2014-02-25 16:17:48 +00:00
package main
import (
2015-05-01 22:01:10 +00:00
"archive/tar"
2014-02-25 16:17:48 +00:00
"fmt"
2015-01-24 21:08:47 +00:00
"io/ioutil"
2016-03-14 20:11:35 +00:00
"net/http"
"net/http/httptest"
2015-01-24 21:08:47 +00:00
"os"
2014-02-25 16:17:48 +00:00
"os/exec"
2015-12-24 00:34:46 +00:00
"path/filepath"
2015-01-13 18:46:32 +00:00
"strings"
"time"
2015-01-24 21:08:47 +00:00
2016-06-09 09:00:41 +00:00
"github.com/docker/distribution/reference"
2015-12-24 00:34:46 +00:00
"github.com/docker/docker/cliconfig"
2015-10-13 12:01:58 +00:00
"github.com/docker/docker/pkg/integration/checker"
2015-04-18 16:46:47 +00:00
"github.com/go-check/check"
2014-02-25 16:17:48 +00:00
)
2015-07-07 08:10:37 +00:00
// Pushing an image to a private registry.
2015-12-18 23:06:23 +00:00
func testPushBusyboxImage ( c * check . C ) {
2015-01-13 18:46:32 +00:00
repoName := fmt . Sprintf ( "%v/dockercli/busybox" , privateRegistryURL )
2015-02-27 02:23:50 +00:00
// tag the image to upload it to the private registry
2015-07-14 06:35:36 +00:00
dockerCmd ( c , "tag" , "busybox" , repoName )
// push the image to the registry
dockerCmd ( c , "push" , repoName )
2014-02-25 16:17:48 +00:00
}
2015-12-18 23:06:23 +00:00
func ( s * DockerRegistrySuite ) TestPushBusyboxImage ( c * check . C ) {
testPushBusyboxImage ( c )
}
func ( s * DockerSchema1RegistrySuite ) TestPushBusyboxImage ( c * check . C ) {
testPushBusyboxImage ( c )
}
2014-02-25 16:17:48 +00:00
// pushing an image without a prefix should throw an error
2015-04-18 16:46:47 +00:00
func ( s * DockerSuite ) TestPushUnprefixedRepo ( c * check . C ) {
2015-10-13 12:01:58 +00:00
out , _ , err := dockerCmdWithError ( "push" , "busybox" )
c . Assert ( err , check . NotNil , check . Commentf ( "pushing an unprefixed repo didn't result in a non-zero exit status: %s" , out ) )
2015-01-13 18:46:32 +00:00
}
2015-12-18 23:06:23 +00:00
func testPushUntagged ( c * check . C ) {
2015-01-13 18:46:32 +00:00
repoName := fmt . Sprintf ( "%v/dockercli/busybox" , privateRegistryURL )
2016-04-03 20:25:07 +00:00
expected := "An image does not exist locally with the tag"
2015-10-13 12:01:58 +00:00
out , _ , err := dockerCmdWithError ( "push" , repoName )
c . Assert ( err , check . NotNil , check . Commentf ( "pushing the image to the private registry should have failed: output %q" , out ) )
c . Assert ( out , checker . Contains , expected , check . Commentf ( "pushing the image failed" ) )
2015-01-13 18:46:32 +00:00
}
2015-12-18 23:06:23 +00:00
func ( s * DockerRegistrySuite ) TestPushUntagged ( c * check . C ) {
testPushUntagged ( c )
}
func ( s * DockerSchema1RegistrySuite ) TestPushUntagged ( c * check . C ) {
testPushUntagged ( c )
}
func testPushBadTag ( c * check . C ) {
2015-01-30 22:20:32 +00:00
repoName := fmt . Sprintf ( "%v/dockercli/busybox:latest" , privateRegistryURL )
expected := "does not exist"
2015-07-14 06:35:36 +00:00
2015-10-13 12:01:58 +00:00
out , _ , err := dockerCmdWithError ( "push" , repoName )
c . Assert ( err , check . NotNil , check . Commentf ( "pushing the image to the private registry should have failed: output %q" , out ) )
c . Assert ( out , checker . Contains , expected , check . Commentf ( "pushing the image failed" ) )
2015-01-30 22:20:32 +00:00
}
2015-12-18 23:06:23 +00:00
func ( s * DockerRegistrySuite ) TestPushBadTag ( c * check . C ) {
testPushBadTag ( c )
}
func ( s * DockerSchema1RegistrySuite ) TestPushBadTag ( c * check . C ) {
testPushBadTag ( c )
}
func testPushMultipleTags ( c * check . C ) {
2015-01-30 22:20:32 +00:00
repoName := fmt . Sprintf ( "%v/dockercli/busybox" , privateRegistryURL )
repoTag1 := fmt . Sprintf ( "%v/dockercli/busybox:t1" , privateRegistryURL )
repoTag2 := fmt . Sprintf ( "%v/dockercli/busybox:t2" , privateRegistryURL )
2015-04-23 08:50:41 +00:00
// tag the image and upload it to the private registry
2015-07-14 06:35:36 +00:00
