mirror of https://github.com/docker/cli.git
310 lines
11 KiB
Go
310 lines
11 KiB
Go
package trust
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"io/ioutil"
|
|
"os"
|
|
"runtime"
|
|
"testing"
|
|
|
|
"github.com/docker/cli/cli/config"
|
|
"github.com/docker/cli/cli/trust"
|
|
"github.com/docker/cli/internal/test"
|
|
notaryfake "github.com/docker/cli/internal/test/notary"
|
|
"github.com/theupdateframework/notary"
|
|
"github.com/theupdateframework/notary/client"
|
|
"github.com/theupdateframework/notary/client/changelist"
|
|
"github.com/theupdateframework/notary/passphrase"
|
|
"github.com/theupdateframework/notary/trustpinning"
|
|
"github.com/theupdateframework/notary/tuf/data"
|
|
"gotest.tools/assert"
|
|
is "gotest.tools/assert/cmp"
|
|
"gotest.tools/skip"
|
|
)
|
|
|
|
const passwd = "password"
|
|
|
|
func TestTrustSignCommandErrors(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
args []string
|
|
expectedError string
|
|
}{
|
|
{
|
|
name: "not-enough-args",
|
|
expectedError: "requires exactly 1 argument",
|
|
},
|
|
{
|
|
name: "too-many-args",
|
|
args: []string{"image", "tag"},
|
|
expectedError: "requires exactly 1 argument",
|
|
},
|
|
{
|
|
name: "sha-reference",
|
|
args: []string{"870d292919d01a0af7e7f056271dc78792c05f55f49b9b9012b6d89725bd9abd"},
|
|
expectedError: "invalid repository name",
|
|
},
|
|
{
|
|
name: "invalid-img-reference",
|
|
args: []string{"ALPINE:latest"},
|
|
expectedError: "invalid reference format",
|
|
},
|
|
{
|
|
name: "no-tag",
|
|
args: []string{"reg/img"},
|
|
expectedError: "No tag specified for reg/img",
|
|
},
|
|
{
|
|
name: "digest-reference",
|
|
args: []string{"ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2"},
|
|
expectedError: "cannot use a digest reference for IMAGE:TAG",
|
|
},
|
|
}
|
|
// change to a tmpdir
|
|
tmpDir, err := ioutil.TempDir("", "docker-sign-test-")
|
|
assert.NilError(t, err)
|
|
defer os.RemoveAll(tmpDir)
|
|
config.SetDir(tmpDir)
|
|
for _, tc := range testCases {
|
|
cmd := newSignCommand(
|
|
test.NewFakeCli(&fakeClient{}))
|
|
cmd.SetArgs(tc.args)
|
|
cmd.SetOutput(ioutil.Discard)
|
|
assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
|
|
}
|
|
}
|
|
|
|
func TestTrustSignCommandOfflineErrors(t *testing.T) {
|
|
cli := test.NewFakeCli(&fakeClient{})
|
|
cli.SetNotaryClient(notaryfake.GetOfflineNotaryRepository)
|
|
cmd := newSignCommand(cli)
|
|
cmd.SetArgs([]string{"reg-name.io/image:tag"})
|
|
cmd.SetOutput(ioutil.Discard)
|
|
assert.ErrorContains(t, cmd.Execute(), "client is offline")
|
|
}
|
|
|
|
func TestGetOrGenerateNotaryKey(t *testing.T) {
|
|
tmpDir, err := ioutil.TempDir("", "notary-test-")
|
|
assert.NilError(t, err)
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
|
|
assert.NilError(t, err)
|
|
|
|
// repo is empty, try making a root key
|
|
rootKeyA, err := getOrGenerateNotaryKey(notaryRepo, data.CanonicalRootRole)
|
|
assert.NilError(t, err)
|
|
assert.Check(t, rootKeyA != nil)
|
|
|
|
// we should only have one newly generated key
|
|
allKeys := notaryRepo.GetCryptoService().ListAllKeys()
|
|
assert.Check(t, is.Len(allKeys, 1))
|
|
assert.Check(t, notaryRepo.GetCryptoService().GetKey(rootKeyA.ID()) != nil)
|
|
|
|
// this time we should get back the same key if we ask for another root key
|
|
rootKeyB, err := getOrGenerateNotaryKey(notaryRepo, data.CanonicalRootRole)
|
|
assert.NilError(t, err)
|
|
assert.Check(t, rootKeyB != nil)
|
|
|
|
// we should only have one newly generated key
|
|
allKeys = notaryRepo.GetCryptoService().ListAllKeys()
|
|
assert.Check(t, is.Len(allKeys, 1))
|
|
assert.Check(t, notaryRepo.GetCryptoService().GetKey(rootKeyB.ID()) != nil)
|
|
|
|
// The key we retrieved should be identical to the one we generated
