зеркало из https://github.com/microsoft/docker.git
Merge pull request #32740 from vdemeester/integration-trusted-cmd-cli
Use `cli` for trusted related command
This commit is contained in:
Коммит
83ee902ecc
|
@ -4200,21 +4200,20 @@ func (s *DockerTrustSuite) TestTrustedBuildTagFromReleasesRole(c *check.C) {
|
|||
|
||||
// push a different tag to the releases role
|
||||
otherTag := fmt.Sprintf("%s:other", repoName)
|
||||
dockerCmd(c, "tag", "busybox", otherTag)
|
||||
cli.DockerCmd(c, "tag", "busybox", otherTag)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", otherTag), trustedCmd).Assert(c, icmd.Success)
|
||||
cli.Docker(cli.Args("push", otherTag), trustedCmd).Assert(c, icmd.Success)
|
||||
s.assertTargetInRoles(c, repoName, "other", "targets/releases")
|
||||
s.assertTargetNotInRoles(c, repoName, "other", "targets")
|
||||
|
||||
out, status := dockerCmd(c, "rmi", otherTag)
|
||||
c.Assert(status, check.Equals, 0, check.Commentf("docker rmi failed: %s", out))
|
||||
cli.DockerCmd(c, "rmi", otherTag)
|
||||
|
||||
dockerFile := fmt.Sprintf(`
|
||||
FROM %s
|
||||
RUN []
|
||||
`, otherTag)
|
||||
name := "testtrustedbuildreleasesrole"
|
||||
buildImage(name, trustedBuild, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
|
||||
cli.BuildCmd(c, name, trustedCmd, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
|
||||
Out: fmt.Sprintf("FROM %s@sha", repoName),
|
||||
})
|
||||
}
|
||||
|
@ -4232,14 +4231,13 @@ func (s *DockerTrustSuite) TestTrustedBuildTagIgnoresOtherDelegationRoles(c *che
|
|||
|
||||
// push a different tag to the other role
|
||||
otherTag := fmt.Sprintf("%s:other", repoName)
|
||||
dockerCmd(c, "tag", "busybox", otherTag)
|
||||
cli.DockerCmd(c, "tag", "busybox", otherTag)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", otherTag), trustedCmd).Assert(c, icmd.Success)
|
||||
cli.Docker(cli.Args("push", otherTag), trustedCmd).Assert(c, icmd.Success)
|
||||
s.assertTargetInRoles(c, repoName, "other", "targets/other")
|
||||
s.assertTargetNotInRoles(c, repoName, "other", "targets")
|
||||
|
||||
out, status := dockerCmd(c, "rmi", otherTag)
|
||||
c.Assert(status, check.Equals, 0, check.Commentf("docker rmi failed: %s", out))
|
||||
cli.DockerCmd(c, "rmi", otherTag)
|
||||
|
||||
dockerFile := fmt.Sprintf(`
|
||||
FROM %s
|
||||
|
@ -4247,7 +4245,7 @@ func (s *DockerTrustSuite) TestTrustedBuildTagIgnoresOtherDelegationRoles(c *che
|
|||
`, otherTag)
|
||||
|
||||
name := "testtrustedbuildotherrole"
|
||||
buildImage(name, trustedBuild, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Build(name), trustedCmd, build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
})
|
||||
}
|
||||
|
|
|
@ -14,7 +14,6 @@ import (
|
|||
"github.com/docker/docker/integration-cli/cli/build"
|
||||
"github.com/docker/docker/integration-cli/cli/build/fakecontext"
|
||||
"github.com/docker/docker/pkg/stringid"
|
||||
"github.com/docker/docker/pkg/testutil"
|
||||
icmd "github.com/docker/docker/pkg/testutil/cmd"
|
||||
"github.com/docker/go-connections/nat"
|
||||
"github.com/go-check/check"
|
||||
|
@ -295,24 +294,23 @@ func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {
|
|||
repoName := s.setupTrustedImage(c, "trusted-create")
|
||||
|
||||
// Try create
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "create", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try untrusted create to ensure we pushed the tag to the registry
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "create", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloadedOnStderr)
|
||||
cli.Docker(cli.Args("create", "--disable-content-trust=true", repoName)).Assert(c, SuccessDownloadedOnStderr)
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockercliuntrusted/createtest", privateRegistryURL)
|
||||
withTagName := fmt.Sprintf("%s:latest", repoName)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", withTagName)
|
||||
dockerCmd(c, "push", withTagName)
|
||||
dockerCmd(c, "rmi", withTagName)
|
||||
cli.DockerCmd(c, "tag", "busybox", withTagName)
|
||||
cli.DockerCmd(c, "push", withTagName)
|
||||
cli.DockerCmd(c, "rmi", withTagName)
|
||||
|
||||
// Try trusted create on untrusted tag
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "create", withTagName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("create", withTagName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: fmt.Sprintf("does not have trust data for %s", repoName),
|
||||
})
|
||||
|
@ -322,36 +320,10 @@ func (s *DockerTrustSuite) TestTrustedIsolatedCreate(c *check.C) {
|
|||
repoName := s.setupTrustedImage(c, "trusted-isolated-create")
|
||||
|
||||
// Try create
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "--config", "/tmp/docker-isolated-create", "create", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
