p4u1/docker-cli
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

e2e: remove DCT tests

Browse Source 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
2025-10-28 20:28:38 +01:00
parent 918ec8c48a
commit c98d9647d3
36 changed files with 6 additions and 1453 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
e2e/compose-env.yaml
View File

@ -9,19 +9,3 @@ services:
command: ['--insecure-registry=registry:5000', '--experimental']
environment:
- DOCKER_TLS_CERTDIR=
notary-server:
build:
context: ./testdata
dockerfile: Dockerfile.notary-server
ports:
- 4443:4443
command: ['notary-server', '-config=/fixtures/notary-config.json']
evil-notary-server:
build:
context: ./testdata
dockerfile: Dockerfile.evil-notary-server
ports:
- 4444:4443
command: ['notary-server', '-config=/fixtures/notary-config.json']

95
e2e/container/create_test.go
View File

@ -1,107 +1,12 @@
package container
import (
"fmt"
"testing"
"github.com/docker/cli/e2e/internal/fixtures"
"github.com/docker/cli/internal/test/environment"
"gotest.tools/v3/icmd"
"gotest.tools/v3/skip"
)
func TestCreateWithContentTrust(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-create", "latest")
defer func() {
icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
}()
result := icmd.RunCmd(
icmd.Command("docker", "create", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
)
result.Assert(t, icmd.Expected{
Err: fmt.Sprintf("Tagging %s@sha", image[:len(image)-7]),
})
}
func TestTrustedCreateFromUnreachableTrustServer(t *testing.T) {
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-create", "latest")
result := icmd.RunCmd(
icmd.Command("docker", "create", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotaryServer("https://notary.invalid"),
)
result.Assert(t, icmd.Expected{
ExitCode: 1,
Err: "error contacting notary server",
})
}
func TestTrustedCreateFromBadTrustServer(t *testing.T) {
evilImageName := "registry:5000/evil-alpine:latest"
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
// tag the image and upload it to the private registry
icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
fixtures.WithConfig(dir.Path()),
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
fixtures.WithConfig(dir.Path()),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithTrust,
fixtures.WithNotary,
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
// try create
icmd.RunCmd(icmd.Command("docker", "create", evilImageName),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
// init a client with the evil-server and a new trust dir
evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)
defer evilNotaryDir.Remove()
// tag the same image and upload it to the private registry but signed with evil notary server
icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
fixtures.WithConfig(evilNotaryDir.Path()),
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
fixtures.WithConfig(evilNotaryDir.Path()),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithTrust,
fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
// try creating with the original client from the evil notary server. This should failed
// because the new root is invalid
icmd.RunCmd(icmd.Command("docker", "create", evilImageName),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
).Assert(t, icmd.Expected{
ExitCode: 1,
Err: "could not rotate trust to a new trusted root",
})
}
func TestCreateWithEmptySourceVolume(t *testing.T) {
icmd.RunCmd(icmd.Command("docker", "create", "-v", ":/volume", fixtures.AlpineImage)).
Assert(t, icmd.Expected{

99
e2e/container/run_test.go
View File

@ -2,7 +2,6 @@ package container
import (
"bytes"
"fmt"
"io"
"math/rand"
"os/exec"
@ -90,104 +89,6 @@ func TestRunInvalidEntrypointWithAutoremove(t *testing.T) {
}
}
func TestRunWithContentTrust(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-run", "latest")
defer func() {
icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
}()
result := icmd.RunCmd(
icmd.Command("docker", "run", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
)
result.Assert(t, icmd.Expected{
Err: fmt.Sprintf("Tagging %s@sha", image[:len(image)-7]),
})
}
func TestUntrustedRun(t *testing.T) {
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
image := registryPrefix + "/alpine:untrusted"
// tag the image and upload it to the private registry
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
defer func() {
icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
}()
// try trusted run on untrusted tag
result := icmd.RunCmd(
icmd.Command("docker", "run", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
)
result.Assert(t, icmd.Expected{
ExitCode: 125,
Err: "does not have trust data for",
})
}
func TestTrustedRunFromBadTrustServer(t *testing.T) {
evilImageName := registryPrefix + "/evil-alpine:latest"
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
// tag the image and upload it to the private registry
icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
fixtures.WithConfig(dir.Path()),
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
fixtures.WithConfig(dir.Path()),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithTrust,
fixtures.WithNotary,
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
// try run
icmd.RunCmd(icmd.Command("docker", "run", evilImageName),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
// init a client with the evil-server and a new trust dir
evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)
defer evilNotaryDir.Remove()
// tag the same image and upload it to the private registry but signed with evil notary server
icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
fixtures.WithConfig(evilNotaryDir.Path()),
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
fixtures.WithConfig(evilNotaryDir.Path()),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithTrust,
fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
// try running with the original client from the evil notary server. This should failed
// because the new root is invalid
icmd.RunCmd(icmd.Command("docker", "run", evilImageName),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
).Assert(t, icmd.Expected{
ExitCode: 125,
Err: "could not rotate trust to a new trusted root",
})
}
// TODO: create this with registry API instead of engine API
func createRemoteImage(t *testing.T) string {
t.Helper()

8
e2e/global/cli_test.go
View File

@ -89,7 +89,6 @@ func TestPromptExitCode(t *testing.T) {
defaultCmdOpts := []icmd.CmdOp{
fixtures.WithConfig(dir.Path()),
fixtures.WithNotary,
}
testCases := []struct {
@ -131,13 +130,6 @@ func TestPromptExitCode(t *testing.T) {
return icmd.Command("docker", "system", "prune")
},
},
{
name: "revoke trust",
run: func(t *testing.T) icmd.Cmd {
t.Helper()
return icmd.Command("docker", "trust", "revoke", "example/trust-demo")
},
},
{
name: "plugin install",
run: func(t *testing.T) icmd.Cmd {

67
e2e/image/pull_test.go
View File

@ -4,81 +4,16 @@ import (
"testing"
"github.com/docker/cli/e2e/internal/fixtures"
"github.com/docker/cli/internal/test/environment"
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/golden"
"gotest.tools/v3/icmd"
"gotest.tools/v3/skip"
)
const registryPrefix = "registry:5000"
func TestPullWithContentTrust(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
// Digests in golden files are linux/amd64 specific.
// TODO: Fix this test and make it work on all platforms.
environment.SkipIfNotPlatform(t, "linux/amd64")
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-pull", "latest")
defer func() {
icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
}()
result := icmd.RunCmd(icmd.Command("docker", "pull", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
)
result.Assert(t, icmd.Success)
golden.Assert(t, result.Stderr(), "pull-with-content-trust-err.golden")
golden.Assert(t, result.Stdout(), "pull-with-content-trust.golden")
}
func TestPullQuiet(t *testing.T) {
result := icmd.RunCommand("docker", "pull", "--quiet", fixtures.AlpineImage)
result.Assert(t, icmd.Success)
assert.Check(t, is.Equal(result.Stdout(), "registry:5000/alpine:frozen\n"))
assert.Check(t, is.Equal(result.Stdout(), registryPrefix+"/alpine:frozen\n"))
assert.Check(t, is.Equal(result.Stderr(), ""))
}
func TestPullWithContentTrustUsesCacheWhenNotaryUnavailable(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-pull-unreachable", "latest")
defer func() {
icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
}()
result := icmd.RunCmd(icmd.Command("docker", "pull", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotaryServer("https://invalidnotaryserver"),
)
result.Assert(t, icmd.Expected{
ExitCode: 1,
Err: "error contacting notary server",
})
// Do valid trusted pull to warm cache
result = icmd.RunCmd(icmd.Command("docker", "pull", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
)
result.Assert(t, icmd.Success)
result = icmd.RunCommand("docker", "rmi", image)
result.Assert(t, icmd.Success)
// Try pull again with invalid notary server, should use cache
result = icmd.RunCmd(icmd.Command("docker", "pull", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotaryServer("https://invalidnotaryserver"),
)
result.Assert(t, icmd.Success)
}

