Add test for targets/releases preference when pulling
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
This commit is contained in:
Riyaz Faizullabhoy
cyli
parent
497a58e6e4
commit
ca57f4e6a8
|
|
@ -339,6 +339,7 @@ func (cli *DockerCli) trustedPull(repoInfo *registry.RepositoryInfo, ref registr
|
|||
if err != nil {
|
||||
return notaryError(repoInfo.FullName(), err)
|
||||
}
|
||||
logrus.Debugf("retrieving target for %s role\n", t.Role)
|
||||
r, err := convertTarget(t.Target)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
@ -510,7 +511,6 @@ func (cli *DockerCli) addTargetToAllSignableRoles(repo *client.NotaryRepository,
|
|||
// Also don't bother checking the keys if we can't add the target
|
||||
// to this role due to path restrictions
|
||||
if path.Dir(delegationRole.Name) != data.CanonicalTargetsRole || !delegationRole.CheckPaths(target.Name) {
|
||||
fmt.Println("skipping", delegationRole.Name)
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -2,8 +2,11 @@ package main
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"github.com/docker/docker/cliconfig"
|
||||
"github.com/docker/docker/pkg/reexec"
|
||||
"github.com/go-check/check"
|
||||
)
|
||||
|
|
@ -206,5 +209,8 @@ func (s *DockerTrustSuite) TearDownTest(c *check.C) {
|
|||
if s.not != nil {
|
||||
s.not.Close()
|
||||
}
|
||||
|
||||
// Remove trusted keys and metadata after test
|
||||
os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))
|
||||
s.ds.TearDownTest(c)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -254,3 +254,56 @@ func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
|
|||
_, err = inspectFieldWithError(imageID, "Id")
|
||||
c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockerclireleasesdelegationpulling/trusted", privateRegistryURL)
|
||||
targetName := fmt.Sprintf("%s:latest", repoName)
|
||||
pwd := "12345678"
|
||||
|
||||
// Push with targets first, initializing the repo
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
pushCmd := exec.Command(dockerBinary, "push", targetName)
|
||||
s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
|
||||
out, _, err := runCommandWithOutput(pushCmd)
|
||||
c.Assert(err, check.IsNil, check.Commentf(out))
|
||||
|
||||
// Try pull, check we retrieve from targets role
|
||||
pullCmd := exec.Command(dockerBinary, "-D", "pull", repoName)
|
||||
s.trustedCmd(pullCmd)
|
||||
out, _, err = runCommandWithOutput(pullCmd)
|
||||
c.Assert(err, check.IsNil, check.Commentf(out))
|
||||
c.Assert(out, checker.Contains, "retrieving target for targets role")
|
||||
|
||||
// Now we'll create the releases role, and try pushing and pulling
|
||||
s.notaryCreateDelegation(c, repoName, pwd, "targets/releases", s.not.keys[0].Public)
|
||||
s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)
|
||||
s.notaryPublish(c, repoName, pwd)
|
||||
|
||||
// Push, should sign with targets/releases
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
pushCmd = exec.Command(dockerBinary, "push", targetName)
|
||||
s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
|
||||
out, _, err = runCommandWithOutput(pushCmd)
|
||||
|
||||
// Try pull, check we retrieve from targets/releases role
|
||||
pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)
|
||||
s.trustedCmd(pullCmd)
|
||||
out, _, err = runCommandWithOutput(pullCmd)
|
||||
c.Assert(out, checker.Contains, "retrieving target for targets/releases role")
|
||||
|
||||
// Create another delegation that we'll sign with
|
||||
s.notaryCreateDelegation(c, repoName, pwd, "targets/other", s.not.keys[1].Public)
|
||||
s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private)
|
||||
s.notaryPublish(c, repoName, pwd)
|
||||
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
pushCmd = exec.Command(dockerBinary, "push", targetName)
|
||||
s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
|
||||
out, _, err = runCommandWithOutput(pushCmd)
|
||||
|
||||
// Try pull, check we retrieve from targets/releases role
|
||||
pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)
|
||||
s.trustedCmd(pullCmd)
|
||||
out, _, err = runCommandWithOutput(pullCmd)
|
||||
c.Assert(out, checker.Contains, "retrieving target for targets/releases role")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -631,7 +631,7 @@ func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c
|
|||
pushCmd := exec.Command(dockerBinary, "push", targetName)
|
||||
s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
|
||||
out, _, err := runCommandWithOutput(pushCmd)
|
||||
c.Assert(err, check.Not(check.IsNil), check.Commentf("trusted push succeed but should have failed:\n%s", out))
|
||||
c.Assert(err, check.Not(check.IsNil), check.Commentf("trusted push succeeded but should have failed:\n%s", out))
|
||||
c.Assert(out, checker.Contains, "no valid signing keys",
|
||||
check.Commentf("Missing expected output on trusted push without keys"))
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue