Add an integration test for docker being able to push to a repo with delegations.
Signed-off-by: cyli <cyli@twistedmatrix.com>
This commit is contained in:
cyli
Riyaz Faizullabhoy
parent
1c125f50cf
commit
1db0c7bb01
4 changed files with 114 additions and 8 deletions
|
|
@ -160,6 +160,8 @@ RUN set -x \
|
||||||
&& (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_COMMIT") \
|
&& (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_COMMIT") \
|
||||||
&& GOPATH="$GOPATH/src/github.com/docker/notary/Godeps/_workspace:$GOPATH" \
|
&& GOPATH="$GOPATH/src/github.com/docker/notary/Godeps/_workspace:$GOPATH" \
|
||||||
go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \
|
go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \
|
||||||
|
&& GOPATH="$GOPATH/src/github.com/docker/notary/Godeps/_workspace:$GOPATH" \
|
||||||
|
go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \
|
||||||
&& rm -rf "$GOPATH"
|
&& rm -rf "$GOPATH"
|
||||||
|
|
||||||
# Get the "docker-py" source so we can run their integration tests
|
# Get the "docker-py" source so we can run their integration tests
|
||||||
|
|
|
||||||
|
|
@ -195,15 +195,17 @@ func convertTarget(t client.Target) (target, error) {
|
||||||
|
|
||||||
func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever {
|
func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever {
|
||||||
aliasMap := map[string]string{
|
aliasMap := map[string]string{
|
||||||
"root": "root",
|
"root": "root",
|
||||||
"snapshot": "repository",
|
"snapshot": "repository",
|
||||||
"targets": "repository",
|
"targets": "repository",
|
||||||
|
"targets/releases": "repository",
|
||||||
}
|
}
|
||||||
baseRetriever := passphrase.PromptRetrieverWithInOut(cli.in, cli.out, aliasMap)
|
baseRetriever := passphrase.PromptRetrieverWithInOut(cli.in, cli.out, aliasMap)
|
||||||
env := map[string]string{
|
env := map[string]string{
|
||||||
"root": os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"),
|
"root": os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"),
|
||||||
"snapshot": os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
|
"snapshot": os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
|
||||||
"targets": os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
|
"targets": os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
|
||||||
|
"targets/releases": os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
|
||||||
}
|
}
|
||||||
|
|
||||||
// Backwards compatibility with old env names. We should remove this in 1.10
|
// Backwards compatibility with old env names. We should remove this in 1.10
|
||||||
|
|
@ -213,10 +215,11 @@ func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever {
|
||||||
fmt.Fprintf(cli.err, "[DEPRECATED] The environment variable DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE has been deprecated and will be removed in v1.10. Please use DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE\n")
|
fmt.Fprintf(cli.err, "[DEPRECATED] The environment variable DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE has been deprecated and will be removed in v1.10. Please use DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE\n")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if env["snapshot"] == "" || env["targets"] == "" {
|
if env["snapshot"] == "" || env["targets"] == "" || env["targets/releases"] == "" {
|
||||||
if passphrase := os.Getenv("DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE"); passphrase != "" {
|
if passphrase := os.Getenv("DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE"); passphrase != "" {
|
||||||
env["snapshot"] = passphrase
|
env["snapshot"] = passphrase
|
||||||
env["targets"] = passphrase
|
env["targets"] = passphrase
|
||||||
|
env["targets/releases"] = passphrase
|
||||||
fmt.Fprintf(cli.err, "[DEPRECATED] The environment variable DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE has been deprecated and will be removed in v1.10. Please use DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE\n")