|
|
assert.Check(t, is.DeepEqual(rootKeyA.Public(), rootKeyB.Public()))
|
|
|
|
// Now also try with a delegation key
|
|
releasesKey, err := getOrGenerateNotaryKey(notaryRepo, trust.ReleasesRole)
|
|
assert.NilError(t, err)
|
|
assert.Check(t, releasesKey != nil)
|
|
|
|
// we should now have two keys
|
|
allKeys = notaryRepo.GetCryptoService().ListAllKeys()
|
|
assert.Check(t, is.Len(allKeys, 2))
|
|
assert.Check(t, notaryRepo.GetCryptoService().GetKey(releasesKey.ID()) != nil)
|
|
// The key we retrieved should be identical to the one we generated
|
|
assert.Check(t, releasesKey != rootKeyA)
|
|
assert.Check(t, releasesKey != rootKeyB)
|
|
}
|
|
|
|
func TestAddStageSigners(t *testing.T) {
|
|
skip.If(t, runtime.GOOS == "windows", "FIXME: not supported currently")
|
|
tmpDir, err := ioutil.TempDir("", "notary-test-")
|
|
assert.NilError(t, err)
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
|
|
assert.NilError(t, err)
|
|
|
|
// stage targets/user
|
|
userRole := data.RoleName("targets/user")
|
|
userKey := data.NewPublicKey("algoA", []byte("a"))
|
|
err = addStagedSigner(notaryRepo, userRole, []data.PublicKey{userKey})
|
|
assert.NilError(t, err)
|
|
// check the changelist for four total changes: two on targets/releases and two on targets/user
|
|
cl, err := notaryRepo.GetChangelist()
|
|
assert.NilError(t, err)
|
|
changeList := cl.List()
|
|
assert.Check(t, is.Len(changeList, 4))
|
|
// ordering is deterministic:
|
|
|
|
// first change is for targets/user key creation
|
|
newSignerKeyChange := changeList[0]
|
|
expectedJSON, err := json.Marshal(&changelist.TUFDelegation{
|
|
NewThreshold: notary.MinThreshold,
|
|
AddKeys: data.KeyList([]data.PublicKey{userKey}),
|
|
})
|
|
assert.NilError(t, err)
|
|
expectedChange := changelist.NewTUFChange(
|
|
changelist.ActionCreate,
|
|
userRole,
|
|
changelist.TypeTargetsDelegation,
|
|
"", // no path for delegations
|
|
expectedJSON,
|
|
)
|
|
assert.Check(t, is.DeepEqual(expectedChange, newSignerKeyChange))
|
|
|
|
// second change is for targets/user getting all paths
|
|
newSignerPathsChange := changeList[1]
|
|
expectedJSON, err = json.Marshal(&changelist.TUFDelegation{
|
|
AddPaths: []string{""},
|
|
})
|
|
assert.NilError(t, err)
|
|
expectedChange = changelist.NewTUFChange(
|
|
changelist.ActionCreate,
|
|
userRole,
|
|
changelist.TypeTargetsDelegation,
|
|
"", // no path for delegations
|
|
expectedJSON,
|
|
)
|
|
assert.Check(t, is.DeepEqual(expectedChange, newSignerPathsChange))
|
|
|
|
releasesRole := data.RoleName("targets/releases")
|
|
|
|
// third change is for targets/releases key creation
|
|
releasesKeyChange := changeList[2]
|
|
expectedJSON, err = json.Marshal(&changelist.TUFDelegation{
|
|
NewThreshold: notary.MinThreshold,
|
|
AddKeys: data.KeyList([]data.PublicKey{userKey}),
|
|
})
|
|
assert.NilError(t, err)
|
|
expectedChange = changelist.NewTUFChange(
|
|
changelist.ActionCreate,
|
|
releasesRole,
|
|
changelist.TypeTargetsDelegation,
|
|
"", // no path for delegations
|
|
expectedJSON,
|
|
)
|
|
assert.Check(t, is.DeepEqual(expectedChange, releasesKeyChange))
|
|
|
|
// fourth change is for targets/releases getting all paths
|
|
releasesPathsChange := changeList[3]
|
|
expectedJSON, err = json.Marshal(&changelist.TUFDelegation{
|
|
AddPaths: []string{""},
|
|
})
|
|
assert.NilError(t, err)
|
|
expectedChange = changelist.NewTUFChange(
|
|
changelist.ActionCreate,
|
|
releasesRole,
|
|
changelist.TypeTargetsDelegation,
|
|
"", // no path for delegations
|
|
expectedJSON,
|
|
)
|
|
assert.Check(t, is.DeepEqual(expectedChange, releasesPathsChange))
|
|
}
|
|
|
|
func TestGetSignedManifestHashAndSize(t *testing.T) {
|
|
