github.com/flavio/docker@v0.1.3-0.20170117145210-f63d1a6eec47/integration-cli/docker_cli_push_test.go (about) 1 package main 2 3 import ( 4 "archive/tar" 5 "fmt" 6 "io/ioutil" 7 "net/http" 8 "net/http/httptest" 9 "os" 10 "path/filepath" 11 "strings" 12 "sync" 13 "time" 14 15 "github.com/docker/distribution/reference" 16 cliconfig "github.com/docker/docker/cli/config" 17 "github.com/docker/docker/integration-cli/checker" 18 "github.com/docker/docker/pkg/testutil" 19 icmd "github.com/docker/docker/pkg/testutil/cmd" 20 "github.com/go-check/check" 21 ) 22 23 // Pushing an image to a private registry. 24 func testPushBusyboxImage(c *check.C) { 25 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 26 // tag the image to upload it to the private registry 27 dockerCmd(c, "tag", "busybox", repoName) 28 // push the image to the registry 29 dockerCmd(c, "push", repoName) 30 } 31 32 func (s *DockerRegistrySuite) TestPushBusyboxImage(c *check.C) { 33 testPushBusyboxImage(c) 34 } 35 36 func (s *DockerSchema1RegistrySuite) TestPushBusyboxImage(c *check.C) { 37 testPushBusyboxImage(c) 38 } 39 40 // pushing an image without a prefix should throw an error 41 func (s *DockerSuite) TestPushUnprefixedRepo(c *check.C) { 42 out, _, err := dockerCmdWithError("push", "busybox") 43 c.Assert(err, check.NotNil, check.Commentf("pushing an unprefixed repo didn't result in a non-zero exit status: %s", out)) 44 } 45 46 func testPushUntagged(c *check.C) { 47 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 48 expected := "An image does not exist locally with the tag" 49 50 out, _, err := dockerCmdWithError("push", repoName) 51 c.Assert(err, check.NotNil, check.Commentf("pushing the image to the private registry should have failed: output %q", out)) 52 c.Assert(out, checker.Contains, expected, check.Commentf("pushing the image failed")) 53 } 54 55 func (s *DockerRegistrySuite) TestPushUntagged(c *check.C) { 56 testPushUntagged(c) 57 } 58 59 func (s *DockerSchema1RegistrySuite) TestPushUntagged(c *check.C) { 60 testPushUntagged(c) 61 } 62 63 func testPushBadTag(c *check.C) { 64 repoName := fmt.Sprintf("%v/dockercli/busybox:latest", privateRegistryURL) 65 expected := "does not exist" 66 67 out, _, err := dockerCmdWithError("push", repoName) 68 c.Assert(err, check.NotNil, check.Commentf("pushing the image to the private registry should have failed: output %q", out)) 69 c.Assert(out, checker.Contains, expected, check.Commentf("pushing the image failed")) 70 } 71 72 func (s *DockerRegistrySuite) TestPushBadTag(c *check.C) { 73 testPushBadTag(c) 74 } 75 76 func (s *DockerSchema1RegistrySuite) TestPushBadTag(c *check.C) { 77 testPushBadTag(c) 78 } 79 80 func testPushMultipleTags(c *check.C) { 81 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 82 repoTag1 := fmt.Sprintf("%v/dockercli/busybox:t1", privateRegistryURL) 83 repoTag2 := fmt.Sprintf("%v/dockercli/busybox:t2", privateRegistryURL) 84 // tag the image and upload it to the private registry 85 dockerCmd(c, "tag", "busybox", repoTag1) 86 87 dockerCmd(c, "tag", "busybox", repoTag2) 88 89 dockerCmd(c, "push", repoName) 90 91 // Ensure layer list is equivalent for repoTag1 and repoTag2 92 out1, _ := dockerCmd(c, "pull", repoTag1) 93 94 imageAlreadyExists := ": Image already exists" 95 var out1Lines []string 96 for _, outputLine := range strings.Split(out1, "\n") { 97 if strings.Contains(outputLine, imageAlreadyExists) { 98 out1Lines = append(out1Lines, outputLine) 99 } 100 } 101 102 out2, _ := dockerCmd(c, "pull", repoTag2) 103 104 var out2Lines []string 105 for _, outputLine := range strings.Split(out2, "\n") { 106 if strings.Contains(outputLine, imageAlreadyExists) { 107 out1Lines = append(out1Lines, outputLine) 108 } 109 } 110 c.Assert(out2Lines, checker.HasLen, len(out1Lines)) 111 112 for i := range out1Lines { 113 c.Assert(out1Lines[i], checker.Equals, out2Lines[i]) 114 } 115 } 116 117 func (s *DockerRegistrySuite) TestPushMultipleTags(c *check.C) { 118 testPushMultipleTags(c) 119 } 120 121 func (s *DockerSchema1RegistrySuite) TestPushMultipleTags(c *check.C) { 122 testPushMultipleTags(c) 123 } 124 125 func testPushEmptyLayer(c *check.C) { 126 repoName := fmt.Sprintf("%v/dockercli/emptylayer", privateRegistryURL) 127 emptyTarball, err := ioutil.TempFile("", "empty_tarball") 128 c.Assert(err, check.IsNil, check.Commentf("Unable to create test file")) 129 130 tw := tar.NewWriter(emptyTarball) 131 err = tw.Close() 132 