dockerCmd ( c , "tag" , "busybox" , repoTag1 )
2015-01-30 22:20:32 +00:00
2015-07-14 06:35:36 +00:00
dockerCmd ( c , "tag" , "busybox" , repoTag2 )
2015-08-13 01:32:23 +00:00
dockerCmd ( c , "push" , repoName )
2015-08-13 01:36:46 +00:00
// Ensure layer list is equivalent for repoTag1 and repoTag2
out1 , _ := dockerCmd ( c , "pull" , repoTag1 )
2015-10-13 12:01:58 +00:00
2015-08-13 01:36:46 +00:00
imageAlreadyExists := ": Image already exists"
var out1Lines [ ] string
for _ , outputLine := range strings . Split ( out1 , "\n" ) {
if strings . Contains ( outputLine , imageAlreadyExists ) {
out1Lines = append ( out1Lines , outputLine )
}
}
out2 , _ := dockerCmd ( c , "pull" , repoTag2 )
2015-10-13 12:01:58 +00:00
2015-08-13 01:36:46 +00:00
var out2Lines [ ] string
for _ , outputLine := range strings . Split ( out2 , "\n" ) {
if strings . Contains ( outputLine , imageAlreadyExists ) {
out1Lines = append ( out1Lines , outputLine )
}
}
2015-10-13 12:01:58 +00:00
c . Assert ( out2Lines , checker . HasLen , len ( out1Lines ) )
2015-08-13 01:36:46 +00:00
for i := range out1Lines {
2015-10-13 12:01:58 +00:00
c . Assert ( out1Lines [ i ] , checker . Equals , out2Lines [ i ] )
2015-08-13 01:36:46 +00:00
}
2015-01-30 22:20:32 +00:00
}
2015-12-18 23:06:23 +00:00
func ( s * DockerRegistrySuite ) TestPushMultipleTags ( c * check . C ) {
testPushMultipleTags ( c )
}
func ( s * DockerSchema1RegistrySuite ) TestPushMultipleTags ( c * check . C ) {
testPushMultipleTags ( c )
}
func testPushEmptyLayer ( c * check . C ) {
2015-01-24 21:08:47 +00:00
repoName := fmt . Sprintf ( "%v/dockercli/emptylayer" , privateRegistryURL )
emptyTarball , err := ioutil . TempFile ( "" , "empty_tarball" )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "Unable to create test file" ) )
2015-01-24 21:08:47 +00:00
tw := tar . NewWriter ( emptyTarball )
err = tw . Close ( )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "Error creating empty tarball" ) )
2015-01-24 21:08:47 +00:00
freader , err := os . Open ( emptyTarball . Name ( ) )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "Could not open test tarball" ) )
2015-01-24 21:08:47 +00:00
importCmd := exec . Command ( dockerBinary , "import" , "-" , repoName )
importCmd . Stdin = freader
out , _ , err := runCommandWithOutput ( importCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "import failed: %q" , out ) )
2015-01-24 21:08:47 +00:00
// Now verify we can push it
2015-10-13 12:01:58 +00:00
out , _ , err = dockerCmdWithError ( "push" , repoName )
c . Assert ( err , check . IsNil , check . Commentf ( "pushing the image to the private registry has failed: %s" , out ) )
2015-01-24 21:08:47 +00:00
}
2015-07-20 05:56:10 +00:00
2015-12-18 23:06:23 +00:00
func ( s * DockerRegistrySuite ) TestPushEmptyLayer ( c * check . C ) {
testPushEmptyLayer ( c )
}
func ( s * DockerSchema1RegistrySuite ) TestPushEmptyLayer ( c * check . C ) {
testPushEmptyLayer ( c )
}
2016-03-01 18:56:05 +00:00
// testConcurrentPush pushes multiple tags to the same repo
// concurrently.
func testConcurrentPush ( c * check . C ) {
repoName := fmt . Sprintf ( "%v/dockercli/busybox" , privateRegistryURL )
repos := [ ] string { }
for _ , tag := range [ ] string { "push1" , "push2" , "push3" } {
repo := fmt . Sprintf ( "%v:%v" , repoName , tag )
_ , err := buildImage ( repo , fmt . Sprintf ( `
FROM busybox
ENTRYPOINT [ "/bin/echo" ]
ENV FOO foo
ENV BAR bar
CMD echo % s
` , repo ) , true )
c . Assert ( err , checker . IsNil )
repos = append ( repos , repo )
}
// Push tags, in parallel
results := make ( chan error )
for _ , repo := range repos {
go func ( repo string ) {
_ , _ , err := runCommandWithOutput ( exec . Command ( dockerBinary , "push" , repo ) )
results <- err
} ( repo )
}
for range repos {
err := <- results
c . Assert ( err , checker . IsNil , check . Commentf ( "concurrent push failed with error: %v" , err ) )
}
// Clear local images store.
