github.com/blixtra/rkt@v0.8.1-0.20160204105720-ab0d1add1a43/tests/rkt_trust_test.go (about)

     1  // Copyright 2015 The rkt Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package main
    16  
    17  import (
    18  	"fmt"
    19  	"os"
    20  	"testing"
    21  
    22  	"github.com/coreos/rkt/tests/testutils"
    23  )
    24  
// runImage invokes "rkt run" on imageFile through the test context's rkt
// command and hands the resulting command line to runRktAndCheckOutput
// together with the expected output and the expected failure state.
//
// The command line built here contains no option that disables signature
// verification, so the trust tests that call it can observe signature and
// keystore errors in rkt's output.
// NOTE(review): ctx.Cmd() is defined elsewhere; confirm it does not add such an option.
func runImage(t *testing.T, ctx *testutils.RktRunCtx, imageFile string, expected string, shouldFail bool) {
	runRktAndCheckOutput(
		t,
		fmt.Sprintf(`%s --debug run --mds-register=false %s`, ctx.Cmd(), imageFile),
		expected,
		shouldFail,
	)
}
    29  
// TestTrust walks through the prefix-scoped key trust model of "rkt trust".
//
// Two images are built under different names (rkt-prefix.com/my-app and
// rkt-alternative.com/my-app) and both are signed with key 1. The test then
// checks, in order, that:
//
//   - an unsigned image is refused;
//   - a signed image is refused while its key is not trusted;
//   - trusting the key under a non-matching prefix does not help;
//   - trusting a different key (key 2) under the matching prefix does not help;
//   - trusting key 1 under the matching prefix allows only the image with
//     that name, and the other image stays refused;
//   - trusting key 1 under further unrelated prefixes changes nothing;
//   - trusting key 1 with an empty prefix (rkt trust --root) allows both.
//
// The steps share one rkt context, so the keystore state accumulates and the
// order of the steps is significant. The root trust step is the broadest
// grant and is therefore exercised last.
func TestTrust(t *testing.T) {
	// Every rejection caused by a missing or non-matching trusted key is
	// expected to surface this message.
	const unknownSigner = "openpgp: signature made by unknown entity"

	prefixImage := patchTestACI("rkt-inspect-trust1.aci", "--exec=/inspect --print-msg=Hello", "--name=rkt-prefix.com/my-app")
	defer os.Remove(prefixImage)

	altImage := patchTestACI("rkt-inspect-trust2.aci", "--exec=/inspect --print-msg=Hello", "--name=rkt-alternative.com/my-app")
	defer os.Remove(altImage)

	rktCtx := testutils.NewRktRunCtx()
	defer rktCtx.Cleanup()

	t.Logf("Run the non-signed image: it should fail\n")
	runImage(t, rktCtx, prefixImage, "error opening signature file", true)

	// Both images are signed with the same key (index 1), so any later
	// difference in acceptance comes from the trust prefix alone.
	t.Logf("Sign the images\n")
	prefixSig := runSignImage(t, prefixImage, 1)
	defer os.Remove(prefixSig)
	altSig := runSignImage(t, altImage, 1)
	defer os.Remove(altSig)

	t.Logf("Run the signed image without trusting the key: it should fail\n")
	runImage(t, rktCtx, prefixImage, unknownSigner, true)

	t.Logf("Trust the key with the wrong prefix\n")
	runRktTrust(t, rktCtx, "wrong-prefix.com/my-app", 1)

	t.Logf("Run a signed image with the key installed in the wrong prefix: it should fail\n")
	runImage(t, rktCtx, prefixImage, unknownSigner, true)

	t.Logf("Trust the key with the correct prefix, but wrong key\n")
	runRktTrust(t, rktCtx, "rkt-prefix.com/my-app", 2)

	t.Logf("Run a signed image with the wrong key installed: it should fail\n")
	runImage(t, rktCtx, prefixImage, unknownSigner, true)

	t.Logf("Trust the key with the correct prefix\n")
	runRktTrust(t, rktCtx, "rkt-prefix.com/my-app", 1)

	// The negative check on the second image is what shows that the trust
	// is scoped to the prefix and not granted to the key globally.
	t.Logf("Finally, run successfully the signed image\n")
	runImage(t, rktCtx, prefixImage, "Hello", false)
	runImage(t, rktCtx, altImage, unknownSigner, true)

	t.Logf("Trust the key on unrelated prefixes\n")
	runRktTrust(t, rktCtx, "foo.com", 1)
	runRktTrust(t, rktCtx, "example.com/my-app", 1)

	t.Logf("But still only the first image can be executed\n")
	runImage(t, rktCtx, prefixImage, "Hello", false)
	runImage(t, rktCtx, altImage, unknownSigner, true)

	// An empty prefix stands for root trust: the key becomes valid for
	// every image name, which is why the second image is accepted below.
	t.Logf("Trust the key for all images (rkt trust --root)\n")
	runRktTrust(t, rktCtx, "", 1)

	t.Logf("Now both images can be executed\n")
	runImage(t, rktCtx, prefixImage, "Hello", false)
	runImage(t, rktCtx, altImage, "Hello", false)
}