cli.Docker(cli.Args("--config", "/tmp/docker-isolated-create", "create", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
defer os.RemoveAll("/tmp/docker-isolated-create")
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {
|
||||
c.Skip("Currently changes system time, causing instability")
|
||||
repoName := s.setupTrustedImage(c, "trusted-create-expired")
|
||||
|
||||
// Certificates have 10 years of expiration
|
||||
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
|
||||
|
||||
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try create
|
||||
icmd.RunCmd(icmd.Cmd{
|
||||
Command: []string{dockerBinary, "create", repoName},
|
||||
}, trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "could not validate the path to a trusted root",
|
||||
})
|
||||
})
|
||||
|
||||
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try create
|
||||
result := icmd.RunCmd(icmd.Command(dockerBinary, "create", "--disable-content-trust", repoName), trustedCmd)
|
||||
c.Assert(result.Error, check.Not(check.IsNil))
|
||||
c.Assert(string(result.Combined()), checker.Contains, "Status: Downloaded", check.Commentf("Missing expected output on trusted create in the distant future:\n%s", result.Combined()))
|
||||
|
||||
})
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {
|
||||
|
@ -360,16 +332,13 @@ func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {
|
|||
c.Assert(err, check.IsNil)
|
||||
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try create
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "create", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Kill the notary server, start a new "evil" one.
|
||||
s.not.Close()
|
||||
|
@ -378,13 +347,13 @@ func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {
|
|||
|
||||
// In order to make an evil server, lets re-init a client (with a different trust dir) and push new data.
|
||||
// tag an image and upload it to the private registry
|
||||
dockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
|
||||
|
||||
// Push up to the new server
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// Now, try creating with the original client from this new trust server. This should fail because the new root is invalid.
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "create", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("create", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "could not rotate trust to a new trusted root",
|
||||
})
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/docker/docker/integration-cli/checker"
|
||||
"github.com/docker/docker/integration-cli/cli"
|
||||
icmd "github.com/docker/docker/pkg/testutil/cmd"
|
||||
"github.com/go-check/check"
|
||||
)
|
||||
|
@ -304,31 +305,26 @@ func (s *DockerTrustSuite) TestPluginTrustedInstall(c *check.C) {
|
|||
|
||||
trustedName := s.setupTrustedplugin(c, pNameWithTag, "trusted-plugin-install")
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "install", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("plugin", "install", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, icmd.Expected{
|
||||
Out: trustedName,
|
||||
})
|
||||
|
||||
out, _, err := dockerCmdWithError("plugin", "ls")
|
||||
c.Assert(err, checker.IsNil)
|
||||
out := cli.DockerCmd(c, "plugin", "ls").Combined()
|
||||
c.Assert(out, checker.Contains, "true")
|
||||
|
||||
out, _, err = dockerCmdWithError("plugin", "disable", trustedName)
|
||||
c.Assert(err, checker.IsNil)
|
||||
out = cli.DockerCmd(c, "plugin", "disable", trustedName).Combined()
|
||||
c.Assert(strings.TrimSpace(out), checker.Contains, trustedName)
|
||||
|
||||
out, _, err = dockerCmdWithError("plugin", "enable", trustedName)
|
||||
c.Assert(err, checker.IsNil)
|
||||
out = cli.DockerCmd(c, "plugin", "enable", trustedName).Combined()
|
||||
c.Assert(strings.TrimSpace(out), checker.Contains, trustedName)
|
||||
|
||||
out, _, err = dockerCmdWithError("plugin", "rm", "-f", trustedName)
|
||||
c.Assert(err, checker.IsNil)
|
||||
out = cli.DockerCmd(c, "plugin", "rm", "-f", trustedName).Combined()
|
||||
c.Assert(strings.TrimSpace(out), checker.Contains, trustedName)
|
||||
|
||||
// Try untrusted pull to ensure we pushed the tag to the registry
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "install", "--disable-content-trust=true", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, SuccessDownloaded)
|
||||
cli.Docker(cli.Args("plugin", "install", "--disable-content-trust=true", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, SuccessDownloaded)
|
||||
|
||||
out, _, err = dockerCmdWithError("plugin", "ls")
|
||||
c.Assert(err, checker.IsNil)
|
||||
out = cli.DockerCmd(c, "plugin", "ls").Combined()
