Add test for targets/releases preference when pulling

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>

api/client/trust.go

@@ -339,6 +339,7 @@ func (cli *DockerCli) trustedPull(repoInfo *registry.RepositoryInfo, ref registr
 		if err != nil {
 			return notaryError(repoInfo.FullName(), err)
 		}
+		logrus.Debugf("retrieving target for %s role\n", t.Role)
 		r, err := convertTarget(t.Target)
 		if err != nil {
 			return err
@@ -510,7 +511,6 @@ func (cli *DockerCli) addTargetToAllSignableRoles(repo *client.NotaryRepository,
 		// Also don't bother checking the keys if we can't add the target
 		// to this role due to path restrictions
 		if path.Dir(delegationRole.Name) != data.CanonicalTargetsRole || !delegationRole.CheckPaths(target.Name) {
-			fmt.Println("skipping", delegationRole.Name)
 			continue
 		}
 

integration-cli/check_test.go

@@ -2,8 +2,11 @@ package main
 
 import (
 	"fmt"
+	"os"
+	"path/filepath"
 	"testing"
 
+	"github.com/docker/docker/cliconfig"
 	"github.com/docker/docker/pkg/reexec"
 	"github.com/go-check/check"
 )
@@ -206,5 +209,8 @@ func (s *DockerTrustSuite) TearDownTest(c *check.C) {
 	if s.not != nil {
 		s.not.Close()
 	}
+
+	// Remove trusted keys and metadata after test
+	os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))
 	s.ds.TearDownTest(c)
 }

integration-cli/docker_cli_pull_trusted_test.go

@@ -254,3 +254,56 @@ func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
 	_, err = inspectFieldWithError(imageID, "Id")
 	c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
 }
+
+func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockerclireleasesdelegationpulling/trusted", privateRegistryURL)
+	targetName := fmt.Sprintf("%s:latest", repoName)
+	pwd := "12345678"
+
+	// Push with targets first, initializing the repo
+	dockerCmd(c, "tag", "busybox", targetName)
+	pushCmd := exec.Command(dockerBinary, "push", targetName)
+	s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
+	out, _, err := runCommandWithOutput(pushCmd)
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// Try pull, check we retrieve from targets role
+	pullCmd := exec.Command(dockerBinary, "-D", "pull", repoName)
+	s.trustedCmd(pullCmd)
+	out, _, err = runCommandWithOutput(pullCmd)
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "retrieving target for targets role")
+
+	// Now we'll create the releases role, and try pushing and pulling
+	s.notaryCreateDelegation(c, repoName, pwd, "targets/releases", s.not.keys[0].Public)
+	s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)
+	s.notaryPublish(c, repoName, pwd)
+
+	// Push, should sign with targets/releases
+	dockerCmd(c, "tag", "busybox", targetName)
+	pushCmd = exec.Command(dockerBinary, "push", targetName)
+	s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
+	out, _, err = runCommandWithOutput(pushCmd)
+
+	// Try pull, check we retrieve from targets/releases role
+	pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)
+	s.trustedCmd(pullCmd)
+	out, _, err = runCommandWithOutput(pullCmd)
+	c.Assert(out, checker.Contains, "retrieving target for targets/releases role")
+
+	// Create another delegation that we'll sign with
+	s.notaryCreateDelegation(c, repoName, pwd, "targets/other", s.not.keys[1].Public)
+	s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private)
+	s.notaryPublish(c, repoName, pwd)
+
+	dockerCmd(c, "tag", "busybox", targetName)
+	pushCmd = exec.Command(dockerBinary, "push", targetName)
+	s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
+	out, _, err = runCommandWithOutput(pushCmd)
+
+	// Try pull, check we retrieve from targets/releases role
+	pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)
+	s.trustedCmd(pullCmd)
+	out, _, err = runCommandWithOutput(pullCmd)
+	c.Assert(out, checker.Contains, "retrieving target for targets/releases role")
+}

integration-cli/docker_cli_push_test.go

@@ -631,7 +631,7 @@ func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c
 	pushCmd := exec.Command(dockerBinary, "push", targetName)
 	s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
 	out, _, err := runCommandWithOutput(pushCmd)
-	c.Assert(err, check.Not(check.IsNil), check.Commentf("trusted push succeed but should have failed:\n%s", out))
+	c.Assert(err, check.Not(check.IsNil), check.Commentf("trusted push succeeded but should have failed:\n%s", out))
 	c.Assert(out, checker.Contains, "no valid signing keys",
 		check.Commentf("Missing expected output on trusted push without keys"))
 }