From 348f24cae682e1dc465bfb10e872e8de2a36321d Mon Sep 17 00:00:00 2001 From: glefloch Date: Wed, 2 Jan 2019 07:32:52 +0000 Subject: [PATCH] Add content trust tests for run command Signed-off-by: Guillaume Le Floch Signed-off-by: Sebastiaan van Stijn --- e2e/container/run_test.go | 78 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) diff --git a/e2e/container/run_test.go b/e2e/container/run_test.go index 68a3e40027..1c809eb0d5 100644 --- a/e2e/container/run_test.go +++ b/e2e/container/run_test.go @@ -50,9 +50,85 @@ func TestRunWithContentTrust(t *testing.T) { }) } +func TestUntrustedRun(t *testing.T) { + dir := fixtures.SetupConfigFile(t) + defer dir.Remove() + image := registryPrefix + "/alpine:untrusted" + // tag the image and upload it to the private registry + icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success) + defer func() { + icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success) + }() + + // try trusted run on untrusted tag + result := icmd.RunCmd( + icmd.Command("docker", "run", image), + fixtures.WithConfig(dir.Path()), + fixtures.WithTrust, + fixtures.WithNotary, + ) + result.Assert(t, icmd.Expected{ + ExitCode: 125, + Err: "does not have trust data for", + }) +} + +func TestTrustedRunFromBadTrustServer(t *testing.T) { + evilImageName := registryPrefix + "/evil-alpine:latest" + dir := fixtures.SetupConfigFile(t) + defer dir.Remove() + + // tag the image and upload it to the private registry + icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName), + fixtures.WithConfig(dir.Path()), + ).Assert(t, icmd.Success) + icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName), + fixtures.WithConfig(dir.Path()), + fixtures.WithPassphrase("root_password", "repo_password"), + fixtures.WithTrust, + fixtures.WithNotary, + ).Assert(t, icmd.Success) + icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success) + + // try run + icmd.RunCmd(icmd.Command("docker", "run", evilImageName), + fixtures.WithConfig(dir.Path()), + fixtures.WithTrust, + fixtures.WithNotary, + ).Assert(t, icmd.Success) + icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success) + + // init a client with the evil-server and a new trust dir + evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL) + defer evilNotaryDir.Remove() + + // tag the same image and upload it to the private registry but signed with evil notary server + icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName), + fixtures.WithConfig(evilNotaryDir.Path()), + ).Assert(t, icmd.Success) + icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName), + fixtures.WithConfig(evilNotaryDir.Path()), + fixtures.WithPassphrase("root_password", "repo_password"), + fixtures.WithTrust, + fixtures.WithNotaryServer(fixtures.EvilNotaryURL), + ).Assert(t, icmd.Success) + icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success) + + // try running with the original client from the evil notary server. This should failed + // because the new root is invalid + icmd.RunCmd(icmd.Command("docker", "run", evilImageName), + fixtures.WithConfig(dir.Path()), + fixtures.WithTrust, + fixtures.WithNotaryServer(fixtures.EvilNotaryURL), + ).Assert(t, icmd.Expected{ + ExitCode: 125, + Err: "could not rotate trust to a new trusted root", + }) +} + // TODO: create this with registry API instead of engine API func createRemoteImage(t *testing.T) string { - image := "registry:5000/alpine:test-run-pulls" + image := registryPrefix + "/alpine:test-run-pulls" icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success) icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success) icmd.RunCommand("docker", "push", image).Assert(t, icmd.Success)