|
||||
c.Assert(out, checker.Contains, "true")
|
||||
|
||||
}
|
||||
|
@ -338,12 +334,12 @@ func (s *DockerTrustSuite) TestPluginUntrustedInstall(c *check.C) {
|
|||
|
||||
pluginName := fmt.Sprintf("%v/dockercliuntrusted/plugintest:latest", privateRegistryURL)
|
||||
// install locally and push to private registry
|
||||
dockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", pluginName, pNameWithTag)
|
||||
dockerCmd(c, "plugin", "push", pluginName)
|
||||
dockerCmd(c, "plugin", "rm", "-f", pluginName)
|
||||
cli.DockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", pluginName, pNameWithTag)
|
||||
cli.DockerCmd(c, "plugin", "push", pluginName)
|
||||
cli.DockerCmd(c, "plugin", "rm", "-f", pluginName)
|
||||
|
||||
// Try trusted install on untrusted plugin
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "install", "--grant-all-permissions", pluginName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("plugin", "install", "--grant-all-permissions", pluginName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "Error: remote trust data does not exist",
|
||||
})
|
||||
|
|
|
@ -3,11 +3,10 @@ package main
|
|||
import (
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"time"
|
||||
|
||||
"github.com/docker/docker/integration-cli/checker"
|
||||
"github.com/docker/docker/integration-cli/cli"
|
||||
"github.com/docker/docker/integration-cli/cli/build"
|
||||
"github.com/docker/docker/pkg/testutil"
|
||||
icmd "github.com/docker/docker/pkg/testutil/cmd"
|
||||
"github.com/go-check/check"
|
||||
)
|
||||
|
@ -16,61 +15,36 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
|
|||
repoName := s.setupTrustedImage(c, "trusted-pull")
|
||||
|
||||
// Try pull
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
// Try untrusted pull to ensure we pushed the tag to the registry
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloaded)
|
||||
cli.Docker(cli.Args("pull", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloaded)
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedIsolatedPull(c *check.C) {
|
||||
repoName := s.setupTrustedImage(c, "trusted-isolated-pull")
|
||||
|
||||
// Try pull (run from isolated directory without trust information)
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "--config", "/tmp/docker-isolated", "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
cli.Docker(cli.Args("--config", "/tmp/docker-isolated", "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockercliuntrusted/pulltest:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
dockerCmd(c, "push", repoName)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "push", repoName)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try trusted pull on untrusted tag
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "Error: remote trust data does not exist",
|
||||
})
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {
|
||||
c.Skip("Currently changes system time, causing instability")
|
||||
repoName := s.setupTrustedImage(c, "trusted-cert-expired")
|
||||
|
||||
// Certificates have 10 years of expiration
|
||||
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
|
||||
|
||||
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try pull
|
||||
icmd.RunCmd(icmd.Cmd{
|
||||
Command: []string{dockerBinary, "pull", repoName},
|
||||
}, trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "could not validate the path to a trusted root",
|
||||
})
|
||||
})
|
||||
|
||||
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try pull
|
||||
icmd.RunCmd(icmd.Cmd{
|
||||
Command: []string{dockerBinary, "pull", "--disable-content-trust", repoName},
|
||||
}, trustedCmd).Assert(c, SuccessDownloaded)
|
||||
})
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockerclievilpull/trusted:latest", privateRegistryURL)
|
||||
evilLocalConfigDir, err := ioutil.TempDir("", "evil-local-config-dir")
|
||||
|
@ -79,14 +53,14 @@ func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
|
|||
}
|
||||
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try pull
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Kill the notary server, start a new "evil" one.
|
||||
s.not.Close()
|
||||
|
@ -96,71 +70,46 @@ func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
|
|||
|
||||
// In order to make an evil server, lets re-init a client (with a different trust dir) and push new data.
|
||||
// tag an image and upload it to the private registry
|
||||
dockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
|
||||
|
||||
// Push up to the new server
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// Now, try pulling with the original client from this new trust server. This should fail because the new root is invalid.