c.Assert(err, check.IsNil, check.Commentf("Error creating empty tarball")) 133 134 freader, err := os.Open(emptyTarball.Name()) 135 c.Assert(err, check.IsNil, check.Commentf("Could not open test tarball")) 136 defer freader.Close() 137 138 icmd.RunCmd(icmd.Cmd{ 139 Command: []string{dockerBinary, "import", "-", repoName}, 140 Stdin: freader, 141 }).Assert(c, icmd.Success) 142 143 // Now verify we can push it 144 out, _, err := dockerCmdWithError("push", repoName) 145 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out)) 146 } 147 148 func (s *DockerRegistrySuite) TestPushEmptyLayer(c *check.C) { 149 testPushEmptyLayer(c) 150 } 151 152 func (s *DockerSchema1RegistrySuite) TestPushEmptyLayer(c *check.C) { 153 testPushEmptyLayer(c) 154 } 155 156 // testConcurrentPush pushes multiple tags to the same repo 157 // concurrently. 158 func testConcurrentPush(c *check.C) { 159 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 160 161 repos := []string{} 162 for _, tag := range []string{"push1", "push2", "push3"} { 163 repo := fmt.Sprintf("%v:%v", repoName, tag) 164 _, err := buildImage(repo, fmt.Sprintf(` 165 FROM busybox 166 ENTRYPOINT ["/bin/echo"] 167 ENV FOO foo 168 ENV BAR bar 169 CMD echo %s 170 `, repo), true) 171 c.Assert(err, checker.IsNil) 172 repos = append(repos, repo) 173 } 174 175 // Push tags, in parallel 176 results := make(chan error) 177 178 for _, repo := range repos { 179 go func(repo string) { 180 result := icmd.RunCommand(dockerBinary, "push", repo) 181 results <- result.Error 182 }(repo) 183 } 184 185 for range repos { 186 err := <-results 187 c.Assert(err, checker.IsNil, check.Commentf("concurrent push failed with error: %v", err)) 188 } 189 190 // Clear local images store. 191 args := append([]string{"rmi"}, repos...) 192 dockerCmd(c, args...) 193 194 // Re-pull and run individual tags, to make sure pushes succeeded 195 for _, repo := range repos { 196 dockerCmd(c, "pull", repo) 197 dockerCmd(c, "inspect", repo) 198 out, _ := dockerCmd(c, "run", "--rm", repo) 199 c.Assert(strings.TrimSpace(out), checker.Equals, "/bin/sh -c echo "+repo) 200 } 201 } 202 203 func (s *DockerRegistrySuite) TestConcurrentPush(c *check.C) { 204 testConcurrentPush(c) 205 } 206 207 func (s *DockerSchema1RegistrySuite) TestConcurrentPush(c *check.C) { 208 testConcurrentPush(c) 209 } 210 211 func (s *DockerRegistrySuite) TestCrossRepositoryLayerPush(c *check.C) { 212 sourceRepoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 213 // tag the image to upload it to the private registry 214 dockerCmd(c, "tag", "busybox", sourceRepoName) 215 // push the image to the registry 216 out1, _, err := dockerCmdWithError("push", sourceRepoName) 217 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out1)) 218 // ensure that none of the layers were mounted from another repository during push 219 c.Assert(strings.Contains(out1, "Mounted from"), check.Equals, false) 220 221 digest1 := reference.DigestRegexp.FindString(out1) 222 c.Assert(len(digest1), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 223 224 destRepoName := fmt.Sprintf("%v/dockercli/crossrepopush", privateRegistryURL) 225 // retag the image to upload the same layers to another repo in the same registry 226 dockerCmd(c, "tag", "busybox", destRepoName) 227 // push the image to the registry 228 out2, _, err := dockerCmdWithError("push", destRepoName) 229 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2)) 230 // ensure that layers were mounted from the first repo during push 231 c.Assert(strings.Contains(out2, "Mounted from dockercli/busybox"), check.Equals, true) 232 233 digest2 := reference.DigestRegexp.FindString(out2) 234 c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 235 c.Assert(digest1, check.Equals, digest2) 236 237 // ensure that pushing again produces the same digest 238 out3, _, err := dockerCmdWithError("push", destRepoName) 239 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2)) 240 241 digest3 := reference.DigestRegexp.FindString(out3) 242 c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 243 c.Assert(digest3, check.Equals, digest2) 244 245 // ensure that we can pull and run the cross-repo-pushed repository 246 dockerCmd(c, "rmi", destRepoName) 247 dockerCmd(c, "pull", destRepoName) 248 out4, _ := dockerCmd(c, "run", destRepoName, "echo", "-n", "hello world") 249 c.Assert(out4, check.Equals, "hello world") 250 } 251 252 func (s *DockerSchema1RegistrySuite) TestCrossRepositoryLayerPushNotSupported(c *check.C) { 253 sourceRepoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 254 // tag the image to upload it to the private registry 255 dockerCmd(c, "tag", "busybox", sourceRepoName) 256 // push the image to the registry 257 out1, _, err := dockerCmdWithError("push", sourceRepoName) 258 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out1)) 259 // ensure that none of the layers were mounted from another repository during push 260 c.Assert(strings.Contains(out1, "Mounted from"), check.Equals, false) 261 262 digest1 := reference.DigestRegexp.FindString(out1) 263 c.Assert(len(digest1), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 264 265 destRepoName := fmt.Sprintf("%v/dockercli/crossrepopush", privateRegistryURL) 266 // retag the image to upload the same layers to another repo in the same registry 267 dockerCmd(c, "tag", "busybox", destRepoName) 268 // push the image to the registry 269 out2, _, err := dockerCmdWithError("push", destRepoName) 270 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2)) 271 // schema1 registry should not support cross-repo layer mounts, so ensure that this does not happen 272 c.Assert(strings.Contains(out2, "Mounted from"), check.Equals, false) 273 274 digest2 := reference.DigestRegexp.FindString(out2) 275 c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 276 c.Assert(digest1, check.Not(check.Equals), digest2) 277 278 // ensure that we can pull and run the second pushed repository 279 dockerCmd(c, "rmi", destRepoName) 280 dockerCmd(c, "pull", destRepoName) 281 out3, _ := dockerCmd(c, "run", destRepoName, "echo", "-n", "hello world") 282 c.Assert(out3, check.Equals, "hello world") 283 } 284 285 func (s *DockerTrustSuite) TestTrustedPush(c *check.C) { 286 repoName := fmt.Sprintf("%v/dockerclitrusted/pushtest:latest", privateRegistryURL) 287 // tag the image and upload it to the private registry 288 dockerCmd(c, "tag", "busybox", repoName) 289 290 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 291 292 // Try pull after push 293 icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ 294 Out: "Status: Image is up to date", 295 }) 296 297 // Assert that we rotated the snapshot key to the server by checking our local keystore 298 contents, err := ioutil.ReadDir(filepath.Join(cliconfig.Dir(), "trust/private/tuf_keys", privateRegistryURL, "dockerclitrusted/pushtest")) 299 c.Assert(err, check.IsNil, check.Commentf("Unable to read local tuf key files")) 300 // Check that we only have 1 key (targets key) 301 c.Assert(contents, checker.HasLen, 1) 302 } 303 304 func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) { 305 repoName := fmt.Sprintf("%v/dockerclienv/trusted:latest", privateRegistryURL) 306 // tag the image and upload it to the private registry 307 dockerCmd(c, "tag", "busybox", repoName) 308 309 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithPassphrases("12345678", "12345678")).Assert(c, SuccessSigningAndPushing) 310 311 // Try pull after push 312 icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ 313 Out: "Status: Image is up to date", 314 }) 315 } 316 317 func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) { 318 repoName := fmt.Sprintf("%v/dockerclitrusted/failingserver:latest", privateRegistryURL) 319 // tag the image and upload it to the private registry 320 dockerCmd(c, "tag", "busybox", repoName) 321 322 // Using a name that doesn't resolve to an address makes this test faster 323 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithServer("https://server.invalid:81/")).Assert(c, icmd.Expected{ 324 ExitCode: 1, 325 Err: "error contacting notary server", 326 }) 327 } 328 329 func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) { 330 repoName := fmt.Sprintf("%v/dockerclitrusted/trustedandnot:latest", privateRegistryURL) 331 // tag the image and upload it to the private registry 332 dockerCmd(c, "tag", "busybox", repoName) 333 334 result := icmd.RunCmd(icmd.Command(dockerBinary, "push", "--disable-content-trust", repoName), trustedCmdWithServer("https://server.invalid:81/")) 335 result.Assert(c, icmd.Success) 336 c.Assert(result.Combined(), check.Not(checker.Contains), "Error establishing connection to notary repository", check.Commentf("Missing expected output on trusted push with --disable-content-trust:")) 337 } 338 339 func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) { 340 repoName := fmt.Sprintf("%v/dockerclitag/trusted:latest", privateRegistryURL) 