusted-plugin-install")
icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "install", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("plugin", "install", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, icmd.Expected{
Out: trustedName,
})
out, _, err := dockerCmdWithError("plugin", "ls")
c.Assert(err, checker.IsNil)
out := cli.DockerCmd(c, "plugin", "ls").Combined()
c.Assert(out, checker.Contains, "true")
out, _, err = dockerCmdWithError("plugin", "disable", trustedName)
c.Assert(err, checker.IsNil)
out = cli.DockerCmd(c, "plugin", "disable", trustedName).Combined()
c.Assert(strings.TrimSpace(out), checker.Contains, trustedName)
out, _, err = dockerCmdWithError("plugin", "enable", trustedName)
c.Assert(err, checker.IsNil)
out = cli.DockerCmd(c, "plugin", "enable", trustedName).Combined()
c.Assert(strings.TrimSpace(out), checker.Contains, trustedName)
out, _, err = dockerCmdWithError("plugin", "rm", "-f", trustedName)
c.Assert(err, checker.IsNil)
out = cli.DockerCmd(c, "plugin", "rm", "-f", trustedName).Combined()
c.Assert(strings.TrimSpace(out), checker.Contains, trustedName)
// Try untrusted pull to ensure we pushed the tag to the registry
icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "install", "--disable-content-trust=true", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, SuccessDownloaded)
cli.Docker(cli.Args("plugin", "install", "--disable-content-trust=true", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, SuccessDownloaded)
out, _, err = dockerCmdWithError("plugin", "ls")
c.Assert(err, checker.IsNil)
out = cli.DockerCmd(c, "plugin", "ls").Combined()
c.Assert(out, checker.Contains, "true")
}
@ -338,12 +334,12 @@ func (s *DockerTrustSuite) TestPluginUntrustedInstall(c *check.C) {
pluginName := fmt.Sprintf("%v/dockercliuntrusted/plugintest:latest", privateRegistryURL)
// install locally and push to private registry
dockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", pluginName, pNameWithTag)
dockerCmd(c, "plugin", "push", pluginName)
dockerCmd(c, "plugin", "rm", "-f", pluginName)
cli.DockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", pluginName, pNameWithTag)
cli.DockerCmd(c, "plugin", "push", pluginName)
cli.DockerCmd(c, "plugin", "rm", "-f", pluginName)
// Try trusted install on untrusted plugin
icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "install", "--grant-all-permissions", pluginName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("plugin", "install", "--grant-all-permissions", pluginName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Error: remote trust data does not exist",
})

