
Add test for targets/releases preference when pulling

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Riyaz Faizullabhoy 9 år sedan
förälder
incheckning
ca57f4e6a8

+ 1 - 1
api/client/trust.go

@@ -339,6 +339,7 @@ func (cli *DockerCli) trustedPull(repoInfo *registry.RepositoryInfo, ref registr
 		if err != nil {
 			return notaryError(repoInfo.FullName(), err)
 		}
+		logrus.Debugf("retrieving target for %s role\n", t.Role)
 		r, err := convertTarget(t.Target)
 		if err != nil {
 			return err
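Review bot: The added `logrus.Debugf` format string ends in `\n`, which is redundant because logrus terminates each entry itself; `logrus.Debugf("retrieving target for %s role", t.Role)` is enough. The new pull test in this commit matches on this exact text, so the message is now part of the test contract. A short comment above the call, such as `// asserted by TestTrustedPullReadsFromReleasesRole; keep wording in sync`, would stop a later rewording from silently breaking the role-preference check. The body of trustedPull continues outside this hunk.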
@@ -510,7 +511,6 @@ func (cli *DockerCli) addTargetToAllSignableRoles(repo *client.NotaryRepository,
 		// Also don't bother checking the keys if we can't add the target
 		// to this role due to path restrictions
 		if path.Dir(delegationRole.Name) != data.CanonicalTargetsRole || !delegationRole.CheckPaths(target.Name) {
-			fmt.Println("skipping", delegationRole.Name)
 			continue
 		}
 

+ 6 - 0
integration-cli/check_test.go

@@ -2,8 +2,11 @@ package main
 
 import (
 	"fmt"
+	"os"
+	"path/filepath"
 	"testing"
 
+	"github.com/docker/docker/cliconfig"
 	"github.com/docker/docker/pkg/reexec"
 	"github.com/go-check/check"
 )
@@ -206,5 +209,8 @@ func (s *DockerTrustSuite) TearDownTest(c *check.C) {
 	if s.not != nil {
 		s.not.Close()
 	}
+
+	// Remove trusted keys and metadata after test
+	os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))
 	s.ds.TearDownTest(c)
 }
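Review bot: The `os.RemoveAll` call added to TearDownTest discards its error and deletes the `trust` directory under whatever `cliconfig.ConfigDir()` resolves to when the suite runs. Nothing in this hunk shows the suite pointing the config directory at a test-scoped location, so it is worth confirming in the suite setup that this cannot resolve to the invoking user's real Docker config, where it would remove their signing keys and trust metadata. A failed cleanup would also leave key material behind for the next test with no signal. `c.Check(os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust")), check.IsNil)` would report the failure while still letting `s.ds.TearDownTest(c)` run.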

+ 53 - 0
integration-cli/docker_cli_pull_trusted_test.go

@@ -254,3 +254,56 @@ func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
 	_, err = inspectFieldWithError(imageID, "Id")
 	c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
 }
+
+func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockerclireleasesdelegationpulling/trusted", privateRegistryURL)
+	targetName := fmt.Sprintf("%s:latest", repoName)
+	pwd := "12345678"
+
+	// Push with targets first, initializing the repo
+	dockerCmd(c, "tag", "busybox", targetName)
+	pushCmd := exec.Command(dockerBinary, "push", targetName)
+	s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
+	out, _, err := runCommandWithOutput(pushCmd)
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// Try pull, check we retrieve from targets role
+	pullCmd := exec.Command(dockerBinary, "-D", "pull", repoName)
+	s.trustedCmd(pullCmd)
+	out, _, err = runCommandWithOutput(pullCmd)
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "retrieving target for targets role")
+
+	// Now we'll create the releases role, and try pushing and pulling
+	s.notaryCreateDelegation(c, repoName, pwd, "targets/releases", s.not.keys[0].Public)
+	s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)
+	s.notaryPublish(c, repoName, pwd)
+
+	// Push, should sign with targets/releases
+	dockerCmd(c, "tag", "busybox", targetName)
+	pushCmd = exec.Command(dockerBinary, "push", targetName)
+	s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
+	out, _, err = runCommandWithOutput(pushCmd)
+
+	// Try pull, check we retrieve from targets/releases role
+	pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)
+	s.trustedCmd(pullCmd)
+	out, _, err = runCommandWithOutput(pullCmd)
+	c.Assert(out, checker.Contains, "retrieving target for targets/releases role")
+
+	// Create another delegation that we'll sign with
+	s.notaryCreateDelegation(c, repoName, pwd, "targets/other", s.not.keys[1].Public)
+	s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private)
+	s.notaryPublish(c, repoName, pwd)
+
+	dockerCmd(c, "tag", "busybox", targetName)
+	pushCmd = exec.Command(dockerBinary, "push", targetName)
+	s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
+	out, _, err = runCommandWithOutput(pushCmd)
+
+	// Try pull, check we retrieve from targets/releases role
+	pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)
+	s.trustedCmd(pullCmd)
+	out, _, err = runCommandWithOutput(pullCmd)
+	c.Assert(out, checker.Contains, "retrieving target for targets/releases role")
+}
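Review bot: In TestTrustedPullReadsFromReleasesRole the second and third pushes and the two pulls that follow them assign `err` but never check it; only the first push and first pull are asserted. The third stage is the weak one: if the push after creating `targets/other` fails, the pull presumably still finds the target signed under `targets/releases` by the earlier push, so the final `checker.Contains` assertion would pass without exercising the preference among several delegations. Adding `c.Assert(err, check.IsNil, check.Commentf(out))` after each of those four `runCommandWithOutput` calls closes that gap. The comment `// Push, should sign with targets/releases` also states an expectation that nothing verifies on the push output itself.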

+ 1 - 1
integration-cli/docker_cli_push_test.go

@@ -631,7 +631,7 @@ func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c
 	pushCmd := exec.Command(dockerBinary, "push", targetName)
 	s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
 	out, _, err := runCommandWithOutput(pushCmd)
-	c.Assert(err, check.Not(check.IsNil), check.Commentf("trusted push succeed but should have failed:\n%s", out))
+	c.Assert(err, check.Not(check.IsNil), check.Commentf("trusted push succeeded but should have failed:\n%s", out))
 	c.Assert(out, checker.Contains, "no valid signing keys",
 		check.Commentf("Missing expected output on trusted push without keys"))
 }