We use cookies to ensure you get the best experience on our website
Начало Каталог Помощ
Регистрация Вход
0ct0pu5
/
moby
1
0
Разклонения 0
Файлове Задачи 0 Заявки за сливане 0 Уики
ИН на ревизия: c10f6ef43f
Клонове Маркери
moby
/
integration-cli
/
docker_cli_pull_trusted_test.go

docker_cli_pull_trusted_test.go 11 KB
История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272 
  1. package main
    2. 

  2. 

  3. import (
    4. 

  4. 	"fmt"
    5. 

  5. 	"io/ioutil"
    6. 

  6. 	"time"
    7. 

  7. 

  8. 	"github.com/docker/docker/integration-cli/checker"
    9. 

  9. 	"github.com/docker/docker/pkg/testutil"
    10. 

  10. 	icmd "github.com/docker/docker/pkg/testutil/cmd"
    11. 

  11. 	"github.com/go-check/check"
    12. 

  12. )
    13. 

  13. 

  14. func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
    15. 

  15. 	repoName := s.setupTrustedImage(c, "trusted-pull")
    16. 

  16. 

  17. 	// Try pull
    18. 

  18. 	icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
    19. 

  19. 

  20. 	dockerCmd(c, "rmi", repoName)
    21. 

  21. 	// Try untrusted pull to ensure we pushed the tag to the registry
    22. 

  22. 	icmd.RunCmd(icmd.Command(dockerBinary, "pull", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloaded)
    23. 

  23. }
    24. 

  24. 

  25. func (s *DockerTrustSuite) TestTrustedIsolatedPull(c *check.C) {
    26. 

  26. 	repoName := s.setupTrustedImage(c, "trusted-isolated-pull")
    27. 

  27. 

  28. 	// Try pull (run from isolated directory without trust information)
    29. 

  29. 	icmd.RunCmd(icmd.Command(dockerBinary, "--config", "/tmp/docker-isolated", "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
    30. 

  30. 

  31. 	dockerCmd(c, "rmi", repoName)
    32. 

  32. }
    33. 

  33. 

  34. func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {
    35. 

  35. 	repoName := fmt.Sprintf("%v/dockercliuntrusted/pulltest:latest", privateRegistryURL)
    36. 

  36. 	// tag the image and upload it to the private registry
    37. 

  37. 	dockerCmd(c, "tag", "busybox", repoName)
    38. 

  38. 	dockerCmd(c, "push", repoName)
    39. 

  39. 	dockerCmd(c, "rmi", repoName)
    40. 

  40. 

  41. 	// Try trusted pull on untrusted tag
    42. 

  42. 	icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
    43. 

  43. 		ExitCode: 1,
    44. 

  44. 		Err:      "Error: remote trust data does not exist",
    45. 

  45. 	})
    46. 

  46. }
    47. 

  47. 

  48. func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {
    49. 

  49. 	c.Skip("Currently changes system time, causing instability")
    50. 

  50. 	repoName := s.setupTrustedImage(c, "trusted-cert-expired")
    51. 

  51. 

  52. 	// Certificates have 10 years of expiration
    53. 

  53. 	elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)
    54. 

  54. 

  55. 	testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
    56. 

  56. 		// Try pull
    57. 

  57. 		icmd.RunCmd(icmd.Cmd{
    58. 

  58. 			Command: []string{dockerBinary, "pull", repoName},
    59. 

  59. 		}, trustedCmd).Assert(c, icmd.Expected{
    60. 

  60. 			ExitCode: 1,
    61. 

  61. 			Err:      "could not validate the path to a trusted root",
    62. 

  62. 		})
    63. 

  63. 	})
    64. 

  64. 

  65. 	testutil.RunAtDifferentDate(elevenYearsFromNow, func() {
    66. 

  66. 		// Try pull
    67. 

  67. 		icmd.RunCmd(icmd.Cmd{
    68. 

  68. 			Command: []string{dockerBinary, "pull", "--disable-content-trust", repoName},
    69. 

  69. 		}, trustedCmd).Assert(c, SuccessDownloaded)
    70. 

  70. 	})
    71. 

  71. }
    72. 

  72. 

  73. func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {
    74. 

  74. 	repoName := fmt.Sprintf("%v/dockerclievilpull/trusted:latest", privateRegistryURL)
    75. 

  75. 	evilLocalConfigDir, err := ioutil.TempDir("", "evil-local-config-dir")
    76. 

  76. 	if err != nil {
    77. 

  77. 		c.Fatalf("Failed to create local temp dir")
    78. 

  78. 	}
    79. 

  79. 

  80. 	// tag the image and upload it to the private registry
    81. 

  81. 	dockerCmd(c, "tag", "busybox", repoName)
    82. 

  82. 

  83. 	icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
    84. 

  84. 	dockerCmd(c, "rmi", repoName)
    85. 

  85. 