args := append ( [ ] string { "rmi" } , repos ... )
dockerCmd ( c , args ... )
// Re-pull and run individual tags, to make sure pushes succeeded
for _ , repo := range repos {
dockerCmd ( c , "pull" , repo )
dockerCmd ( c , "inspect" , repo )
out , _ := dockerCmd ( c , "run" , "--rm" , repo )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "/bin/sh -c echo " + repo )
}
}
func ( s * DockerRegistrySuite ) TestConcurrentPush ( c * check . C ) {
testConcurrentPush ( c )
}
func ( s * DockerSchema1RegistrySuite ) TestConcurrentPush ( c * check . C ) {
testConcurrentPush ( c )
}
2016-01-05 22:17:42 +00:00
func ( s * DockerRegistrySuite ) TestCrossRepositoryLayerPush ( c * check . C ) {
sourceRepoName := fmt . Sprintf ( "%v/dockercli/busybox" , privateRegistryURL )
// tag the image to upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , sourceRepoName )
// push the image to the registry
out1 , _ , err := dockerCmdWithError ( "push" , sourceRepoName )
c . Assert ( err , check . IsNil , check . Commentf ( "pushing the image to the private registry has failed: %s" , out1 ) )
// ensure that none of the layers were mounted from another repository during push
c . Assert ( strings . Contains ( out1 , "Mounted from" ) , check . Equals , false )
2016-06-09 09:00:41 +00:00
digest1 := reference . DigestRegexp . FindString ( out1 )
2016-01-20 19:39:32 +00:00
c . Assert ( len ( digest1 ) , checker . GreaterThan , 0 , check . Commentf ( "no digest found for pushed manifest" ) )
2016-01-05 22:17:42 +00:00
destRepoName := fmt . Sprintf ( "%v/dockercli/crossrepopush" , privateRegistryURL )
// retag the image to upload the same layers to another repo in the same registry
dockerCmd ( c , "tag" , "busybox" , destRepoName )
// push the image to the registry
out2 , _ , err := dockerCmdWithError ( "push" , destRepoName )
c . Assert ( err , check . IsNil , check . Commentf ( "pushing the image to the private registry has failed: %s" , out2 ) )
// ensure that layers were mounted from the first repo during push
c . Assert ( strings . Contains ( out2 , "Mounted from dockercli/busybox" ) , check . Equals , true )
2016-06-09 09:00:41 +00:00
digest2 := reference . DigestRegexp . FindString ( out2 )
2016-01-20 19:39:32 +00:00
c . Assert ( len ( digest2 ) , checker . GreaterThan , 0 , check . Commentf ( "no digest found for pushed manifest" ) )
c . Assert ( digest1 , check . Equals , digest2 )
2016-07-06 10:17:19 +00:00
// ensure that pushing again produces the same digest
out3 , _ , err := dockerCmdWithError ( "push" , destRepoName )
c . Assert ( err , check . IsNil , check . Commentf ( "pushing the image to the private registry has failed: %s" , out2 ) )
digest3 := reference . DigestRegexp . FindString ( out3 )
c . Assert ( len ( digest2 ) , checker . GreaterThan , 0 , check . Commentf ( "no digest found for pushed manifest" ) )
c . Assert ( digest3 , check . Equals , digest2 )
2016-01-14 03:34:27 +00:00
// ensure that we can pull and run the cross-repo-pushed repository
2016-01-05 22:17:42 +00:00
dockerCmd ( c , "rmi" , destRepoName )
dockerCmd ( c , "pull" , destRepoName )
2016-07-06 10:17:19 +00:00
out4 , _ := dockerCmd ( c , "run" , destRepoName , "echo" , "-n" , "hello world" )
c . Assert ( out4 , check . Equals , "hello world" )
2016-01-05 22:17:42 +00:00
}
func ( s * DockerSchema1RegistrySuite ) TestCrossRepositoryLayerPushNotSupported ( c * check . C ) {
sourceRepoName := fmt . Sprintf ( "%v/dockercli/busybox" , privateRegistryURL )
// tag the image to upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , sourceRepoName )
// push the image to the registry
out1 , _ , err := dockerCmdWithError ( "push" , sourceRepoName )
c . Assert ( err , check . IsNil , check . Commentf ( "pushing the image to the private registry has failed: %s" , out1 ) )
// ensure that none of the layers were mounted from another repository during push
c . Assert ( strings . Contains ( out1 , "Mounted from" ) , check . Equals , false )
2016-06-09 09:00:41 +00:00
digest1 := reference . DigestRegexp . FindString ( out1 )
2016-01-20 19:39:32 +00:00
c . Assert ( len ( digest1 ) , checker . GreaterThan , 0 , check . Commentf ( "no digest found for pushed manifest" ) )
2016-01-05 22:17:42 +00:00
destRepoName := fmt . Sprintf ( "%v/dockercli/crossrepopush" , privateRegistryURL )
// retag the image to upload the same layers to another repo in the same registry
dockerCmd ( c , "tag" , "busybox" , destRepoName )
// push the image to the registry
out2 , _ , err := dockerCmdWithError ( "push" , destRepoName )
c . Assert ( err , check . IsNil , check . Commentf ( "pushing the image to the private registry has failed: %s" , out2 ) )
// schema1 registry should not support cross-repo layer mounts, so ensure that this does not happen
2016-02-22 19:27:17 +00:00
c . Assert ( strings . Contains ( out2 , "Mounted from" ) , check . Equals , false )
2016-01-05 22:17:42 +00:00
2016-06-09 09:00:41 +00:00
digest2 := reference . DigestRegexp . FindString ( out2 )
2016-01-20 19:39:32 +00:00
c . Assert ( len ( digest2 ) , checker . GreaterThan , 0 , check . Commentf ( "no digest found for pushed manifest" ) )