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "could not rotate trust to a new trusted root",
|
||||
})
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedPullWithExpiredSnapshot(c *check.C) {
|
||||
c.Skip("Currently changes system time, causing instability")
|
||||
repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppull/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
// Push with default passphrases
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Snapshots last for three years. This should be expired
|
||||
fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4)
|
||||
|
||||
testutil.RunAtDifferentDate(fourYearsLater, func() {
|
||||
// Try pull
|
||||
icmd.RunCmd(icmd.Cmd{
|
||||
Command: []string{dockerBinary, "pull", repoName},
|
||||
}, trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "repository out-of-date",
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedOfflinePull(c *check.C) {
|
||||
repoName := s.setupTrustedImage(c, "trusted-offline-pull")
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "error contacting notary server",
|
||||
})
|
||||
// Do valid trusted pull to warm cache
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try pull again with invalid notary server, should use cache
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, SuccessTagging)
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, SuccessTagging)
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, "trusted-pull-delete")
|
||||
// tag the image and upload it to the private registry
|
||||
buildImageSuccessfully(c, repoName, build.WithDockerfile(`
|
||||
cli.BuildCmd(c, repoName, build.WithDockerfile(`
|
||||
FROM busybox
|
||||
CMD echo trustedpulldelete
|
||||
`))
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try pull
|
||||
result := icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd)
|
||||
result.Assert(c, icmd.Success)
|
||||
result := cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Success)
|
||||
|
||||
matches := digestRegex.FindStringSubmatch(result.Combined())
|
||||
c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", result.Combined()))
|
||||
|
@ -174,7 +123,7 @@ func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
|
|||
c.Assert(byDigestID, checker.Equals, imageID)
|
||||
|
||||
// rmi of tag should also remove the digest reference
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
_, err := inspectFieldWithError(imageByDigest, "Id")
|
||||
c.Assert(err, checker.NotNil, check.Commentf("digest reference should have been removed"))
|
||||
|
@ -189,12 +138,12 @@ func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
|
|||
targetName := fmt.Sprintf("%s:latest", repoName)
|
||||
|
||||
// Push with targets first, initializing the repo
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
|
||||
cli.DockerCmd(c, "tag", "busybox", targetName)
|
||||
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
|
||||
s.assertTargetInRoles(c, repoName, "latest", "targets")
|
||||
|
||||
// Try pull, check we retrieve from targets role
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
Err: "retrieving target for targets role",
|
||||
})
|
||||
|
||||
|
@ -205,21 +154,21 @@ func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
|
|||
|
||||
// try a pull, check that we can still pull because we can still read the
|
||||
// old tag in the targets role
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
Err: "retrieving target for targets role",
|
||||
})
|
||||
|
||||
// try a pull -a, check that it succeeds because we can still pull from the
|
||||
// targets role
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Success)
|
||||
cli.Docker(cli.Args("-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Success)
|
||||
|
||||
// Push, should sign with targets/releases
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
|
||||
cli.DockerCmd(c, "tag", "busybox", targetName)
|
||||
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
|
||||
s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases")
|
||||
|
||||
// Try pull, check we retrieve from targets/releases role
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
Err: "retrieving target for targets/releases role",
|
||||
})
|
||||
|
||||
|
@ -228,12 +177,12 @@ func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
|
|||
s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private)
|
||||
s.notaryPublish(c, repoName)
|
||||
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
|
||||
cli.DockerCmd(c, "tag", "busybox", targetName)
|
||||
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
|
||||
s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases", "targets/other")
|
||||
|
||||
// Try pull, check we retrieve from targets/releases role
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
Err: "retrieving target for targets/releases role",
|
||||
})
|
||||
}
|
||||
|
@ -251,22 +200,22 @@ func (s *DockerTrustSuite) TestTrustedPullIgnoresOtherDelegationRoles(c *check.C
|
|||
s.notaryPublish(c, repoName)
|
||||
|
||||
// Push should write to the delegation role, not targets
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
|
||||
cli.DockerCmd(c, "tag", "busybox", targetName)
|
||||
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Success)
|
||||
s.assertTargetInRoles(c, repoName, "latest", "targets/other")
|
||||
s.assertTargetNotInRoles(c, repoName, "latest", "targets")
|
||||
|
||||
// Try pull - we should fail, since pull will only pull from the targets/releases
|
||||
// role or the targets role
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.DockerCmd(c, "tag", "busybox", targetName)
|
||||
cli.Docker(cli.Args("-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "No trust data for",
|
||||
})
|
||||
|
||||
// try a pull -a: we should fail since pull will only pull from the targets/releases
|
||||
// role or the targets role
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "No trusted tags for",
|
||||
})
|
||||
|
|
|
@ -3,6 +3,13 @@ package main
|
|||
import (
|
||||
"archive/tar"
|
||||
"fmt"
|
||||
"github.com/docker/distribution/reference"
|
||||
cliconfig "github.com/docker/docker/cli/config"
|
||||
"github.com/docker/docker/integration-cli/checker"
|
||||
"github.com/docker/docker/integration-cli/cli"
|
||||
"github.com/docker/docker/integration-cli/cli/build"
|
||||
icmd "github.com/docker/docker/pkg/testutil/cmd"
|
||||
"github.com/go-check/check"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
|
@ -10,15 +17,6 @@ import (
|
|||
"path/filepath"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/docker/distribution/reference"
|
||||
cliconfig "github.com/docker/docker/cli/config"
|
||||
"github.com/docker/docker/integration-cli/checker"
|
||||
"github.com/docker/docker/integration-cli/cli/build"
|
||||
"github.com/docker/docker/pkg/testutil"
|
||||
icmd "github.com/docker/docker/pkg/testutil/cmd"
|
||||
"github.com/go-check/check"
|
||||
)
|
||||
|
||||
// Pushing an image to a private registry.
