mirror of https://github.com/docker/cli.git
Merge pull request #1596 from glefloch/951-run-trust-tests
Add content trust tests for run command
This commit is contained in:
commit
74fb129a73
|
@ -50,9 +50,85 @@ func TestRunWithContentTrust(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func TestUntrustedRun(t *testing.T) {
|
||||
dir := fixtures.SetupConfigFile(t)
|
||||
defer dir.Remove()
|
||||
image := registryPrefix + "/alpine:untrusted"
|
||||
// tag the image and upload it to the private registry
|
||||
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
|
||||
defer func() {
|
||||
icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
|
||||
}()
|
||||
|
||||
// try trusted run on untrusted tag
|
||||
result := icmd.RunCmd(
|
||||
icmd.Command("docker", "run", image),
|
||||
fixtures.WithConfig(dir.Path()),
|
||||
fixtures.WithTrust,
|
||||
fixtures.WithNotary,
|
||||
)
|
||||
result.Assert(t, icmd.Expected{
|
||||
ExitCode: 125,
|
||||
Err: "does not have trust data for",
|
||||
})
|
||||
}
|
||||
|
||||
func TestTrustedRunFromBadTrustServer(t *testing.T) {
|
||||
evilImageName := registryPrefix + "/evil-alpine:latest"
|
||||
dir := fixtures.SetupConfigFile(t)
|
||||
defer dir.Remove()
|
||||
|
||||
// tag the image and upload it to the private registry
|
||||
icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
|
||||
fixtures.WithConfig(dir.Path()),
|
||||
).Assert(t, icmd.Success)
|
||||
icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
|
||||
fixtures.WithConfig(dir.Path()),
|
||||
fixtures.WithPassphrase("root_password", "repo_password"),
|
||||
fixtures.WithTrust,
|
||||
fixtures.WithNotary,
|
||||
).Assert(t, icmd.Success)
|
||||
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
|
||||
|
||||
// try run
|
||||
icmd.RunCmd(icmd.Command("docker", "run", evilImageName),
|
||||
fixtures.WithConfig(dir.Path()),
|
||||
fixtures.WithTrust,
|
||||
fixtures.WithNotary,
|
||||
).Assert(t, icmd.Success)
|
||||
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
|
||||
|
||||
// init a client with the evil-server and a new trust dir
|
||||
evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)
|
||||
defer evilNotaryDir.Remove()
|
||||
|
||||
// tag the same image and upload it to the private registry but signed with evil notary server
|
||||
icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
|
||||
fixtures.WithConfig(evilNotaryDir.Path()),
|
||||
).Assert(t, icmd.Success)
|
||||
icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
|
||||
fixtures.WithConfig(evilNotaryDir.Path()),
|
||||
fixtures.WithPassphrase("root_password", "repo_password"),
|
||||
fixtures.WithTrust,
|
||||
fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
|
||||
).Assert(t, icmd.Success)
|
||||
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
|
||||
|
||||
// try running with the original client from the evil notary server. This should failed
|
||||
// because the new root is invalid
|
||||
icmd.RunCmd(icmd.Command("docker", "run", evilImageName),
|
||||
fixtures.WithConfig(dir.Path()),
|
||||
fixtures.WithTrust,
|
||||
fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
|
||||
).Assert(t, icmd.Expected{
|
||||
ExitCode: 125,
|
||||
Err: "could not rotate trust to a new trusted root",
|
||||
})
|
||||
}
|
||||
|
||||
// TODO: create this with registry API instead of engine API
|
||||
func createRemoteImage(t *testing.T) string {
|
||||
image := "registry:5000/alpine:test-run-pulls"
|
||||
image := registryPrefix + "/alpine:test-run-pulls"
|
||||
icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
|
||||
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
|
||||
icmd.RunCommand("docker", "push", image).Assert(t, icmd.Success)
|
||||
|
|
Loading…
Reference in New Issue