2016-06-09 09:00:41 +00:00
c . Assert ( digest1 , check . Not ( check . Equals ) , digest2 )
2016-01-20 19:39:32 +00:00
2016-01-14 03:34:27 +00:00
// ensure that we can pull and run the second pushed repository
2016-01-05 22:17:42 +00:00
dockerCmd ( c , "rmi" , destRepoName )
dockerCmd ( c , "pull" , destRepoName )
2016-01-14 03:34:27 +00:00
out3 , _ := dockerCmd ( c , "run" , destRepoName , "echo" , "-n" , "hello world" )
c . Assert ( out3 , check . Equals , "hello world" )
2016-01-05 22:17:42 +00:00
}
2015-07-20 05:56:10 +00:00
func ( s * DockerTrustSuite ) TestTrustedPush ( c * check . C ) {
2016-01-27 01:52:36 +00:00
repoName := fmt . Sprintf ( "%v/dockerclitrusted/pushtest:latest" , privateRegistryURL )
2015-07-20 05:56:10 +00:00
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , repoName )
pushCmd := exec . Command ( dockerBinary , "push" , repoName )
s . trustedCmd ( pushCmd )
out , _ , err := runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "Error running trusted push: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push" ) )
2015-12-19 02:47:35 +00:00
// Try pull after push
pullCmd := exec . Command ( dockerBinary , "pull" , repoName )
s . trustedCmd ( pullCmd )
out , _ , err = runCommandWithOutput ( pullCmd )
c . Assert ( err , check . IsNil , check . Commentf ( out ) )
2016-06-27 17:09:57 +00:00
c . Assert ( string ( out ) , checker . Contains , "Status: Image is up to date" , check . Commentf ( out ) )
2016-03-03 00:51:32 +00:00
// Assert that we rotated the snapshot key to the server by checking our local keystore
contents , err := ioutil . ReadDir ( filepath . Join ( cliconfig . ConfigDir ( ) , "trust/private/tuf_keys" , privateRegistryURL , "dockerclitrusted/pushtest" ) )
c . Assert ( err , check . IsNil , check . Commentf ( "Unable to read local tuf key files" ) )
// Check that we only have 1 key (targets key)
c . Assert ( contents , checker . HasLen , 1 )
2015-07-20 05:56:10 +00:00
}
2015-07-22 03:36:22 +00:00
2015-10-09 19:14:34 +00:00
func ( s * DockerTrustSuite ) TestTrustedPushWithEnvPasswords ( c * check . C ) {
2015-12-19 02:47:35 +00:00
repoName := fmt . Sprintf ( "%v/dockerclienv/trusted:latest" , privateRegistryURL )
2015-10-09 19:14:34 +00:00
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , repoName )
pushCmd := exec . Command ( dockerBinary , "push" , repoName )
s . trustedCmdWithPassphrases ( pushCmd , "12345678" , "12345678" )
out , _ , err := runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "Error running trusted push: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push" ) )
2015-12-19 02:47:35 +00:00
// Try pull after push
pullCmd := exec . Command ( dockerBinary , "pull" , repoName )
s . trustedCmd ( pullCmd )
out , _ , err = runCommandWithOutput ( pullCmd )
c . Assert ( err , check . IsNil , check . Commentf ( out ) )
2016-06-27 17:09:57 +00:00
c . Assert ( string ( out ) , checker . Contains , "Status: Image is up to date" , check . Commentf ( out ) )
2015-10-09 19:14:34 +00:00
}
2015-12-05 10:42:46 +00:00
func ( s * DockerTrustSuite ) TestTrustedPushWithFailingServer ( c * check . C ) {
2016-01-27 01:52:36 +00:00
repoName := fmt . Sprintf ( "%v/dockerclitrusted/failingserver:latest" , privateRegistryURL )
2015-07-22 03:36:22 +00:00
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , repoName )
pushCmd := exec . Command ( dockerBinary , "push" , repoName )
2016-06-02 21:58:53 +00:00
// Using a name that doesn't resolve to an address makes this test faster
s . trustedCmdWithServer ( pushCmd , "https://server.invalid:81/" )
2015-07-22 03:36:22 +00:00
out , _ , err := runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . NotNil , check . Commentf ( "Missing error while running trusted push w/ no server" ) )
c . Assert ( out , checker . Contains , "error contacting notary server" , check . Commentf ( "Missing expected output on trusted push" ) )
2015-07-22 03:36:22 +00:00
}
func ( s * DockerTrustSuite ) TestTrustedPushWithoutServerAndUntrusted ( c * check . C ) {
2016-01-27 01:52:36 +00:00
repoName := fmt . Sprintf ( "%v/dockerclitrusted/trustedandnot:latest" , privateRegistryURL )
2015-07-22 03:36:22 +00:00
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , repoName )
2015-07-24 08:59:42 +00:00
pushCmd := exec . Command ( dockerBinary , "push" , "--disable-content-trust" , repoName )
2016-06-02 21:58:53 +00:00
// Using a name that doesn't resolve to an address makes this test faster
s . trustedCmdWithServer ( pushCmd , "https://server.invalid" )
2015-07-22 03:36:22 +00:00
out , _ , err := runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "trusted push with no server and --disable-content-trust failed: %s\n%s" , err , out ) )
c . Assert ( out , check . Not ( checker . Contains ) , "Error establishing connection to notary repository" , check . Commentf ( "Missing expected output on trusted push with --disable-content-trust:" ) )
2015-07-22 03:36:22 +00:00
}
func ( s * DockerTrustSuite ) TestTrustedPushWithExistingTag ( c * check . C ) {
2015-12-19 02:47:35 +00:00