  86. 	// Try pull
    87. 

  87. 	icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
    88. 

  88. 	dockerCmd(c, "rmi", repoName)
    89. 

  89. 

  90. 	// Kill the notary server, start a new "evil" one.
    91. 

  91. 	s.not.Close()
    92. 

  92. 	s.not, err = newTestNotary(c)
    93. 

  93. 

  94. 	c.Assert(err, check.IsNil, check.Commentf("Restarting notary server failed."))
    95. 

  95. 

  96. 	// In order to make an evil server, lets re-init a client (with a different trust dir) and push new data.
    97. 

  97. 	// tag an image and upload it to the private registry
    98. 

  98. 	dockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName)
    99. 

  99. 

  100. 	// Push up to the new server
    101. 

  101. 	icmd.RunCmd(icmd.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
    102. 

  102. 

  103. 	// Now, try pulling with the original client from this new trust server. This should fail because the new root is invalid.
    104. 

  104. 	icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
    105. 

  105. 		ExitCode: 1,
    106. 

  106. 		Err:      "could not rotate trust to a new trusted root",
    107. 

  107. 	})
    108. 

  108. }
    109. 

  109. 

  110. func (s *DockerTrustSuite) TestTrustedPullWithExpiredSnapshot(c *check.C) {
    111. 

  111. 	c.Skip("Currently changes system time, causing instability")
    112. 

  112. 	repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppull/trusted:latest", privateRegistryURL)
    113. 

  113. 	// tag the image and upload it to the private registry
    114. 

  114. 	dockerCmd(c, "tag", "busybox", repoName)
    115. 

  115. 

  116. 	// Push with default passphrases
    117. 

  117. 	icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
    118. 

  118. 	dockerCmd(c, "rmi", repoName)
    119. 

  119. 

  120. 	// Snapshots last for three years. This should be expired
    121. 

  121. 	fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4)
    122. 

  122. 

  123. 	testutil.RunAtDifferentDate(fourYearsLater, func() {
    124. 

  124. 		// Try pull
    125. 

  125. 		icmd.RunCmd(icmd.Cmd{
    126. 

  126. 			Command: []string{dockerBinary, "pull", repoName},
    127. 

  127. 		}, trustedCmd).Assert(c, icmd.Expected{
    128. 

  128. 			ExitCode: 1,
    129. 

  129. 			Err:      "repository out-of-date",
    130. 

  130. 		})
    131. 

  131. 	})
    132. 

  132. }
    133. 

  133. 

  134. func (s *DockerTrustSuite) TestTrustedOfflinePull(c *check.C) {
    135. 

  135. 	repoName := s.setupTrustedImage(c, "trusted-offline-pull")
    136. 

  136. 

  137. 	icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, icmd.Expected{
    138. 

  138. 		ExitCode: 1,
    139. 

  139. 		Err:      "error contacting notary server",
    140. 

  140. 	})
    141. 

  141. 	// Do valid trusted pull to warm cache
    142. 

  142. 	icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging)
    143. 

  143. 	dockerCmd(c, "rmi", repoName)
    144. 

  144. 

  145. 	// Try pull again with invalid notary server, should use cache
    146. 

  146. 	icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, SuccessTagging)
    147. 

  147. }
    148. 

  148. 

  149. func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {
    150. 

  150. 	repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, "trusted-pull-delete")
    151. 

  151. 	// tag the image and upload it to the private registry
    152. 

  152. 	buildImageSuccessfully(c, repoName, withDockerfile(`
    153. 

  153.                     FROM busybox
    154. 

  154.                     CMD echo trustedpulldelete
    155. 

  155.                 `))
    156. 

  156. 	icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing)
    157. 

  157. 

  158. 	dockerCmd(c, "rmi", repoName)
    159. 

  159. 

  160. 	// Try pull
    161. 

  161. 	result := icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd)
    162. 

  162. 	result.Assert(c, icmd.Success)
    163. 

  163. 

  164. 	matches := digestRegex.FindStringSubmatch(result.Combined())
    165. 

  165. 	c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", result.Combined()))
    166. 

  166. 	pullDigest := matches[1]
    167. 

  167. 

  168. 	imageID := inspectField(c, repoName, "Id")
    169. 

  169. 

  170. 	imageByDigest := repoName + "@" + pullDigest
    171. 

  171. 	byDigestID := inspectField(c, imageByDigest, "Id")
    172. 

  172. 

  173. 	c.Assert(byDigestID, checker.Equals, imageID)
    174. 

  174. 

  175. 	// rmi of tag should also remove the digest reference
    176. 

  176. 	dockerCmd(c, "rmi", repoName)
    177. 

  177. 

  178. 	_, err := inspectFieldWithError(imageByDigest, "Id")
    179. 

  179. 	c.Assert(err, checker.NotNil, check.Commentf("digest reference should have been removed"))
    180. 

