DockerCLI/e2e/container/run_test.go

package container

import (
	"fmt"
	"testing"

	"github.com/docker/cli/e2e/internal/fixtures"
	"github.com/docker/cli/internal/test/environment"
	"gotest.tools/assert"
	is "gotest.tools/assert/cmp"
	"gotest.tools/golden"
	"gotest.tools/icmd"
	"gotest.tools/skip"
)

const registryPrefix = "registry:5000"

func TestRunAttachedFromRemoteImageAndRemove(t *testing.T) {
	skip.If(t, environment.RemoteDaemon())

	image := createRemoteImage(t)

	result := icmd.RunCommand("docker", "run", "--rm", image,
		"echo", "this", "is", "output")

	result.Assert(t, icmd.Success)
	assert.Check(t, is.Equal("this is output\n", result.Stdout()))
	golden.Assert(t, result.Stderr(), "run-attached-from-remote-and-remove.golden")
}

func TestRunWithContentTrust(t *testing.T) {
	skip.If(t, environment.RemoteDaemon())

	dir := fixtures.SetupConfigFile(t)
	defer dir.Remove()
	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-run", "latest")

	defer func() {
		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
	}()

	result := icmd.RunCmd(
		icmd.Command("docker", "run", image),
		fixtures.WithConfig(dir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotary,
	)
	result.Assert(t, icmd.Expected{
		Err: fmt.Sprintf("Tagging %s@sha", image[:len(image)-7]),
	})
}

func TestUntrustedRun(t *testing.T) {
	dir := fixtures.SetupConfigFile(t)
	defer dir.Remove()
	image := registryPrefix + "/alpine:untrusted"
	// tag the image and upload it to the private registry
	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
	defer func() {
		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
	}()

	// try trusted run on untrusted tag
	result := icmd.RunCmd(
		icmd.Command("docker", "run", image),
		fixtures.WithConfig(dir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotary,
	)
	result.Assert(t, icmd.Expected{
		ExitCode: 125,
		Err:      "does not have trust data for",
	})
}

func TestTrustedRunFromBadTrustServer(t *testing.T) {
	evilImageName := registryPrefix + "/evil-alpine:latest"
	dir := fixtures.SetupConfigFile(t)
	defer dir.Remove()

	// tag the image and upload it to the private registry
	icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
		fixtures.WithConfig(dir.Path()),
	).Assert(t, icmd.Success)
	icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
		fixtures.WithConfig(dir.Path()),
		fixtures.WithPassphrase("root_password", "repo_password"),
		fixtures.WithTrust,
		fixtures.WithNotary,
	).Assert(t, icmd.Success)
	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)

	// try run
	icmd.RunCmd(icmd.Command("docker", "run", evilImageName),
		fixtures.WithConfig(dir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotary,
	).Assert(t, icmd.Success)
	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)

	// init a client with the evil-server and a new trust dir
	evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)
	defer evilNotaryDir.Remove()

	// tag the same image and upload it to the private registry but signed with evil notary server
	icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
		fixtures.WithConfig(evilNotaryDir.Path()),
	).Assert(t, icmd.Success)
	icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
		fixtures.WithConfig(evilNotaryDir.Path()),
		fixtures.WithPassphrase("root_password", "repo_password"),
		fixtures.WithTrust,
		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
	).Assert(t, icmd.Success)
	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)

	// try running with the original client from the evil notary server. This should failed
	// because the new root is invalid
	icmd.RunCmd(icmd.Command("docker", "run", evilImageName),
		fixtures.WithConfig(dir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
	).Assert(t, icmd.Expected{
		ExitCode: 125,
		Err:      "could not rotate trust to a new trusted root",
	})
}

// TODO: create this with registry API instead of engine API
func createRemoteImage(t *testing.T) string {
	image := registryPrefix + "/alpine:test-run-pulls"
	icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
	icmd.RunCommand("docker", "push", image).Assert(t, icmd.Success)
	icmd.RunCommand("docker", "rmi", image).Assert(t, icmd.Success)
	return image
}
Add an end-to-end test for container run for testing attach, remove, and pull image when missing. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-09-01 17:52:41 -04:00			`package container`