137
integration-cli/docker_cli_pull_trusted_test.go
View file

@ -3,11 +3,10 @@ package main
import (
"fmt"
"io/ioutil"
"time"
"github.com/docker/docker/integration-cli/checker"
"github.com/docker/docker/integration-cli/cli"
"github.com/docker/docker/integration-cli/cli/build"
"github.com/docker/docker/pkg/testutil"
icmd "github.com/docker/docker/pkg/testutil/cmd"
"github.com/go-check/check"
)
@ -16,61 +15,36 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-pull")
// Try pull
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
dockerCmd(c, "rmi", repoName)
cli.DockerCmd(c, "rmi", repoName)
// Try untrusted pull to ensure we pushed the tag to the registry
icmd.RunCmd(icmd.Command(dockerBinary, "pull", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloaded)
cli.Docker(cli.Args("pull", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloaded)
}
func (s *DockerTrustSuite) TestTrustedIsolatedPull(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-isolated-pull")
// Try pull (run from isolated directory without trust information)
icmd.RunCmd(icmd.Command(dockerBinary, "--config", "/tmp/docker-isolated", "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.Docker(cli.Args("--config", "/tmp/docker-isolated", "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
dockerCmd(c, "rmi", repoName)
cli.DockerCmd(c, "rmi", repoName)
}
func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {
repoName := fmt.Sprintf("%v/dockercliuntrusted/pulltest:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
dockerCmd(c, "push", repoName)
dockerCmd(c, "rmi", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "push", repoName)
cli.DockerCmd(c, "rmi", repoName)
// Try trusted pull on untrusted tag
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Error: remote trust data does not exist",
})
}
func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {
c.Skip("Currently changes system time, causing instability")
repoName := s.setupTrustedImage(c, "trusted-cert-expired")
// Certificates have 10 years of expiration
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
// Try pull
icmd.RunCmd(icmd.Cmd{
Command: []string{dockerBinary, "pull", repoName},
}, trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "could not validate the path to a trusted root",
})
})
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
// Try pull
icmd.RunCmd(icmd.Cmd{
Command: []string{dockerBinary, "pull", "--disable-content-trust", repoName},
}, trustedCmd).Assert(c, SuccessDownloaded)
})
}
func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclievilpull/trusted:latest", privateRegistryURL)
evilLocalConfigDir, err := ioutil.TempDir("", "evil-local-config-dir")
@ -79,14 +53,14 @@ func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
}
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
dockerCmd(c, "rmi", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
// Try pull
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
dockerCmd(c, "rmi", repoName)
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Kill the notary server, start a new "evil" one.
s.not.Close()
@ -96,71 +70,46 @@ func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
// In order to make an evil server, lets re-init a client (with a different trust dir) and push new data.
// tag an image and upload it to the private registry
dockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
// Push up to the new server
icmd.RunCmd(icmd.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Now, try pulling with the original client from this new trust server. This should fail because the new root is invalid.
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "could not rotate trust to a new trusted root",
})
}
func (s *DockerTrustSuite) TestTrustedPullWithExpiredSnapshot(c *check.C) {
c.Skip("Currently changes system time, causing instability")
repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppull/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
// Push with default passphrases
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
dockerCmd(c, "rmi", repoName)
// Snapshots last for three years. This should be expired
fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4)
testutil.RunAtDifferentDate(fourYearsLater, func() {
// Try pull
icmd.RunCmd(icmd.Cmd{
Command: []string{dockerBinary, "pull", repoName},
}, trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "repository out-of-date",
})
})
}
func (s *DockerTrustSuite) TestTrustedOfflinePull(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-offline-pull")
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, icmd.Expected{
cli.Docker(cli.Args("pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "error contacting notary server",
})
// Do valid trusted pull to warm cache
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
dockerCmd(c, "rmi", repoName)
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Try pull again with invalid notary server, should use cache
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, SuccessTagging)
cli.Docker(cli.Args("pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, SuccessTagging)
}
func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, "trusted-pull-delete")
// tag the image and upload it to the private registry
buildImageSuccessfully(c, repoName, build.WithDockerfile(`
cli.BuildCmd(c, repoName, build.WithDockerfile(`
FROM busybox
CMD echo trustedpulldelete
`))
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
dockerCmd(c, "rmi", repoName)
cli.DockerCmd(c, "rmi", repoName)
// Try pull
result := icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd)
result.Assert(c, icmd.Success)
result := cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Success)
matches := digestRegex.FindStringSubmatch(result.Combined())
c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", result.Combined()))
@ -174,7 +123,7 @@ func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
c.Assert(byDigestID, checker.Equals, imageID)
// rmi of tag should also remove the digest reference
dockerCmd(c, "rmi", repoName)
cli.DockerCmd(c, "rmi", repoName)
_, err := inspectFieldWithError(imageByDigest, "Id")
c.Assert(err, checker.NotNil, check.Commentf("digest reference should have been removed"))
@ -189,12 +138,12 @@ func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
targetName := fmt.Sprintf("%s:latest", repoName)
// Push with targets first, initializing the repo
dockerCmd(c, "tag", "busybox", targetName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "latest", "targets")
// Try pull, check we retrieve from targets role
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Err: "retrieving target for targets role",
})
@ -205,21 +154,21 @@ func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
// try a pull, check that we can still pull because we can still read the
// old tag in the targets role
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Err: "retrieving target for targets role",
})
// try a pull -a, check that it succeeds because we can still pull from the
// targets role
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Success)
cli.Docker(cli.Args("-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Success)
// Push, should sign with targets/releases
dockerCmd(c, "tag", "busybox", targetName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases")
// Try pull, check we retrieve from targets/releases role
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Err: "retrieving target for targets/releases role",
})
@ -228,12 +177,12 @@ func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private)
s.notaryPublish(c, repoName)
dockerCmd(c, "tag", "busybox", targetName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases", "targets/other")
// Try pull, check we retrieve from targets/releases role
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Err: "retrieving target for targets/releases role",
})
}
@ -251,22 +200,22 @@ func (s *DockerTrustSuite) TestTrustedPullIgnoresOtherDelegationRoles(c *check.C
s.notaryPublish(c, repoName)
// Push should write to the delegation role, not targets
dockerCmd(c, "tag", "busybox", targetName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
s.assertTargetInRoles(c, repoName, "latest", "targets/other")
s.assertTargetNotInRoles(c, repoName, "latest", "targets")
// Try pull - we should fail, since pull will only pull from the targets/releases
// role or the targets role
dockerCmd(c, "tag", "busybox", targetName)
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.DockerCmd(c, "tag", "busybox", targetName)
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "No trust data for",
})
// try a pull -a: we should fail since pull will only pull from the targets/releases
// role or the targets role
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "No trusted tags for",
})

124
integration-cli/docker_cli_push_test.go
View file

@ -3,6 +3,13 @@ package main
import (
"archive/tar"
"fmt"
"github.com/docker/distribution/reference"
cliconfig "github.com/docker/docker/cli/config"
"github.com/docker/docker/integration-cli/checker"
"github.com/docker/docker/integration-cli/cli"
"github.com/docker/docker/integration-cli/cli/build"
icmd "github.com/docker/docker/pkg/testutil/cmd"
"github.com/go-check/check"
"io/ioutil"
"net/http"
"net/http/httptest"
@ -10,15 +17,6 @@ import (
"path/filepath"
"strings"
"sync"
"time"
"github.com/docker/distribution/reference"
cliconfig "github.com/docker/docker/cli/config"
"github.com/docker/docker/integration-cli/checker"
"github.com/docker/docker/integration-cli/cli/build"
"github.com/docker/docker/pkg/testutil"
icmd "github.com/docker/docker/pkg/testutil/cmd"
"github.com/go-check/check"
)
// Pushing an image to a private registry.
@ -285,12 +283,12 @@ func (s *DockerSchema1RegistrySuite) TestCrossRepositoryLayerPushNotSupported(c
func (s *DockerTrustSuite) TestTrustedPush(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclitrusted/pushtest:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Try pull after push
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Out: "Status: Image is up to date",
})
@ -304,12 +302,12 @@ func (s *DockerTrustSuite) TestTrustedPush(c *check.C) {
func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclienv/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithPassphrases("12345678", "12345678")).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "12345678")).Assert(c, SuccessSigningAndPushing)
// Try pull after push
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Out: "Status: Image is up to date",
})
}
@ -317,10 +315,10 @@ func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) {
func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclitrusted/failingserver:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
// Using a name that doesn't resolve to an address makes this test faster
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithServer("https://server.invalid:81/")).Assert(c, icmd.Expected{
cli.Docker(cli.Args("push", repoName), trustedCmdWithServer("https://server.invalid:81/")).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "error contacting notary server",
})
@ -329,9 +327,9 @@ func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) {
func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclitrusted/trustedandnot:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
result := icmd.RunCmd(icmd.Command(dockerBinary, "push", "--disable-content-trust", repoName), trustedCmdWithServer("https://server.invalid:81/"))
result := cli.Docker(cli.Args("push", "--disable-content-trust", repoName), trustedCmdWithServer("https://server.invalid:81/"))
result.Assert(c, icmd.Success)
c.Assert(result.Combined(), check.Not(checker.Contains), "Error establishing connection to notary repository", check.Commentf("Missing expected output on trusted push with --disable-content-trust:"))
}
@ -339,13 +337,13 @@ func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C)
func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclitag/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
dockerCmd(c, "push", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "push", repoName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Try pull after push
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
Out: "Status: Image is up to date",
})
}
@ -353,76 +351,34 @@ func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) {
func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) {
repoName := fmt.Sprintf("%v/dockerclipushpush/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
// Do a trusted push
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Do another trusted push
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
dockerCmd(c, "rmi", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
// Try pull to ensure the double push did not break our ability to pull
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessDownloaded)
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessDownloaded)
}
func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *check.C) {
repoName := fmt.Sprintf("%v/dockercliincorretpwd/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
// Push with default passphrases
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Push with wrong passphrases
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithPassphrases("12345678", "87654321")).Assert(c, icmd.Expected{
cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "87654321")).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "could not find necessary signing keys",
})
}
func (s *DockerTrustSuite) TestTrustedPushWithExpiredSnapshot(c *check.C) {
c.Skip("Currently changes system time, causing instability")
repoName := fmt.Sprintf("%v/dockercliexpiredsnapshot/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
// Push with default passphrases
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Snapshots last for three years. This should be expired
fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4)
testutil.RunAtDifferentDate(fourYearsLater, func() {
// Push with wrong passphrases
icmd.RunCmd(icmd.Cmd{
Command: []string{dockerBinary, "push", repoName},
}, trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "repository out-of-date",
})
})
}
func (s *DockerTrustSuite) TestTrustedPushWithExpiredTimestamp(c *check.C) {
c.Skip("Currently changes system time, causing instability")
repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppush/trusted:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
// Push with default passphrases
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// The timestamps expire in two weeks. Lets check three
threeWeeksLater := time.Now().Add(time.Hour * 24 * 21)
// Should succeed because the server transparently re-signs one
testutil.RunAtDifferentDate(threeWeeksLater, func() {
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName),
trustedCmd).Assert(c, SuccessSigningAndPushing)
})
}
func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) {
testRequires(c, NotaryHosting)
repoName := fmt.Sprintf("%v/dockerclireleasedelegationinitfirst/trusted", privateRegistryURL)
@ -434,9 +390,9 @@ func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C)
s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", targetName)
cli.DockerCmd(c, "tag", "busybox", targetName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// check to make sure that the target has been added to targets/releases and not targets
s.assertTargetInRoles(c, repoName, "latest", "targets/releases")
s.assertTargetNotInRoles(c, repoName, "latest", "targets")
@ -444,7 +400,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C)
// Try pull after push
os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust"))
icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
Out: "Status: Image is up to date",
})
}
@ -468,9 +424,9 @@ func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c
s.notaryPublish(c, repoName)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", targetName)
cli.DockerCmd(c, "tag", "busybox", targetName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// check to make sure that the target has been added to targets/role1 and targets/role2, and
// not targets (because there are delegations) or targets/role3 (due to missing key) or
@ -482,7 +438,7 @@ func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c
os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust"))
// pull should fail because none of these are the releases role
icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
})
}
@ -504,9 +460,9 @@ func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *
s.notaryPublish(c, repoName)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", targetName)
cli.DockerCmd(c, "tag", "busybox", targetName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// check to make sure that the target has been added to targets/role1 and targets/role4, and
// not targets (because there are delegations) or targets/role2 (due to path restrictions) or
@ -518,7 +474,7 @@ func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *
os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust"))
// pull should fail because none of these are the releases role
icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
})
}
@ -534,9 +490,9 @@ func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c
// do not import any delegations key
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", targetName)
cli.DockerCmd(c, "tag", "busybox", targetName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "no valid signing keys",
})