422
e2e/image/push_test.go
View File

@ -1,85 +1,11 @@
package image
import (
"fmt"
"os"
"strings"
"testing"
"github.com/docker/cli/e2e/internal/fixtures"
"github.com/docker/cli/internal/test/environment"
"github.com/docker/cli/internal/test/output"
"gotest.tools/v3/assert"
"gotest.tools/v3/fs"
"gotest.tools/v3/golden"
"gotest.tools/v3/icmd"
"gotest.tools/v3/skip"
)
const (
notary = "/usr/local/bin/notary"
pubkey1 = "./testdata/notary/delgkey1.crt"
privkey1 = "./testdata/notary/delgkey1.key"
pubkey2 = "./testdata/notary/delgkey2.crt"
privkey2 = "./testdata/notary/delgkey2.key"
pubkey3 = "./testdata/notary/delgkey3.crt"
privkey3 = "./testdata/notary/delgkey3.key"
pubkey4 = "./testdata/notary/delgkey4.crt"
privkey4 = "./testdata/notary/delgkey4.key"
)
func TestPushAllTags(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
// Compared digests are linux/amd64 specific.
// TODO: Fix this test and make it work on all platforms.
environment.SkipIfNotPlatform(t, "linux/amd64")
_ = createImage(t, "push-all-tags", "latest", "v1", "v1.0", "v1.0.1")
result := icmd.RunCmd(icmd.Command("docker", "push", "--all-tags", registryPrefix+"/push-all-tags"))
result.Assert(t, icmd.Success)
golden.Assert(t, result.Stderr(), "push-with-content-trust-err.golden")
output.Assert(t, result.Stdout(), map[int]func(string) error{
0: output.Equals("The push refers to repository [registry:5000/push-all-tags]"),
1: output.Equals("7cd52847ad77: Preparing"),
3: output.Equals("latest: digest: sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501 size: 528"),
6: output.Equals("v1: digest: sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501 size: 528"),
9: output.Equals("v1.0: digest: sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501 size: 528"),
12: output.Equals("v1.0.1: digest: sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501 size: 528"),
})
}
func TestPushWithContentTrust(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
// Compared digests are linux/amd64 specific.
// TODO: Fix this test and make it work on all platforms.
environment.SkipIfNotPlatform(t, "linux/amd64")
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
image := createImage(t, "trust-push", "latest")
result := icmd.RunCmd(icmd.Command("docker", "push", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
fixtures.WithPassphrase("foo", "bar"),
)
result.Assert(t, icmd.Success)
golden.Assert(t, result.Stderr(), "push-with-content-trust-err.golden")
output.Assert(t, result.Stdout(), map[int]func(string) error{
0: output.Equals("The push refers to repository [registry:5000/trust-push]"),
1: output.Equals("7cd52847ad77: Preparing"),
3: output.Equals("latest: digest: sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501 size: 528"),
4: output.Equals("Signing and pushing trust metadata"),
5: output.Equals(`Finished initializing "registry:5000/trust-push"`),
6: output.Equals("Successfully signed registry:5000/trust-push:latest"),
})
}
func TestPushQuietErrors(t *testing.T) {
result := icmd.RunCmd(icmd.Command("docker", "push", "--quiet", "nosuchimage"))
result.Assert(t, icmd.Expected{
@ -87,351 +13,3 @@ func TestPushQuietErrors(t *testing.T) {
Err: "An image does not exist locally with the tag: nosuchimage",
})
}
func TestPushWithContentTrustUnreachableServer(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
image := createImage(t, "trust-push-unreachable", "latest")
result := icmd.RunCmd(icmd.Command("docker", "push", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotaryServer("https://invalidnotaryserver"),
)
result.Assert(t, icmd.Expected{
ExitCode: 1,
Err: "error contacting notary server",
})
}
func TestPushWithContentTrustExistingTag(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
image := createImage(t, "trust-push-existing", "latest")
result := icmd.RunCmd(icmd.Command("docker", "push", image))
result.Assert(t, icmd.Success)
result = icmd.RunCmd(icmd.Command("docker", "push", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
fixtures.WithPassphrase("foo", "bar"),
)
result.Assert(t, icmd.Expected{
Out: "Signing and pushing trust metadata",
})
// Re-push
result = icmd.RunCmd(icmd.Command("docker", "push", image),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
fixtures.WithPassphrase("foo", "bar"),
)
result.Assert(t, icmd.Expected{
Out: "Signing and pushing trust metadata",
})
}
func TestPushWithContentTrustReleasesDelegationOnly(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
role := "targets/releases"
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
copyPrivateKey(t, dir.Join("trust", "private"), privkey1)
notaryDir := setupNotaryConfig(t, dir)
defer notaryDir.Remove()
homeDir := fs.NewDir(t, "push_test_home")
defer notaryDir.Remove()
baseRef := fmt.Sprintf("%s/%s", registryPrefix, "trust-push-releases-delegation")
targetRef := fmt.Sprintf("%s:%s", baseRef, "latest")
// Init repository
notaryInit(t, notaryDir, homeDir, baseRef)
// Add delegation key (public key)
notaryAddDelegation(t, notaryDir, homeDir, baseRef, role, pubkey1)
// Publish it
notaryPublish(t, notaryDir, homeDir, baseRef)
// Import private key
notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, role, privkey1)
// Tag & push with content trust
icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, targetRef).Assert(t, icmd.Success)
result := icmd.RunCmd(icmd.Command("docker", "push", targetRef),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
fixtures.WithPassphrase("foo", "foo"),
)
result.Assert(t, icmd.Expected{
Out: "Signing and pushing trust metadata",
})
targetsInRole := notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, role)
assert.Assert(t, targetsInRole["latest"] == role, "%v", targetsInRole)
targetsInRole = notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets")
assert.Assert(t, targetsInRole["latest"] != "targets", "%v", targetsInRole)
result = icmd.RunCmd(icmd.Command("docker", "pull", targetRef),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
)
result.Assert(t, icmd.Success)
}
func TestPushWithContentTrustSignsAllFirstLevelRolesWeHaveKeysFor(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
copyPrivateKey(t, dir.Join("trust", "private"), privkey1)
copyPrivateKey(t, dir.Join("trust", "private"), privkey2)
copyPrivateKey(t, dir.Join("trust", "private"), privkey3)
notaryDir := setupNotaryConfig(t, dir)
defer notaryDir.Remove()
homeDir := fs.NewDir(t, "push_test_home")
defer notaryDir.Remove()
baseRef := fmt.Sprintf("%s/%s", registryPrefix, "trust-push-releases-first-roles")
targetRef := fmt.Sprintf("%s:%s", baseRef, "latest")
// Init repository
notaryInit(t, notaryDir, homeDir, baseRef)
// Add delegation key (public key)
notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role1", pubkey1)
notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role2", pubkey2)
notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role3", pubkey3)
notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role1/subrole", pubkey3)
// Import private key
notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role1", privkey1)
notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role2", privkey2)
notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role1/subrole", privkey3)
// Publish it
notaryPublish(t, notaryDir, homeDir, baseRef)
// Tag & push with content trust
icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, targetRef).Assert(t, icmd.Success)
result := icmd.RunCmd(icmd.Command("docker", "push", targetRef),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
fixtures.WithPassphrase("foo", "foo"),
)
result.Assert(t, icmd.Expected{
Out: "Signing and pushing trust metadata",
})
// check to make sure that the target has been added to targets/role1 and targets/role2, and
// not targets (because there are delegations) or targets/role3 (due to missing key) or
// targets/role1/subrole (due to it being a second level delegation)
targetsInRole := notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets/role1")
assert.Assert(t, targetsInRole["latest"] == "targets/role1", "%v", targetsInRole)
targetsInRole = notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets/role2")
assert.Assert(t, targetsInRole["latest"] == "targets/role2", "%v", targetsInRole)
targetsInRole = notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets")
assert.Assert(t, targetsInRole["latest"] != "targets", "%v", targetsInRole)
assert.NilError(t, os.RemoveAll(dir.Join("trust")))
// Try to pull, should fail because non of these are the release role
// FIXME(vdemeester) should be unit test
result = icmd.RunCmd(icmd.Command("docker", "pull", targetRef),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
)
result.Assert(t, icmd.Expected{
ExitCode: 1,
})
}
func TestPushWithContentTrustSignsForRolesWithKeysAndValidPaths(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
copyPrivateKey(t, dir.Join("trust", "private"), privkey1)
copyPrivateKey(t, dir.Join("trust", "private"), privkey2)
copyPrivateKey(t, dir.Join("trust", "private"), privkey3)
copyPrivateKey(t, dir.Join("trust", "private"), privkey4)
notaryDir := setupNotaryConfig(t, dir)
defer notaryDir.Remove()
homeDir := fs.NewDir(t, "push_test_home")
defer notaryDir.Remove()
baseRef := fmt.Sprintf("%s/%s", registryPrefix, "trust-push-releases-keys-valid-paths")
targetRef := fmt.Sprintf("%s:%s", baseRef, "latest")
// Init repository
notaryInit(t, notaryDir, homeDir, baseRef)
// Add delegation key (public key)
notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role1", pubkey1, "l", "z")
notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role2", pubkey2, "x", "y")
notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role3", pubkey3, "latest")
notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role4", pubkey4, "latest")
// Import private keys (except 3rd key)
notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role1", privkey1)
notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role2", privkey2)
notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role4", privkey4)
// Publish it
notaryPublish(t, notaryDir, homeDir, baseRef)
// Tag & push with content trust
icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, targetRef).Assert(t, icmd.Success)
result := icmd.RunCmd(icmd.Command("docker", "push", targetRef),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
fixtures.WithPassphrase("foo", "foo"),
)
result.Assert(t, icmd.Expected{
Out: "Signing and pushing trust metadata",
})
// check to make sure that the target has been added to targets/role1 and targets/role4, and
// not targets (because there are delegations) or targets/role2 (due to path restrictions) or
// targets/role3 (due to missing key)
targetsInRole := notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets/role1")
assert.Assert(t, targetsInRole["latest"] == "targets/role1", "%v", targetsInRole)
targetsInRole = notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets/role4")
assert.Assert(t, targetsInRole["latest"] == "targets/role4", "%v", targetsInRole)
targetsInRole = notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets")
assert.Assert(t, targetsInRole["latest"] != "targets", "%v", targetsInRole)
assert.NilError(t, os.RemoveAll(dir.Join("trust")))
// Try to pull, should fail because non of these are the release role
// FIXME(vdemeester) should be unit test
result = icmd.RunCmd(icmd.Command("docker", "pull", targetRef),
fixtures.WithConfig(dir.Path()),
fixtures.WithTrust,
fixtures.WithNotary,
)
result.Assert(t, icmd.Expected{
ExitCode: 1,
})
}
func createImage(t *testing.T, repo string, tags ...string) string {
t.Helper()
icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
for _, tag := range tags {
image := fmt.Sprintf("%s/%s:%s", registryPrefix, repo, tag)
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
}
return fmt.Sprintf("%s/%s:%s", registryPrefix, repo, tags[0])
}
//nolint:unparam
func withNotaryPassphrase(pwd string) func(*icmd.Cmd) {
return func(c *icmd.Cmd) {
c.Env = append(c.Env, []string{
"NOTARY_ROOT_PASSPHRASE=" + pwd,
"NOTARY_TARGETS_PASSPHRASE=" + pwd,
"NOTARY_SNAPSHOT_PASSPHRASE=" + pwd,
"NOTARY_DELEGATION_PASSPHRASE=" + pwd,
}...)
}
}
func notaryImportPrivateKey(t *testing.T, notaryDir, homeDir *fs.Dir, baseRef, role, privkey string) {
t.Helper()
icmd.RunCmd(
icmd.Command(notary, "-c", notaryDir.Join("client-config.json"), "key", "import", privkey, "-g", baseRef, "-r", role),
withNotaryPassphrase("foo"),
fixtures.WithHome(homeDir.Path()),
).Assert(t, icmd.Success)
}
func notaryPublish(t *testing.T, notaryDir, homeDir *fs.Dir, baseRef string) {
t.Helper()
icmd.RunCmd(
icmd.Command(notary, "-c", notaryDir.Join("client-config.json"), "publish", baseRef),
withNotaryPassphrase("foo"),
fixtures.WithHome(homeDir.Path()),
).Assert(t, icmd.Success)
}
func notaryAddDelegation(t *testing.T, notaryDir, homeDir *fs.Dir, baseRef, role, pubkey string, paths ...string) {
t.Helper()
pathsArg := "--all-paths"
if len(paths) > 0 {
pathsArg = "--paths=" + strings.Join(paths, ",")
}
icmd.RunCmd(
icmd.Command(notary, "-c", notaryDir.Join("client-config.json"), "delegation", "add", baseRef, role, pubkey, pathsArg),
withNotaryPassphrase("foo"),
fixtures.WithHome(homeDir.Path()),
).Assert(t, icmd.Success)
}
func notaryInit(t *testing.T, notaryDir, homeDir *fs.Dir, baseRef string) {
t.Helper()
icmd.RunCmd(
icmd.Command(notary, "-c", notaryDir.Join("client-config.json"), "init", baseRef),
withNotaryPassphrase("foo"),
fixtures.WithHome(homeDir.Path()),
).Assert(t, icmd.Success)
}
func notaryListTargetsInRole(t *testing.T, notaryDir, homeDir *fs.Dir, baseRef, role string) map[string]string {
t.Helper()
result := icmd.RunCmd(
icmd.Command(notary, "-c", notaryDir.Join("client-config.json"), "list", baseRef, "-r", role),
fixtures.WithHome(homeDir.Path()),
)
out := result.Combined()
// should look something like:
// NAME DIGEST SIZE (BYTES) ROLE
// ------------------------------------------------------------------------------------------------------
// latest 24a36bbc059b1345b7e8be0df20f1b23caa3602e85d42fff7ecd9d0bd255de56 1377 targets
targets := make(map[string]string)
// no target
lines := strings.Split(strings.TrimSpace(out), "\n")
if len(lines) == 1 && strings.Contains(out, "No targets present in this repository.") {
return targets
}
// otherwise, there is at least one target
assert.Assert(t, len(lines) >= 3, "output is %s", out)
for _, line := range lines[2:] {
tokens := strings.Fields(line)
assert.Assert(t, len(tokens) == 4)
targets[tokens[0]] = tokens[3]
}
return targets
}
func setupNotaryConfig(t *testing.T, dockerConfigDir fs.Dir) *fs.Dir {
t.Helper()
return fs.NewDir(t, "notary_test", fs.WithMode(0o700),
fs.WithFile("client-config.json", fmt.Sprintf(`
{
"trust_dir": "%s",
"remote_server": {
"url": "%s"
}
}`, dockerConfigDir.Join("trust"), fixtures.NotaryURL)),
)
}
func copyPrivateKey(t *testing.T, dir, source string) {
t.Helper()
icmd.RunCommand("/bin/cp", source, dir).Assert(t, icmd.Success)
}

