Guest24897
/
DockerCLI
mirror of https://github.com/docker/cli.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DockerCLI/cli/command/trust/inspect_test.go

479 lines
19 KiB
Go
Raw Blame History

package trust
import (
"encoding/hex"
"io/ioutil"
"testing"
"github.com/docker/cli/cli/trust"
"github.com/docker/cli/internal/test"
"github.com/docker/cli/internal/test/testutil"
dockerClient "github.com/docker/docker/client"
"github.com/docker/notary"
"github.com/docker/notary/client"
"github.com/docker/notary/tuf/data"
"github.com/stretchr/testify/assert"
)
type fakeClient struct {
dockerClient.Client
}
func TestTrustInspectCommandErrors(t *testing.T) {
testCases := []struct {
name string
args []string
expectedError string
}{
{
name: "not-enough-args",
expectedError: "requires exactly 1 argument",
},
{
name: "too-many-args",
args: []string{"remote1", "remote2"},
expectedError: "requires exactly 1 argument",
},
{
name: "sha-reference",
args: []string{"870d292919d01a0af7e7f056271dc78792c05f55f49b9b9012b6d89725bd9abd"},
expectedError: "invalid repository name",
},
{
name: "invalid-img-reference",
args: []string{"ALPINE"},
expectedError: "invalid reference format",
},
}
for _, tc := range testCases {
cmd := newInspectCommand(
test.NewFakeCli(&fakeClient{}))
cmd.SetArgs(tc.args)
cmd.SetOutput(ioutil.Discard)
testutil.ErrorContains(t, cmd.Execute(), tc.expectedError)
}
}
func TestTrustInspectCommandOfflineErrors(t *testing.T) {
cli := test.NewFakeCli(&fakeClient{})
cli.SetNotaryClient(getOfflineNotaryRepository)
cmd := newInspectCommand(cli)
cmd.SetArgs([]string{"nonexistent-reg-name.io/image"})
cmd.SetOutput(ioutil.Discard)
testutil.ErrorContains(t, cmd.Execute(), "No signatures or cannot access nonexistent-reg-name.io/image")
cli = test.NewFakeCli(&fakeClient{})
cli.SetNotaryClient(getOfflineNotaryRepository)
cmd = newInspectCommand(cli)
cmd.SetArgs([]string{"nonexistent-reg-name.io/image:tag"})
cmd.SetOutput(ioutil.Discard)
testutil.ErrorContains(t, cmd.Execute(), "No signatures or cannot access nonexistent-reg-name.io/image")
}
func TestTrustInspectCommandUninitializedErrors(t *testing.T) {
cli := test.NewFakeCli(&fakeClient{})
cli.SetNotaryClient(getUninitializedNotaryRepository)
cmd := newInspectCommand(cli)
cmd.SetArgs([]string{"reg/unsigned-img"})
cmd.SetOutput(ioutil.Discard)
testutil.ErrorContains(t, cmd.Execute(), "No signatures or cannot access reg/unsigned-img")
cli = test.NewFakeCli(&fakeClient{})
cli.SetNotaryClient(getUninitializedNotaryRepository)
cmd = newInspectCommand(cli)
cmd.SetArgs([]string{"reg/unsigned-img:tag"})
cmd.SetOutput(ioutil.Discard)
testutil.ErrorContains(t, cmd.Execute(), "No signatures or cannot access reg/unsigned-img:tag")
}
func TestTrustInspectCommandEmptyNotaryRepoErrors(t *testing.T) {
cli := test.NewFakeCli(&fakeClient{})
cli.SetNotaryClient(getEmptyTargetsNotaryRepository)
cmd := newInspectCommand(cli)
cmd.SetArgs([]string{"reg/img:unsigned-tag"})
cmd.SetOutput(ioutil.Discard)
assert.NoError(t, cmd.Execute())
assert.Contains(t, cli.OutBuffer().String(), "No signatures for reg/img:unsigned-tag")
assert.Contains(t, cli.OutBuffer().String(), "Administrative keys for reg/img:")
cli = test.NewFakeCli(&fakeClient{})
cli.SetNotaryClient(getEmptyTargetsNotaryRepository)
cmd = newInspectCommand(cli)
cmd.SetArgs([]string{"reg/img"})
cmd.SetOutput(ioutil.Discard)
assert.NoError(t, cmd.Execute())
assert.Contains(t, cli.OutBuffer().String(), "No signatures for reg/img")
assert.Contains(t, cli.OutBuffer().String(), "Administrative keys for reg/img:")
}
func TestTrustInspectCommandFullRepoWithoutSigners(t *testing.T) {
cli := test.NewFakeCli(&fakeClient{})
cli.SetNotaryClient(getLoadedWithNoSignersNotaryRepository)