|
||||
|
@ -285,12 +283,12 @@ func (s *DockerSchema1RegistrySuite) TestCrossRepositoryLayerPushNotSupported(c
|
|||
func (s *DockerTrustSuite) TestTrustedPush(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockerclitrusted/pushtest:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// Try pull after push
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
Out: "Status: Image is up to date",
|
||||
})
|
||||
|
||||
|
@ -304,12 +302,12 @@ func (s *DockerTrustSuite) TestTrustedPush(c *check.C) {
|
|||
func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockerclienv/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithPassphrases("12345678", "12345678")).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "12345678")).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// Try pull after push
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
Out: "Status: Image is up to date",
|
||||
})
|
||||
}
|
||||
|
@ -317,10 +315,10 @@ func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) {
|
|||
func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockerclitrusted/failingserver:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
// Using a name that doesn't resolve to an address makes this test faster
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithServer("https://server.invalid:81/")).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmdWithServer("https://server.invalid:81/")).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "error contacting notary server",
|
||||
})
|
||||
|
@ -329,9 +327,9 @@ func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) {
|
|||
func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockerclitrusted/trustedandnot:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
result := icmd.RunCmd(icmd.Command(dockerBinary, "push", "--disable-content-trust", repoName), trustedCmdWithServer("https://server.invalid:81/"))
|
||||
result := cli.Docker(cli.Args("push", "--disable-content-trust", repoName), trustedCmdWithServer("https://server.invalid:81/"))
|
||||
result.Assert(c, icmd.Success)
|
||||
c.Assert(result.Combined(), check.Not(checker.Contains), "Error establishing connection to notary repository", check.Commentf("Missing expected output on trusted push with --disable-content-trust:"))
|
||||
}
|
||||
|
@ -339,13 +337,13 @@ func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C)
|
|||
func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockerclitag/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
dockerCmd(c, "push", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "push", repoName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// Try pull after push
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
Out: "Status: Image is up to date",
|
||||
})
|
||||
}
|
||||
|
@ -353,76 +351,34 @@ func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) {
|
|||
func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockerclipushpush/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
// Do a trusted push
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// Do another trusted push
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try pull to ensure the double push did not break our ability to pull
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessDownloaded)
|
||||
cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessDownloaded)
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *check.C) {
|
||||
repoName := fmt.Sprintf("%v/dockercliincorretpwd/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
// Push with default passphrases
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// Push with wrong passphrases
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithPassphrases("12345678", "87654321")).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "87654321")).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "could not find necessary signing keys",
|
||||
})
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedPushWithExpiredSnapshot(c *check.C) {
|
||||
c.Skip("Currently changes system time, causing instability")
|
||||
repoName := fmt.Sprintf("%v/dockercliexpiredsnapshot/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
// Push with default passphrases
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// Snapshots last for three years. This should be expired
|
||||
fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4)
|
||||
|
||||
testutil.RunAtDifferentDate(fourYearsLater, func() {
|
||||
// Push with wrong passphrases
|
||||
icmd.RunCmd(icmd.Cmd{
|
||||
Command: []string{dockerBinary, "push", repoName},
|
||||
}, trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "repository out-of-date",
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedPushWithExpiredTimestamp(c *check.C) {
|
||||
c.Skip("Currently changes system time, causing instability")
|
||||
repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppush/trusted:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
// Push with default passphrases
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// The timestamps expire in two weeks. Lets check three
|
||||
threeWeeksLater := time.Now().Add(time.Hour * 24 * 21)
|
||||
|
||||
// Should succeed because the server transparently re-signs one
|
||||
testutil.RunAtDifferentDate(threeWeeksLater, func() {
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName),
|
||||
trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
})
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) {
|
||||
testRequires(c, NotaryHosting)
|
||||
repoName := fmt.Sprintf("%v/dockerclireleasedelegationinitfirst/trusted", privateRegistryURL)
|
||||
|
@ -434,9 +390,9 @@ func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C)
|
|||
s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)