341 // tag the image and upload it to the private registry 342 dockerCmd(c, "tag", "busybox", repoName) 343 dockerCmd(c, "push", repoName) 344 345 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 346 347 // Try pull after push 348 icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ 349 Out: "Status: Image is up to date", 350 }) 351 } 352 353 func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) { 354 repoName := fmt.Sprintf("%v/dockerclipushpush/trusted:latest", privateRegistryURL) 355 // tag the image and upload it to the private registry 356 dockerCmd(c, "tag", "busybox", repoName) 357 358 // Do a trusted push 359 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 360 361 // Do another trusted push 362 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 363 dockerCmd(c, "rmi", repoName) 364 365 // Try pull to ensure the double push did not break our ability to pull 366 icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessDownloaded) 367 } 368 369 func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *check.C) { 370 repoName := fmt.Sprintf("%v/dockercliincorretpwd/trusted:latest", privateRegistryURL) 371 // tag the image and upload it to the private registry 372 dockerCmd(c, "tag", "busybox", repoName) 373 374 // Push with default passphrases 375 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 376 377 // Push with wrong passphrases 378 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithPassphrases("12345678", "87654321")).Assert(c, icmd.Expected{ 379 ExitCode: 1, 380 Err: "could not find necessary signing keys", 381 }) 382 } 383 384 func (s *DockerTrustSuite) TestTrustedPushWithExpiredSnapshot(c *check.C) { 385 c.Skip("Currently changes system time, causing instability") 386 repoName := fmt.Sprintf("%v/dockercliexpiredsnapshot/trusted:latest", privateRegistryURL) 387 // tag the image and upload it to the private registry 388 dockerCmd(c, "tag", "busybox", repoName) 389 390 // Push with default passphrases 391 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 392 393 // Snapshots last for three years. This should be expired 394 fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4) 395 396 testutil.RunAtDifferentDate(fourYearsLater, func() { 397 // Push with wrong passphrases 398 icmd.RunCmd(icmd.Cmd{ 399 Command: []string{dockerBinary, "push", repoName}, 400 }, trustedCmd).Assert(c, icmd.Expected{ 401 ExitCode: 1, 402 Err: "repository out-of-date", 403 }) 404 }) 405 } 406 407 func (s *DockerTrustSuite) TestTrustedPushWithExpiredTimestamp(c *check.C) { 408 c.Skip("Currently changes system time, causing instability") 409 repoName := fmt.Sprintf("%v/dockercliexpiredtimestamppush/trusted:latest", privateRegistryURL) 410 // tag the image and upload it to the private registry 411 dockerCmd(c, "tag", "busybox", repoName) 412 413 // Push with default passphrases 414 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 415 416 // The timestamps expire in two weeks. Lets check three 417 threeWeeksLater := time.Now().Add(time.Hour * 24 * 21) 418 419 // Should succeed because the server transparently re-signs one 420 testutil.RunAtDifferentDate(threeWeeksLater, func() { 421 icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), 422 trustedCmd).Assert(c, SuccessSigningAndPushing) 423 }) 424 } 425 426 func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) { 427 testRequires(c, NotaryHosting) 428 repoName := fmt.Sprintf("%v/dockerclireleasedelegationinitfirst/trusted", privateRegistryURL) 429 targetName := fmt.Sprintf("%s:latest", repoName) 430 s.notaryInitRepo(c, repoName) 431 s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public) 432 s.notaryPublish(c, repoName) 433 434 s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private) 435 436 // tag the image and upload it to the private registry 437 dockerCmd(c, "tag", "busybox", targetName) 438 439 icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) 440 // check to make sure that the target has been added to targets/releases and not targets 441 s.assertTargetInRoles(c, repoName, "latest", "targets/releases") 442 s.assertTargetNotInRoles(c, repoName, "latest", "targets") 443 444 // Try pull after push 445 os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust")) 446 447 icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{ 448 Out: "Status: Image is up to date", 449 }) 450 } 451 452 func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c *check.C) { 453 testRequires(c, NotaryHosting) 454 repoName := fmt.Sprintf("%v/dockerclimanyroles/trusted", privateRegistryURL) 455 targetName := fmt.Sprintf("%s:latest", repoName) 456 s.notaryInitRepo(c, repoName) 457 s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public) 458 s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public) 459 s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public) 460 461 // import everything except the third key 462 s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private) 463 s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private) 464 465 s.notaryCreateDelegation(c, repoName, "targets/role1/subrole", s.not.keys[3].Public) 466 s.notaryImportKey(c, repoName, "targets/role1/subrole", s.not.keys[3].Private) 467 468 s.notaryPublish(c, repoName) 469 470 // tag the image and upload it to the private registry 471 dockerCmd(c, "tag", "busybox", targetName) 472 473 icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) 474 475 // check to make sure that the target has been added to targets/role1 and targets/role2, and 476 // not targets (because there are delegations) or targets/role3 (due to missing key) or 477 // targets/role1/subrole (due to it being a second level delegation) 478 s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role2") 479 s.assertTargetNotInRoles(c, repoName, "latest", "targets") 480 481 // Try pull after push 482 os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust")) 483 484 // pull should fail because none of these are the releases role 485 icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{ 486 ExitCode: 1, 487 }) 488 } 489 490 func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *check.C) { 491 repoName := fmt.Sprintf("%v/dockerclirolesbykeysandpaths/trusted", privateRegistryURL) 492 targetName := fmt.Sprintf("%s:latest", repoName) 493 s.notaryInitRepo(c, repoName) 494 s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public, "l", "z") 495 s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public, "x", "y") 496 s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public, "latest") 497 s.notaryCreateDelegation(c, repoName, "targets/role4", s.not.keys[3].Public, "latest") 498 499 // import everything except the third key 500 s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private) 501 s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private) 502 s.notaryImportKey(c, repoName, "targets/role4", s.not.keys[3].Private) 503 504 s.notaryPublish(c, repoName) 505 506 // tag the image and upload it to the private registry 507 dockerCmd(c, "tag", "busybox", targetName) 508 509 icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) 510 511 // check to make sure that the target has been added to targets/role1 and targets/role4, and 512 // not targets (because there are delegations) or targets/role2 (due to path restrictions) or 513 // targets/role3 (due to missing key) 514 s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role4") 515 s.assertTargetNotInRoles(c, repoName, "latest", "targets") 516 517 // Try pull after push 518 os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust")) 519 520 // pull should fail because none of these are the releases role 521 icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{ 522 ExitCode: 1, 523 }) 524 } 525 526 func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c *check.C) { 527 testRequires(c, NotaryHosting) 528 repoName := fmt.Sprintf("%v/dockerclireleasedelegationnotsignable/trusted", privateRegistryURL) 529 targetName := fmt.Sprintf("%s:latest", repoName) 530 s.notaryInitRepo(c, repoName) 531 s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public) 532 s.notaryPublish(c, repoName) 533 534 // do not import any delegations key 535 536 // tag the image and upload it to the private registry 537 dockerCmd(c, "tag", "busybox", targetName) 538 539 icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Expected{ 540 ExitCode: 1, 541 Err: "no valid signing keys", 542 }) 543 s.assertTargetNotInRoles(c, repoName, "latest", "targets", "targets/role1") 544 } 545 546 func (s *DockerRegistryAuthHtpasswdSuite) TestPushNoCredentialsNoRetry(c *check.C) { 547 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 548 dockerCmd(c, "tag", "busybox", repoName) 549 out, _, err := dockerCmdWithError("push", repoName) 550 c.Assert(err, check.NotNil, check.Commentf(out)) 551 c.Assert(out, check.Not(checker.Contains), "Retrying") 