Guest24897
/
DockerCLI
mirror of https://github.com/docker/cli.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add content trust tests for run command 

Signed-off-by: Guillaume Le Floch <glfloch@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
glefloch 2019-01-02 07:32:52 +00:00 committed by Sebastiaan van Stijn
parent d443b74091
commit 348f24cae6
No known key found for this signature in database
GPG Key ID: 76698F39D527CE8C
1 changed files with 77 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
e2e/container/run_test.go
View File

@ -50,9 +50,85 @@ func TestRunWithContentTrust(t *testing.T) {
})
}
func TestUntrustedRun(t *testing.T) {
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
image := registryPrefix + "/alpine:untrusted"
// tag the image and upload it to the private registry
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
defer func() {
icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
}()
// try trusted run on untrusted tag
result := icmd.RunCmd(
icmd.Command("docker", "run", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
)
result.Assert(t, icmd.Expected{
ExitCode: 125,
Err: "does not have trust data for",
})
}
func TestTrustedRunFromBadTrustServer(t *testing.T) {
evilImageName := registryPrefix + "/evil-alpine:latest"
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
// tag the image and upload it to the private registry
icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
fixtures.WithConfig(dir.Path()),
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
fixtures.WithConfig(dir.Path()),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithTrust,
fixtures.WithNotary,
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
// try run
icmd.RunCmd(icmd.Command("docker", "run", evilImageName),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
// init a client with the evil-server and a new trust dir
evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)
defer evilNotaryDir.Remove()
// tag the same image and upload it to the private registry but signed with evil notary server
icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
fixtures.WithConfig(evilNotaryDir.Path()),
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
fixtures.WithConfig(evilNotaryDir.Path()),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithTrust,
fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
// try running with the original client from the evil notary server. This should failed
// because the new root is invalid
icmd.RunCmd(icmd.Command("docker", "run", evilImageName),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
).Assert(t, icmd.Expected{
ExitCode: 125,
Err: "could not rotate trust to a new trusted root",
})
}
// TODO: create this with registry API instead of engine API
func createRemoteImage(t *testing.T) string {
image := "registry:5000/alpine:test-run-pulls"
image := registryPrefix + "/alpine:test-run-pulls"
icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
icmd.RunCommand("docker", "push", image).Assert(t, icmd.Success)