  180. 

  181. 	_, err = inspectFieldWithError(imageID, "Id")
    182. 

  182. 	c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
    183. 

  183. }
    184. 

  184. 

  185. func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {
    186. 

  186. 	testRequires(c, NotaryHosting)
    187. 

  187. 	repoName := fmt.Sprintf("%v/dockerclireleasesdelegationpulling/trusted", privateRegistryURL)
    188. 

  188. 	targetName := fmt.Sprintf("%s:latest", repoName)
    189. 

  189. 

  190. 	// Push with targets first, initializing the repo
    191. 

  191. 	dockerCmd(c, "tag", "busybox", targetName)
    192. 

  192. 	icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
    193. 

  193. 	s.assertTargetInRoles(c, repoName, "latest", "targets")
    194. 

  194. 

  195. 	// Try pull, check we retrieve from targets role
    196. 

  196. 	icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
    197. 

  197. 		Err: "retrieving target for targets role",
    198. 

  198. 	})
    199. 

  199. 

  200. 	// Now we'll create the releases role, and try pushing and pulling
    201. 

  201. 	s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public)
    202. 

  202. 	s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)
    203. 

  203. 	s.notaryPublish(c, repoName)
    204. 

  204. 

  205. 	// try a pull, check that we can still pull because we can still read the
    206. 

  206. 	// old tag in the targets role
    207. 

  207. 	icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
    208. 

  208. 		Err: "retrieving target for targets role",
    209. 

  209. 	})
    210. 

  210. 

  211. 	// try a pull -a, check that it succeeds because we can still pull from the
    212. 

  212. 	// targets role
    213. 

  213. 	icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Success)
    214. 

  214. 

  215. 	// Push, should sign with targets/releases
    216. 

  216. 	dockerCmd(c, "tag", "busybox", targetName)
    217. 

  217. 	icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
    218. 

  218. 	s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases")
    219. 

  219. 

  220. 	// Try pull, check we retrieve from targets/releases role
    221. 

  221. 	icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
    222. 

  222. 		Err: "retrieving target for targets/releases role",
    223. 

  223. 	})
    224. 

  224. 

  225. 	// Create another delegation that we'll sign with
    226. 

  226. 	s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[1].Public)
    227. 

  227. 	s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private)
    228. 

  228. 	s.notaryPublish(c, repoName)
    229. 

  229. 

  230. 	dockerCmd(c, "tag", "busybox", targetName)
    231. 

  231. 	icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
    232. 

  232. 	s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases", "targets/other")
    233. 

  233. 

  234. 	// Try pull, check we retrieve from targets/releases role
    235. 

  235. 	icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
    236. 

  236. 		Err: "retrieving target for targets/releases role",
    237. 

  237. 	})
    238. 

  238. }
    239. 

  239. 

  240. func (s *DockerTrustSuite) TestTrustedPullIgnoresOtherDelegationRoles(c *check.C) {
    241. 

  241. 	testRequires(c, NotaryHosting)
    242. 

  242. 	repoName := fmt.Sprintf("%v/dockerclipullotherdelegation/trusted", privateRegistryURL)
    243. 

  243. 	targetName := fmt.Sprintf("%s:latest", repoName)
    244. 

  244. 

  245. 	// We'll create a repo first with a non-release delegation role, so that when we
    246. 

  246. 	// push we'll sign it into the delegation role
    247. 

  247. 	s.notaryInitRepo(c, repoName)
    248. 

  248. 	s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[0].Public)
    249. 

  249. 	s.notaryImportKey(c, repoName, "targets/other", s.not.keys[0].Private)
    250. 

  250. 	s.notaryPublish(c, repoName)
    251. 

  251. 

  252. 	// Push should write to the delegation role, not targets
    253. 

  253. 	dockerCmd(c, "tag", "busybox", targetName)
    254. 

  254. 	icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success)
    255. 

  255. 	s.assertTargetInRoles(c, repoName, "latest", "targets/other")
    256. 

  256. 	s.assertTargetNotInRoles(c, repoName, "latest", "targets")
    257. 

  257. 

  258. 	// Try pull - we should fail, since pull will only pull from the targets/releases
    259. 

  259. 	// role or the targets role
    260. 

  260. 	dockerCmd(c, "tag", "busybox", targetName)
    261. 

  261. 	icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{
    262. 

  262. 		ExitCode: 1,
    263. 

  263. 		Err:      "No trust data for",
    264. 

  264. 	})
    265. 

  265. 

  266. 	// try a pull -a: we should fail since pull will only pull from the targets/releases
    267. 

  267. 	// role or the targets role
    268. 

  268. 	icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Expected{
    269. 

  269. 		ExitCode: 1,
    270. 

  270. 		Err:      "No trusted tags for",
    271. 

  271. 	})
    272. 

  272. }
    273.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5