552 c.Assert(out, checker.Contains, "no basic auth credentials") 553 } 554 555 // This may be flaky but it's needed not to regress on unauthorized push, see #21054 556 func (s *DockerSuite) TestPushToCentralRegistryUnauthorized(c *check.C) { 557 testRequires(c, Network) 558 repoName := "test/busybox" 559 dockerCmd(c, "tag", "busybox", repoName) 560 out, _, err := dockerCmdWithError("push", repoName) 561 c.Assert(err, check.NotNil, check.Commentf(out)) 562 c.Assert(out, check.Not(checker.Contains), "Retrying") 563 } 564 565 func getTestTokenService(status int, body string, retries int) *httptest.Server { 566 var mu sync.Mutex 567 return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 568 mu.Lock() 569 if retries > 0 { 570 w.WriteHeader(http.StatusServiceUnavailable) 571 w.Header().Set("Content-Type", "application/json") 572 w.Write([]byte(`{"errors":[{"code":"UNAVAILABLE","message":"cannot create token at this time"}]}`)) 573 retries-- 574 } else { 575 w.WriteHeader(status) 576 w.Header().Set("Content-Type", "application/json") 577 w.Write([]byte(body)) 578 } 579 mu.Unlock() 580 })) 581 } 582 583 func (s *DockerRegistryAuthTokenSuite) TestPushTokenServiceUnauthResponse(c *check.C) { 584 ts := getTestTokenService(http.StatusUnauthorized, `{"errors": [{"Code":"UNAUTHORIZED", "message": "a message", "detail": null}]}`, 0) 585 defer ts.Close() 586 s.setupRegistryWithTokenService(c, ts.URL) 587 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 588 dockerCmd(c, "tag", "busybox", repoName) 589 out, _, err := dockerCmdWithError("push", repoName) 590 c.Assert(err, check.NotNil, check.Commentf(out)) 591 c.Assert(out, checker.Not(checker.Contains), "Retrying") 592 c.Assert(out, checker.Contains, "unauthorized: a message") 593 } 594 595 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnauthorized(c *check.C) { 596 ts := getTestTokenService(http.StatusUnauthorized, `{"error": "unauthorized"}`, 0) 597 defer ts.Close() 598 s.setupRegistryWithTokenService(c, ts.URL) 599 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 600 dockerCmd(c, "tag", "busybox", repoName) 601 out, _, err := dockerCmdWithError("push", repoName) 602 c.Assert(err, check.NotNil, check.Commentf(out)) 603 c.Assert(out, checker.Not(checker.Contains), "Retrying") 604 split := strings.Split(out, "\n") 605 c.Assert(split[len(split)-2], check.Equals, "unauthorized: authentication required") 606 } 607 608 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseError(c *check.C) { 609 ts := getTestTokenService(http.StatusTooManyRequests, `{"errors": [{"code":"TOOMANYREQUESTS","message":"out of tokens"}]}`, 4) 610 defer ts.Close() 611 s.setupRegistryWithTokenService(c, ts.URL) 612 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 613 dockerCmd(c, "tag", "busybox", repoName) 614 out, _, err := dockerCmdWithError("push", repoName) 615 c.Assert(err, check.NotNil, check.Commentf(out)) 616 c.Assert(out, checker.Contains, "Retrying") 617 c.Assert(out, checker.Not(checker.Contains), "Retrying in 15") 618 split := strings.Split(out, "\n") 619 c.Assert(split[len(split)-2], check.Equals, "toomanyrequests: out of tokens") 620 } 621 622 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnparsable(c *check.C) { 623 ts := getTestTokenService(http.StatusForbidden, `no way`, 0) 624 defer ts.Close() 625 s.setupRegistryWithTokenService(c, ts.URL) 626 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 627 dockerCmd(c, "tag", "busybox", repoName) 628 out, _, err := dockerCmdWithError("push", repoName) 629 c.Assert(err, check.NotNil, check.Commentf(out)) 630 c.Assert(out, checker.Not(checker.Contains), "Retrying") 631 split := strings.Split(out, "\n") 632 c.Assert(split[len(split)-2], checker.Contains, "error parsing HTTP 403 response body: ") 633 } 634 635 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseNoToken(c *check.C) { 636 ts := getTestTokenService(http.StatusOK, `{"something": "wrong"}`, 0) 637 defer ts.Close() 638 s.setupRegistryWithTokenService(c, ts.URL) 639 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 640 dockerCmd(c, "tag", "busybox", repoName) 641 out, _, err := dockerCmdWithError("push", repoName) 642 c.Assert(err, check.NotNil, check.Commentf(out)) 643 c.Assert(out, checker.Not(checker.Contains), "Retrying") 644 split := strings.Split(out, "\n") 645 c.Assert(split[len(split)-2], check.Equals, "authorization server did not include a token in the response") 646 }