0ct0pu5
/
moby


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355
							package main

import (
	"archive/tar"
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"sync"
	"testing"

	"github.com/distribution/reference"
	"github.com/docker/docker/api/types/versions"
	"github.com/docker/docker/integration-cli/cli"
	"github.com/docker/docker/integration-cli/cli/build"
	"gotest.tools/v3/assert"
	is "gotest.tools/v3/assert/cmp"
	"gotest.tools/v3/icmd"
)

type DockerCLIPushSuite struct {
	ds *DockerSuite
}

func (s *DockerCLIPushSuite) TearDownTest(ctx context.Context, c *testing.T) {
	s.ds.TearDownTest(ctx, c)
}

func (s *DockerCLIPushSuite) OnTimeout(c *testing.T) {
	s.ds.OnTimeout(c)
}

func (s *DockerRegistrySuite) TestPushBusyboxImage(c *testing.T) {
	const imgRepo = privateRegistryURL + "/dockercli/busybox"
	// tag the image to upload it to the private registry
	cli.DockerCmd(c, "tag", "busybox", imgRepo)
	// push the image to the registry
	cli.DockerCmd(c, "push", imgRepo)
}

// pushing an image without a prefix should throw an error
func (s *DockerCLIPushSuite) TestPushUnprefixedRepo(c *testing.T) {
	out, _, err := dockerCmdWithError("push", "busybox")
	assert.ErrorContains(c, err, "", "pushing an unprefixed repo didn't result in a non-zero exit status: %s", out)
}

func (s *DockerRegistrySuite) TestPushUntagged(c *testing.T) {
	const imgRepo = privateRegistryURL + "/dockercli/busybox"

	out, _, err := dockerCmdWithError("push", imgRepo)
	assert.ErrorContains(c, err, "", "pushing the image to the private registry should have failed: output %q", out)
	const expected = "An image does not exist locally with the tag"
	assert.Assert(c, strings.Contains(out, expected), "pushing the image failed")
}

func (s *DockerRegistrySuite) TestPushBadTag(c *testing.T) {
	const imgRepo = privateRegistryURL + "/dockercli/busybox:latest"

	out, _, err := dockerCmdWithError("push", imgRepo)
	assert.ErrorContains(c, err, "", "pushing the image to the private registry should have failed: output %q", out)
	const expected = "does not exist"
	assert.Assert(c, strings.Contains(out, expected), "pushing the image failed")
}

func (s *DockerRegistrySuite) TestPushMultipleTags(c *testing.T) {
	const imgRepo = privateRegistryURL + "/dockercli/busybox"
	const repoTag1 = imgRepo + ":t1"
	const repoTag2 = imgRepo + ":t2"
	// tag the image and upload it to the private registry
	cli.DockerCmd(c, "tag", "busybox", repoTag1)
	cli.DockerCmd(c, "tag", "busybox", repoTag2)

	args := []string{"push"}
	if versions.GreaterThanOrEqualTo(DockerCLIVersion(c), "20.10.0") {
		// 20.10 CLI removed implicit push all tags and requires the "--all" flag
		args = append(args, "--all-tags")
	}
	args = append(args, imgRepo)

	cli.DockerCmd(c, args...)

	imageAlreadyExists := ": Image already exists"

	// Ensure layer list is equivalent for repoTag1 and repoTag2
	out1 := cli.DockerCmd(c, "push", repoTag1).Combined()
	var out1Lines []string
	for _, outputLine := range strings.Split(out1, "\n") {
		if strings.Contains(outputLine, imageAlreadyExists) {
			out1Lines = append(out1Lines, outputLine)
		}
	}

	out2 := cli.DockerCmd(c, "push", repoTag2).Combined()
	var out2Lines []string
	for _, outputLine := range strings.Split(out2, "\n") {
		if strings.Contains(outputLine, imageAlreadyExists) {
			out2Lines = append(out2Lines, outputLine)
		}
	}
	assert.DeepEqual(c, out1Lines, out2Lines)
}

func (s *DockerRegistrySuite) TestPushEmptyLayer(c *testing.T) {
	const imgRepo = privateRegistryURL + "/dockercli/emptylayer"

	emptyTarball, err := os.CreateTemp("", "empty_tarball")
	assert.NilError(c, err, "Unable to create test file")

	tw := tar.NewWriter(emptyTarball)
	err = tw.Close()
	assert.NilError(c, err, "Error creating empty tarball")

	freader, err := os.Open(emptyTarball.Name())
	assert.NilError(c, err, "Could not open test tarball")
	defer freader.Close()

	icmd.RunCmd(icmd.Cmd{
		Command: []string{dockerBinary, "import", "-", imgRepo},
		Stdin:   freader,
	}).Assert(c, icmd.Success)

	// Now verify we can push it
	out, _, err := dockerCmdWithError("push", imgRepo)
	assert.NilError(c, err, "pushing the image to the private registry has failed: %s", out)
}