repoName := fmt . Sprintf ( "%v/dockerclitag/trusted:latest" , privateRegistryURL )
2015-07-22 03:36:22 +00:00
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , repoName )
dockerCmd ( c , "push" , repoName )
pushCmd := exec . Command ( dockerBinary , "push" , repoName )
s . trustedCmd ( pushCmd )
out , _ , err := runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "trusted push failed: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push with existing tag" ) )
2015-12-19 02:47:35 +00:00
// Try pull after push
pullCmd := exec . Command ( dockerBinary , "pull" , repoName )
s . trustedCmd ( pullCmd )
out , _ , err = runCommandWithOutput ( pullCmd )
c . Assert ( err , check . IsNil , check . Commentf ( out ) )
2016-06-27 17:09:57 +00:00
c . Assert ( string ( out ) , checker . Contains , "Status: Image is up to date" , check . Commentf ( out ) )
2015-07-22 03:36:22 +00:00
}
2015-07-22 18:39:35 +00:00
func ( s * DockerTrustSuite ) TestTrustedPushWithExistingSignedTag ( c * check . C ) {
repoName := fmt . Sprintf ( "%v/dockerclipushpush/trusted:latest" , privateRegistryURL )
2015-07-22 03:36:22 +00:00
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , repoName )
2015-07-22 18:39:35 +00:00
// Do a trusted push
2015-07-22 03:36:22 +00:00
pushCmd := exec . Command ( dockerBinary , "push" , repoName )
2015-07-22 18:39:35 +00:00
s . trustedCmd ( pushCmd )
2015-07-22 03:36:22 +00:00
out , _ , err := runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "trusted push failed: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push with existing tag" ) )
2015-07-22 03:36:22 +00:00
2015-07-22 18:39:35 +00:00
// Do another trusted push
pushCmd = exec . Command ( dockerBinary , "push" , repoName )
2015-07-22 03:36:22 +00:00
s . trustedCmd ( pushCmd )
2015-07-22 18:39:35 +00:00
out , _ , err = runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "trusted push failed: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push with existing tag" ) )
2015-07-22 18:39:35 +00:00
dockerCmd ( c , "rmi" , repoName )
// Try pull to ensure the double push did not break our ability to pull
pullCmd := exec . Command ( dockerBinary , "pull" , repoName )
s . trustedCmd ( pullCmd )
out , _ , err = runCommandWithOutput ( pullCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "Error running trusted pull: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Status: Downloaded" , check . Commentf ( "Missing expected output on trusted pull with --disable-content-trust" ) )
2015-07-22 18:39:35 +00:00
2015-07-22 03:36:22 +00:00
}
2015-07-22 18:39:35 +00:00
func ( s * DockerTrustSuite ) TestTrustedPushWithIncorrectPassphraseForNonRoot ( c * check . C ) {
repoName := fmt . Sprintf ( "%v/dockercliincorretpwd/trusted:latest" , privateRegistryURL )
2015-07-22 03:36:22 +00:00
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , repoName )
2015-07-22 18:39:35 +00:00
// Push with default passphrases
2015-07-22 03:36:22 +00:00
pushCmd := exec . Command ( dockerBinary , "push" , repoName )
2015-07-22 18:39:35 +00:00
s . trustedCmd ( pushCmd )
2015-07-22 03:36:22 +00:00
out , _ , err := runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "trusted push failed: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push:\n%s" , out ) )
2015-07-22 18:39:35 +00:00
// Push with wrong passphrases
pushCmd = exec . Command ( dockerBinary , "push" , repoName )
2015-07-31 22:01:50 +00:00
s . trustedCmdWithPassphrases ( pushCmd , "12345678" , "87654321" )
2015-07-22 18:39:35 +00:00
out , _ , err = runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . NotNil , check . Commentf ( "Error missing from trusted push with short targets passphrase: \n%s" , out ) )
2015-11-12 20:09:31 +00:00
c . Assert ( out , checker . Contains , "could not find necessary signing keys" , check . Commentf ( "Missing expected output on trusted push with short targets/snapsnot passphrase" ) )
2015-07-22 03:36:22 +00:00
}
2015-07-23 01:46:59 +00:00
func ( s * DockerTrustSuite ) TestTrustedPushWithExpiredSnapshot ( c * check . C ) {
2015-07-29 19:09:40 +00:00
c . Skip ( "Currently changes system time, causing instability" )
2015-07-23 01:46:59 +00:00
repoName := fmt . Sprintf ( "%v/dockercliexpiredsnapshot/trusted:latest" , privateRegistryURL )
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , repoName )
// Push with default passphrases
pushCmd := exec . Command ( dockerBinary , "push" , repoName )
s . trustedCmd ( pushCmd )
out , _ , err := runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "trusted push failed: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push" ) )
2015-07-23 01:46:59 +00:00
// Snapshots last for three years. This should be expired
fourYearsLater := time . Now ( ) . Add ( time . Hour * 24 * 365 * 4 )
runAtDifferentDate ( fourYearsLater , func ( ) {
// Push with wrong passphrases
pushCmd = exec . Command ( dockerBinary , "push" , repoName )
s . trustedCmd ( pushCmd )
out , _ , err = runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . NotNil , check . Commentf ( "Error missing from trusted push with expired snapshot: \n%s" , out ) )