57
integration-cli/docker_cli_run_test.go
View file

@ -3165,11 +3165,11 @@ func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {
repoName := s.setupTrustedImage(c, "trusted-run")
// Try run
icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, SuccessTagging)
dockerCmd(c, "rmi", repoName)
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Try untrusted run to ensure we pushed the tag to the registry
icmd.RunCmd(icmd.Command(dockerBinary, "run", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloadedOnStderr)
cli.Docker(cli.Args("run", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloadedOnStderr)
}
func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) {
@ -3177,44 +3177,17 @@ func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) {
testRequires(c, DaemonIsLinux)
repoName := fmt.Sprintf("%v/dockercliuntrusted/runtest:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
dockerCmd(c, "push", repoName)
dockerCmd(c, "rmi", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "push", repoName)
cli.DockerCmd(c, "rmi", repoName)
// Try trusted run on untrusted tag
icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 125,
Err: "does not have trust data for",
})
}
func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) {
// Windows does not support this functionality
testRequires(c, DaemonIsLinux)
c.Skip("Currently changes system time, causing instability")
repoName := s.setupTrustedImage(c, "trusted-run-expired")
// Certificates have 10 years of expiration
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
// Try run
icmd.RunCmd(icmd.Cmd{
Command: []string{dockerBinary, "run", repoName},
}, trustedCmd).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "could not validate the path to a trusted root",
})
})
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
// Try run
icmd.RunCmd(icmd.Cmd{
Command: []string{dockerBinary, "run", "--disable-content-trust", repoName},
}, trustedCmd).Assert(c, SuccessDownloaded)
})
}
func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
// Windows does not support this functionality
testRequires(c, DaemonIsLinux)
@ -3225,14 +3198,14 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
}
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
dockerCmd(c, "rmi", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
// Try run
icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, SuccessTagging)
dockerCmd(c, "rmi", repoName)
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, SuccessTagging)
cli.DockerCmd(c, "rmi", repoName)
// Kill the notary server, start a new "evil" one.
s.not.Close()
@ -3243,13 +3216,13 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
// In order to make an evil server, lets re-init a client (with a different trust dir) and push new data.
// tag an image and upload it to the private registry
dockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
// Push up to the new server
icmd.RunCmd(icmd.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
// Now, try running with the original client from this new trust server. This should fail because the new root is invalid.
icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, icmd.Expected{
ExitCode: 125,
Err: "could not rotate trust to a new trusted root",
})

