// Source: github.com/jiasir/docker@v1.3.3-0.20170609024000-252e610103e7/integration-cli/docker_cli_authz_plugin_v2_test.go

// +build !windows

package main

import (
	"fmt"
	"strings"

	"github.com/docker/docker/integration-cli/checker"
	"github.com/docker/docker/integration-cli/daemon"
	"github.com/go-check/check"
)

// Authorization plugins that the suite installs or names on the daemon
// command line.
//
// NOTE(review): every reference is a tag or a bare name, never a digest, and
// the installs below pass --grant-all-permissions. Whatever these names
// resolve to at test time is therefore granted every privilege it asks for on
// the test host. Pinning by digest, or mirroring the plugins into a registry
// the project controls, would make the run reproducible and narrow the
// supply-chain exposure of the CI machine.
var (
	authzPluginName            = "riyaz/authz-no-volume-plugin"
	authzPluginTag             = "latest"
	authzPluginNameWithTag     = authzPluginName + ":" + authzPluginTag
	authzPluginBadManifestName = "riyaz/authz-plugin-bad-manifest"
	nonexistentAuthzPluginName = "riyaz/nonexistent-authz-plugin"
)

// init registers the suite with go-check.
func init() {
	suite := &DockerAuthzV2Suite{ds: &DockerSuite{}}
	check.Suite(suite)
}

// DockerAuthzV2Suite exercises authorization plugins against a daemon that is
// created afresh for every test (see SetUpTest).
type DockerAuthzV2Suite struct {
	// ds is the DockerSuite whose TearDownTest is reused during teardown.
	ds *DockerSuite
	// d is the per-test daemon; nil until SetUpTest has run.
	d *daemon.Daemon
}

// SetUpTest creates and starts a dedicated daemon for the test, carrying the
// experimental setting reported by the test environment.
func (s *DockerAuthzV2Suite) SetUpTest(c *check.C) {
	testRequires(c, DaemonIsLinux, Network)

	cfg := daemon.Config{
		Experimental: testEnv.ExperimentalDaemon(),
	}
	s.d = daemon.New(c, dockerBinary, dockerdBinary, cfg)
	s.d.Start(c)
}

// TearDownTest stops the per-test daemon and then runs the DockerSuite
// teardown. It does nothing when no daemon was created.
func (s *DockerAuthzV2Suite) TearDownTest(c *check.C) {
	if s.d == nil {
		return
	}
	s.d.Stop(c)
	s.ds.TearDownTest(c)
}

// TestAuthZPluginAllowNonVolumeRequest checks that, with the authz plugin
// enforced by the daemon, `docker run` and `docker ps` still succeed and the
// new container shows up in the listing.
func (s *DockerAuthzV2Suite) TestAuthZPluginAllowNonVolumeRequest(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Install the plugin while the daemon is still running without it.
	_, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag)
	c.Assert(err, checker.IsNil)

	// Restart with the plugin enforced, then load busybox from the local
	// fixture; a --net=none build fails otherwise because it would need to
	// pull busybox.
	authzFlag := "--authorization-plugin=" + authzPluginNameWithTag
	s.d.Restart(c, authzFlag)
	c.Assert(s.d.LoadBusybox(), check.IsNil)

	// Cleanup: restart without the authorization flag, then disable and
	// remove the plugin.
	defer func() {
		s.d.Restart(c)
		_, disableErr := s.d.Cmd("plugin", "disable", authzPluginNameWithTag)
		c.Assert(disableErr, checker.IsNil)
		_, rmErr := s.d.Cmd("plugin", "rm", authzPluginNameWithTag)
		c.Assert(rmErr, checker.IsNil)
	}()

	// docker run and the accompanying docker ps must both succeed.
	runOut, err := s.d.Cmd("run", "-d", "busybox", "top")
	c.Assert(err, check.IsNil)
	containerID := strings.TrimSpace(runOut)

	psOut, err := s.d.Cmd("ps")
	c.Assert(err, check.IsNil)
	c.Assert(assertContainerList(psOut, []string{containerID}), check.Equals, true)
}

// TestAuthZPluginDisable checks that a volume request rejected while the
// plugin is enabled succeeds once the plugin has been disabled on the running
// daemon.
//
// NOTE(review): the test only shows the second request succeeding; that the
// daemon stops consulting a disabled plugin is inferred from that. The
// practical consequence is that any client the policy allows to call
// `plugin disable` can switch enforcement off, so a production policy should
// cover the plugin-management endpoints as well.
func (s *DockerAuthzV2Suite) TestAuthZPluginDisable(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Install the plugin while the daemon is still running without it.
	_, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag)
	c.Assert(err, checker.IsNil)