21
e2e/image/testdata/notary/delgkey1.crt vendored
View File

@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIJAP2EcMN2UXPcMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMQ8wDQYD
VQQKEwZEb2NrZXIxEzARBgNVBAMTCmRlbGVnYXRpb24wHhcNMTYwOTI4MTc0ODQ4
WhcNMjYwNjI4MTc0ODQ4WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
BgNVBAcTDFNhbkZyYW5jaXNjbzEPMA0GA1UEChMGRG9ja2VyMRMwEQYDVQQDEwpk
ZWxlZ2F0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgewhaYs
Ke5s2AM7xxKrT4A6n7hW17qSnBjonCcPcwTFmYqIOdxWjYITgJuHrTwB4ZhBqWS7
tTsUUu6hWLMeB7Uo5/GEQAAZspKkT9G/rNKF9lbWK9PPhGGkeR01c/Q932m92Hsn
fCQ0Pp/OzD3nVTh0v9HKk+PObNMOCcqG87eYs4ylPRxs0RrE/rP+bEGssKQSbeCZ
wazDnO+kiatVgKQZ2CK23iFdRE1z2rzqVDeaFWdvBqrRdWnkOZClhlLgEQ5nK2yV
B6tSqOiI3MmHyHzIkGOQJp2/s7Pe0ckEkzsjTsJW8oKHlBBl6pRxHIKzNN4VFbeB
vvYvrogrDrC/owIDAQABo1QwUjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF
oDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUFoHfukRa6qGk1ncON64Z
ASKlZdkwDQYJKoZIhvcNAQELBQADggEBAEq9Adpd03CPmpbRtTAJGAkjjLFr60sV
2r+/l/m9R31ZCN9ymM9nxToQ8zfMdeAh/nnPcErziil2gDVqXueCNDkRj09tmDIE
Q1Oc92uyNZNgcECow77cKZCTZSTku+qsJrYaykH5vSnia8ltcKj8inJedIcpBR+p
608HEQvF0Eg5eaLPJwH48BCb0Gqdri1dJgrNnqptz7MDr8M+u7tHVulbAd3YxLlq
JH1W2bkVUx6esbn/MUE5HL5iTuOYREEINvBSmLdmmFkampmCnCB/bDEyJeL9bAkt
ZPIi0UNSnqFKLSP1Vf8AGLXt6iO7+1OGvtsDXEEYdXVOMsSXZtUuT7A=
-----END CERTIFICATE-----

27
e2e/image/testdata/notary/delgkey1.key vendored
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvgewhaYsKe5s2AM7xxKrT4A6n7hW17qSnBjonCcPcwTFmYqI
OdxWjYITgJuHrTwB4ZhBqWS7tTsUUu6hWLMeB7Uo5/GEQAAZspKkT9G/rNKF9lbW
K9PPhGGkeR01c/Q932m92HsnfCQ0Pp/OzD3nVTh0v9HKk+PObNMOCcqG87eYs4yl
PRxs0RrE/rP+bEGssKQSbeCZwazDnO+kiatVgKQZ2CK23iFdRE1z2rzqVDeaFWdv
BqrRdWnkOZClhlLgEQ5nK2yVB6tSqOiI3MmHyHzIkGOQJp2/s7Pe0ckEkzsjTsJW
8oKHlBBl6pRxHIKzNN4VFbeBvvYvrogrDrC/owIDAQABAoIBAB/o8KZwsgfUhqh7
WoViSCwQb0e0z7hoFwhpUl4uXPTGf1v6HEgDDPG0PwwgkdbwNaypQZVtWevj4NTQ
R326jjdjH1xbfQa2PZpz722L3jDqJR6plEtFxRoIv3KrCffPsrgabIu2mnnJJpDB
ixtW5cq0sT4ov2i4H0i85CWWwbSY/G/MHsvCuK9PhoCj9uToVqrf1KrAESE5q4fh
mPSYUL99KVnj7SZkUz+79rc8sLLPVks3szZACMlm1n05ZTj/d6Nd2ZZUO45DllIj
1XJghfWmnChrB/P/KYXgQ3Y9BofIAw1ra2y3wOZeqRFNsbmojcGldfdtN/iQzhEj
uk4ThokCgYEA9FTmv36N8qSPWuqX/KzkixDQ8WrDGohcB54kK98Wx4ijXx3i38SY
tFjO8YUS9GVo1+UgmRjZbzVX7xeum6+TdBBwOjNOxEQ4tzwiQBWDdGpli8BccdJ2
OOIVxSslWhiUWfpYloXVetrR88iHbT882g795pbonDaJdXSLnij4UW8CgYEAxxrr
QFpsmOEZvI/yPSOGdG7A1RIsCeH+cEOf4cKghs7+aCtAHlIweztNOrqirl3oKI1r
I0zQl46WsaW8S/y99v9lmmnZbWwqLa4vIu0NWs0zaZdzKZw3xljMhgp4Ge69hHa2
utCtAxcX+7q/yLlHoTiYwKdxX54iLkheCB8csw0CgYEAleEG820kkjXUIodJ2JwO
Tihwo8dEC6CeI6YktizRgnEVFqH0rCOjMO5Rc+KX8AfNOrK5PnD54LguSuKSH7qi
j04OKgWTSd43lF90+y63RtCFnibQDpp2HwrBJAQFk7EEP/XMJfnPLN/SbuMSADgM
kg8kPTFRW5Iw3DYz9z9WpE0CgYAkn6/8Q2XMbUOFqti9JEa8Lg8sYk5VdwuNbPMA
3QMYKQUk9ieyLB4c3Nik3+XCuyVUKEc31A5egmz3umu7cn8i6vGuiJ/k/8t2YZ7s
Bry5Ihu95Yzab5DW3Eiqs0xKQN79ebS9AluAwQO5Wy2h52rknfuDHIm/M+BHsSoS
xl5KFQKBgQCokCsYuX1z2GojHw369/R2aX3ovCGuHqy4k7fWxUrpHTHvth2+qNPr
84qLJ9rLWoZE5sUiZ5YdwCgW877EdfkT+v4aaBX79ixso5VdqgJ/PdnoNntah/Vq
njQiW1skn6/P5V/eyimN2n0VsyBr/zMDEtYTRP/Tb1zi/njFLQkZEA==
-----END RSA PRIVATE KEY-----

21
e2e/image/testdata/notary/delgkey2.crt vendored
View File

@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIJAIq8naKlYAQfMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMQ8wDQYD
VQQKEwZEb2NrZXIxEzARBgNVBAMTCmRlbGVnYXRpb24wHhcNMTYwOTI4MTc0ODQ4
WhcNMjYwNjI4MTc0ODQ4WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
BgNVBAcTDFNhbkZyYW5jaXNjbzEPMA0GA1UEChMGRG9ja2VyMRMwEQYDVQQDEwpk
ZWxlZ2F0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyY2EWYTW
5VHipw08t675upmD6a+akiuZ1z+XpuOxZCgjZ0aHfoOe8wGKg3Ohz7UCBdD5Mob/
L/qvRlsCaqPHGZKIyyX1HDO4mpuQQFBhYxt+ZAO3AaawEUOw2rwwMDEjLnDDTSZM
z8jxCMvsJjBDqgb8g3z+AmjducQ/OH6llldgHIBY8ioRbROCL2PGgqywWq2fThav
c70YMxtKviBGDNCouYeQ8JMK/PuLwPNDXNQAagFHVARXiUv/ILHk7ImYnSGJUcuk
JTUGN2MBnpY0eakg7i+4za8sjjqOdn+2I6aVzlGJDSiRP72nkg/cE4BqMl9FrMwK
9iS8xa9yMDLUvwIDAQABo1QwUjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF
oDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUvQzzFmh3Sv3HcdExY3wx
/1u6JLAwDQYJKoZIhvcNAQELBQADggEBAJcmDme2Xj/HPUPwaN/EyCmjhY73EiHO
x6Pm16tscg5JGn5A+u3CZ1DmxUYl8Hp6MaW/sWzdtL0oKJg76pynadCWh5EacFR8
u+2GV/IcN9mSX6JQzvrqbjSqo5/FehqBD+W5h3euwwApWA3STAadYeyEfmdOA3SQ
W1vzrA1y7i8qgTqeJ7UX1sEAXlIhBK2zPYaMB+en+ZOiPyNxJYj6IDdGdD2paC9L
6H9wKC+GAUTSdCWp89HP7ETSXEGr94AXkrwU+qNsiN+OyK8ke0EMngEPh5IQoplw
/7zEZCth3oKxvR1/4S5LmTVaHI2ZlbU4q9bnY72G4tw8YQr2gcBGo4w=
-----END CERTIFICATE-----

