github.com/nullne/docker@v1.13.0-rc1/integration-cli/docker_cli_authz_plugin_v2_test.go (about) 1 // +build !windows 2 3 package main 4 5 import ( 6 "fmt" 7 "strings" 8 9 "github.com/docker/docker/pkg/integration/checker" 10 "github.com/go-check/check" 11 ) 12 13 var ( 14 authzPluginName = "riyaz/authz-no-volume-plugin" 15 authzPluginTag = "latest" 16 authzPluginNameWithTag = authzPluginName + ":" + authzPluginTag 17 authzPluginBadManifestName = "riyaz/authz-plugin-bad-manifest" 18 nonexistentAuthzPluginName = "riyaz/nonexistent-authz-plugin" 19 ) 20 21 func init() { 22 check.Suite(&DockerAuthzV2Suite{ 23 ds: &DockerSuite{}, 24 }) 25 } 26 27 type DockerAuthzV2Suite struct { 28 ds *DockerSuite 29 d *Daemon 30 } 31 32 func (s *DockerAuthzV2Suite) SetUpTest(c *check.C) { 33 testRequires(c, DaemonIsLinux, Network) 34 s.d = NewDaemon(c) 35 c.Assert(s.d.Start(), check.IsNil) 36 } 37 38 func (s *DockerAuthzV2Suite) TearDownTest(c *check.C) { 39 s.d.Stop() 40 s.ds.TearDownTest(c) 41 } 42 43 func (s *DockerAuthzV2Suite) TestAuthZPluginAllowNonVolumeRequest(c *check.C) { 44 // Install authz plugin 45 _, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag) 46 c.Assert(err, checker.IsNil) 47 // start the daemon with the plugin and load busybox, --net=none build fails otherwise 48 // because it needs to pull busybox 49 c.Assert(s.d.Restart("--authorization-plugin="+authzPluginNameWithTag), check.IsNil) 50 c.Assert(s.d.LoadBusybox(), check.IsNil) 51 52 // defer disabling the plugin 53 defer func() { 54 c.Assert(s.d.Restart(), check.IsNil) 55 _, err = s.d.Cmd("plugin", "disable", authzPluginNameWithTag) 56 c.Assert(err, checker.IsNil) 57 _, err = s.d.Cmd("plugin", "rm", authzPluginNameWithTag) 58 c.Assert(err, checker.IsNil) 59 }() 60 61 // Ensure docker run command and accompanying docker ps are successful 62 out, err := s.d.Cmd("run", "-d", "busybox", "top") 63 c.Assert(err, check.IsNil) 64 65 id := strings.TrimSpace(out) 66 67 out, err = s.d.Cmd("ps") 68 c.Assert(err, check.IsNil) 69 c.Assert(assertContainerList(out, []string{id}), check.Equals, true) 70 } 71 72 func (s *DockerAuthzV2Suite) TestAuthZPluginRejectVolumeRequests(c *check.C) { 73 // Install authz plugin 74 _, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag) 75 c.Assert(err, checker.IsNil) 76 77 // restart the daemon with the plugin 78 c.Assert(s.d.Restart("--authorization-plugin="+authzPluginNameWithTag), check.IsNil) 79 80 // defer disabling the plugin 81 defer func() { 82 c.Assert(s.d.Restart(), check.IsNil) 83 _, err = s.d.Cmd("plugin", "disable", authzPluginNameWithTag) 84 c.Assert(err, checker.IsNil) 85 _, err = s.d.Cmd("plugin", "rm", authzPluginNameWithTag) 86 c.Assert(err, checker.IsNil) 87 }() 88 89 out, err := s.d.Cmd("volume", "create") 90 c.Assert(err, check.NotNil) 91 c.Assert(out, checker.Contains, fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)) 92 93 out, err = s.d.Cmd("volume", "ls") 94 c.Assert(err, check.NotNil) 95 c.Assert(out, checker.Contains, fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)) 96 97 // The plugin will block the command before it can determine the volume does not exist 98 out, err = s.d.Cmd("volume", "rm", "test") 99 c.Assert(err, check.NotNil) 100 c.Assert(out, checker.Contains, fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)) 101 102 out, err = s.d.Cmd("volume", "inspect", "test") 103 c.Assert(err, check.NotNil) 104 c.Assert(out, checker.Contains, fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)) 105 106 out, err = s.d.Cmd("volume", "prune", "-f") 107 c.Assert(err, check.NotNil) 108 c.Assert(out, checker.Contains, fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)) 109 } 110 111 func (s *DockerAuthzV2Suite) TestAuthZPluginBadManifestFailsDaemonStart(c *check.C) { 112 // Install authz plugin with bad manifest 113 _, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginBadManifestName) 114 c.Assert(err, checker.IsNil) 115 116 // start the daemon with the plugin, it will error 117 c.Assert(s.d.Restart("--authorization-plugin="+authzPluginBadManifestName), check.NotNil) 118 119 // restarting the daemon without requiring the plugin will succeed 120 c.Assert(s.d.Restart(), check.IsNil) 121 } 122 123 func (s *DockerAuthzV2Suite) TestNonexistentAuthZPluginFailsDaemonStart(c *check.C) { 124 // start the daemon with a non-existent authz plugin, it will error 125 c.Assert(s.d.Restart("--authorization-plugin="+nonexistentAuthzPluginName), check.NotNil) 126 127 // restarting the daemon without requiring the plugin will succeed 128 c.Assert(s.d.Restart(), check.IsNil) 129 }