|
fmt.Fprintf(cli.err, "[DEPRECATED] The environment variable DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE has been deprecated and will be removed in v1.10. Please use DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE\n")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -6,9 +6,11 @@ import (
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
|
"path/filepath"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/docker/docker/cliconfig"
|
||||||
"github.com/docker/docker/pkg/integration/checker"
|
"github.com/docker/docker/pkg/integration/checker"
|
||||||
"github.com/go-check/check"
|
"github.com/go-check/check"
|
||||||
)
|
)
|
||||||
|
|
@ -324,3 +326,35 @@ func (s *DockerTrustSuite) TestTrustedPushWithExpiredTimestamp(c *check.C) {
|
||||||
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with expired timestamp"))
|
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with expired timestamp"))
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegation(c *check.C) {
|
||||||
|
repoName := fmt.Sprintf("%v/dockerclireleasedelegation/trusted", privateRegistryURL)
|
||||||
|
targetName := fmt.Sprintf("%s:latest", repoName)
|
||||||
|
pwd := "12345678"
|
||||||
|
s.setupDelegations(c, repoName, pwd)
|
||||||
|
|
||||||
|
// tag the image and upload it to the private registry
|
||||||
|
dockerCmd(c, "tag", "busybox", targetName)
|
||||||
|
|
||||||
|
pushCmd := exec.Command(dockerBinary, "-D", "push", targetName)
|
||||||
|
s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)
|
||||||
|
out, _, err := runCommandWithOutput(pushCmd)
|
||||||
|
c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))
|
||||||
|
c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag"))
|
||||||
|
|
||||||
|
// Try pull after push
|
||||||
|
pullCmd := exec.Command(dockerBinary, "pull", targetName)
|
||||||
|
s.trustedCmd(pullCmd)
|
||||||
|
out, _, err = runCommandWithOutput(pullCmd)
|
||||||
|
c.Assert(err, check.IsNil, check.Commentf(out))
|
||||||
|
c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf(out))
|
||||||
|
|
||||||
|
// check to make sure that the target has been added to targets/releases and not targets
|
||||||
|
contents, err := ioutil.ReadFile(filepath.Join(cliconfig.ConfigDir(), "trust/tuf", repoName, "metadata/targets.json"))
|
||||||
|
c.Assert(err, check.IsNil, check.Commentf("Unable to read targets metadata"))
|
||||||
|
c.Assert(strings.Contains(string(contents), `"latest"`), checker.False, check.Commentf(string(contents)))
|
||||||
|
|
||||||
|
contents, err = ioutil.ReadFile(filepath.Join(cliconfig.ConfigDir(), "trust/tuf", repoName, "metadata/targets/releases.json"))
|
||||||
|
c.Assert(err, check.IsNil, check.Commentf("Unable to read targets/releases metadata"))
|
||||||
|
c.Assert(string(contents), checker.Contains, `"latest"`, check.Commentf(string(contents)))
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -11,11 +11,16 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/docker/go-connections/tlsconfig"
|
"github.com/docker/docker/cliconfig"
|
||||||
|
"github.com/docker/docker/pkg/tlsconfig"
|
||||||
|
"github.com/docker/notary/client"
|
||||||
|
"github.com/docker/notary/passphrase"
|
||||||
|
"github.com/docker/notary/tuf/data"
|
||||||
"github.com/go-check/check"
|
"github.com/go-check/check"
|
||||||
)
|
)
|
||||||
|
|
||||||
var notaryBinary = "notary-server"
|
var notaryBinary = "notary-server"
|
||||||
|
var notaryClientBinary = "notary"
|
||||||
|
|
||||||
type testNotary struct {
|
type testNotary struct {
|
||||||
cmd *exec.Cmd
|
cmd *exec.Cmd
|
||||||
|
|
@ -26,6 +31,7 @@ const notaryHost = "localhost:4443"
|
||||||
const notaryURL = "https://" + notaryHost
|
const notaryURL = "https://" + notaryHost
|
||||||
|
|
||||||
func newTestNotary(c *check.C) (*testNotary, error) {
