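// Source: github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/cli/e2e/container/create_test.go

package container

import (
	"fmt"
	"strings"
	"testing"

	"github.com/docker/cli/e2e/internal/fixtures"
	"github.com/docker/cli/internal/test/environment"
	"gotest.tools/v3/icmd"
	"gotest.tools/v3/skip"
)

// TestCreateWithContentTrust runs `docker create` on a fixture image with the
// trust and notary options applied and checks that stderr reports the image
// being tagged by digest ("Tagging <repo>@sha..."), i.e. that the CLI printed a
// digest-pinned reference rather than only the mutable tag.
//
// The test is skipped when environment.RemoteDaemon() reports a remote daemon.
func TestCreateWithContentTrust(t *testing.T) {
	skip.If(t, environment.RemoteDaemon())

	dir := fixtures.SetupConfigFile(t)
	defer dir.Remove()
	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-create", "latest")

	// Remove the image again once the test is done; the cleanup itself is
	// asserted so a leftover image shows up as a failure.
	defer func() {
		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
	}()

	result := icmd.RunCmd(
		icmd.Command("docker", "create", image),
		fixtures.WithConfig(dir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotary,
	)

	// The fixture is asked for the tag "latest"; the expected message names the
	// repository without that tag. TrimSuffix replaces the former
	// image[:len(image)-7] slice, which hard-coded len(":latest") and would
	// panic on a shorter string.
	repo := strings.TrimSuffix(image, ":latest")

	// ExitCode is left at its zero value, so the command must also succeed.
	// icmd matches Err as a substring of stderr.
	result.Assert(t, icmd.Expected{
		Err: fmt.Sprintf("Tagging %s@sha", repo),
	})
}

// TestTrustedCreateFromUnreachableTrustServer checks the fail-closed path: with
// the trust option applied and the notary server set to a host under the
// reserved ".invalid" TLD (which never resolves), `docker create` must exit 1
// with "error contacting notary server" instead of creating the container from
// an unverified image.
func TestTrustedCreateFromUnreachableTrustServer(t *testing.T) {
	dir := fixtures.SetupConfigFile(t)
	defer dir.Remove()
	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-create", "latest")

	result := icmd.RunCmd(
		icmd.Command("docker", "create", image),
		fixtures.WithConfig(dir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotaryServer("https://notary.invalid"),
	)
	result.Assert(t, icmd.Expected{
		ExitCode: 1,
		Err:      "error contacting notary server",
	})
}

// TestTrustedCreateFromBadTrustServer checks that a client which has already
// used a repository through the regular notary server refuses trust data for
// the same image name served by a different notary server
// (fixtures.EvilNotaryURL).
//
// Sequence:
//  1. Push and create the image with the original config dir and the regular
//     notary server, so that client has seen the repository once.
//  2. With a second config dir bound to fixtures.EvilNotaryURL, push the same
//     image name again, signed there.
//  3. Point the original config dir at fixtures.EvilNotaryURL and run
//     `docker create`: it must exit 1 with
//     "could not rotate trust to a new trusted root".
//
// NOTE(review): the rejection presumably relies on trust state kept under the
// original config dir from step 1 — confirm against the notary client.
func TestTrustedCreateFromBadTrustServer(t *testing.T) {
	evilImageName := "registry:5000/evil-alpine:latest"
	dir := fixtures.SetupConfigFile(t)
	defer dir.Remove()

	// tag the image and upload it to the private registry
	icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
		fixtures.WithConfig(dir.Path()),
	).Assert(t, icmd.Success)
	icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
		fixtures.WithConfig(dir.Path()),
		// Fixed fixture passphrases for this test run; presumably the root and
		// repository signing-key passphrases — verify against fixtures.
		fixtures.WithPassphrase("root_password", "repo_password"),
		fixtures.WithTrust,
		fixtures.WithNotary,
	).Assert(t, icmd.Success)
	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)

	// try create
	icmd.RunCmd(icmd.Command("docker", "create", evilImageName),
		fixtures.WithConfig(dir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotary,
	).Assert(t, icmd.Success)
	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)

	// init a client with the evil-server and a new trust dir
	evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)
	defer evilNotaryDir.Remove()

	// tag the same image and upload it to the private registry but signed with evil notary server
	icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
		fixtures.WithConfig(evilNotaryDir.Path()),
	).Assert(t, icmd.Success)
	icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
		fixtures.WithConfig(evilNotaryDir.Path()),
		fixtures.WithPassphrase("root_password", "repo_password"),
		fixtures.WithTrust,
		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
	).Assert(t, icmd.Success)
	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)

	// try creating with the original client from the evil notary server. This should fail
	// because the new root is invalid
	icmd.RunCmd(icmd.Command("docker", "create", evilImageName),
		fixtures.WithConfig(dir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
	).Assert(t, icmd.Expected{
		ExitCode: 1,
		Err:      "could not rotate trust to a new trusted root",
	})
}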