27
e2e/image/testdata/notary/delgkey2.key vendored
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAyY2EWYTW5VHipw08t675upmD6a+akiuZ1z+XpuOxZCgjZ0aH
foOe8wGKg3Ohz7UCBdD5Mob/L/qvRlsCaqPHGZKIyyX1HDO4mpuQQFBhYxt+ZAO3
AaawEUOw2rwwMDEjLnDDTSZMz8jxCMvsJjBDqgb8g3z+AmjducQ/OH6llldgHIBY
8ioRbROCL2PGgqywWq2fThavc70YMxtKviBGDNCouYeQ8JMK/PuLwPNDXNQAagFH
VARXiUv/ILHk7ImYnSGJUcukJTUGN2MBnpY0eakg7i+4za8sjjqOdn+2I6aVzlGJ
DSiRP72nkg/cE4BqMl9FrMwK9iS8xa9yMDLUvwIDAQABAoIBAHmffvzx7ydESWwa
zcfdu26BkptiTvjjfJrqEd4wSewxWGPKqJqMXE8xX99A2KTZClZuKuH1mmnecQQY
iRXGrK9ewFMuHYGeKEiLlPlqR8ohXhyGLVm+t0JDwaXMp5t9G0i73O5iLTm5fNGd
FGxa9YnVW20Q8MqNczbVGH1D1zInhxzzOyFzBd4bBBJ8PdrUdyLpd7+RxY2ghnbT
p9ZANR2vk5zmDLJgZx72n/u+miJWuhY6p0v3Vq4z/HHgdhf+K6vpDdzTcYlA0rO4
c/c+RKED3ZadGUD5QoLsmEN0e3FVSMPN1kt4ZRTqWfH8f2X4mLz33aBryTjktP6+
1rX6ThECgYEA74wc1Tq23B5R0/GaMm1AK3Ko2zzTD8wK7NSCElh2dls02B+GzrEB
aE3A2GMQSuzb+EA0zkipwANBaqs3ZemH5G1pu4hstQsXCMd4jAJn0TmTXlplXBCf
PSc8ZUU6XcJENRr9Q7O9/TGlgahX+z0ndxYx/CMCsSu7XsMg4IZsbAcCgYEA12Vb
wKOVG15GGp7pMshr+2rQfVimARUP4gf3JnQmenktI4PfdnMW3a4L3DEHfLhIerwT
6lRp/NpxSADmuT4h1UO1l2lc+gmTVPw0Vbl6VwHpgS5Kfu4ZyM6n3S66f/dE4nu7
hQF9yZz7vn5Agghak4p6a1wC1gdMzR1tvxFzk4kCgYByBMTskWfcWeok8Yitm+bB
R3Ar+kWT7VD97SCETusD5uG+RTNLSmEbHnc+B9kHcLo67YS0800pAeOvPBPARGnU
RmffRU5I1iB+o0MzkSmNItSMQoagTaEd4IEUyuC/I+qHRHNsOC+kRm86ycAm67LP
MhdUpe1wGxqyPjp15EXTHQKBgDKzFu+3EWfJvvKRKQ7dAh3BvKVkcl6a2Iw5l8Ej
YdM+JpPPfI/i8yTmzL/dgoem0Nii4IUtrWzo9fUe0TAVId2S/HFRSaNJEbbVTnRH
HjbQqmfPv5U08jjD+9siHp/0UfCFc1QRT8xe+RqTmReCY9+KntoaZEiAm2FEZgqt
TukRAoGAf7QqbTP5/UH1KSkX89F5qy/6GS3pw6TLj9Ufm/l/NO8Um8gag6YhEKWR
7HpkpCqjfWj8Av8ESR9cqddPGrbdqXFm9z7dCjlAd5T3Q3h/h+v+JzLQWbsI6WOb
SsOSWNyE006ZZdIiFwO6GfxpLI24sVtYKgyob6Q71oxSqfnrnT0=
-----END RSA PRIVATE KEY-----

21
e2e/image/testdata/notary/delgkey3.crt vendored
View File

@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIJAKHt/jxiWqMtMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMQ8wDQYD
VQQKEwZEb2NrZXIxEzARBgNVBAMTCmRlbGVnYXRpb24wHhcNMTYwOTI4MTc0ODQ5
WhcNMjYwNjI4MTc0ODQ5WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
BgNVBAcTDFNhbkZyYW5jaXNjbzEPMA0GA1UEChMGRG9ja2VyMRMwEQYDVQQDEwpk
ZWxlZ2F0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqfbJk2Dk
C9FJVjV2+Q2CQrJphG3vFc1Qlu9jgVA5RhGmF9jJzetsclsV/95nBhinIGcSmPQA
l318G7Bz/cG/6O2n5+hj+S1+YOvQweReZj3d4kCeS86SOyLNTpMD9gsF0S8nR1RN
h0jD4t1vxAVeGD1o61U8/k0O5eDoeOfOSWZagKk5PhyrMZgNip4IrG46umCkFlrw
zMMcgQdwTQXywPqkr/LmYpqT1WpMlzHYTQEY8rKorIJQbPtHVYdr4UxYnNmk6fbU
biEP1DQlwjBWcFTsDLqXKP/K+e3O0/e/hMB0y7Tj9fZ7Viw0t5IKXZPsxMhwknUT
9vmPzIJO6NiniwIDAQABo1QwUjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF
oDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdTXRP1EzxQ+UDZSoheVo
Mobud1cwDQYJKoZIhvcNAQELBQADggEBADV9asTWWdbmpkeRuKyi0xGho39ONK88
xxkFlco766BVgemo/rGQj3oPuw6M6SzHFoJ6JUPjmLiAQDIGEU/2/b6LcOuLjP+4
YejCcDTY3lSW/HMNoAmzr2foo/LngNGfe/qhVFUqV7GjFT9+XzFFBfIZ1cQiL2ed
kc8rgQxFPwWXFCSwaENWeFnMDugkd+7xanoAHq8GsJpg5fTruDTmJkUqC2RNiMLn
WM7QaqW7+lmUnMnc1IBoz0hFhgoiadWM/1RQxx51zTVw6Au1koIm4ZXu5a+/WyC8
K1+HyUbc0AVaDaRBpRSOR9aHRwLGh6WQ4aUZQNyJroc999qfYrDEEV8=
-----END CERTIFICATE-----

27
e2e/image/testdata/notary/delgkey3.key vendored
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAqfbJk2DkC9FJVjV2+Q2CQrJphG3vFc1Qlu9jgVA5RhGmF9jJ
zetsclsV/95nBhinIGcSmPQAl318G7Bz/cG/6O2n5+hj+S1+YOvQweReZj3d4kCe
S86SOyLNTpMD9gsF0S8nR1RNh0jD4t1vxAVeGD1o61U8/k0O5eDoeOfOSWZagKk5
PhyrMZgNip4IrG46umCkFlrwzMMcgQdwTQXywPqkr/LmYpqT1WpMlzHYTQEY8rKo
rIJQbPtHVYdr4UxYnNmk6fbUbiEP1DQlwjBWcFTsDLqXKP/K+e3O0/e/hMB0y7Tj
9fZ7Viw0t5IKXZPsxMhwknUT9vmPzIJO6NiniwIDAQABAoIBAQCAr/ed3A2umO7T
FDYZik3nXBiiiW4t7r+nGGgZ3/kNgY1lnuHlROxehXLZwbX1mrLnyML/BjhwezV9
7ZNVPd6laVPpNj6DyxtWHRZ5yARlm1Al39E7CpQTrF0QsiWcpGnqIa62xjDRTpnq
askV/Q5qggyvqmE9FnFCQpEiAjlhvp7F0kVHVJm9s3MK3zSyR0UTZ3cpYus2Jr2z
OotHgAMHq5Hgb3dvxOeE2xRMeYAVDujbkNzXm2SddAtiRdLhWDh7JIr3zXhp0HyN
4rLOyhlgz00oIGeDt/C0q3fRmghr3iZOG+7m2sUx0FD1Ru1dI9v2A+jYmIVNW6+x
YJk5PzxJAoGBANDj7AGdcHSci/LDBPoTTUiz3uucAd27/IJma/iy8mdbVfOAb0Fy
PRSPvoozlpZyOxg2J4eH/o4QxQR4lVKtnLKZLNHK2tg3LarwyBX1LiI3vVlB+DT1
AmV8i5bJAckDhqFeEH5qdWZFi03oZsSXWEqX5iMYCrdK5lTZggcrFZeHAoGBANBL
fkk3knAdcVfTYpmHx18GBi2AsCWTd20KD49YBdbVy0Y2Jaa1EJAmGWpTUKdYx40R
H5CuGgcAviXQz3bugdTU1I3tAclBtpJNU7JkhuE+Epz0CM/6WERJrE0YxcGQA5ui
6fOguFyiXD1/85jrDBOKy74aoS7lYz9r/a6eqmjdAoGBAJpm/nmrIAZx+Ff2ouUe
A1Ar9Ch/Zjm5zEmu3zwzOU4AiyWz14iuoktifNq2iyalRNz+mnVpplToPFizsNwu
C9dPtXtU0DJlhtIFrD/evLz6KnGhe4/ZUm4lgyBvb2xfuNHqL5Lhqelwmil6EQxb
Oh3Y7XkfOjyFln89TwlxZUJdAoGAJRMa4kta7EvBTeGZLjyltvsqhFTghX+vBSCC
ToBbYbbiHJgssXSPAylU4sD7nR3HPwuqM6VZip+OOMrm8oNXZpuPTce+xqTEq1vK
JvmPrG3RAFDLdMFZjqYSXhKnuGE60yv3Ol8EEbDwfB3XLQPBPYU56Jdy0xcPSE2f
dMJXEJ0CgYEAisZw0nXw6lFeYecu642EGuU0wv1O9i21p7eho9QwOcsoTl4Q9l+M
M8iBv+qTHO+D19l4JbkGvy2H2diKoYduUFACcuiFYs8fjrT+4Z6DyOQAQGAf6Ylw
BFbU15k6KbA9v4mZDfd1tY9x62L/XO55ZxYG+J+q0e26tEThgD8cEog=
-----END RSA PRIVATE KEY-----

21
e2e/image/testdata/notary/delgkey4.crt vendored
View File

@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIJANae++ZkUEWMMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMQ8wDQYD
VQQKEwZEb2NrZXIxEzARBgNVBAMTCmRlbGVnYXRpb24wHhcNMTYwOTI4MTc0ODQ5
WhcNMjYwNjI4MTc0ODQ5WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
BgNVBAcTDFNhbkZyYW5jaXNjbzEPMA0GA1UEChMGRG9ja2VyMRMwEQYDVQQDEwpk
ZWxlZ2F0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqULAjgba
Y2I10WfqdmYnPfEqEe6iMDbzcgECb2xKafXcI4ltkQj1iO4zBTs0Ft9EzXFc5ZBh
pTjZrL6vrIa0y/CH2BiIHBJ0wRHx/40HXp4DSj3HZpVOlEMI3npRfBGNIBllUaRN
PWG7zL7DcKMIepBfPXyjBsxzH3yNiISq0W5hSiy+ImhSo3aipJUHHcp9Z9NgvpNC
3QvnxsGKRnECmDRDlxkq+FQu9Iqs/HWFYWgyfcsw+YTrWZq3qVnnqUouHO//c9PG
Ry3sZSDU97MwvkjvWys1e01Xvd3AbHx08YAsxih58i/OBKe81eD9NuZDP2KrjTxI
5xkXKhj6DV2NnQIDAQABo1QwUjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF
oDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUDt95hiqbQvi0KcvZGAUu
VisnztQwDQYJKoZIhvcNAQELBQADggEBAGi7qHai7MWbfeu6SlXhzIP3AIMa8TMi
lp/+mvPUFPswIVqYJ71MAN8uA7CTH3z50a2vYupGeOEtZqVJeRf+xgOEpwycncxp
Qz6wc6TWPVIoT5q1Hqxw1RD2MyKL+Y+QBDYwFxFkthpDMlX48I9frcqoJUWFxBF2
lnRr/cE7BbPE3sMbXV3wGPlH7+eUf+CgzXJo2HB6THzagyEgNrDiz/0rCQa1ipFd
mNU3D/U6BFGmJNxhvSOtXX9escg8yjr05YwwzokHS2K4jE0ZuJPBd50C/Rvo3Mf4
0h7/2Q95e7d42zPe9WYPu2F8KTWsf4r+6ddhKrKhYzXIcTAfHIOiO+U=
-----END CERTIFICATE-----

27
e2e/image/testdata/notary/delgkey4.key vendored
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqULAjgbaY2I10WfqdmYnPfEqEe6iMDbzcgECb2xKafXcI4lt
kQj1iO4zBTs0Ft9EzXFc5ZBhpTjZrL6vrIa0y/CH2BiIHBJ0wRHx/40HXp4DSj3H
ZpVOlEMI3npRfBGNIBllUaRNPWG7zL7DcKMIepBfPXyjBsxzH3yNiISq0W5hSiy+
ImhSo3aipJUHHcp9Z9NgvpNC3QvnxsGKRnECmDRDlxkq+FQu9Iqs/HWFYWgyfcsw
+YTrWZq3qVnnqUouHO//c9PGRy3sZSDU97MwvkjvWys1e01Xvd3AbHx08YAsxih5
8i/OBKe81eD9NuZDP2KrjTxI5xkXKhj6DV2NnQIDAQABAoIBAGK0ZKnuYSiXux60
5MvK4pOCsa/nY3mOcgVHhW4IzpRgJdIrcFOlz9ncXrBsSAIWjX7o3u2Ydvjs4DOW
t8d6frB3QiDInYcRVDjLCD6otWV97Bk9Ua0G4N4hAWkMF7ysV4oihS1JDSoAdo39
qOdki6s9yeyHZGKwk2oHLlowU5TxQMBA8DHmxqBII1HTm+8xRz45bcEqRXydYSUn
P1JuSU9jFqdylxU+Nrq6ehslMQ3y7qNWQyiLGxu6EmR+vgrzSU0s3iAOqCHthaOS
VBBXPL3DNEYUS+0QGnGrACuJhanOMBfdiO6Orelx6ZzWZm38PNGv0yBt0WCM+8/A
TtQNGkECgYEA1LqR6AH9XikUQ0+rM4526BgVuYqtjw21h4Lj9alaA+YTQntBBJOv
iAcUpnJiV4T8jzAMLeqpK8R/rbxRnK5S9jOV2gr+puk4L6tH46cgahBUESDigDp8
6vK8ur6ubBcXNPh3AT6rsPj+Ph2EU3raqiYdouvCdga/OCYZb+jr6UkCgYEAy7Cr
l8WssI/8/ORcQ4MFJFNyfz/Y2beNXyLd1PX0H+wRSiGcKzeUuTHNtzFFpMbrK/nx
ZOPCT2ROdHsBHzp1L+WquCb0fyMVSiYiXBU+VCFDbUU5tBr3ycTc7VwuFPENOiha
IdlWgew/aW110FQHIaqe9g+htRe+mXe++faZtbUCgYB/MSJmNzJX53XvHSZ/CBJ+
iVAMBSfq3caJRLCqRNzGcf1YBbwFUYxlZ95n+wJj0+byckcF+UW3HqE8rtmZNf3y
qTtTCLnj8JQgpGeybU4LPMIXD7N9+fqQvBwuCC7gABpnGJyHCQK9KNNTLnDdPRqb
G3ki3ZYC3dvdZaJV8E2FyQKBgQCMa5Mf4kqWvezueo+QizZ0QILibqWUEhIH0AWV
1qkhiKCytlDvCjYhJdBnxjP40Jk3i+t6XfmKud/MNTAk0ywOhQoYQeKz8v+uSnPN
f2ekn/nXzq1lGGJSWsDjcXTjQvqXaVIZm7cjgjaE+80IfaUc9H75qvUT3vaq3f5u
XC7DMQKBgQDMAzCCpWlEPbZoFMl6F49+7jG0/TiqM/WRUSQnNtufPMbrR9Je4QM1
L1UCANCPaHFOncKYer15NfIV1ctt5MZKImevDsUaQO8CUlO+dzd5H8KvHw9E29gA
B22v8k3jIjsYeRL+UJ/sBnWHgxdAe/NEM+TdlP2oP9D1gTifutPqAg==
-----END RSA PRIVATE KEY-----

18
e2e/image/testdata/notary/gen.sh vendored
View File

@ -1,18 +0,0 @@
for selfsigned in delgkey1 delgkey2 delgkey3 delgkey4; do
subj='/C=US/ST=CA/L=SanFrancisco/O=Docker/CN=delegation'
openssl genrsa -out "${selfsigned}.key" 2048
openssl req -new -key "${selfsigned}.key" -out "${selfsigned}.csr" -sha256 -subj "${subj}"
cat > "${selfsigned}.cnf" <<EOL
[selfsigned]
basicConstraints = critical,CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage=codeSigning
subjectKeyIdentifier=hash
EOL
openssl x509 -req -days 3560 -in "${selfsigned}.csr" -signkey "${selfsigned}.key" -sha256 \
-out "${selfsigned}.crt" -extfile "${selfsigned}.cnf" -extensions selfsigned
rm "${selfsigned}.cnf" "${selfsigned}.csr"
done

19
e2e/image/testdata/notary/localhost.cert vendored
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDCTCCAfOgAwIBAgIQTOoFF+ypXwgdXnXHuCTvYDALBgkqhkiG9w0BAQswJjER
MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE1MDcxNzE5
NDg1M1oXDTE4MDcwMTE5NDg1M1owJzERMA8GA1UEChMIUXVpY2tUTFMxEjAQBgNV
BAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMDO
qvTBAi0ApXLfe90ApJkdkRGwF838Qzt1UFSxomu5fHRV6l3FjX5XCVHiFQ4w3ROh
dMOu9NahfGLJv9VvWU2MV3YoY9Y7lIXpKwnK1v064wuls4nPh13BUWKQKofcY/e2
qaSPd6/qmSRc/kJUvOI9jZMSX6ZRPu9K4PCqm2CivlbLq9UYuo1AbRGfuqHRvTxg
mQG7WQCzGSvSjuSg5qX3TEh0HckTczJG9ODULNRWNE7ld0W4sfv4VF8R7Uc/G7LO
8QwLCZ9TIl3gYMPCrhUL3Q6z9Jnn1SQS4mhDnPi6ugRYO1X8k3jjdxV9C2sXwUvN
OZI1rLEWl9TJNA7ZXtMCAwEAAaM2MDQwDgYDVR0PAQH/BAQDAgCgMAwGA1UdEwEB
/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MAsGCSqGSIb3DQEBCwOCAQEAH6iq
kM2+UMukGDLEQKHHiauioWJlHDlLXv76bJiNfjSz94B/2XOQMb9PT04//tnGUyPK
K8Dx7RoxSodU6T5VRiz/A36mLOvt2t3bcL/1nHf9sAOHcexGtnCbQbW91V7RKfIL
sjiLNFDkQ9VfVNY+ynQptZoyH1sy07+dplfkIiPzRs5WuVAnEGsX3r6BrhgUITzi
g1B4kpmGZIohP4m6ZEBY5xuo/NQ0+GhjAENQMU38GpuoMyFS0i0dGcbx8weqnI/B
Er/qa0+GE/rBnWY8TiRow8dzpneSFQnUZpJ4EwD9IoOIDHo7k2Nbz2P50HMiCXZf
4RqzctVssRlrRVnO5w==
-----END CERTIFICATE-----