			`import (`
			`"fmt"`
			`"testing"`

e2e tests: refactor using fixtures Signed-off-by: Kyle Spiers <kyle@spiers.me> 2017-11-13 20:18:04 -05:00			`"github.com/docker/cli/e2e/internal/fixtures"`
Make e2e test image - Build image that contains everything needed to run e2e tests - Add ability to run e2e tests against an endpoint Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2018-05-17 07:11:59 -04:00			`"github.com/docker/cli/internal/test/environment"`
Update tests to use gotest.tools 👼 Signed-off-by: Vincent Demeester <vincent@sbr.pm> 2018-06-08 12:24:26 -04:00			`"gotest.tools/assert"`
			`is "gotest.tools/assert/cmp"`
			`"gotest.tools/golden"`
			`"gotest.tools/icmd"`
			`"gotest.tools/skip"`
Add an end-to-end test for container run for testing attach, remove, and pull image when missing. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-09-01 17:52:41 -04:00			`)`

Add more content trust tests Importing from moby's DockerTrustSuite tests. Signed-off-by: Vincent Demeester <vincent@sbr.pm> 2018-03-06 05:15:18 -05:00			`const registryPrefix = "registry:5000"`

Add an end-to-end test for container run for testing attach, remove, and pull image when missing. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-09-01 17:52:41 -04:00			`func TestRunAttachedFromRemoteImageAndRemove(t *testing.T) {`
Make e2e test image - Build image that contains everything needed to run e2e tests - Add ability to run e2e tests against an endpoint Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2018-05-17 07:11:59 -04:00			`skip.If(t, environment.RemoteDaemon())`

Add an end-to-end test for container run for testing attach, remove, and pull image when missing. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-09-01 17:52:41 -04:00			`image := createRemoteImage(t)`

Handle some TODOs in tests Use more gotestyourself for `env.Patch`, and `icmd.RunCommand` Signed-off-by: Vincent Demeester <vincent@sbr.pm> 2018-04-23 08:13:52 -04:00			`result := icmd.RunCommand("docker", "run", "--rm", image,`
			`"echo", "this", "is", "output")`
Add an end-to-end test for container run for testing attach, remove, and pull image when missing. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-09-01 17:52:41 -04:00
			`result.Assert(t, icmd.Success)`
Automated migration Signed-off-by: Daniel Nephin <dnephin@docker.com> 2018-03-05 18:53:52 -05:00			`assert.Check(t, is.Equal("this is output\n", result.Stdout()))`
Add an end-to-end test for container run for testing attach, remove, and pull image when missing. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-09-01 17:52:41 -04:00			`golden.Assert(t, result.Stderr(), "run-attached-from-remote-and-remove.golden")`
			`}`

Add more content trust tests Importing from moby's DockerTrustSuite tests. Signed-off-by: Vincent Demeester <vincent@sbr.pm> 2018-03-06 05:15:18 -05:00			`func TestRunWithContentTrust(t *testing.T) {`
Make e2e test image - Build image that contains everything needed to run e2e tests - Add ability to run e2e tests against an endpoint Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2018-05-17 07:11:59 -04:00			`skip.If(t, environment.RemoteDaemon())`

Add more content trust tests Importing from moby's DockerTrustSuite tests. Signed-off-by: Vincent Demeester <vincent@sbr.pm> 2018-03-06 05:15:18 -05:00			`dir := fixtures.SetupConfigFile(t)`
			`defer dir.Remove()`
			`image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-run", "latest")`

			`defer func() {`
			`icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)`
			`}()`

			`result := icmd.RunCmd(`
			`icmd.Command("docker", "run", image),`
			`fixtures.WithConfig(dir.Path()),`
			`fixtures.WithTrust,`
			`fixtures.WithNotary,`
			`)`
			`result.Assert(t, icmd.Expected{`
			`Err: fmt.Sprintf("Tagging %s@sha", image[:len(image)-7]),`
			`})`
			`}`