39
integration-cli/docker_cli_swarm_test.go
View file

@ -1539,8 +1539,7 @@ func (s *DockerTrustedSwarmSuite) TestTrustedServiceCreate(c *check.C) {
repoName := s.trustSuite.setupTrustedImage(c, "trusted-pull")
name := "trusted"
serviceCmd := d.Command("-D", "service", "create", "--name", name, repoName, "top")
icmd.RunCmd(serviceCmd, trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("-D", "service", "create", "--name", name, repoName, "top"), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
Err: "resolved image tag to",
})
@ -1552,13 +1551,12 @@ func (s *DockerTrustedSwarmSuite) TestTrustedServiceCreate(c *check.C) {
repoName = fmt.Sprintf("%v/untrustedservicecreate/createtest:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
dockerCmd(c, "push", repoName)
dockerCmd(c, "rmi", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "push", repoName)
cli.DockerCmd(c, "rmi", repoName)
name = "untrusted"
serviceCmd = d.Command("service", "create", "--name", name, repoName, "top")
icmd.RunCmd(serviceCmd, trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("service", "create", "--name", name, repoName, "top"), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Error: remote trust data does not exist",
})
@ -1576,34 +1574,31 @@ func (s *DockerTrustedSwarmSuite) TestTrustedServiceUpdate(c *check.C) {
name := "myservice"
// Create a service without content trust
_, err := d.Cmd("service", "create", "--name", name, repoName, "top")
c.Assert(err, checker.IsNil)
cli.Docker(cli.Args("service", "create", "--name", name, repoName, "top"), cli.Daemon(d.Daemon)).Assert(c, icmd.Success)
out, err := d.Cmd("service", "inspect", "--pretty", name)
c.Assert(err, checker.IsNil, check.Commentf(out))
result := cli.Docker(cli.Args("service", "inspect", "--pretty", name), cli.Daemon(d.Daemon))
c.Assert(result.Error, checker.IsNil, check.Commentf(result.Combined()))
// Daemon won't insert the digest because this is disabled by
// DOCKER_SERVICE_PREFER_OFFLINE_IMAGE.
c.Assert(out, check.Not(checker.Contains), repoName+"@", check.Commentf(out))
c.Assert(result.Combined(), check.Not(checker.Contains), repoName+"@", check.Commentf(result.Combined()))
serviceCmd := d.Command("-D", "service", "update", "--image", repoName, name)
icmd.RunCmd(serviceCmd, trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("-D", "service", "update", "--image", repoName, name), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
Err: "resolved image tag to",
})
out, err = d.Cmd("service", "inspect", "--pretty", name)
c.Assert(err, checker.IsNil, check.Commentf(out))
c.Assert(out, checker.Contains, repoName+"@", check.Commentf(out))
cli.Docker(cli.Args("service", "inspect", "--pretty", name), cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
Out: repoName + "@",
})
// Try trusted service update on an untrusted tag.
repoName = fmt.Sprintf("%v/untrustedservicecreate/createtest:latest", privateRegistryURL)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
dockerCmd(c, "push", repoName)
dockerCmd(c, "rmi", repoName)
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.DockerCmd(c, "push", repoName)
cli.DockerCmd(c, "rmi", repoName)
serviceCmd = d.Command("service", "update", "--image", repoName, name)
icmd.RunCmd(serviceCmd, trustedCmd).Assert(c, icmd.Expected{
cli.Docker(cli.Args("service", "update", "--image", repoName, name), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Error: remote trust data does not exist",
})