|
||||
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
cli.DockerCmd(c, "tag", "busybox", targetName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
// check to make sure that the target has been added to targets/releases and not targets
|
||||
s.assertTargetInRoles(c, repoName, "latest", "targets/releases")
|
||||
s.assertTargetNotInRoles(c, repoName, "latest", "targets")
|
||||
|
@ -444,7 +400,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C)
|
|||
// Try pull after push
|
||||
os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust"))
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
|
||||
Out: "Status: Image is up to date",
|
||||
})
|
||||
}
|
||||
|
@ -468,9 +424,9 @@ func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c
|
|||
s.notaryPublish(c, repoName)
|
||||
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
cli.DockerCmd(c, "tag", "busybox", targetName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// check to make sure that the target has been added to targets/role1 and targets/role2, and
|
||||
// not targets (because there are delegations) or targets/role3 (due to missing key) or
|
||||
|
@ -482,7 +438,7 @@ func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c
|
|||
os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust"))
|
||||
|
||||
// pull should fail because none of these are the releases role
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
})
|
||||
}
|
||||
|
@ -504,9 +460,9 @@ func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *
|
|||
s.notaryPublish(c, repoName)
|
||||
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
cli.DockerCmd(c, "tag", "busybox", targetName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// check to make sure that the target has been added to targets/role1 and targets/role4, and
|
||||
// not targets (because there are delegations) or targets/role2 (due to path restrictions) or
|
||||
|
@ -518,7 +474,7 @@ func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *
|
|||
os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust"))
|
||||
|
||||
// pull should fail because none of these are the releases role
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
})
|
||||
}
|
||||
|
@ -534,9 +490,9 @@ func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c
|
|||
// do not import any delegations key
|
||||
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", targetName)
|
||||
cli.DockerCmd(c, "tag", "busybox", targetName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "no valid signing keys",
|
||||
})
|
||||
|
|
|
@ -3165,11 +3165,11 @@ func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {
|
|||
repoName := s.setupTrustedImage(c, "trusted-run")
|
||||
|
||||
// Try run
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try untrusted run to ensure we pushed the tag to the registry
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "run", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloadedOnStderr)
|
||||
cli.Docker(cli.Args("run", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloadedOnStderr)
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) {
|
||||
|
@ -3177,44 +3177,17 @@ func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) {
|
|||
testRequires(c, DaemonIsLinux)
|
||||
repoName := fmt.Sprintf("%v/dockercliuntrusted/runtest:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
dockerCmd(c, "push", repoName)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "push", repoName)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try trusted run on untrusted tag
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 125,
|
||||
Err: "does not have trust data for",
|
||||
})
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) {
|
||||
// Windows does not support this functionality
|
||||
testRequires(c, DaemonIsLinux)
|
||||
c.Skip("Currently changes system time, causing instability")
|
||||
repoName := s.setupTrustedImage(c, "trusted-run-expired")
|
||||
|
||||
// Certificates have 10 years of expiration
|
||||
elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
|
||||
|
||||
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try run
|
||||
icmd.RunCmd(icmd.Cmd{
|
||||
Command: []string{dockerBinary, "run", repoName},
|
||||
}, trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "could not validate the path to a trusted root",
|
||||
})
|
||||
})
|
||||
|
||||
testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
|
||||
// Try run
|
||||
icmd.RunCmd(icmd.Cmd{
|
||||
Command: []string{dockerBinary, "run", "--disable-content-trust", repoName},
|
||||
}, trustedCmd).Assert(c, SuccessDownloaded)
|
||||
})
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
|
||||
// Windows does not support this functionality
|
||||
testRequires(c, DaemonIsLinux)
|
||||
|
@ -3225,14 +3198,14 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
|
|||
}
|
||||
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Try run
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, SuccessTagging)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
// Kill the notary server, start a new "evil" one.
|
||||
s.not.Close()
|
||||
|
@ -3243,13 +3216,13 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {
|
|||
|
||||
// In order to make an evil server, lets re-init a client (with a different trust dir) and push new data.
|
||||
// tag an image and upload it to the private registry
|
||||
dockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
|
||||
|
||||
// Push up to the new server
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.Docker(cli.Args("--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
// Now, try running with the original client from this new trust server. This should fail because the new root is invalid.