c . Assert ( out , checker . Contains , "repository out-of-date" , check . Commentf ( "Missing expected output on trusted push with expired snapshot" ) )
2015-07-23 01:46:59 +00:00
} )
}
func ( s * DockerTrustSuite ) TestTrustedPushWithExpiredTimestamp ( c * check . C ) {
2015-07-29 19:09:40 +00:00
c . Skip ( "Currently changes system time, causing instability" )
2015-07-23 01:46:59 +00:00
repoName := fmt . Sprintf ( "%v/dockercliexpiredtimestamppush/trusted:latest" , privateRegistryURL )
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , repoName )
// Push with default passphrases
pushCmd := exec . Command ( dockerBinary , "push" , repoName )
s . trustedCmd ( pushCmd )
out , _ , err := runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "trusted push failed: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push" ) )
2015-07-23 01:46:59 +00:00
// The timestamps expire in two weeks. Lets check three
threeWeeksLater := time . Now ( ) . Add ( time . Hour * 24 * 21 )
// Should succeed because the server transparently re-signs one
runAtDifferentDate ( threeWeeksLater , func ( ) {
pushCmd := exec . Command ( dockerBinary , "push" , repoName )
s . trustedCmd ( pushCmd )
out , _ , err := runCommandWithOutput ( pushCmd )
2015-10-13 12:01:58 +00:00
c . Assert ( err , check . IsNil , check . Commentf ( "Error running trusted push: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push with expired timestamp" ) )
2015-07-23 01:46:59 +00:00
} )
}
2015-12-24 00:34:46 +00:00
2016-03-07 19:48:11 +00:00
func ( s * DockerTrustSuite ) TestTrustedPushWithReleasesDelegationOnly ( c * check . C ) {
2016-03-11 22:11:35 +00:00
testRequires ( c , NotaryHosting )
2016-03-07 19:48:11 +00:00
repoName := fmt . Sprintf ( "%v/dockerclireleasedelegationinitfirst/trusted" , privateRegistryURL )
2015-12-24 00:34:46 +00:00
targetName := fmt . Sprintf ( "%s:latest" , repoName )
2016-03-17 02:59:18 +00:00
s . notaryInitRepo ( c , repoName )
s . notaryCreateDelegation ( c , repoName , "targets/releases" , s . not . keys [ 0 ] . Public )
s . notaryPublish ( c , repoName )
2016-03-07 19:48:11 +00:00
s . notaryImportKey ( c , repoName , "targets/releases" , s . not . keys [ 0 ] . Private )
2015-12-24 00:34:46 +00:00
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , targetName )
2016-03-07 19:48:11 +00:00
pushCmd := exec . Command ( dockerBinary , "push" , targetName )
2016-03-17 02:59:18 +00:00
s . trustedCmd ( pushCmd )
2015-12-24 00:34:46 +00:00
out , _ , err := runCommandWithOutput ( pushCmd )
c . Assert ( err , check . IsNil , check . Commentf ( "trusted push failed: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push with existing tag" ) )
2016-03-17 02:59:18 +00:00
// check to make sure that the target has been added to targets/releases and not targets
s . assertTargetInRoles ( c , repoName , "latest" , "targets/releases" )
s . assertTargetNotInRoles ( c , repoName , "latest" , "targets" )
2015-12-24 00:34:46 +00:00
// Try pull after push
2016-03-07 19:48:11 +00:00
os . RemoveAll ( filepath . Join ( cliconfig . ConfigDir ( ) , "trust" ) )
2015-12-24 00:34:46 +00:00
pullCmd := exec . Command ( dockerBinary , "pull" , targetName )
s . trustedCmd ( pullCmd )
out , _ , err = runCommandWithOutput ( pullCmd )
c . Assert ( err , check . IsNil , check . Commentf ( out ) )
2016-06-27 17:09:57 +00:00
c . Assert ( string ( out ) , checker . Contains , "Status: Image is up to date" , check . Commentf ( out ) )
2016-03-07 19:48:11 +00:00
}
func ( s * DockerTrustSuite ) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor ( c * check . C ) {
testRequires ( c , NotaryHosting )
repoName := fmt . Sprintf ( "%v/dockerclimanyroles/trusted" , privateRegistryURL )
targetName := fmt . Sprintf ( "%s:latest" , repoName )
2016-03-17 02:59:18 +00:00
s . notaryInitRepo ( c , repoName )
s . notaryCreateDelegation ( c , repoName , "targets/role1" , s . not . keys [ 0 ] . Public )
s . notaryCreateDelegation ( c , repoName , "targets/role2" , s . not . keys [ 1 ] . Public )
s . notaryCreateDelegation ( c , repoName , "targets/role3" , s . not . keys [ 2 ] . Public )
2016-03-07 19:48:11 +00:00
// import everything except the third key
s . notaryImportKey ( c , repoName , "targets/role1" , s . not . keys [ 0 ] . Private )
s . notaryImportKey ( c , repoName , "targets/role2" , s . not . keys [ 1 ] . Private )
2016-03-17 02:59:18 +00:00
s . notaryCreateDelegation ( c , repoName , "targets/role1/subrole" , s . not . keys [ 3 ] . Public )
2016-03-07 19:48:11 +00:00
s . notaryImportKey ( c , repoName , "targets/role1/subrole" , s . not . keys [ 3 ] . Private )
2016-03-17 02:59:18 +00:00
s . notaryPublish ( c , repoName )
2016-03-07 19:48:11 +00:00
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , targetName )
pushCmd := exec . Command ( dockerBinary , "push" , targetName )
2016-03-17 02:59:18 +00:00
s . trustedCmd ( pushCmd )
2016-03-07 19:48:11 +00:00
out , _ , err := runCommandWithOutput ( pushCmd )
c . Assert ( err , check . IsNil , check . Commentf ( "trusted push failed: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push with existing tag" ) )