|
func newTestNotary(c *check.C) (*testNotary, error) {
|
||||||
|
// generate server config
|
||||||
template := `{
|
template := `{
|
||||||
"server": {
|
"server": {
|
||||||
"http_addr": "%s",
|
"http_addr": "%s",
|
||||||
|
|
@ -51,6 +57,7 @@ func newTestNotary(c *check.C) (*testNotary, error) {
|
||||||
}
|
}
|
||||||
confPath := filepath.Join(tmp, "config.json")
|
confPath := filepath.Join(tmp, "config.json")
|
||||||
config, err := os.Create(confPath)
|
config, err := os.Create(confPath)
|
||||||
|
defer config.Close()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
@ -64,6 +71,26 @@ func newTestNotary(c *check.C) (*testNotary, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// generate client config
|
||||||
|
clientConfPath := filepath.Join(tmp, "client-config.json")
|
||||||
|
clientConfig, err := os.Create(clientConfPath)
|
||||||
|
defer clientConfig.Close()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
template = `{
|
||||||
|
"trust_dir" : "%s",
|
||||||
|
"remote_server": {
|
||||||
|
"url": "%s",
|
||||||
|
"skipTLSVerify": true
|
||||||
|
}
|
||||||
|
}`
|
||||||
|
if _, err = fmt.Fprintf(clientConfig, template, filepath.Join(cliconfig.ConfigDir(), "trust"), notaryURL); err != nil {
|
||||||
|
os.RemoveAll(tmp)
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// run notary-server
|
||||||
cmd := exec.Command(notaryBinary, "-config", confPath)
|
cmd := exec.Command(notaryBinary, "-config", confPath)
|
||||||
if err := cmd.Start(); err != nil {
|
if err := cmd.Start(); err != nil {
|
||||||
os.RemoveAll(tmp)
|
os.RemoveAll(tmp)
|
||||||
|
|
@ -183,3 +210,43 @@ func (s *DockerTrustSuite) setupTrustedImage(c *check.C, name string) string {
|
||||||
|
|
||||||
return repoName
|
return repoName
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func notaryClientEnv(cmd *exec.Cmd, rootPwd, repositoryPwd string) {
|
||||||
|
env := []string{
|
||||||
|
fmt.Sprintf("NOTARY_ROOT_PASSPHRASE=%s", rootPwd),
|
||||||
|
fmt.Sprintf("NOTARY_TARGETS_PASSPHRASE=%s", repositoryPwd),
|
||||||
|
fmt.Sprintf("NOTARY_SNAPSHOT_PASSPHRASE=%s", repositoryPwd),
|
||||||
|
}
|
||||||
|
cmd.Env = append(os.Environ(), env...)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *DockerTrustSuite) setupDelegations(c *check.C, repoName, pwd string) {
|
||||||
|
initCmd := exec.Command(notaryClientBinary, "-c", filepath.Join(s.not.dir, "client-config.json"), "init", repoName)
|
||||||
|
notaryClientEnv(initCmd, pwd, pwd)
|
||||||
|
out, _, err := runCommandWithOutput(initCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error initializing notary repository: %s\n", out)
|
||||||
|
}
|
||||||
|
|
||||||
|
// no command line for this, so build by hand
|
||||||
|
nRepo, err := client.NewNotaryRepository(filepath.Join(cliconfig.ConfigDir(), "trust"), repoName, notaryURL, nil, passphrase.ConstantRetriever(pwd))
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error creating notary repository: %s\n", err)
|
||||||
|
}
|
||||||
|
delgKey, err := nRepo.CryptoService.Create("targets/releases", data.ECDSAKey)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error creating delegation key: %s\n", err)
|
||||||
|
}
|
||||||
|
err = nRepo.AddDelegation("targets/releases", 1, []data.PublicKey{delgKey}, []string{""})
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error creating delegation: %s\n", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// publishing first simulates the client pushing to a repo that they have been given delegated access to
|
||||||
|
pubCmd := exec.Command(notaryClientBinary, "-c", filepath.Join(s.not.dir, "client-config.json"), "publish", repoName)
|
||||||
|
notaryClientEnv(pubCmd, pwd, pwd)
|
||||||
|
out, _, err = runCommandWithOutput(pubCmd)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("Error publishing notary repository: %s\n", out)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue