package container
import (
"fmt"
"testing"
"github.com/docker/cli/e2e/internal/fixtures"
"github.com/docker/cli/internal/test/environment"
"gotest.tools/icmd"
"gotest.tools/skip"
)
// TestCreateWithContentTrust runs `docker create` with content trust enabled
// against an image produced by the trusted-image fixture and expects the
// command to succeed while reporting on stderr that the image is being tagged
// by digest.
//
// The test is skipped when the daemon is remote.
func TestCreateWithContentTrust(t *testing.T) {
	skip.If(t, environment.RemoteDaemon())

	// The tag handed to the fixture below, with its separator.
	const tagSuffix = ":latest"

	cfgDir := fixtures.SetupConfigFile(t)
	defer cfgDir.Remove()

	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-create", "latest")
	// Remove the image again once the test is done; the removal must succeed.
	defer func() {
		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
	}()

	createCmd := icmd.Command("docker", "create", image)
	res := icmd.RunCmd(
		createCmd,
		fixtures.WithConfig(cfgDir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotary,
	)

	// NOTE(review): assumes the fixture returns a reference ending in
	// ":latest", so trimming len(tagSuffix) bytes leaves the repository name.
	// Confirm against the fixture.
	repo := image[:len(image)-len(tagSuffix)]

	// Only the "Tagging <repo>@sha" prefix is matched as a stderr substring;
	// the digest value itself is not compared, so this shows that a digest
	// reference was used, not which digest it was.
	want := icmd.Expected{
		Err: fmt.Sprintf("Tagging %s@sha", repo),
	}
	res.Assert(t, want)
}
// TestTrustedCreateFromUnreachableTrustServer checks the fail-closed path of
// content trust: with trust enabled and the notary server set to a host that
// cannot be reached, `docker create` must exit with code 1 and report
// "error contacting notary server" instead of creating the container without
// verification.
func TestTrustedCreateFromUnreachableTrustServer(t *testing.T) {
	cfgDir := fixtures.SetupConfigFile(t)
	defer cfgDir.Remove()

	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-create", "latest")

	// ".invalid" is a reserved top-level domain that never resolves, so this
	// address stands in for an unreachable trust server.
	createCmd := icmd.Command("docker", "create", image)
	res := icmd.RunCmd(
		createCmd,
		fixtures.WithConfig(cfgDir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotaryServer("https://notary.invalid"),
	)

	want := icmd.Expected{
		ExitCode: 1,
		Err:      "error contacting notary server",
	}
	res.Assert(t, want)
}
// TestTrustedCreateFromBadTrustServer checks that a client which has already
// used one notary server for an image refuses trust data for the same image
// name when it is served by a different ("evil") notary server.
//
// Sequence:
//  1. Tag and push the image, signed through the regular notary server, using
//     the first client configuration; `docker create` then succeeds.
//  2. With a second, fresh client configuration, push the same image name
//     signed through fixtures.EvilNotaryURL.
//  3. With the first client configuration, run `docker create` against the
//     evil notary server; it must exit with code 1 and report
//     "could not rotate trust to a new trusted root".
//
// NOTE(review): step 3 presumably relies on trust data kept with the first
// client configuration after step 1. Confirm against the fixtures.
func TestTrustedCreateFromBadTrustServer(t *testing.T) {
	evilImageName := "registry:5000/evil-alpine:latest"

	cfgDir := fixtures.SetupConfigFile(t)
	defer cfgDir.Remove()

	// Drops the local copy of the image; the removal must succeed.
	removeLocal := func() {
		icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
	}

	// tag the image and upload it to the private registry
	tagRes := icmd.RunCmd(
		icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
		fixtures.WithConfig(cfgDir.Path()),
	)
	tagRes.Assert(t, icmd.Success)

	// The passphrases are fixed values used only for the test's signing keys.
	pushRes := icmd.RunCmd(
		icmd.Command("docker", "image", "push", evilImageName),
		fixtures.WithConfig(cfgDir.Path()),
		fixtures.WithPassphrase("root_password", "repo_password"),
		fixtures.WithTrust,
		fixtures.WithNotary,
	)
	pushRes.Assert(t, icmd.Success)
	removeLocal()

	// try create
	createRes := icmd.RunCmd(
		icmd.Command("docker", "create", evilImageName),
		fixtures.WithConfig(cfgDir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotary,
	)
	createRes.Assert(t, icmd.Success)
	removeLocal()

	// init a client with the evil-server and a new trust dir
	evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)
	defer evilNotaryDir.Remove()

	// tag the same image and upload it to the private registry but signed with evil notary server
	evilTagRes := icmd.RunCmd(
		icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
		fixtures.WithConfig(evilNotaryDir.Path()),
	)
	evilTagRes.Assert(t, icmd.Success)

	evilPushRes := icmd.RunCmd(
		icmd.Command("docker", "image", "push", evilImageName),
		fixtures.WithConfig(evilNotaryDir.Path()),
		fixtures.WithPassphrase("root_password", "repo_password"),
		fixtures.WithTrust,
		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
	)
	evilPushRes.Assert(t, icmd.Success)
	removeLocal()

	// try creating with the original client from the evil notary server. This should fail
	// because the new root is invalid
	rejected := icmd.Expected{
		ExitCode: 1,
		Err:      "could not rotate trust to a new trusted root",
	}
	evilCreateRes := icmd.RunCmd(
		icmd.Command("docker", "create", evilImageName),
		fixtures.WithConfig(cfgDir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
	)
	evilCreateRes.Assert(t, rejected)
}