package image
import (
"fmt"
"os"
"testing"
"github.com/gotestyourself/gotestyourself/golden"
"github.com/gotestyourself/gotestyourself/icmd"
)
// Endpoints and fixture images used by the content-trust tests in this file.
// NOTE(review): the host names are presumably resolved by the test
// environment — confirm against its setup.
const (
	// notaryURL is passed to docker as DOCKER_CONTENT_TRUST_SERVER.
	notaryURL = "https://notary-server:4443"
	// registryPrefix is the registry host:port that test image names are built under.
	registryPrefix = "registry:5000"
	// alpineImage is the image that gets retagged and pushed signed.
	alpineImage = "registry:5000/alpine:3.6"
	// busyboxImage is the image that gets retagged and pushed unsigned.
	busyboxImage = "registry:5000/busybox:1.27.2"
)
// TestPullWithContentTrust pulls, with content trust enabled on the client, a
// tag whose signed image was later overwritten in the registry by an unsigned
// push. The pull must exit cleanly with nothing on stderr, and its stdout must
// match the golden file.
func TestPullWithContentTrust(t *testing.T) {
	// After this call the registry tag points at the unsigned image; only the
	// earlier push was signed.
	maskedRef := createMaskedTrustedRemoteImage(t, "trust", "latest")

	pull := icmd.Command("docker", "pull", maskedRef)
	res := icmd.RunCmd(pull, withTrustNoPassphrase)
	res.Assert(t, icmd.Expected{Err: icmd.None})

	// NOTE(review): the golden file is presumably what pins the pull to the
	// signed image rather than the unsigned one at the same tag — confirm its
	// contents, since a successful exit alone does not show which was pulled.
	golden.Assert(t, res.Stdout(), "pull-with-content-trust.golden")
}
// createMaskedTrustedRemoteImage pushes a content-trust-signed image to
// repo:tag, then pushes a different, unsigned image to the same tag. It
// returns the image reference shared by both pushes.
func createMaskedTrustedRemoteImage(t *testing.T, repo, tag string) string {
	ref := createTrustedRemoteImage(t, repo, tag)
	// Second push to the same reference, this time through the helper that
	// adds no content-trust environment.
	createNamedUnsignedImageFromBusyBox(t, ref)
	return ref
}
// createTrustedRemoteImage tags alpineImage as registryPrefix/repo:tag, pushes
// it with content trust enabled, removes the local tag, and returns the image
// reference. Each docker command must succeed or the test fails.
func createTrustedRemoteImage(t *testing.T, repo, tag string) string {
	ref := fmt.Sprintf("%s/%s:%s", registryPrefix, repo, tag)

	icmd.RunCommand("docker", "pull", alpineImage).Assert(t, icmd.Success)
	icmd.RunCommand("docker", "tag", alpineImage, ref).Assert(t, icmd.Success)

	// Fixed passphrases for the root and repository keys; these are test
	// fixtures, not secrets.
	signed := withTrustAndPassphrase("root_password", "repo_password")
	icmd.RunCmd(icmd.Command("docker", "push", ref), signed).Assert(t, icmd.Success)

	// Remove the local tag, presumably so a later pull of ref has to be
	// resolved remotely rather than from the local image store.
	icmd.RunCommand("docker", "rmi", ref).Assert(t, icmd.Success)
	return ref
}
// createNamedUnsignedImageFromBusyBox tags busyboxImage as image, pushes it
// without adding any content-trust settings, and removes the local tag. Each
// docker command must succeed or the test fails.
func createNamedUnsignedImageFromBusyBox(t *testing.T, image string) {
	// NOTE(review): no environment is set on these commands, so the push is
	// unsigned only if the runner's own environment does not enable content
	// trust — confirm for the CI setup.
	steps := [][]string{
		{"pull", busyboxImage},
		{"tag", busyboxImage, image},
		{"push", image},
		{"rmi", image},
	}
	for _, args := range steps {
		icmd.RunCommand("docker", args...).Assert(t, icmd.Success)
	}
}
// withTrustAndPassphrase returns a command modifier that appends the current
// process environment to cmd.Env, followed by the content-trust settings:
// trust enabled, the notary server URL, and the root and repository key
// passphrases.
func withTrustAndPassphrase(rootPwd, repositoryPwd string) func(cmd *icmd.Cmd) {
	// The passphrases travel in the environment, so the spawned command (and
	// anything able to read its environment) can see them; callers in this
	// file pass only fixed test values.
	trustVars := []string{
		"DOCKER_CONTENT_TRUST=1",
		"DOCKER_CONTENT_TRUST_SERVER=" + notaryURL,
		"DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=" + rootPwd,
		"DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=" + repositoryPwd,
	}
	return func(cmd *icmd.Cmd) {
		// Inherited variables first, trust settings after them.
		cmd.Env = append(cmd.Env, os.Environ()...)
		cmd.Env = append(cmd.Env, trustVars...)
	}
}
// withTrustNoPassphrase is a command modifier that appends the current process
// environment to cmd.Env, followed by the settings that enable content trust
// and point it at the notary server. It sets no key passphrases.
func withTrustNoPassphrase(cmd *icmd.Cmd) {
	trustVars := []string{
		"DOCKER_CONTENT_TRUST=1",
		"DOCKER_CONTENT_TRUST_SERVER=" + notaryURL,
	}
	// Inherited variables first, trust settings after them.
	cmd.Env = append(cmd.Env, os.Environ()...)
	cmd.Env = append(cmd.Env, trustVars...)
}