// TestConcurrentPush pushes multiple tags to the same repo
// concurrently.
func (s *DockerRegistrySuite) TestConcurrentPush(c *testing.T) {
	const imgRepo = privateRegistryURL + "/dockercli/busybox"

	var repos []string
	for _, tag := range []string{"push1", "push2", "push3"} {
		repo := fmt.Sprintf("%v:%v", imgRepo, tag)
		buildImageSuccessfully(c, repo, build.WithDockerfile(fmt.Sprintf(`
	FROM busybox
	ENTRYPOINT ["/bin/echo"]
	ENV FOO foo
	ENV BAR bar
	CMD echo %s
`, repo)))
		repos = append(repos, repo)
	}

	// Push tags, in parallel
	results := make(chan error, len(repos))

	for _, repo := range repos {
		go func(repo string) {
			result := icmd.RunCommand(dockerBinary, "push", repo)
			results <- result.Error
		}(repo)
	}

	for range repos {
		err := <-results
		assert.NilError(c, err, "concurrent push failed with error: %v", err)
	}

	// Clear local images store.
	args := append([]string{"rmi"}, repos...)
	cli.DockerCmd(c, args...)

	// Re-pull and run individual tags, to make sure pushes succeeded
	for _, repo := range repos {
		cli.DockerCmd(c, "pull", repo)
		cli.DockerCmd(c, "inspect", repo)
		out := cli.DockerCmd(c, "run", "--rm", repo).Combined()
		assert.Equal(c, strings.TrimSpace(out), "/bin/sh -c echo "+repo)
	}
}

func (s *DockerRegistrySuite) TestCrossRepositoryLayerPush(c *testing.T) {
	const sourceRepoName = privateRegistryURL + "/crossrepopush/busybox"

	// tag the image to upload it to the private registry
	cli.DockerCmd(c, "tag", "busybox", sourceRepoName)
	// push the image to the registry
	out1, _, err := dockerCmdWithError("push", sourceRepoName)
	assert.NilError(c, err, "pushing the image to the private registry has failed: %s", out1)
	// ensure that none of the layers were mounted from another repository during push
	assert.Assert(c, !strings.Contains(out1, "Mounted from"))

	digest1 := reference.DigestRegexp.FindString(out1)
	assert.Assert(c, len(digest1) > 0, "no digest found for pushed manifest")

	const destRepoName = privateRegistryURL + "/crossrepopush/img"

	// retag the image to upload the same layers to another repo in the same registry
	cli.DockerCmd(c, "tag", "busybox", destRepoName)
	// push the image to the registry
	out2, _, err := dockerCmdWithError("push", destRepoName)
	assert.NilError(c, err, "pushing the image to the private registry has failed: %s", out2)

	// ensure that layers were mounted from the first repo during push
	assert.Assert(c, strings.Contains(out2, "Mounted from crossrepopush/busybox"))

	digest2 := reference.DigestRegexp.FindString(out2)
	assert.Assert(c, len(digest2) > 0, "no digest found for pushed manifest")
	assert.Equal(c, digest1, digest2)

	// ensure that pushing again produces the same digest
	out3, _, err := dockerCmdWithError("push", destRepoName)
	assert.NilError(c, err, "pushing the image to the private registry has failed: %s", out3)

	digest3 := reference.DigestRegexp.FindString(out3)
	assert.Assert(c, len(digest3) > 0, "no digest found for pushed manifest")
	assert.Equal(c, digest3, digest2)

	// ensure that we can pull and run the cross-repo-pushed repository
	cli.DockerCmd(c, "rmi", destRepoName)
	cli.DockerCmd(c, "pull", destRepoName)
	out4 := cli.DockerCmd(c, "run", destRepoName, "echo", "-n", "hello world").Combined()
	assert.Equal(c, out4, "hello world")
}

func (s *DockerRegistryAuthHtpasswdSuite) TestPushNoCredentialsNoRetry(c *testing.T) {
	const imgRepo = privateRegistryURL + "/busybox"
	cli.DockerCmd(c, "tag", "busybox", imgRepo)
	out, _, err := dockerCmdWithError("push", imgRepo)
	assert.ErrorContains(c, err, "", out)
	assert.Assert(c, !strings.Contains(out, "Retrying"))
	assert.Assert(c, strings.Contains(out, "no basic auth credentials"))
}

// This may be flaky but it's needed not to regress on unauthorized push, see #21054
func (s *DockerCLIPushSuite) TestPushToCentralRegistryUnauthorized(c *testing.T) {
	testRequires(c, Network)

	const imgRepo = "test/busybox"
	cli.DockerCmd(c, "tag", "busybox", imgRepo)
	out, _, err := dockerCmdWithError("push", imgRepo)
	assert.ErrorContains(c, err, "", out)
	assert.Assert(c, !strings.Contains(out, "Retrying"))
}

func getTestTokenService(status int, body string, retries int) *httptest.Server {
	var mu sync.Mutex
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		if retries > 0 {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusServiceUnavailable)
			w.Write([]byte(`{"errors":[{"code":"UNAVAILABLE","message":"cannot create token at this time"}]}`))
			retries--
		} else {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(status)
			w.Write([]byte(body))
		}
		mu.Unlock()
	}))
}

func (s *DockerRegistryAuthTokenSuite) TestPushTokenServiceUnauthResponse(c *testing.T) {
	ts := getTestTokenService(http.StatusUnauthorized, `{"errors": [{"Code":"UNAUTHORIZED", "message": "a message", "detail": null}]}`, 0)
	defer ts.Close()
	s.setupRegistryWithTokenService(c, ts.URL)

	const imgRepo = privateRegistryURL + "/busybox"
	cli.DockerCmd(c, "tag", "busybox", imgRepo)
	out, _, err := dockerCmdWithError("push", imgRepo)
	assert.ErrorContains(c, err, "", out)

	assert.Check(c, !strings.Contains(out, "Retrying"))