cmd := newInspectCommand(cli)
cmd.SetArgs([]string{"signed-repo"})
assert.NoError(t, cmd.Execute())
// Check for the signed tag headers
assert.Contains(t, cli.OutBuffer().String(), "SIGNED TAG")
assert.Contains(t, cli.OutBuffer().String(), "DIGEST")
assert.Contains(t, cli.OutBuffer().String(), "SIGNERS")
// Check for the signer headers
assert.Contains(t, cli.OutBuffer().String(), "Administrative keys for signed-repo:")
assert.Contains(t, cli.OutBuffer().String(), "(Repo Admin)")
// no delegations on this repo
assert.NotContains(t, cli.OutBuffer().String(), "List of signers and their keys:")
}
func TestTrustInspectCommandOneTagWithoutSigners(t *testing.T) {
cli := test.NewFakeCli(&fakeClient{})
cli.SetNotaryClient(getLoadedWithNoSignersNotaryRepository)
cmd := newInspectCommand(cli)
cmd.SetArgs([]string{"signed-repo:green"})
assert.NoError(t, cmd.Execute())
assert.Contains(t, cli.OutBuffer().String(), "SIGNED TAG")
assert.Contains(t, cli.OutBuffer().String(), "DIGEST")
assert.Contains(t, cli.OutBuffer().String(), "SIGNERS")
// Check for the signer headers
assert.Contains(t, cli.OutBuffer().String(), "Administrative keys for signed-repo:")
// make sure the tag isn't included
assert.NotContains(t, cli.OutBuffer().String(), "Administrative keys for signed-repo:green")
assert.Contains(t, cli.OutBuffer().String(), "green")
assert.Contains(t, cli.OutBuffer().String(), "(Repo Admin)")
// no delegations on this repo
assert.NotContains(t, cli.OutBuffer().String(), "alice")
assert.NotContains(t, cli.OutBuffer().String(), "bob")
assert.NotContains(t, cli.OutBuffer().String(), "List of signers and their keys:")
}
func TestTrustInspectCommandFullRepoWithSigners(t *testing.T) {
cli := test.NewFakeCli(&fakeClient{})
cli.SetNotaryClient(getLoadedNotaryRepository)
cmd := newInspectCommand(cli)
cmd.SetArgs([]string{"signed-repo"})
assert.NoError(t, cmd.Execute())
// Check for the signed tag headers and contents
assert.Contains(t, cli.OutBuffer().String(), "SIGNED TAG")
assert.Contains(t, cli.OutBuffer().String(), "DIGEST")
assert.Contains(t, cli.OutBuffer().String(), "SIGNERS")
assert.Contains(t, cli.OutBuffer().String(), "blue 626c75652d646967657374 alice")
assert.Contains(t, cli.OutBuffer().String(), "green 677265656e2d646967657374 (Repo Admin)")
assert.Contains(t, cli.OutBuffer().String(), "red 7265642d646967657374 alice, bob")
// Check for the signer headers and contents
assert.Contains(t, cli.OutBuffer().String(), "List of signers and their keys:")
assert.Contains(t, cli.OutBuffer().String(), "SIGNER")
assert.Contains(t, cli.OutBuffer().String(), "KEYS")
assert.Contains(t, cli.OutBuffer().String(), "alice A")
assert.Contains(t, cli.OutBuffer().String(), "bob B")
assert.Contains(t, cli.OutBuffer().String(), "Administrative keys for signed-repo:")
}
func TestTrustInspectCommandUnsignedTagInSignedRepo(t *testing.T) {
cli := test.NewFakeCli(&fakeClient{})
cli.SetNotaryClient(getLoadedNotaryRepository)
cmd := newInspectCommand(cli)
cmd.SetArgs([]string{"signed-repo:unsigned"})
assert.NoError(t, cmd.Execute())
// Check that the signatures table does not show up, and instead we get the message
assert.Contains(t, cli.OutBuffer().String(), "No signatures for signed-repo:unsigned")
assert.NotContains(t, cli.OutBuffer().String(), "SIGNED TAG")
assert.NotContains(t, cli.OutBuffer().String(), "DIGEST")
assert.NotContains(t, cli.OutBuffer().String(), "SIGNERS")
// Check for the signer headers and contents
assert.Contains(t, cli.OutBuffer().String(), "List of signers and their keys:")
assert.Contains(t, cli.OutBuffer().String(), "SIGNER")
assert.Contains(t, cli.OutBuffer().String(), "KEYS")
assert.Contains(t, cli.OutBuffer().String(), "alice A")
assert.Contains(t, cli.OutBuffer().String(), "bob B")
assert.Contains(t, cli.OutBuffer().String(), "Administrative keys for signed-repo:")
assert.NotContains(t, cli.OutBuffer().String(), "Administrative keys for signed-repo:unsigned")
}
func TestNotaryRoleToSigner(t *testing.T) {
assert.Equal(t, releasedRoleName, notaryRoleToSigner(data.CanonicalTargetsRole))
assert.Equal(t, releasedRoleName, notaryRoleToSigner(trust.ReleasesRole))
assert.Equal(t, "signer", notaryRoleToSigner("targets/signer"))
assert.Equal(t, "docker/signer", notaryRoleToSigner("targets/docker/signer"))
// It's nonsense for other base roles to have signed off on a target, but this function leaves role names intact
for _, role := range data.BaseRoles {
if role == data.CanonicalTargetsRole {
continue
}
assert.Equal(t, role.String(), notaryRoleToSigner(role))
}
assert.Equal(t, "notarole", notaryRoleToSigner(data.RoleName("notarole")))
}
// check if a role name is "released": either targets/releases or targets TUF roles
func TestIsReleasedTarget(t *testing.T) {
assert.True(t, isReleasedTarget(trust.ReleasesRole))
for _, role := range data.BaseRoles {
assert.Equal(t, role == data.CanonicalTargetsRole, isReleasedTarget(role))
}
assert.False(t, isReleasedTarget(data.RoleName("targets/not-releases")))
assert.False(t, isReleasedTarget(data.RoleName("random")))
assert.False(t, isReleasedTarget(data.RoleName("targets/releases/subrole")))
}
// creates a mock delegation with a given name and no keys
func mockDelegationRoleWithName(name string) data.DelegationRole {
baseRole := data.NewBaseRole(
data.RoleName(name),
notary.MinThreshold,
)
return data.DelegationRole{baseRole, []string{}}
}
func TestMatchEmptySignatures(t *testing.T) {
// first try empty targets
emptyTgts := []client.TargetSignedStruct{}
matchedSigRows := matchReleasedSignatures(emptyTgts)
assert.Empty(t, matchedSigRows)
}
func TestMatchUnreleasedSignatures(t *testing.T) {
// try an "unreleased" target with 3 signatures, 0 rows will appear
unreleasedTgts := []client.TargetSignedStruct{}
tgt := client.Target{Name: "unreleased", Hashes: data.Hashes{notary.SHA256: []byte("hash")}}
for _, unreleasedRole := range []string{"targets/a", "targets/b", "targets/c"} {
unreleasedTgts = append(unreleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName(unreleasedRole), Target: tgt})
}
matchedSigRows := matchReleasedSignatures(unreleasedTgts)
assert.Empty(t, matchedSigRows)
}
func TestMatchOneReleasedSingleSignature(t *testing.T) {
// now try only 1 "released" target with no additional sigs, 1 row will appear with 0 signers
oneReleasedTgt := []client.TargetSignedStruct{}
// make and append the "released" target to our mock input
releasedTgt := client.Target{Name: "released", Hashes: data.Hashes{notary.SHA256: []byte("released-hash")}}
oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: releasedTgt})
// make and append 3 non-released signatures on the "unreleased" target
unreleasedTgt := client.Target{Name: "unreleased", Hashes: data.Hashes{notary.SHA256: []byte("hash")}}
for _, unreleasedRole := range []string{"targets/a", "targets/b", "targets/c"} {
oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName(unreleasedRole), Target: unreleasedTgt})
}
matchedSigRows := matchReleasedSignatures(oneReleasedTgt)
assert.Len(t, matchedSigRows, 1)
outputRow := matchedSigRows[0]
// Empty signers because "targets/releases" doesn't show up
assert.Empty(t, outputRow.Signers)
assert.Equal(t, releasedTgt.Name, outputRow.TagName)
assert.Equal(t, hex.EncodeToString(releasedTgt.Hashes[notary.SHA256]), outputRow.HashHex)
}
func TestMatchOneReleasedMultiSignature(t *testing.T) {
// now try only 1 "released" target with 3 additional sigs, 1 row will appear with 3 signers
oneReleasedTgt := []client.TargetSignedStruct{}
// make and append the "released" target to our mock input
releasedTgt := client.Target{Name: "released", Hashes: data.Hashes{notary.SHA256: []byte("released-hash")}}
oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: releasedTgt})
// make and append 3 non-released signatures on both the "released" and "unreleased" targets
unreleasedTgt := client.Target{Name: "unreleased", Hashes: data.Hashes{notary.SHA256: []byte("hash")}}
for _, unreleasedRole := range []string{"targets/a", "targets/b", "targets/c"} {
oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName(unreleasedRole), Target: unreleasedTgt})
oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName(unreleasedRole), Target: releasedTgt})
}
matchedSigRows := matchReleasedSignatures(oneReleasedTgt)
assert.Len(t, matchedSigRows, 1)
outputRow := matchedSigRows[0]
// We should have three signers
assert.Equal(t, outputRow.Signers, []string{"a", "b", "c"})
assert.Equal(t, releasedTgt.Name, outputRow.TagName)
assert.Equal(t, hex.EncodeToString(releasedTgt.Hashes[notary.SHA256]), outputRow.HashHex)
}
func TestMatchMultiReleasedMultiSignature(t *testing.T) {
// now try 3 "released" targets with additional sigs to show 3 rows as follows:
// target-a is signed by targets/releases and targets/a - a will be the signer
// target-b is signed by targets/releases, targets/a, targets/b - a and b will be the signers
// target-c is signed by targets/releases, targets/a, targets/b, targets/c - a, b, and c will be the signers
multiReleasedTgts := []client.TargetSignedStruct{}
// make target-a, target-b, and target-c
targetA := client.Target{Name: "target-a", Hashes: data.Hashes{notary.SHA256: []byte("target-a-hash")}}
targetB := client.Target{Name: "target-b", Hashes: data.Hashes{notary.SHA256: []byte("target-b-hash")}}
targetC := client.Target{Name: "target-c", Hashes: data.Hashes{notary.SHA256: []byte("target-c-hash")}}
// have targets/releases "sign" on all of these targets so they are released
multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: targetA})
multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: targetB})
multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: targetC})
// targets/a signs off on all three targets (target-a, target-b, target-c):
for _, tgt := range []client.Target{targetA, targetB, targetC} {
multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/a"), Target: tgt})
}
// targets/b signs off on the final two targets (target-b, target-c):
for _, tgt := range []client.Target{targetB, targetC} {
multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/b"), Target: tgt})
}
// targets/c only signs off on the last target (target-c):
multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/c"), Target: targetC})
matchedSigRows := matchReleasedSignatures(multiReleasedTgts)
assert.Len(t, matchedSigRows, 3)
// note that the output is sorted by tag name, so we can reliably index to validate data:
outputTargetA := matchedSigRows[0]
assert.Equal(t, outputTargetA.Signers, []string{"a"})
assert.Equal(t, targetA.Name, outputTargetA.TagName)
assert.Equal(t, hex.EncodeToString(targetA.Hashes[notary.SHA256]), outputTargetA.HashHex)
outputTargetB := matchedSigRows[1]
assert.Equal(t, outputTargetB.Signers, []string{"a", "b"})
assert.Equal(t, targetB.Name, outputTargetB.TagName)
assert.Equal(t, hex.EncodeToString(targetB.Hashes[notary.SHA256]), outputTargetB.HashHex)
outputTargetC := matchedSigRows[2]
assert.Equal(t, outputTargetC.Signers, []string{"a", "b", "c"})
assert.Equal(t, targetC.Name, outputTargetC.TagName)
assert.Equal(t, hex.EncodeToString(targetC.Hashes[notary.SHA256]), outputTargetC.HashHex)
