
Add more integration tests for trusted push and pull

Signed-off-by: Diogo Monica <diogo@docker.com>
Diogo Monica 10 роки тому
батько
коміт
356b07c896

+ 34 - 0
integration-cli/docker_cli_pull_test.go

@@ -181,4 +181,38 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
 	if !strings.Contains(string(out), "Tagging") {
 		c.Fatalf("Missing expected output on trusted push:\n%s", out)
 	}
+
+	dockerCmd(c, "rmi", repoName)
+
+	// Try untrusted pull to ensure we pushed the tag to the registry
+	pullCmd = exec.Command(dockerBinary, "pull", "--untrusted=true", repoName)
+	s.trustedCmd(pullCmd)
+	out, _, err = runCommandWithOutput(pullCmd)
+	if err != nil {
+		c.Fatalf("Error running trusted pull: %s\n%s", err, out)
+	}
+
+	if !strings.Contains(string(out), "Status: Downloaded") {
+		c.Fatalf("Missing expected output on trusted pull with --untrusted:\n%s", out)
+	}
+}
+
+func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+	dockerCmd(c, "push", repoName)
+	dockerCmd(c, "rmi", repoName)
+
+	// Try trusted pull on untrusted tag
+	pullCmd := exec.Command(dockerBinary, "pull", repoName)
+	s.trustedCmd(pullCmd)
+	out, _, err := runCommandWithOutput(pullCmd)
+	if err == nil {
+		c.Fatalf("Error expected when running trusted pull with:\n%s", out)
+	}
+
+	if !strings.Contains(string(out), "no trust data available") {
+		c.Fatalf("Missing expected output on trusted pull:\n%s", out)
+	}
 }
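Review bot: TestUntrustedPull reuses the `dockercli/trusted:latest` name that TestTrustedPull signs, so its "no trust data available" assertion only holds if the suite gives every test a fresh notary server and client trust directory, which is not visible in this hunk. This is the test that checks a trust-enabled pull refuses an unsigned tag, so it should not depend on that isolation. A name no other test signs would remove the dependency, e.g. `repoName := fmt.Sprintf("%v/dockercli/untrusted:latest", privateRegistryURL)`. Separately, the failure message added for the `--untrusted=true` pull still reads "Error running trusted pull"; `c.Fatalf("Error running untrusted pull: %s\n%s", err, out)` would match the command that ran. TestTrustedPull starts before this hunk.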

+ 106 - 0
integration-cli/docker_cli_push_test.go

@@ -159,3 +159,109 @@ func (s *DockerTrustSuite) TestTrustedPush(c *check.C) {
 		c.Fatalf("Missing expected output on trusted push:\n%s", out)
 	}
 }
+
+func (s *DockerTrustSuite) TestTrustedPushWithoutServer(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+
+	pushCmd := exec.Command(dockerBinary, "push", repoName)
+	s.trustedCmdWithServer(pushCmd, "example/")
+	out, _, err := runCommandWithOutput(pushCmd)
+	if err == nil {
+		c.Fatalf("Missing error while running trusted push w/ no server")
+	}
+
+	if !strings.Contains(string(out), "Error establishing connection to notary repository") {
+		c.Fatalf("Missing expected output on trusted push:\n%s", out)
+	}
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+
+	pushCmd := exec.Command(dockerBinary, "push", "--untrusted", repoName)
+	s.trustedCmdWithServer(pushCmd, "example/")
+	out, _, err := runCommandWithOutput(pushCmd)
+	if err != nil {
+		c.Fatalf("trusted push with no server and --untrusted failed: %s\n%s", err, out)
+	}
+
+	if strings.Contains(string(out), "Error establishing connection to notary repository") {
+		c.Fatalf("Missing expected output on trusted push with --untrusted:\n%s", out)
+	}
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+	dockerCmd(c, "push", repoName)
+
+	pushCmd := exec.Command(dockerBinary, "push", repoName)
+	s.trustedCmd(pushCmd)
+	out, _, err := runCommandWithOutput(pushCmd)
+	if err != nil {
+		c.Fatalf("trusted push failed: %s\n%s", err, out)
+	}
+
+	if !strings.Contains(string(out), "Signing and pushing trust metadata") {
+		c.Fatalf("Missing expected output on trusted push with existing tag:\n%s", out)
+	}
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithShortRootPassphrase(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+
+	pushCmd := exec.Command(dockerBinary, "push", repoName)
+	s.trustedCmdWithPassphrases(pushCmd, "rootPwd", "", "")
+	out, _, err := runCommandWithOutput(pushCmd)
+	if err == nil {
+		c.Fatalf("Error missing from trusted push with short root passphrase")
+	}
+
+	if !strings.Contains(string(out), "tuf: insufficient signatures for Cryptoservice") {
+		c.Fatalf("Missing expected output on trusted push with short root passphrase:\n%s", out)
+	}
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithIncorrectRootPassphrase(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+
+	// Push with default passphrase
+	pushCmd := exec.Command(dockerBinary, "push", "--untrusted", repoName)
+	s.trustedCmd(pushCmd)
+	out, _, _ := runCommandWithOutput(pushCmd)
+	fmt.Println("OUTPUT: ", out)
+
+	// Push with incorrect passphrase
+	pushCmd = exec.Command(dockerBinary, "push", "--untrusted", repoName)
+	s.trustedCmd(pushCmd)
+	// s.trustedCmdWithPassphrases(pushCmd, "87654321", "", "")
+	out, _, _ = runCommandWithOutput(pushCmd)
+	fmt.Println("OUTPUT2:", out)
+	c.Fail()
+}
+
+func (s *DockerTrustSuite) TestTrustedPushWithShortPassphraseForNonRoot(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+
+	pushCmd := exec.Command(dockerBinary, "push", repoName)
+	s.trustedCmdWithPassphrases(pushCmd, "12345678", "short", "short")
+	out, _, err := runCommandWithOutput(pushCmd)
+	if err == nil {
+		c.Fatalf("Error missing from trusted push with short targets passphrase")
+	}
+
+	if !strings.Contains(string(out), "tuf: insufficient signatures for Cryptoservice") {
+		c.Fatalf("Missing expected output on trusted push with short targets/snapsnot passphrase:\n%s", out)
+	}
+}
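Review bot: TestTrustedPushWithIncorrectRootPassphrase is still debugging scaffolding and cannot pass, because it ends in an unconditional `c.Fail()`. It also discards both errors, runs both pushes with `--untrusted` so no key is ever unlocked, leaves the wrong-passphrase call commented out, and prints output with `fmt.Println` instead of asserting on it. As written, a wrong root passphrase being accepted would go unnoticed. The sketch below signs once with the default passphrases and then changes only the root passphrase. Whether a second push to an existing repository unlocks the root key at all is not visible here, so the failure expectation needs confirming against the client. In TestTrustedPushWithoutServerAndUntrusted the message under the `strings.Contains` check says "Missing expected output" although that branch fires when the notary error is present.

```go
func (s *DockerTrustSuite) TestTrustedPushWithIncorrectRootPassphrase(c *check.C) {
	// … unchanged: repoName and "tag" of busybox …

	// Push with default passphrases so the signing keys exist
	pushCmd := exec.Command(dockerBinary, "push", repoName)
	s.trustedCmd(pushCmd)
	out, _, err := runCommandWithOutput(pushCmd)
	if err != nil {
		c.Fatalf("trusted push failed: %s\n%s", err, out)
	}

	// Push again with only the root passphrase wrong
	pushCmd = exec.Command(dockerBinary, "push", repoName)
	s.trustedCmdWithPassphrases(pushCmd, "87654321", "12345678", "12345678")
	out, _, err = runCommandWithOutput(pushCmd)
	if err == nil {
		c.Fatalf("Error missing from trusted push with incorrect root passphrase:\n%s", out)
	}
}
```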

+ 17 - 4
integration-cli/trust_server.go

@@ -99,12 +99,25 @@ func (t *testNotary) Close() {
 }
 
 func (s *DockerTrustSuite) trustedCmd(cmd *exec.Cmd) {
+	pwd := "12345678"
+	trustCmdEnv(cmd, s.not.address(), pwd, pwd, pwd)
+}
+
+func (s *DockerTrustSuite) trustedCmdWithServer(cmd *exec.Cmd, server string) {
+	pwd := "12345678"
+	trustCmdEnv(cmd, server, pwd, pwd, pwd)
+}
+func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, snapshotPwd, targetPwd string) {
+	trustCmdEnv(cmd, s.not.address(), rootPwd, snapshotPwd, targetPwd)
+}
+
+func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, snapshotPwd, targetPwd string) {
 	env := []string{
 		"DOCKER_TRUST=1",
-		fmt.Sprintf("DOCKER_TRUST_SERVER=%s", s.not.address()),
-		"DOCKER_TRUST_ROOT_PASSPHRASE=12345678",
-		"DOCKER_TRUST_TARGET_PASSPHRASE=12345678",
-		"DOCKER_TRUST_SNAPSHOT_PASSPHRASE=12345678",
+		fmt.Sprintf("DOCKER_TRUST_SERVER=%s", server),
+		fmt.Sprintf("DOCKER_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
+		fmt.Sprintf("DOCKER_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd),
+		fmt.Sprintf("DOCKER_TRUST_TARGET_PASSPHRASE=%s", targetPwd),
 	}
 	cmd.Env = append(os.Environ(), env...)
 }
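Review bot: `trustedCmdWithPassphrases` and `trustCmdEnv` take three adjacent `string` passphrases in the order root, snapshot, target, and nothing documents that order, so a transposed argument compiles and silently tests the wrong key. A doc comment on each helper would do, e.g. `// trustedCmdWithPassphrases enables trust on cmd against the suite's notary server; passphrases are given in the order root, snapshot, target.` The literal `"12345678"` is also repeated in `trustedCmd` and `trustedCmdWithServer` and again in the push tests, so one package-level constant for the default test passphrase would keep them from drifting apart. `trustedCmdWithServer` is missing the blank line before the next function that the other helpers have.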