2016-03-17 02:59:18 +00:00
// check to make sure that the target has been added to targets/role1 and targets/role2, and
// not targets (because there are delegations) or targets/role3 (due to missing key) or
// targets/role1/subrole (due to it being a second level delegation)
s . assertTargetInRoles ( c , repoName , "latest" , "targets/role1" , "targets/role2" )
s . assertTargetNotInRoles ( c , repoName , "latest" , "targets" )
2016-03-07 19:48:11 +00:00
// Try pull after push
os . RemoveAll ( filepath . Join ( cliconfig . ConfigDir ( ) , "trust" ) )
2016-03-17 02:59:18 +00:00
// pull should fail because none of these are the releases role
2016-03-07 19:48:11 +00:00
pullCmd := exec . Command ( dockerBinary , "pull" , targetName )
s . trustedCmd ( pullCmd )
out , _ , err = runCommandWithOutput ( pullCmd )
2016-03-17 02:59:18 +00:00
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
2016-03-07 19:48:11 +00:00
}
func ( s * DockerTrustSuite ) TestTrustedPushSignsForRolesWithKeysAndValidPaths ( c * check . C ) {
repoName := fmt . Sprintf ( "%v/dockerclirolesbykeysandpaths/trusted" , privateRegistryURL )
targetName := fmt . Sprintf ( "%s:latest" , repoName )
2016-03-17 02:59:18 +00:00
s . notaryInitRepo ( c , repoName )
s . notaryCreateDelegation ( c , repoName , "targets/role1" , s . not . keys [ 0 ] . Public , "l" , "z" )
s . notaryCreateDelegation ( c , repoName , "targets/role2" , s . not . keys [ 1 ] . Public , "x" , "y" )
s . notaryCreateDelegation ( c , repoName , "targets/role3" , s . not . keys [ 2 ] . Public , "latest" )
s . notaryCreateDelegation ( c , repoName , "targets/role4" , s . not . keys [ 3 ] . Public , "latest" )
2015-12-24 00:34:46 +00:00
2016-03-07 19:48:11 +00:00
// import everything except the third key
s . notaryImportKey ( c , repoName , "targets/role1" , s . not . keys [ 0 ] . Private )
s . notaryImportKey ( c , repoName , "targets/role2" , s . not . keys [ 1 ] . Private )
s . notaryImportKey ( c , repoName , "targets/role4" , s . not . keys [ 3 ] . Private )
2016-03-17 02:59:18 +00:00
s . notaryPublish ( c , repoName )
2016-03-07 19:48:11 +00:00
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , targetName )
pushCmd := exec . Command ( dockerBinary , "push" , targetName )
2016-03-17 02:59:18 +00:00
s . trustedCmd ( pushCmd )
2016-03-07 19:48:11 +00:00
out , _ , err := runCommandWithOutput ( pushCmd )
c . Assert ( err , check . IsNil , check . Commentf ( "trusted push failed: %s\n%s" , err , out ) )
c . Assert ( out , checker . Contains , "Signing and pushing trust metadata" , check . Commentf ( "Missing expected output on trusted push with existing tag" ) )
2016-03-17 02:59:18 +00:00
// check to make sure that the target has been added to targets/role1 and targets/role4, and
// not targets (because there are delegations) or targets/role2 (due to path restrictions) or
// targets/role3 (due to missing key)
s . assertTargetInRoles ( c , repoName , "latest" , "targets/role1" , "targets/role4" )
s . assertTargetNotInRoles ( c , repoName , "latest" , "targets" )
2016-03-07 19:48:11 +00:00
// Try pull after push
os . RemoveAll ( filepath . Join ( cliconfig . ConfigDir ( ) , "trust" ) )
2016-03-17 02:59:18 +00:00
// pull should fail because none of these are the releases role
2016-03-07 19:48:11 +00:00
pullCmd := exec . Command ( dockerBinary , "pull" , targetName )
s . trustedCmd ( pullCmd )
out , _ , err = runCommandWithOutput ( pullCmd )
2016-03-17 02:59:18 +00:00
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
2016-03-07 19:48:11 +00:00
}
func ( s * DockerTrustSuite ) TestTrustedPushDoesntSignTargetsIfDelegationsExist ( c * check . C ) {
testRequires ( c , NotaryHosting )
repoName := fmt . Sprintf ( "%v/dockerclireleasedelegationnotsignable/trusted" , privateRegistryURL )
targetName := fmt . Sprintf ( "%s:latest" , repoName )
2016-03-17 02:59:18 +00:00
s . notaryInitRepo ( c , repoName )
s . notaryCreateDelegation ( c , repoName , "targets/role1" , s . not . keys [ 0 ] . Public )
s . notaryPublish ( c , repoName )
2016-03-07 19:48:11 +00:00
// do not import any delegations key
// tag the image and upload it to the private registry
dockerCmd ( c , "tag" , "busybox" , targetName )
pushCmd := exec . Command ( dockerBinary , "push" , targetName )
2016-03-17 02:59:18 +00:00
s . trustedCmd ( pushCmd )
2016-03-07 19:48:11 +00:00
out , _ , err := runCommandWithOutput ( pushCmd )
2016-03-17 02:59:18 +00:00
c . Assert ( err , check . NotNil , check . Commentf ( "trusted push succeeded but should have failed:\n%s" , out ) )
2016-03-07 19:48:11 +00:00
c . Assert ( out , checker . Contains , "no valid signing keys" ,
check . Commentf ( "Missing expected output on trusted push without keys" ) )
2016-03-17 02:59:18 +00:00
s . assertTargetNotInRoles ( c , repoName , "latest" , "targets" , "targets/role1" )
2015-12-24 00:34:46 +00:00
}
2016-03-12 17:01:01 +00:00
2016-03-14 20:11:35 +00:00
func ( s * DockerRegistryAuthHtpasswdSuite ) TestPushNoCredentialsNoRetry ( c * check . C ) {
2016-03-12 17:01:01 +00:00