27
e2e/image/testdata/notary/localhost.key vendored
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAwM6q9MECLQClct973QCkmR2REbAXzfxDO3VQVLGia7l8dFXq
XcWNflcJUeIVDjDdE6F0w6701qF8Ysm/1W9ZTYxXdihj1juUhekrCcrW/TrjC6Wz
ic+HXcFRYpAqh9xj97appI93r+qZJFz+QlS84j2NkxJfplE+70rg8KqbYKK+Vsur
1Ri6jUBtEZ+6odG9PGCZAbtZALMZK9KO5KDmpfdMSHQdyRNzMkb04NQs1FY0TuV3
Rbix+/hUXxHtRz8bss7xDAsJn1MiXeBgw8KuFQvdDrP0mefVJBLiaEOc+Lq6BFg7
VfyTeON3FX0LaxfBS805kjWssRaX1Mk0Dtle0wIDAQABAoIBAHbuhNHZROhRn70O
Ui9vOBki/dt1ThnH5AkHQngb4t6kWjrAzILvW2p1cdBKr0ZDqftz+rzCbVD/5+Rg
Iq8bsnB9g23lWEBMHD/GJsAxmRA3hNooamk11IBmwTcVSsbnkdq5mEdkICYphjHC
Ey0DbEf6RBxWlx3WvAWLoNmTw6iFaOCH8IyLavPpe7kLbZc219oNUw2qjCnCXCZE
/NuViADHJBPN8r7g1gmyclJmTumdUK6oHgXEMMPe43vhReGcgcReK9QZjnTcIXPM
4oJOraw+BtoZXVvvIPnC+5ntoLFOzjIzM0kaveReZbdgffqF4zy2vRfCHhWssanc
7a0xR4ECgYEA3Xuvcqy5Xw+v/jVCO0VZj++Z7apA78dY4tWsPx5/0DUTTziTlXkC
ADduEbwX6HgZ/iLvA9j4C3Z4mO8qByby/6UoBU8NEe+PQt6fT7S+dKSP4uy5ZxVM
i5opkEyrJsMbve9Jrlj4bk5CICsydrZ+SBFHnpNGjbduGQick5LORWECgYEA3trt
gepteDGiUYmnnBgjbYtcD11RvpKC8Z/QwGnzN5vk4eBu8r7DkMcLN+SiHjAovlJo
r5j3EbF8sla1zBf/yySdQZFqUGcwtw7MaAKCLdhQl5WsViNMIx6p2OJapu0dzbv2
KTXrnoRCafcH92k0dUX1ahE9eyc8KX6VhbWwXLMCgYATGCCuEDoC+gVAMzM8jOQF
xrBMjwr+IP+GvskUv/pg5tJ9V/FRR5dmkWDJ4p9lCUWkZTqZ6FCqHFKVTLkg2LjG
VWS34HLOAwskxrCRXJG22KEW/TWWr31j46yFpjZzJwrzOvftMfpo+BI3V8IH/f+x
EtxLzYKdoRy6x8VH67YgwQKBgHor2vjV45142FuK83AHa6SqOZXSuvWWrGJ6Ep7p
doSN2jRaLXi2S9AaznOdy6JxFGUCGJHrcccpXgsGrjNtFLXxJKTFa1sYtwQkALsk
ZOltJQF09D1krGC0driHntrUMvqOiKye+sS0DRS6cIuaCUAhUiELwoC5SaoV0zKy
IDUxAoGAOK8Xq+3/sqe79vTpw25RXl+nkAmOAeKjqf3Kh6jbnBhr81rmefyKXB9a
uj0b980tzUnliwA5cCOsyxfN2vASvMnJxFE721QZI04arlcPFHcFqCtmNnUYTcLp
0hgn/yLZptcoxpy+eTBu3eNsxz1Bu/Tx/198+2Wr3MbtGpLNIcA=
-----END RSA PRIVATE KEY-----

1
e2e/image/testdata/pull-with-content-trust-err.golden vendored
View File

@ -1 +0,0 @@
Tagging registry:5000/trust-pull@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501 as registry:5000/trust-pull:latest

5
e2e/image/testdata/pull-with-content-trust.golden vendored
View File

@ -1,5 +0,0 @@
Pull (1 of 1): registry:5000/trust-pull:latest@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501
registry:5000/trust-pull@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501: Pulling from trust-pull
Digest: sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501
Status: Downloaded newer image for registry:5000/trust-pull@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501
registry:5000/trust-pull:latest

0
e2e/image/testdata/push-with-content-trust-err.golden vendored
View File

89
e2e/internal/fixtures/fixtures.go
View File

@ -1,7 +1,6 @@
package fixtures
import (
"fmt"
"os"
"testing"
@ -11,42 +10,21 @@ import (
)
const (
// NotaryURL is the location of the notary server
NotaryURL = "https://notary-server:4443"
// EvilNotaryURL is the location of the evil notary server
EvilNotaryURL = "https://evil-notary-server:4444"
// AlpineImage is an image in the test registry
AlpineImage = "registry:5000/alpine:frozen"
// AlpineSha is the sha of the alpine image
AlpineSha = "e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501" // #nosec G101 -- ignoring: Potential hardcoded credentials (gosec)
// BusyboxImage is an image in the test registry
BusyboxImage = "registry:5000/busybox:frozen"
// BusyboxSha is the sha of the busybox image
BusyboxSha = "030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af" // #nosec G101 -- ignoring: Potential hardcoded credentials (gosec)
)
// SetupConfigFile creates a config.json file for testing
func SetupConfigFile(t *testing.T) fs.Dir {
t.Helper()
return SetupConfigWithNotaryURL(t, "trust_test", NotaryURL)
}
// SetupConfigWithNotaryURL creates a config.json file for testing in the given path
// with the given notaryURL
func SetupConfigWithNotaryURL(t *testing.T, path, notaryURL string) fs.Dir {
t.Helper()
dir := fs.NewDir(t, path, fs.WithMode(0o700), fs.WithFile("config.json", fmt.Sprintf(`
{
"auths": {
"registry:5000": {
"auth": "ZWlhaXM6cGFzc3dvcmQK"
},
"%s": {
"auth": "ZWlhaXM6cGFzc3dvcmQK"
}
dir := fs.NewDir(t, "trust_test", fs.WithMode(0o700), fs.WithFile("config.json", `{
"auths": {
"registry:5000": {
"auth": "ZWlhaXM6cGFzc3dvcmQK"
}
}
`, notaryURL)), fs.WithDir("trust", fs.WithDir("private")))
}}`), fs.WithDir("trust", fs.WithDir("private")))
return *dir
}
@ -57,26 +35,6 @@ func WithConfig(dir string) func(cmd *icmd.Cmd) {
}
}
// WithPassphrase sets environment variables for passphrases
func WithPassphrase(rootPwd, repositoryPwd string) func(cmd *icmd.Cmd) {
return func(cmd *icmd.Cmd) {
addEnvs(cmd,
"DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="+rootPwd,
"DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="+repositoryPwd,
)
}
}
// WithTrust sets DOCKER_CONTENT_TRUST to 1
func WithTrust(cmd *icmd.Cmd) {
addEnvs(cmd, "DOCKER_CONTENT_TRUST=1")
}
// WithNotary sets the location of the notary server
func WithNotary(cmd *icmd.Cmd) {
addEnvs(cmd, "DOCKER_CONTENT_TRUST_SERVER="+NotaryURL)
}
// WithHome sets the HOME environment variable
func WithHome(path string) func(*icmd.Cmd) {
return func(cmd *icmd.Cmd) {
@ -84,43 +42,6 @@ func WithHome(path string) func(*icmd.Cmd) {
}
}
// WithNotaryServer sets the location of the notary server
func WithNotaryServer(notaryURL string) func(*icmd.Cmd) {
return func(cmd *icmd.Cmd) {
addEnvs(cmd, "DOCKER_CONTENT_TRUST_SERVER="+notaryURL)
}
}
// CreateMaskedTrustedRemoteImage creates a remote image that is signed with
// content trust, then pushes a different untrusted image at the same tag.
func CreateMaskedTrustedRemoteImage(t *testing.T, registryPrefix, repo, tag string) string {
t.Helper()
image := createTrustedRemoteImage(t, registryPrefix, repo, tag)
createNamedUnsignedImageFromBusyBox(t, image)
return image
}
func createTrustedRemoteImage(t *testing.T, registryPrefix, repo, tag string) string {
t.Helper()
image := fmt.Sprintf("%s/%s:%s", registryPrefix, repo, tag)
icmd.RunCommand("docker", "image", "pull", AlpineImage).Assert(t, icmd.Success)
icmd.RunCommand("docker", "image", "tag", AlpineImage, image).Assert(t, icmd.Success)
result := icmd.RunCmd(
icmd.Command("docker", "image", "push", image),
WithPassphrase("root_password", "repo_password"), WithTrust, WithNotary)
result.Assert(t, icmd.Success)
icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
return image
}
func createNamedUnsignedImageFromBusyBox(t *testing.T, image string) {
t.Helper()
icmd.RunCommand("docker", "image", "pull", BusyboxImage).Assert(t, icmd.Success)
icmd.RunCommand("docker", "image", "tag", BusyboxImage, image).Assert(t, icmd.Success)
icmd.RunCommand("docker", "image", "push", image).Assert(t, icmd.Success)
icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
}
// addEnvs adds environment variables to cmd, making sure to preserve the
// current os.Environ(), which would otherwise be omitted (for non-empty .Env).
func addEnvs(cmd *icmd.Cmd, envs ...string) {

1
e2e/plugin/plugin_test.go
View File

@ -31,7 +31,6 @@ func TestCreatePushPull(t *testing.T) {
icmd.RunCommand("docker", "plugin", "create", pluginName, pluginDir).Assert(t, icmd.Success)
result := icmd.RunCmd(icmd.Command("docker", "plugin", "push", pluginName),
fixtures.WithConfig(dir.Path()),
fixtures.WithPassphrase("foo", "bar"),
)
result.Assert(t, icmd.Expected{
Out: fmt.Sprintf("The push refers to repository [%s]", pluginName),

7
e2e/testdata/Dockerfile.evil-notary-server vendored
View File

@ -1,7 +0,0 @@
# syntax=docker/dockerfile:1
ARG NOTARY_VERSION=0.6.1
FROM notary:server-${NOTARY_VERSION}
COPY ./notary-evil/ /fixtures/

