Merge pull request #20509 from estesp/cleanup-authz-test

Clean up authz integration-cli test

integration-cli/docker_cli_authz_unix_test.go

@@ -30,6 +30,10 @@ const (
 	containerListAPI    = "/containers/json"
 )
 
+var (
+	alwaysAllowed = []string{"/_ping", "/info"}
+)
+
 func init() {
 	check.Suite(&DockerAuthzSuite{
 		ds: &DockerSuite{},
@@ -74,12 +78,6 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
 	})
 
 	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
-		if s.ctrl.reqRes.Err != "" {
-			w.WriteHeader(http.StatusInternalServerError)
-		}
-		b, err := json.Marshal(s.ctrl.reqRes)
-		c.Assert(err, check.IsNil)
-		w.Write(b)
 		defer r.Body.Close()
 		body, err := ioutil.ReadAll(r.Body)
 		c.Assert(err, check.IsNil)
@@ -96,16 +94,20 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
 		}
 
 		s.ctrl.requestsURIs = append(s.ctrl.requestsURIs, authReq.RequestURI)
-	})
 
-	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
-		if s.ctrl.resRes.Err != "" {
+		reqRes := s.ctrl.reqRes
+		if isAllowed(authReq.RequestURI) {
+			reqRes = authorization.Response{Allow: true}
+		}
+		if reqRes.Err != "" {
 			w.WriteHeader(http.StatusInternalServerError)
 		}
-		b, err := json.Marshal(s.ctrl.resRes)
+		b, err := json.Marshal(reqRes)
 		c.Assert(err, check.IsNil)
 		w.Write(b)
+	})
 
+	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
 		defer r.Body.Close()
 		body, err := ioutil.ReadAll(r.Body)
 		c.Assert(err, check.IsNil)
@@ -120,6 +122,16 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
 		if strings.HasSuffix(authReq.RequestURI, containerListAPI) {
 			s.ctrl.psResponseCnt++
 		}
+		resRes := s.ctrl.resRes
+		if isAllowed(authReq.RequestURI) {
+			resRes = authorization.Response{Allow: true}
+		}
+		if resRes.Err != "" {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
+		b, err := json.Marshal(resRes)
+		c.Assert(err, check.IsNil)
+		w.Write(b)
 	})
 
 	err := os.MkdirAll("/etc/docker/plugins", 0755)
@@ -130,6 +142,16 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
 	c.Assert(err, checker.IsNil)
 }
 
+// check for always allowed endpoints to not inhibit test framework functions
+func isAllowed(reqURI string) bool {
+	for _, endpoint := range alwaysAllowed {
+		if strings.HasSuffix(reqURI, endpoint) {
+			return true
+		}
+	}
+	return false
+}
+
 // assertAuthHeaders validates authentication headers are removed
 func assertAuthHeaders(c *check.C, headers map[string]string) error {
 	for k := range headers {
@@ -171,13 +193,10 @@ func (s *DockerAuthzSuite) TearDownSuite(c *check.C) {
 func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {
 	// start the daemon and load busybox, --net=none build fails otherwise
 	// cause it needs to pull busybox
-	c.Assert(s.d.StartWithBusybox(), check.IsNil)
-	// restart the daemon and enable the plugin, otherwise busybox loading
-	// is blocked by the plugin itself
-	c.Assert(s.d.Restart("--authorization-plugin="+testAuthZPlugin), check.IsNil)
-
+	c.Assert(s.d.Start("--authorization-plugin="+testAuthZPlugin), check.IsNil)
 	s.ctrl.reqRes.Allow = true
 	s.ctrl.resRes.Allow = true
+	c.Assert(s.d.LoadBusybox(), check.IsNil)
 
 	// Ensure command successful
 	out, err := s.d.Cmd("run", "-d", "busybox", "top")
@@ -234,12 +253,10 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowEventStream(c *check.C) {
 	testRequires(c, DaemonIsLinux)
 
 	// start the daemon and load busybox to avoid pulling busybox from Docker Hub
-	c.Assert(s.d.StartWithBusybox(), check.IsNil)
-	// restart the daemon and enable the authorization plugin, otherwise busybox loading
-	// is blocked by the plugin itself
-	c.Assert(s.d.Restart("--authorization-plugin="+testAuthZPlugin), check.IsNil)
+	c.Assert(s.d.Start("--authorization-plugin="+testAuthZPlugin), check.IsNil)
 	s.ctrl.reqRes.Allow = true
 	s.ctrl.resRes.Allow = true
+	c.Assert(s.d.LoadBusybox(), check.IsNil)
 
 	startTime := strconv.FormatInt(daemonTime(c).Unix(), 10)
 	// Add another command to to enable event pipelining

integration-cli/docker_utils.go

@@ -321,24 +321,7 @@ func (d *Daemon) StartWithBusybox(arg ...string) error {
 	if err := d.Start(arg...); err != nil {
 		return err
 	}
-	bb := filepath.Join(d.folder, "busybox.tar")
-	if _, err := os.Stat(bb); err != nil {
-		if !os.IsNotExist(err) {
-			return fmt.Errorf("unexpected error on busybox.tar stat: %v", err)
-		}
-		// saving busybox image from main daemon
-		if err := exec.Command(dockerBinary, "save", "--output", bb, "busybox:latest").Run(); err != nil {
-			return fmt.Errorf("could not save busybox image: %v", err)
-		}
-	}
-	// loading busybox image to this daemon
-	if out, err := d.Cmd("load", "--input", bb); err != nil {
-		return fmt.Errorf("could not load busybox image: %s", out)
-	}
-	if err := os.Remove(bb); err != nil {
-		d.c.Logf("could not remove %s: %v", bb, err)
-	}
-	return nil
+	return d.LoadBusybox()
 }
 
 // Stop will send a SIGINT every second and wait for the daemon to stop.
@@ -413,6 +396,28 @@ func (d *Daemon) Restart(arg ...string) error {
 	return d.Start(arg...)
 }
 
+// LoadBusybox will load the stored busybox into a newly started daemon
+func (d *Daemon) LoadBusybox() error {
+	bb := filepath.Join(d.folder, "busybox.tar")
+	if _, err := os.Stat(bb); err != nil {
+		if !os.IsNotExist(err) {
+			return fmt.Errorf("unexpected error on busybox.tar stat: %v", err)
+		}
+		// saving busybox image from main daemon
+		if err := exec.Command(dockerBinary, "save", "--output", bb, "busybox:latest").Run(); err != nil {
+			return fmt.Errorf("could not save busybox image: %v", err)
+		}
+	}
+	// loading busybox image to this daemon
+	if out, err := d.Cmd("load", "--input", bb); err != nil {
+		return fmt.Errorf("could not load busybox image: %s", out)
+	}
+	if err := os.Remove(bb); err != nil {
+		d.c.Logf("could not remove %s: %v", bb, err)
+	}
+	return nil
+}
+
 func (d *Daemon) queryRootDir() (string, error) {
 	// update daemon root by asking /info endpoint (to support user
 	// namespaced daemon with root remapped uid.gid directory)