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("run", repoName), trustedCmd).Assert(c, icmd.Expected{
|
||||
ExitCode: 125,
|
||||
Err: "could not rotate trust to a new trusted root",
|
||||
})
|
||||
|
|
|
@ -1539,8 +1539,7 @@ func (s *DockerTrustedSwarmSuite) TestTrustedServiceCreate(c *check.C) {
|
|||
repoName := s.trustSuite.setupTrustedImage(c, "trusted-pull")
|
||||
|
||||
name := "trusted"
|
||||
serviceCmd := d.Command("-D", "service", "create", "--name", name, repoName, "top")
|
||||
icmd.RunCmd(serviceCmd, trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("-D", "service", "create", "--name", name, repoName, "top"), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
|
||||
Err: "resolved image tag to",
|
||||
})
|
||||
|
||||
|
@ -1552,13 +1551,12 @@ func (s *DockerTrustedSwarmSuite) TestTrustedServiceCreate(c *check.C) {
|
|||
|
||||
repoName = fmt.Sprintf("%v/untrustedservicecreate/createtest:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
dockerCmd(c, "push", repoName)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "push", repoName)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
name = "untrusted"
|
||||
serviceCmd = d.Command("service", "create", "--name", name, repoName, "top")
|
||||
icmd.RunCmd(serviceCmd, trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("service", "create", "--name", name, repoName, "top"), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "Error: remote trust data does not exist",
|
||||
})
|
||||
|
@ -1576,34 +1574,31 @@ func (s *DockerTrustedSwarmSuite) TestTrustedServiceUpdate(c *check.C) {
|
|||
name := "myservice"
|
||||
|
||||
// Create a service without content trust
|
||||
_, err := d.Cmd("service", "create", "--name", name, repoName, "top")
|
||||
c.Assert(err, checker.IsNil)
|
||||
cli.Docker(cli.Args("service", "create", "--name", name, repoName, "top"), cli.Daemon(d.Daemon)).Assert(c, icmd.Success)
|
||||
|
||||
out, err := d.Cmd("service", "inspect", "--pretty", name)
|
||||
c.Assert(err, checker.IsNil, check.Commentf(out))
|
||||
result := cli.Docker(cli.Args("service", "inspect", "--pretty", name), cli.Daemon(d.Daemon))
|
||||
c.Assert(result.Error, checker.IsNil, check.Commentf(result.Combined()))
|
||||
// Daemon won't insert the digest because this is disabled by
|
||||
// DOCKER_SERVICE_PREFER_OFFLINE_IMAGE.
|
||||
c.Assert(out, check.Not(checker.Contains), repoName+"@", check.Commentf(out))
|
||||
c.Assert(result.Combined(), check.Not(checker.Contains), repoName+"@", check.Commentf(result.Combined()))
|
||||
|
||||
serviceCmd := d.Command("-D", "service", "update", "--image", repoName, name)
|
||||
icmd.RunCmd(serviceCmd, trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("-D", "service", "update", "--image", repoName, name), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
|
||||
Err: "resolved image tag to",
|
||||
})
|
||||
|
||||
out, err = d.Cmd("service", "inspect", "--pretty", name)
|
||||
c.Assert(err, checker.IsNil, check.Commentf(out))
|
||||
c.Assert(out, checker.Contains, repoName+"@", check.Commentf(out))
|
||||
cli.Docker(cli.Args("service", "inspect", "--pretty", name), cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
|
||||
Out: repoName + "@",
|
||||
})
|
||||
|
||||
// Try trusted service update on an untrusted tag.
|
||||
|
||||
repoName = fmt.Sprintf("%v/untrustedservicecreate/createtest:latest", privateRegistryURL)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
dockerCmd(c, "push", repoName)
|
||||
dockerCmd(c, "rmi", repoName)
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.DockerCmd(c, "push", repoName)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
|
||||
serviceCmd = d.Command("service", "update", "--image", repoName, name)
|
||||
icmd.RunCmd(serviceCmd, trustedCmd).Assert(c, icmd.Expected{
|
||||
cli.Docker(cli.Args("service", "update", "--image", repoName, name), trustedCmd, cli.Daemon(d.Daemon)).Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "Error: remote trust data does not exist",
|
||||
})
|
||||
|
|
|
@ -13,6 +13,7 @@ import (
|
|||
|
||||
cliconfig "github.com/docker/docker/cli/config"
|
||||
"github.com/docker/docker/integration-cli/checker"
|
||||
"github.com/docker/docker/integration-cli/cli"
|
||||
icmd "github.com/docker/docker/pkg/testutil/cmd"
|
||||
"github.com/docker/go-connections/tlsconfig"
|
||||
"github.com/go-check/check"
|
||||
|
@ -47,14 +48,6 @@ var SuccessDownloaded = icmd.Expected{
|
|||
Out: "Status: Downloaded",
|
||||
}
|
||||
|
||||
var SuccessTaggingOnStderr = icmd.Expected{
|
||||
Err: "Tagging",
|
||||
}
|
||||
|
||||
var SuccessSigningAndPushingOnStderr = icmd.Expected{
|
||||
Err: "Signing and pushing trust metadata",
|
||||
}
|
||||
|
||||
var SuccessDownloadedOnStderr = icmd.Expected{
|
||||
Err: "Status: Downloaded",
|
||||
}
|
||||
|
@ -190,21 +183,24 @@ func (t *testNotary) Close() {
|
|||
os.RemoveAll(t.dir)
|
||||
}
|
||||
|
||||
func trustedCmd(cmd *icmd.Cmd) {
|
||||
func trustedCmd(cmd *icmd.Cmd) func() {
|
||||
pwd := "12345678"
|
||||
cmd.Env = append(cmd.Env, trustEnv(notaryURL, pwd, pwd)...)