20
e2e/testdata/Dockerfile.gencerts vendored
View File

@ -1,20 +0,0 @@
# syntax=docker/dockerfile:1
ARG GO_VERSION=1.25.3
FROM golang:${GO_VERSION}-alpine AS generated
ENV GOTOOLCHAIN=local
RUN go install github.com/dmcgowan/quicktls@master
WORKDIR /tmp/gencerts/notary
RUN --mount=type=bind,source=e2e/testdata/notary,target=/tmp/gencerts/notary,rw <<EOT
set -eu
mkdir -p ../notary-evil /out
quicktls -exp 87600h -org=Docker -with-san notary-server notaryserver evil-notary-server evilnotaryserver localhost 127.0.0.1
cat ca.pem >> notary-server.cert
mv ca.pem root-ca.cert
cp notary-server.cert notary-server.key root-ca.cert ../notary-evil
cp -r /tmp/gencerts/notary* /out/
EOT
FROM scratch
COPY --from=generated /out /

7
e2e/testdata/Dockerfile.notary-server vendored
View File

@ -1,7 +0,0 @@
# syntax=docker/dockerfile:1
ARG NOTARY_VERSION=0.6.1
FROM notary:server-${NOTARY_VERSION}
COPY ./notary/ /fixtures/

19
e2e/testdata/notary-evil/notary-config.json vendored
View File

@ -1,19 +0,0 @@
{
"server": {
"http_addr": "evil-notary-server:4444",
"tls_key_file": "./notary-server.key",
"tls_cert_file": "./notary-server.cert"
},
"trust_service": {
"type": "local",
"hostname": "",
"port": "",
"key_algorithm": "ed25519"
},
"logging": {
"level": "debug"
},
"storage": {
"backend": "memory"
}
}

40
e2e/testdata/notary-evil/notary-server.cert vendored
View File

@ -1,40 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIQTujwx+1xxXeI5AbzAQ379TANBgkqhkiG9w0BAQsFADAi
MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
NTBaFw0zMzAzMjQxMTA5NTBaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPhZ
pU7DRK/2nwbTu+kVYhU/XARDleVSiLrQ5RMR1Cz2xC4LWkOEVSj4aCBo85O66JAx
p+WRVwoVEU2rdkK3k4983Xr34+7q5Hv4hmwlg6I7QLRRJapEgK5G5RB/9aQntolx
h5E0KaoF4PJP25y4FHCUr4td4QyitaICsCpuOAN6XgmE9sM9TBf+AEjTSxwwvgEz
DqHvyovl7pA+pQP2oTKBrf6KN8hHDOXmm9gd8ST9yKLrsYWhqExLLPnAD4lQEcKZ
29g+iTd4eNoJUXctpuY+3IpqBcQSLq35mNKBP/FQco6g3q26/cB4zWGxTr3jGJqs
ms8qdFLGZ2KiBCt+oDMCAwEAAaOBoTCBnjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
AQH/BAIwADAfBgNVHSMEGDAWgBTxYMNqgy2wkgmPZL/+bTCTQo6ulTBdBgNVHREE
VjBUgg1ub3Rhcnktc2VydmVyggxub3RhcnlzZXJ2ZXKCEmV2aWwtbm90YXJ5LXNl
cnZlcoIQZXZpbG5vdGFyeXNlcnZlcoIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
DQEBCwUAA4IBAQCDMjuZnNINFfqstFwhEEvAgWbjYW26ZQxhQffaqDlbMIQkWoXj
8inld9bma9Mf5i/GAkUwFqCnEHD4LQ6vDgfAgL+pSOv9VI5SBEuk/gLqvIBUeIRu
uHo1jWtll2Fr7eDLVdD4mPRPFC7V6mv6sFa9EN4tBN8eheQxHJvzwnnU7X28prfI
/hWnwPWScVvttqBSsq1h2CUpVu2zGVToeCJ9xl4r/NyDtM5TyMgz7RLrer0p8NSu
4Qp4ZXtxHDLduWcyMUHLGTprW05yjj9UVq89xfaCOqFSpx5i4oxotYm1PoOacHmN
RMp9vaYMAmopoxIEYX6fDg5T3sQ5cidZJEvU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
sK8jZi441ojEJ7OaggGPheO3mCU=
-----END CERTIFICATE-----

27
e2e/testdata/notary-evil/notary-server.key vendored
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA+FmlTsNEr/afBtO76RViFT9cBEOV5VKIutDlExHULPbELgta
Q4RVKPhoIGjzk7rokDGn5ZFXChURTat2QreTj3zdevfj7urke/iGbCWDojtAtFEl
qkSArkblEH/1pCe2iXGHkTQpqgXg8k/bnLgUcJSvi13hDKK1ogKwKm44A3peCYT2
wz1MF/4ASNNLHDC+ATMOoe/Ki+XukD6lA/ahMoGt/oo3yEcM5eab2B3xJP3Iouux
haGoTEss+cAPiVARwpnb2D6JN3h42glRdy2m5j7cimoFxBIurfmY0oE/8VByjqDe
rbr9wHjNYbFOveMYmqyazyp0UsZnYqIEK36gMwIDAQABAoIBAQDy7W2f763+mbTQ
zshepQX+Vq3BlgLIAMWyR6fr0WLEYNVhXMV8ibNrkiD4ovCwLwJSGeBr1JFZUWZN
nUze0gdLMg7LvDN/ftDk2yNSIhfy1xbhywaW2M8uqjZiv2genKIXK7A6PtYKdBmn
rKnbUMzdmvNj1f7Ph1E4Gn0L5ChybJDJrq6wQjuTdZ6RmkGkbid0L+47Uv+6xBm9
hgBPVXd8auQAYGmyXZwvfga5ZjfRMI4wvWkvjOAQcJtxxgOnLT1KDjYV+L70PWul
bYoKX0sNkFEP9tOq2pD9XVBuTVQxcYeztv0Vz+kG66Ju1KKCAnUYFhRt055zZLfm
WDYlWm0BAoGBAPvGW9LvzwCDE9QUcR46nG1ZihheJyGKwWVK+ZjYkUU9nLbrIpOD
/jmihoHHhKBC6YOfHHY73LtZ22fgXEu6ivDzZtTxBErXbdRpEKktJebRK7gPkfsB
PNQ8CRd/DxRC/JuVFR76OPsbZWhXCaeC7PRdyAtvU9toT1jIQf+a4OhBAoGBAPyE
kxEoNO1KhWtgByUlsPzvq9PaTjwW/LpmEoo0FBUhYRPxYzVuYrE0BBflDR6JcMRR
oE9CXYGjtVPB44gT7pHVP09f3Ugrxk7X+t8wy3PWUTaTprmmEGqF0TzfdH4oQz0Y
v1khwuIu6rRlddGEiCKldXxn+gJy9E70yO4bm4tzAoGAL/XFIBVWVT6i1E9gjOWV
Tq8zwxiMU7Ney7DQgvEeGxZ1d9Kqr3cBQnFXNfmPpgeY+92fSlZ04atoRA1VB4ft
V6DGAeI3cxo+bavl5JQZGDLYJSOyJyJBOByHjtZBRRbNj8WCVHhNymeZlZqe2C30
fUgwBx2Z172y/7KF/+680QECgYEA1GhUKQ9wDdYsiliZSgb9bJXSLH8qZeNULRrl
J3mNFwUf2p2mvPAgdjxx4QOb2H716z1aIrGJZB4nzc9/LBzQBb2h5ouV4DpqMjH8
5bbuvH6fi9ABY5Irpt7vVUwFeoU1ofPqKPh8LLQYWywpQddAiBwzyjTQGTVHCg9f
4OI6Ib8CgYAptl24MGOc6BminKgsux+vNS9X1WwIADiHDyWBPHeQgLX8bYegswq9
/6uGXJQgdFBhfLuoTBBN0ia/0QQhDezzrqnERddciuL2zxFxEETdpIuxm4lhieX7
9LqnFcjxM4sLCg4SDSRX+nburiCnLDQiaBzhARooMJO48luTZUiWYQ==
-----END RSA PRIVATE KEY-----

19
e2e/testdata/notary-evil/root-ca.cert vendored
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
sK8jZi441ojEJ7OaggGPheO3mCU=
-----END CERTIFICATE-----

19
e2e/testdata/notary/notary-config.json vendored
View File

@ -1,19 +0,0 @@
{
"server": {
"http_addr": "notary-server:4443",
"tls_key_file": "./notary-server.key",
"tls_cert_file": "./notary-server.cert"
},
"trust_service": {
"type": "local",
"hostname": "",
"port": "",
"key_algorithm": "ed25519"
},
"logging": {
"level": "debug"
},
"storage": {
"backend": "memory"
}
}

40
e2e/testdata/notary/notary-server.cert vendored
View File

@ -1,40 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIQTujwx+1xxXeI5AbzAQ379TANBgkqhkiG9w0BAQsFADAi
MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
NTBaFw0zMzAzMjQxMTA5NTBaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPhZ
pU7DRK/2nwbTu+kVYhU/XARDleVSiLrQ5RMR1Cz2xC4LWkOEVSj4aCBo85O66JAx
p+WRVwoVEU2rdkK3k4983Xr34+7q5Hv4hmwlg6I7QLRRJapEgK5G5RB/9aQntolx
h5E0KaoF4PJP25y4FHCUr4td4QyitaICsCpuOAN6XgmE9sM9TBf+AEjTSxwwvgEz
DqHvyovl7pA+pQP2oTKBrf6KN8hHDOXmm9gd8ST9yKLrsYWhqExLLPnAD4lQEcKZ
29g+iTd4eNoJUXctpuY+3IpqBcQSLq35mNKBP/FQco6g3q26/cB4zWGxTr3jGJqs
ms8qdFLGZ2KiBCt+oDMCAwEAAaOBoTCBnjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
AQH/BAIwADAfBgNVHSMEGDAWgBTxYMNqgy2wkgmPZL/+bTCTQo6ulTBdBgNVHREE
VjBUgg1ub3Rhcnktc2VydmVyggxub3RhcnlzZXJ2ZXKCEmV2aWwtbm90YXJ5LXNl
cnZlcoIQZXZpbG5vdGFyeXNlcnZlcoIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
DQEBCwUAA4IBAQCDMjuZnNINFfqstFwhEEvAgWbjYW26ZQxhQffaqDlbMIQkWoXj
8inld9bma9Mf5i/GAkUwFqCnEHD4LQ6vDgfAgL+pSOv9VI5SBEuk/gLqvIBUeIRu
uHo1jWtll2Fr7eDLVdD4mPRPFC7V6mv6sFa9EN4tBN8eheQxHJvzwnnU7X28prfI
/hWnwPWScVvttqBSsq1h2CUpVu2zGVToeCJ9xl4r/NyDtM5TyMgz7RLrer0p8NSu
4Qp4ZXtxHDLduWcyMUHLGTprW05yjj9UVq89xfaCOqFSpx5i4oxotYm1PoOacHmN
RMp9vaYMAmopoxIEYX6fDg5T3sQ5cidZJEvU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
sK8jZi441ojEJ7OaggGPheO3mCU=
-----END CERTIFICATE-----