Add content trust tests for run command Signed-off-by: Guillaume Le Floch <glfloch@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-01-02 02:32:52 -05:00			`func TestUntrustedRun(t *testing.T) {`
			`dir := fixtures.SetupConfigFile(t)`
			`defer dir.Remove()`
			`image := registryPrefix + "/alpine:untrusted"`
			`// tag the image and upload it to the private registry`
			`icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)`
			`defer func() {`
			`icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)`
			`}()`

			`// try trusted run on untrusted tag`
			`result := icmd.RunCmd(`
			`icmd.Command("docker", "run", image),`
			`fixtures.WithConfig(dir.Path()),`
			`fixtures.WithTrust,`
			`fixtures.WithNotary,`
			`)`
			`result.Assert(t, icmd.Expected{`
			`ExitCode: 125,`
			`Err: "does not have trust data for",`
			`})`
			`}`

			`func TestTrustedRunFromBadTrustServer(t *testing.T) {`
			`evilImageName := registryPrefix + "/evil-alpine:latest"`
			`dir := fixtures.SetupConfigFile(t)`
			`defer dir.Remove()`

			`// tag the image and upload it to the private registry`
			`icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),`
			`fixtures.WithConfig(dir.Path()),`
			`).Assert(t, icmd.Success)`
			`icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),`
			`fixtures.WithConfig(dir.Path()),`
			`fixtures.WithPassphrase("root_password", "repo_password"),`
			`fixtures.WithTrust,`
			`fixtures.WithNotary,`
			`).Assert(t, icmd.Success)`
			`icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)`

			`// try run`
			`icmd.RunCmd(icmd.Command("docker", "run", evilImageName),`
			`fixtures.WithConfig(dir.Path()),`
			`fixtures.WithTrust,`
			`fixtures.WithNotary,`
			`).Assert(t, icmd.Success)`
			`icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)`

			`// init a client with the evil-server and a new trust dir`
			`evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)`
			`defer evilNotaryDir.Remove()`

			`// tag the same image and upload it to the private registry but signed with evil notary server`
			`icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),`
			`fixtures.WithConfig(evilNotaryDir.Path()),`
			`).Assert(t, icmd.Success)`
			`icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),`
			`fixtures.WithConfig(evilNotaryDir.Path()),`
			`fixtures.WithPassphrase("root_password", "repo_password"),`
			`fixtures.WithTrust,`
			`fixtures.WithNotaryServer(fixtures.EvilNotaryURL),`
			`).Assert(t, icmd.Success)`
			`icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)`

			`// try running with the original client from the evil notary server. This should failed`
			`// because the new root is invalid`
			`icmd.RunCmd(icmd.Command("docker", "run", evilImageName),`
			`fixtures.WithConfig(dir.Path()),`
			`fixtures.WithTrust,`
			`fixtures.WithNotaryServer(fixtures.EvilNotaryURL),`
			`).Assert(t, icmd.Expected{`
			`ExitCode: 125,`
			`Err: "could not rotate trust to a new trusted root",`
			`})`
			`}`

Add an end-to-end test for container run for testing attach, remove, and pull image when missing. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-09-01 17:52:41 -04:00			`// TODO: create this with registry API instead of engine API`
			`func createRemoteImage(t *testing.T) string {`
Add content trust tests for run command Signed-off-by: Guillaume Le Floch <glfloch@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-01-02 02:32:52 -05:00			`image := registryPrefix + "/alpine:test-run-pulls"`
e2e tests: refactor using fixtures Signed-off-by: Kyle Spiers <kyle@spiers.me> 2017-11-13 20:18:04 -05:00			`icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)`
			`icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)`
Add an end-to-end test for container run for testing attach, remove, and pull image when missing. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-09-01 17:52:41 -04:00			`icmd.RunCommand("docker", "push", image).Assert(t, icmd.Success)`
			`icmd.RunCommand("docker", "rmi", image).Assert(t, icmd.Success)`
			`return image`
			`}`