tmpDir, err := ioutil.TempDir("", "notary-test-")
|
|
assert.NilError(t, err)
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
|
|
assert.NilError(t, err)
|
|
target := &client.Target{}
|
|
target.Hashes, target.Length, err = getSignedManifestHashAndSize(notaryRepo, "test")
|
|
assert.Error(t, err, "client is offline")
|
|
}
|
|
|
|
func TestGetReleasedTargetHashAndSize(t *testing.T) {
|
|
oneReleasedTgt := []client.TargetSignedStruct{}
|
|
// make and append 3 non-released signatures on the "unreleased" target
|
|
unreleasedTgt := client.Target{Name: "unreleased", Hashes: data.Hashes{notary.SHA256: []byte("hash")}}
|
|
for _, unreleasedRole := range []string{"targets/a", "targets/b", "targets/c"} {
|
|
oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName(unreleasedRole), Target: unreleasedTgt})
|
|
}
|
|
_, _, err := getReleasedTargetHashAndSize(oneReleasedTgt, "unreleased")
|
|
assert.Error(t, err, "No valid trust data for unreleased")
|
|
releasedTgt := client.Target{Name: "released", Hashes: data.Hashes{notary.SHA256: []byte("released-hash")}}
|
|
oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: releasedTgt})
|
|
hash, _, _ := getReleasedTargetHashAndSize(oneReleasedTgt, "unreleased")
|
|
assert.Check(t, is.DeepEqual(data.Hashes{notary.SHA256: []byte("released-hash")}, hash))
|
|
|
|
}
|
|
|
|
func TestCreateTarget(t *testing.T) {
|
|
tmpDir, err := ioutil.TempDir("", "notary-test-")
|
|
assert.NilError(t, err)
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
|
|
assert.NilError(t, err)
|
|
_, err = createTarget(notaryRepo, "")
|
|
assert.Error(t, err, "No tag specified")
|
|
_, err = createTarget(notaryRepo, "1")
|
|
assert.Error(t, err, "client is offline")
|
|
}
|
|
|
|
func TestGetExistingSignatureInfoForReleasedTag(t *testing.T) {
|
|
tmpDir, err := ioutil.TempDir("", "notary-test-")
|
|
assert.NilError(t, err)
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
|
|
assert.NilError(t, err)
|
|
_, err = getExistingSignatureInfoForReleasedTag(notaryRepo, "test")
|
|
assert.Error(t, err, "client is offline")
|
|
}
|
|
|
|
func TestPrettyPrintExistingSignatureInfo(t *testing.T) {
|
|
buf := bytes.NewBuffer(nil)
|
|
signers := []string{"Bob", "Alice", "Carol"}
|
|
existingSig := trustTagRow{trustTagKey{"tagName", "abc123"}, signers}
|
|
prettyPrintExistingSignatureInfo(buf, existingSig)
|
|
|
|
assert.Check(t, is.Contains(buf.String(), "Existing signatures for tag tagName digest abc123 from:\nAlice, Bob, Carol"))
|
|
}
|
|
|
|
func TestSignCommandChangeListIsCleanedOnError(t *testing.T) {
|
|
tmpDir, err := ioutil.TempDir("", "docker-sign-test-")
|
|
assert.NilError(t, err)
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
config.SetDir(tmpDir)
|
|
cli := test.NewFakeCli(&fakeClient{})
|
|
cli.SetNotaryClient(notaryfake.GetLoadedNotaryRepository)
|
|
cmd := newSignCommand(cli)
|
|
cmd.SetArgs([]string{"ubuntu:latest"})
|
|
cmd.SetOutput(ioutil.Discard)
|
|
|
|
err = cmd.Execute()
|
|
assert.Assert(t, err != nil)
|
|
|
|
notaryRepo, err := client.NewFileCachedRepository(tmpDir, "docker.io/library/ubuntu", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
|
|
assert.NilError(t, err)
|
|
cl, err := notaryRepo.GetChangelist()
|
|
assert.NilError(t, err)
|
|
assert.Check(t, is.Equal(len(cl.List()), 0))
|
|
}
|
|
|
|
func TestSignCommandLocalFlag(t *testing.T) {
|
|
cli := test.NewFakeCli(&fakeClient{})
|
|
cli.SetNotaryClient(notaryfake.GetEmptyTargetsNotaryRepository)
|
|
cmd := newSignCommand(cli)
|
|
cmd.SetArgs([]string{"--local", "reg-name.io/image:red"})
|
|
cmd.SetOutput(ioutil.Discard)
|
|
assert.ErrorContains(t, cmd.Execute(), "error contacting notary server: dial tcp: lookup reg-name.io")
|
|
|
|
}
|