	// Restart with the plugin enforced, then load busybox from the local
	// fixture; a --net=none build fails otherwise because it would need to
	// pull busybox.
	authzFlag := "--authorization-plugin=" + authzPluginNameWithTag
	s.d.Restart(c, authzFlag)
	c.Assert(s.d.LoadBusybox(), check.IsNil)

	// Cleanup: restart without the authorization flag and force-remove the
	// plugin.
	defer func() {
		s.d.Restart(c)
		_, rmErr := s.d.Cmd("plugin", "rm", "-f", authzPluginNameWithTag)
		c.Assert(rmErr, checker.IsNil)
	}()

	// With the plugin enabled, creating a volume is rejected and the error
	// names the plugin.
	denied := fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)
	createOut, err := s.d.Cmd("volume", "create")
	c.Assert(err, check.NotNil)
	c.Assert(createOut, checker.Contains, denied)

	// Disable the plugin on the running daemon.
	_, err = s.d.Cmd("plugin", "disable", authzPluginNameWithTag)
	c.Assert(err, checker.IsNil)

	// The same API call now goes through.
	_, err = s.d.Cmd("volume", "create")
	c.Assert(err, checker.IsNil)
}

// TestAuthZPluginRejectVolumeRequests checks that every volume subcommand
// issued here (create, ls, rm, inspect, prune) fails with an error that names
// the authz plugin.
func (s *DockerAuthzV2Suite) TestAuthZPluginRejectVolumeRequests(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Install the plugin while the daemon is still running without it.
	_, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag)
	c.Assert(err, checker.IsNil)

	// Restart the daemon with the plugin enforced.
	authzFlag := "--authorization-plugin=" + authzPluginNameWithTag
	s.d.Restart(c, authzFlag)

	// Cleanup: restart without the authorization flag, then disable and
	// remove the plugin.
	defer func() {
		s.d.Restart(c)
		_, disableErr := s.d.Cmd("plugin", "disable", authzPluginNameWithTag)
		c.Assert(disableErr, checker.IsNil)
		_, rmErr := s.d.Cmd("plugin", "rm", authzPluginNameWithTag)
		c.Assert(rmErr, checker.IsNil)
	}()

	// Every rejection is expected to carry this message.
	denied := fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)

	out, err := s.d.Cmd("volume", "create")
	c.Assert(err, check.NotNil)
	c.Assert(out, checker.Contains, denied)

	out, err = s.d.Cmd("volume", "ls")
	c.Assert(err, check.NotNil)
	c.Assert(out, checker.Contains, denied)

	// The plugin blocks the command before the daemon can determine that the
	// volume does not exist, so the error is the plugin's and not a
	// "no such volume" one.
	out, err = s.d.Cmd("volume", "rm", "test")
	c.Assert(err, check.NotNil)
	c.Assert(out, checker.Contains, denied)

	out, err = s.d.Cmd("volume", "inspect", "test")
	c.Assert(err, check.NotNil)
	c.Assert(out, checker.Contains, denied)

	out, err = s.d.Cmd("volume", "prune", "-f")
	c.Assert(err, check.NotNil)
	c.Assert(out, checker.Contains, denied)
}

// TestAuthZPluginBadManifestFailsDaemonStart checks that the daemon refuses
// to start when the configured authorization plugin has a bad manifest. In
// other words it fails closed and does not come up without authorization.
func (s *DockerAuthzV2Suite) TestAuthZPluginBadManifestFailsDaemonStart(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Installing the plugin with the bad manifest is itself expected to work.
	_, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginBadManifestName)
	c.Assert(err, checker.IsNil)

	// Requiring that plugin at daemon start must produce an error.
	startErr := s.d.RestartWithError("--authorization-plugin=" + authzPluginBadManifestName)
	c.Assert(startErr, check.NotNil)

	// Restarting the daemon without requiring the plugin succeeds.
	s.d.Restart(c)
}

// TestNonexistentAuthZPluginFailsDaemonStart checks that the daemon refuses
// to start when the configured authorization plugin does not exist.
func (s *DockerAuthzV2Suite) TestNonexistentAuthZPluginFailsDaemonStart(c *check.C) {
	testRequires(c, DaemonIsLinux, Network)

	// Requiring a plugin that was never installed must produce an error.
	startErr := s.d.RestartWithError("--authorization-plugin=" + nonexistentAuthzPluginName)
	c.Assert(startErr, check.NotNil)

	// Starting the daemon without requiring the plugin succeeds.
	s.d.Start(c)
}