|
||||
return nil
|
||||
}
|
||||
|
||||
func trustedCmdWithServer(server string) func(*icmd.Cmd) {
|
||||
return func(cmd *icmd.Cmd) {
|
||||
func trustedCmdWithServer(server string) func(*icmd.Cmd) func() {
|
||||
return func(cmd *icmd.Cmd) func() {
|
||||
pwd := "12345678"
|
||||
cmd.Env = append(cmd.Env, trustEnv(server, pwd, pwd)...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func trustedCmdWithPassphrases(rootPwd, repositoryPwd string) func(*icmd.Cmd) {
|
||||
return func(cmd *icmd.Cmd) {
|
||||
func trustedCmdWithPassphrases(rootPwd, repositoryPwd string) func(*icmd.Cmd) func() {
|
||||
return func(cmd *icmd.Cmd) func() {
|
||||
cmd.Env = append(cmd.Env, trustEnv(notaryURL, rootPwd, repositoryPwd)...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -221,28 +217,18 @@ func trustEnv(server, rootPwd, repositoryPwd string) []string {
|
|||
func (s *DockerTrustSuite) setupTrustedImage(c *check.C, name string) string {
|
||||
repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, name)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "tag", "busybox", repoName)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
if out, status := dockerCmd(c, "rmi", repoName); status != 0 {
|
||||
c.Fatalf("Error removing image %q\n%s", repoName, out)
|
||||
}
|
||||
|
||||
cli.DockerCmd(c, "tag", "busybox", repoName)
|
||||
cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.DockerCmd(c, "rmi", repoName)
|
||||
return repoName
|
||||
}
|
||||
|
||||
func (s *DockerTrustSuite) setupTrustedplugin(c *check.C, source, name string) string {
|
||||
repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, name)
|
||||
// tag the image and upload it to the private registry
|
||||
dockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", repoName, source)
|
||||
|
||||
icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
|
||||
if out, status := dockerCmd(c, "plugin", "rm", "-f", repoName); status != 0 {
|
||||
c.Fatalf("Error removing plugin %q\n%s", repoName, out)
|
||||
}
|
||||
|
||||
cli.DockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", repoName, source)
|
||||
cli.Docker(cli.Args("plugin", "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
|
||||
cli.DockerCmd(c, "plugin", "rm", "-f", repoName)
|
||||
return repoName
|
||||
}
|
||||
|
||||
|
|
|
@ -16,7 +16,6 @@ import (
|
|||
|
||||
"github.com/docker/docker/pkg/stringutils"
|
||||
"github.com/docker/docker/pkg/system"
|
||||
icmd "github.com/docker/docker/pkg/testutil/cmd"
|
||||
)
|
||||
|
||||
// IsKilled process the specified error and returns whether the process was killed or not.
|
||||
|
@ -212,20 +211,6 @@ func (c *ChannelBuffer) ReadTimeout(p []byte, n time.Duration) (int, error) {
|
|||
}
|
||||
}
|
||||
|
||||
// RunAtDifferentDate runs the specified function with the given time.
|
||||
// It changes the date of the system, which can led to weird behaviors.
|
||||
func RunAtDifferentDate(date time.Time, block func()) {
|
||||
// Layout for date. MMDDhhmmYYYY
|
||||
const timeLayout = "010203042006"
|
||||
// Ensure we bring time back to now
|
||||
now := time.Now().Format(timeLayout)
|
||||
defer icmd.RunCommand("date", now)
|
||||
|
||||
icmd.RunCommand("date", date.Format(timeLayout))
|
||||
block()
|
||||
return
|
||||
}
|
||||
|
||||
// ReadBody read the specified ReadCloser content and returns it
|
||||
func ReadBody(b io.ReadCloser) ([]byte, error) {
|
||||
defer b.Close()
|
||||
|
|
|
@ -339,25 +339,3 @@ func TestChannelBuffer(t *testing.T) {
|
|||
t.Fatalf("Expected '%s', got '%s'", expected, string(b))
|
||||
}
|
||||
}
|
||||
|
||||
// FIXME doesn't work
|
||||
// func TestRunAtDifferentDate(t *testing.T) {
|
||||
// var date string
|
||||
|
||||
// // Layout for date. MMDDhhmmYYYY
|
||||
// const timeLayout = "20060102"
|
||||
// expectedDate := "20100201"
|
||||
// theDate, err := time.Parse(timeLayout, expectedDate)
|
||||
// if err != nil {
|
||||
// t.Fatal(err)
|
||||
// }
|
||||
|
||||
// RunAtDifferentDate(theDate, func() {
|
||||
// cmd := exec.Command("date", "+%Y%M%d")
|
||||
// out, err := cmd.Output()
|
||||
// if err != nil {
|
||||
// t.Fatal(err)
|
||||
// }
|
||||
// date = string(out)
|
||||
// })
|
||||
// }
|
||||
|
|
Загрузка…
Ссылка в новой задаче