27
e2e/testdata/notary/notary-server.key vendored
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA+FmlTsNEr/afBtO76RViFT9cBEOV5VKIutDlExHULPbELgta
Q4RVKPhoIGjzk7rokDGn5ZFXChURTat2QreTj3zdevfj7urke/iGbCWDojtAtFEl
qkSArkblEH/1pCe2iXGHkTQpqgXg8k/bnLgUcJSvi13hDKK1ogKwKm44A3peCYT2
wz1MF/4ASNNLHDC+ATMOoe/Ki+XukD6lA/ahMoGt/oo3yEcM5eab2B3xJP3Iouux
haGoTEss+cAPiVARwpnb2D6JN3h42glRdy2m5j7cimoFxBIurfmY0oE/8VByjqDe
rbr9wHjNYbFOveMYmqyazyp0UsZnYqIEK36gMwIDAQABAoIBAQDy7W2f763+mbTQ
zshepQX+Vq3BlgLIAMWyR6fr0WLEYNVhXMV8ibNrkiD4ovCwLwJSGeBr1JFZUWZN
nUze0gdLMg7LvDN/ftDk2yNSIhfy1xbhywaW2M8uqjZiv2genKIXK7A6PtYKdBmn
rKnbUMzdmvNj1f7Ph1E4Gn0L5ChybJDJrq6wQjuTdZ6RmkGkbid0L+47Uv+6xBm9
hgBPVXd8auQAYGmyXZwvfga5ZjfRMI4wvWkvjOAQcJtxxgOnLT1KDjYV+L70PWul
bYoKX0sNkFEP9tOq2pD9XVBuTVQxcYeztv0Vz+kG66Ju1KKCAnUYFhRt055zZLfm
WDYlWm0BAoGBAPvGW9LvzwCDE9QUcR46nG1ZihheJyGKwWVK+ZjYkUU9nLbrIpOD
/jmihoHHhKBC6YOfHHY73LtZ22fgXEu6ivDzZtTxBErXbdRpEKktJebRK7gPkfsB
PNQ8CRd/DxRC/JuVFR76OPsbZWhXCaeC7PRdyAtvU9toT1jIQf+a4OhBAoGBAPyE
kxEoNO1KhWtgByUlsPzvq9PaTjwW/LpmEoo0FBUhYRPxYzVuYrE0BBflDR6JcMRR
oE9CXYGjtVPB44gT7pHVP09f3Ugrxk7X+t8wy3PWUTaTprmmEGqF0TzfdH4oQz0Y
v1khwuIu6rRlddGEiCKldXxn+gJy9E70yO4bm4tzAoGAL/XFIBVWVT6i1E9gjOWV
Tq8zwxiMU7Ney7DQgvEeGxZ1d9Kqr3cBQnFXNfmPpgeY+92fSlZ04atoRA1VB4ft
V6DGAeI3cxo+bavl5JQZGDLYJSOyJyJBOByHjtZBRRbNj8WCVHhNymeZlZqe2C30
fUgwBx2Z172y/7KF/+680QECgYEA1GhUKQ9wDdYsiliZSgb9bJXSLH8qZeNULRrl
J3mNFwUf2p2mvPAgdjxx4QOb2H716z1aIrGJZB4nzc9/LBzQBb2h5ouV4DpqMjH8
5bbuvH6fi9ABY5Irpt7vVUwFeoU1ofPqKPh8LLQYWywpQddAiBwzyjTQGTVHCg9f
4OI6Ib8CgYAptl24MGOc6BminKgsux+vNS9X1WwIADiHDyWBPHeQgLX8bYegswq9
/6uGXJQgdFBhfLuoTBBN0ia/0QQhDezzrqnERddciuL2zxFxEETdpIuxm4lhieX7
9LqnFcjxM4sLCg4SDSRX+nburiCnLDQiaBzhARooMJO48luTZUiWYQ==
-----END RSA PRIVATE KEY-----

19
e2e/testdata/notary/root-ca.cert vendored
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
sK8jZi441ojEJ7OaggGPheO3mCU=
-----END CERTIFICATE-----

17
e2e/trust/main_test.go
View File

@ -1,17 +0,0 @@
package trust
import (
"fmt"
"os"
"testing"
"github.com/docker/cli/internal/test/environment"
)
func TestMain(m *testing.M) {
if err := environment.Setup(); err != nil {
fmt.Println(err.Error())
os.Exit(3)
}
os.Exit(m.Run())
}

72
e2e/trust/revoke_test.go
View File

@ -1,72 +0,0 @@
package trust
import (
"testing"
"github.com/docker/cli/e2e/internal/fixtures"
"github.com/docker/cli/internal/test/environment"
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/fs"
"gotest.tools/v3/icmd"
"gotest.tools/v3/skip"
)
const (
revokeImage = "registry:5000/revoke:v1"
revokeRepo = "registry:5000/revokerepo"
)
func TestRevokeImage(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
setupTrustedImagesForRevoke(t, dir)
result := icmd.RunCmd(
icmd.Command("docker", "trust", "revoke", revokeImage),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithNotary, fixtures.WithConfig(dir.Path()))
result.Assert(t, icmd.Success)
assert.Check(t, is.Contains(result.Stdout(), "Successfully deleted signature for registry:5000/revoke:v1"))
}
func TestRevokeRepo(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
setupTrustedImagesForRevokeRepo(t, dir)
result := icmd.RunCmd(
icmd.Command("docker", "trust", "revoke", revokeRepo, "-y"),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithNotary, fixtures.WithConfig(dir.Path()))
result.Assert(t, icmd.Success)
assert.Check(t, is.Contains(result.Stdout(), "Successfully deleted signature for registry:5000/revoke"))
}
func setupTrustedImagesForRevoke(t *testing.T, dir fs.Dir) {
t.Helper()
icmd.RunCmd(icmd.Command("docker", "pull", fixtures.AlpineImage)).Assert(t, icmd.Success)
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, revokeImage).Assert(t, icmd.Success)
icmd.RunCmd(
icmd.Command("docker", "-D", "trust", "sign", revokeImage),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithConfig(dir.Path()), fixtures.WithNotary).Assert(t, icmd.Success)
}
func setupTrustedImagesForRevokeRepo(t *testing.T, dir fs.Dir) {
t.Helper()
icmd.RunCmd(icmd.Command("docker", "pull", fixtures.AlpineImage)).Assert(t, icmd.Success)
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, revokeRepo+":v1").Assert(t, icmd.Success)
icmd.RunCmd(
icmd.Command("docker", "-D", "trust", "sign", revokeRepo+":v1"),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithConfig(dir.Path()), fixtures.WithNotary).Assert(t, icmd.Success)
icmd.RunCmd(icmd.Command("docker", "pull", fixtures.BusyboxImage)).Assert(t, icmd.Success)
icmd.RunCommand("docker", "tag", fixtures.BusyboxImage, revokeRepo+":v2").Assert(t, icmd.Success)
icmd.RunCmd(
icmd.Command("docker", "-D", "trust", "sign", revokeRepo+":v2"),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithConfig(dir.Path()), fixtures.WithNotary).Assert(t, icmd.Success)
}

67
e2e/trust/sign_test.go
View File

@ -1,67 +0,0 @@
package trust
import (
"testing"
"github.com/docker/cli/e2e/internal/fixtures"
"github.com/docker/cli/internal/test/environment"
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/fs"
"gotest.tools/v3/icmd"
"gotest.tools/v3/skip"
)
const (
localImage = "registry:5000/signlocal:v1"
signImage = "registry:5000/sign:v1"
)
func TestSignLocalImage(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
// Digests in golden files are linux/amd64 specific.
// TODO: Fix this test and make it work on all platforms.
environment.SkipIfNotPlatform(t, "linux/amd64")
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
icmd.RunCmd(icmd.Command("docker", "pull", fixtures.AlpineImage)).Assert(t, icmd.Success)
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, signImage).Assert(t, icmd.Success)
result := icmd.RunCmd(
icmd.Command("docker", "trust", "sign", signImage),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithConfig(dir.Path()), fixtures.WithNotary)
result.Assert(t, icmd.Success)
assert.Check(t, is.Contains(result.Stdout(), "v1: digest: sha256:"+fixtures.AlpineSha))
}
func TestSignWithLocalFlag(t *testing.T) {
skip.If(t, environment.RemoteDaemon())
// Digests in golden files are linux/amd64 specific.
// TODO: Fix this test and make it work on all platforms.
environment.SkipIfNotPlatform(t, "linux/amd64")
dir := fixtures.SetupConfigFile(t)
defer dir.Remove()
setupTrustedImageForOverwrite(t, dir)
result := icmd.RunCmd(
icmd.Command("docker", "trust", "sign", "--local", localImage),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithConfig(dir.Path()), fixtures.WithNotary)
result.Assert(t, icmd.Success)
assert.Check(t, is.Contains(result.Stdout(), "v1: digest: sha256:"+fixtures.BusyboxSha))
}
func setupTrustedImageForOverwrite(t *testing.T, dir fs.Dir) {
t.Helper()
icmd.RunCmd(icmd.Command("docker", "pull", fixtures.AlpineImage)).Assert(t, icmd.Success)
icmd.RunCommand("docker", "tag", fixtures.AlpineImage, localImage).Assert(t, icmd.Success)
result := icmd.RunCmd(
icmd.Command("docker", "-D", "trust", "sign", localImage),
fixtures.WithPassphrase("root_password", "repo_password"),
fixtures.WithConfig(dir.Path()), fixtures.WithNotary)
result.Assert(t, icmd.Success)
assert.Check(t, is.Contains(result.Stdout(), "v1: digest: sha256:"+fixtures.AlpineSha))
icmd.RunCmd(icmd.Command("docker", "pull", fixtures.BusyboxImage)).Assert(t, icmd.Success)
icmd.RunCommand("docker", "tag", fixtures.BusyboxImage, localImage).Assert(t, icmd.Success)
}