}
func TestMatchReleasedSignatureFromTargets(t *testing.T) {
// now try only 1 "released" target with no additional sigs, one rows will appear
oneReleasedTgt := []client.TargetSignedStruct{}
// make and append the "released" target to our mock input
releasedTgt := client.Target{Name: "released", Hashes: data.Hashes{notary.SHA256: []byte("released-hash")}}
oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName(data.CanonicalTargetsRole.String()), Target: releasedTgt})
matchedSigRows := matchReleasedSignatures(oneReleasedTgt)
assert.Len(t, matchedSigRows, 1)
outputRow := matchedSigRows[0]
// Empty signers because "targets" doesn't show up
assert.Empty(t, outputRow.Signers)
assert.Equal(t, releasedTgt.Name, outputRow.TagName)
assert.Equal(t, hex.EncodeToString(releasedTgt.Hashes[notary.SHA256]), outputRow.HashHex)
}
func TestGetSignerRolesWithKeyIDs(t *testing.T) {
roles := []data.Role{
{
RootRole: data.RootRole{
KeyIDs: []string{"key11"},
},
Name: "targets/alice",
},
{
RootRole: data.RootRole{
KeyIDs: []string{"key21", "key22"},
},
Name: "targets/releases",
},
{
RootRole: data.RootRole{
KeyIDs: []string{"key31"},
},
Name: data.CanonicalTargetsRole,
},
{
RootRole: data.RootRole{
KeyIDs: []string{"key41", "key01"},
},
Name: data.CanonicalRootRole,
},
{
RootRole: data.RootRole{
KeyIDs: []string{"key51"},
},
Name: data.CanonicalSnapshotRole,
},
{
RootRole: data.RootRole{
KeyIDs: []string{"key61"},
},
Name: data.CanonicalTimestampRole,
},
{
RootRole: data.RootRole{
KeyIDs: []string{"key71", "key72"},
},
Name: "targets/bob",
},
}
expectedSignerRoleToKeyIDs := map[string][]string{
"alice": {"key11"},
"bob": {"key71", "key72"},
}
var roleWithSigs []client.RoleWithSignatures
for _, role := range roles {
roleWithSig := client.RoleWithSignatures{Role: role, Signatures: nil}
roleWithSigs = append(roleWithSigs, roleWithSig)
}
signerRoleToKeyIDs := getDelegationRoleToKeyMap(roles)
assert.Equal(t, expectedSignerRoleToKeyIDs, signerRoleToKeyIDs)
}
func TestFormatAdminRole(t *testing.T) {
aliceRole := data.Role{
RootRole: data.RootRole{
KeyIDs: []string{"key11"},
},
Name: "targets/alice",
}
aliceRoleWithSigs := client.RoleWithSignatures{Role: aliceRole, Signatures: nil}
assert.Equal(t, "", formatAdminRole(aliceRoleWithSigs))
releasesRole := data.Role{
RootRole: data.RootRole{
KeyIDs: []string{"key11"},
},
Name: "targets/releases",
}
releasesRoleWithSigs := client.RoleWithSignatures{Role: releasesRole, Signatures: nil}
assert.Equal(t, "", formatAdminRole(releasesRoleWithSigs))
timestampRole := data.Role{
RootRole: data.RootRole{
KeyIDs: []string{"key11"},
},
Name: data.CanonicalTimestampRole,
}
timestampRoleWithSigs := client.RoleWithSignatures{Role: timestampRole, Signatures: nil}
assert.Equal(t, "", formatAdminRole(timestampRoleWithSigs))
snapshotRole := data.Role{
RootRole: data.RootRole{
KeyIDs: []string{"key11"},
},
Name: data.CanonicalSnapshotRole,
}
snapshotRoleWithSigs := client.RoleWithSignatures{Role: snapshotRole, Signatures: nil}
assert.Equal(t, "", formatAdminRole(snapshotRoleWithSigs))
rootRole := data.Role{
RootRole: data.RootRole{
KeyIDs: []string{"key11"},
},
Name: data.CanonicalRootRole,
}
rootRoleWithSigs := client.RoleWithSignatures{Role: rootRole, Signatures: nil}
assert.Equal(t, "Root Key:\tkey11\n", formatAdminRole(rootRoleWithSigs))
targetsRole := data.Role{
RootRole: data.RootRole{
KeyIDs: []string{"key99", "abc", "key11"},
},
Name: data.CanonicalTargetsRole,
}
targetsRoleWithSigs := client.RoleWithSignatures{Role: targetsRole, Signatures: nil}
assert.Equal(t, "Repository Key:\tabc, key11, key99\n", formatAdminRole(targetsRoleWithSigs))
}
Reference in New Issue View Git Blame Copy Permalink