	// Auth service errors are not part of the spec and containerd doesn't parse them.
	if testEnv.UsingSnapshotter() {
		assert.Check(c, is.Contains(out, "failed to authorize: failed to fetch anonymous token"))
		assert.Check(c, is.Contains(out, "401 Unauthorized"))
	} else {
		assert.Check(c, is.Contains(out, "unauthorized: a message"))
	}
}

func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnauthorized(c *testing.T) {
	ts := getTestTokenService(http.StatusUnauthorized, `{"error": "unauthorized"}`, 0)
	defer ts.Close()
	s.setupRegistryWithTokenService(c, ts.URL)

	const imgRepo = privateRegistryURL + "/busybox"
	cli.DockerCmd(c, "tag", "busybox", imgRepo)
	out, _, err := dockerCmdWithError("push", imgRepo)
	assert.ErrorContains(c, err, "", out)
	assert.Assert(c, !strings.Contains(out, "Retrying"))

	// Auth service errors are not part of the spec and containerd doesn't parse them.
	if testEnv.UsingSnapshotter() {
		assert.Check(c, is.Contains(out, "failed to authorize: failed to fetch anonymous token"))
		assert.Check(c, is.Contains(out, "401 Unauthorized"))
	} else {
		split := strings.Split(out, "\n")
		assert.Check(c, is.Contains(split[len(split)-2], "unauthorized: authentication required"))
	}
}

func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseError(c *testing.T) {
	ts := getTestTokenService(http.StatusTooManyRequests, `{"errors": [{"code":"TOOMANYREQUESTS","message":"out of tokens"}]}`, 3)
	defer ts.Close()
	s.setupRegistryWithTokenService(c, ts.URL)

	const imgRepo = privateRegistryURL + "/busybox"
	cli.DockerCmd(c, "tag", "busybox", imgRepo)
	out, _, err := dockerCmdWithError("push", imgRepo)
	assert.ErrorContains(c, err, "", out)
	// TODO: isolate test so that it can be guaranteed that the 503 will trigger xfer retries
	// assert.Assert(c, strings.Contains(out, "Retrying"))
	// assert.Assert(c, !strings.Contains(out, "Retrying in 15"))

	// Auth service errors are not part of the spec and containerd doesn't parse them.
	if testEnv.UsingSnapshotter() {
		assert.Check(c, is.Contains(out, "failed to authorize: failed to fetch anonymous token"))
		assert.Check(c, is.Contains(out, "503 Service Unavailable"))
	} else {
		split := strings.Split(out, "\n")
		assert.Check(c, is.Equal(split[len(split)-2], "toomanyrequests: out of tokens"))
	}
}

func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnparsable(c *testing.T) {
	ts := getTestTokenService(http.StatusForbidden, `no way`, 0)
	defer ts.Close()
	s.setupRegistryWithTokenService(c, ts.URL)

	const imgRepo = privateRegistryURL + "/busybox"
	cli.DockerCmd(c, "tag", "busybox", imgRepo)
	out, _, err := dockerCmdWithError("push", imgRepo)
	assert.ErrorContains(c, err, "", out)
	assert.Check(c, !strings.Contains(out, "Retrying"))

	// Auth service errors are not part of the spec and containerd doesn't parse them.
	if testEnv.UsingSnapshotter() {
		assert.Check(c, is.Contains(out, "failed to authorize: failed to fetch anonymous token"))
		assert.Check(c, is.Contains(out, "403 Forbidden"))
	} else {
		split := strings.Split(out, "\n")
		assert.Check(c, is.Contains(split[len(split)-2], "error parsing HTTP 403 response body: "))
	}
}

func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseNoToken(c *testing.T) {
	ts := getTestTokenService(http.StatusOK, `{"something": "wrong"}`, 0)
	defer ts.Close()
	s.setupRegistryWithTokenService(c, ts.URL)

	const imgRepo = privateRegistryURL + "/busybox"
	cli.DockerCmd(c, "tag", "busybox", imgRepo)
	out, _, err := dockerCmdWithError("push", imgRepo)
	assert.ErrorContains(c, err, "", out)
	assert.Assert(c, !strings.Contains(out, "Retrying"))
	split := strings.Split(out, "\n")
	assert.Check(c, is.Contains(split[len(split)-2], "authorization server did not include a token in the response"))
}