44
integration-cli/trust_server_test.go
View file

@ -13,6 +13,7 @@ import (
cliconfig "github.com/docker/docker/cli/config"
"github.com/docker/docker/integration-cli/checker"
"github.com/docker/docker/integration-cli/cli"
icmd "github.com/docker/docker/pkg/testutil/cmd"
"github.com/docker/go-connections/tlsconfig"
"github.com/go-check/check"
@ -47,14 +48,6 @@ var SuccessDownloaded = icmd.Expected{
Out: "Status: Downloaded",
}
var SuccessTaggingOnStderr = icmd.Expected{
Err: "Tagging",
}
var SuccessSigningAndPushingOnStderr = icmd.Expected{
Err: "Signing and pushing trust metadata",
}
var SuccessDownloadedOnStderr = icmd.Expected{
Err: "Status: Downloaded",
}
@ -190,21 +183,24 @@ func (t *testNotary) Close() {
os.RemoveAll(t.dir)
}
func trustedCmd(cmd *icmd.Cmd) {
func trustedCmd(cmd *icmd.Cmd) func() {
pwd := "12345678"
cmd.Env = append(cmd.Env, trustEnv(notaryURL, pwd, pwd)...)
return nil
}
func trustedCmdWithServer(server string) func(*icmd.Cmd) {
return func(cmd *icmd.Cmd) {
func trustedCmdWithServer(server string) func(*icmd.Cmd) func() {
return func(cmd *icmd.Cmd) func() {
pwd := "12345678"
cmd.Env = append(cmd.Env, trustEnv(server, pwd, pwd)...)
return nil
}
}
func trustedCmdWithPassphrases(rootPwd, repositoryPwd string) func(*icmd.Cmd) {
return func(cmd *icmd.Cmd) {
func trustedCmdWithPassphrases(rootPwd, repositoryPwd string) func(*icmd.Cmd) func() {
return func(cmd *icmd.Cmd) func() {
cmd.Env = append(cmd.Env, trustEnv(notaryURL, rootPwd, repositoryPwd)...)
return nil
}
}
@ -221,28 +217,18 @@ func trustEnv(server, rootPwd, repositoryPwd string) []string {
func (s *DockerTrustSuite) setupTrustedImage(c *check.C, name string) string {
repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, name)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
if out, status := dockerCmd(c, "rmi", repoName); status != 0 {
c.Fatalf("Error removing image %q\n%s", repoName, out)
}
cli.DockerCmd(c, "tag", "busybox", repoName)
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "rmi", repoName)
return repoName
}
func (s *DockerTrustSuite) setupTrustedplugin(c *check.C, source, name string) string {
repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, name)
// tag the image and upload it to the private registry
dockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", repoName, source)
icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
if out, status := dockerCmd(c, "plugin", "rm", "-f", repoName); status != 0 {
c.Fatalf("Error removing plugin %q\n%s", repoName, out)
}
cli.DockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", repoName, source)
cli.Docker(cli.Args("plugin", "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
cli.DockerCmd(c, "plugin", "rm", "-f", repoName)
return repoName
}

15
pkg/testutil/utils.go
View file

@ -16,7 +16,6 @@ import (
"github.com/docker/docker/pkg/stringutils"
"github.com/docker/docker/pkg/system"
icmd "github.com/docker/docker/pkg/testutil/cmd"
)
// IsKilled process the specified error and returns whether the process was killed or not.
@ -212,20 +211,6 @@ func (c *ChannelBuffer) ReadTimeout(p []byte, n time.Duration) (int, error) {
}
}
// RunAtDifferentDate runs the specified function with the given time.
// It changes the date of the system, which can led to weird behaviors.
func RunAtDifferentDate(date time.Time, block func()) {
// Layout for date. MMDDhhmmYYYY
const timeLayout = "010203042006"
// Ensure we bring time back to now
now := time.Now().Format(timeLayout)
defer icmd.RunCommand("date", now)
icmd.RunCommand("date", date.Format(timeLayout))
block()
return
}
// ReadBody read the specified ReadCloser content and returns it
func ReadBody(b io.ReadCloser) ([]byte, error) {
defer b.Close()

22
pkg/testutil/utils_test.go
View file

@ -339,25 +339,3 @@ func TestChannelBuffer(t *testing.T) {
t.Fatalf("Expected '%s', got '%s'", expected, string(b))
}
}
// FIXME doesn't work
// func TestRunAtDifferentDate(t *testing.T) {
// var date string
// // Layout for date. MMDDhhmmYYYY
// const timeLayout = "20060102"
// expectedDate := "20100201"
// theDate, err := time.Parse(timeLayout, expectedDate)
// if err != nil {
// t.Fatal(err)
// }
// RunAtDifferentDate(theDate, func() {
// cmd := exec.Command("date", "+%Y%M%d")
// out, err := cmd.Output()
// if err != nil {
// t.Fatal(err)
// }
// date = string(out)
// })
// }