repoName := fmt . Sprintf ( "%s/busybox" , privateRegistryURL )
dockerCmd ( c , "tag" , "busybox" , repoName )
out , _ , err := dockerCmdWithError ( "push" , repoName )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
c . Assert ( out , check . Not ( checker . Contains ) , "Retrying" )
c . Assert ( out , checker . Contains , "no basic auth credentials" )
}
2016-03-12 19:34:07 +00:00
// This may be flaky but it's needed not to regress on unauthorized push, see #21054
func ( s * DockerSuite ) TestPushToCentralRegistryUnauthorized ( c * check . C ) {
testRequires ( c , Network )
repoName := "test/busybox"
dockerCmd ( c , "tag" , "busybox" , repoName )
out , _ , err := dockerCmdWithError ( "push" , repoName )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
2016-03-18 17:54:05 +00:00
c . Assert ( out , check . Not ( checker . Contains ) , "Retrying" )
2016-03-12 19:34:07 +00:00
}
2016-03-14 20:11:35 +00:00
2016-03-19 11:19:43 +00:00
func getTestTokenService ( status int , body string ) * httptest . Server {
return httptest . NewServer ( http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
w . WriteHeader ( status )
2016-03-14 20:11:35 +00:00
w . Header ( ) . Set ( "Content-Type" , "application/json" )
2016-03-19 11:19:43 +00:00
w . Write ( [ ] byte ( body ) )
2016-03-14 20:11:35 +00:00
} ) )
2016-03-19 11:19:43 +00:00
}
func ( s * DockerRegistryAuthTokenSuite ) TestPushTokenServiceUnauthResponse ( c * check . C ) {
ts := getTestTokenService ( http . StatusUnauthorized , ` { "errors": [ { "Code":"UNAUTHORIZED", "message": "a message", "detail": null}]} ` )
2016-03-14 20:11:35 +00:00
defer ts . Close ( )
s . setupRegistryWithTokenService ( c , ts . URL )
repoName := fmt . Sprintf ( "%s/busybox" , privateRegistryURL )
dockerCmd ( c , "tag" , "busybox" , repoName )
out , _ , err := dockerCmdWithError ( "push" , repoName )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
2016-03-19 11:19:43 +00:00
c . Assert ( out , checker . Not ( checker . Contains ) , "Retrying" )
2016-03-14 20:11:35 +00:00
c . Assert ( out , checker . Contains , "unauthorized: a message" )
}
2016-03-19 11:19:43 +00:00
func ( s * DockerRegistryAuthTokenSuite ) TestPushMisconfiguredTokenServiceResponseUnauthorized ( c * check . C ) {
ts := getTestTokenService ( http . StatusUnauthorized , ` { "error": "unauthorized"} ` )
defer ts . Close ( )
s . setupRegistryWithTokenService ( c , ts . URL )
repoName := fmt . Sprintf ( "%s/busybox" , privateRegistryURL )
dockerCmd ( c , "tag" , "busybox" , repoName )
out , _ , err := dockerCmdWithError ( "push" , repoName )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
c . Assert ( out , checker . Not ( checker . Contains ) , "Retrying" )
split := strings . Split ( out , "\n" )
c . Assert ( split [ len ( split ) - 2 ] , check . Equals , "unauthorized: authentication required" )
}
func ( s * DockerRegistryAuthTokenSuite ) TestPushMisconfiguredTokenServiceResponseError ( c * check . C ) {
ts := getTestTokenService ( http . StatusInternalServerError , ` { "error": "unexpected"} ` )
defer ts . Close ( )
s . setupRegistryWithTokenService ( c , ts . URL )
repoName := fmt . Sprintf ( "%s/busybox" , privateRegistryURL )
dockerCmd ( c , "tag" , "busybox" , repoName )
out , _ , err := dockerCmdWithError ( "push" , repoName )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
c . Assert ( out , checker . Contains , "Retrying" )
split := strings . Split ( out , "\n" )
c . Assert ( split [ len ( split ) - 2 ] , check . Equals , "received unexpected HTTP status: 500 Internal Server Error" )
}
func ( s * DockerRegistryAuthTokenSuite ) TestPushMisconfiguredTokenServiceResponseUnparsable ( c * check . C ) {
ts := getTestTokenService ( http . StatusForbidden , ` no way ` )
2016-03-14 20:11:35 +00:00
defer ts . Close ( )
s . setupRegistryWithTokenService ( c , ts . URL )
repoName := fmt . Sprintf ( "%s/busybox" , privateRegistryURL )
dockerCmd ( c , "tag" , "busybox" , repoName )
out , _ , err := dockerCmdWithError ( "push" , repoName )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
2016-03-19 11:19:43 +00:00
c . Assert ( out , checker . Not ( checker . Contains ) , "Retrying" )
split := strings . Split ( out , "\n" )
c . Assert ( split [ len ( split ) - 2 ] , checker . Contains , "error parsing HTTP 403 response body: " )
2016-03-14 20:11:35 +00:00
}
2016-03-18 17:54:05 +00:00
func ( s * DockerRegistryAuthTokenSuite ) TestPushMisconfiguredTokenServiceResponseNoToken ( c * check . C ) {
ts := getTestTokenService ( http . StatusOK , ` { "something": "wrong"} ` )
defer ts . Close ( )
s . setupRegistryWithTokenService ( c , ts . URL )
repoName := fmt . Sprintf ( "%s/busybox" , privateRegistryURL )
dockerCmd ( c , "tag" , "busybox" , repoName )
out , _ , err := dockerCmdWithError ( "push" , repoName )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
c . Assert ( out , checker . Not ( checker . Contains ) , "Retrying" )
split := strings . Split ( out , "\n" )
c . Assert ( split [ len ( split ) - 2 ] , check . Equals , "authorization server did not include a token in the response" )
}