github.com/rita33cool1/iot-system-gateway@v0.0.0-20200911033302-e65bde238cc5/docker-engine/integration/plugin/authz/authz_plugin_v2_test.go (about)

     1  // +build !windows
     2  
     3  package authz // import "github.com/docker/docker/integration/plugin/authz"
     4  
     5  import (
     6  	"context"
     7  	"fmt"
     8  	"io/ioutil"
     9  	"os"
    10  	"strings"
    11  	"testing"
    12  
    13  	"github.com/docker/docker/api/types"
    14  	"github.com/docker/docker/api/types/filters"
    15  	volumetypes "github.com/docker/docker/api/types/volume"
    16  	"github.com/docker/docker/client"
    17  	"github.com/docker/docker/integration/internal/container"
    18  	"github.com/docker/docker/integration/internal/requirement"
    19  	"github.com/gotestyourself/gotestyourself/assert"
    20  	"github.com/gotestyourself/gotestyourself/skip"
    21  )
    22  
// Plugin references used by the v2 authorization-plugin tests.
//
// NOTE(review): the references carry no registry host and setupTestV2 requires
// hub connectivity, so these are presumably pulled from Docker Hub at test
// time. They live in a personal namespace and the main one is addressed by the
// mutable "latest" tag rather than a digest, so the test outcome depends on
// content this repository does not control. Treat that as a test-only
// shortcut, not a pattern for deploying authorization plugins.
var (
	// authzPluginName is the plugin the tests expect to deny volume requests.
	authzPluginName = "riyaz/authz-no-volume-plugin"
	// authzPluginTag is the (mutable) tag the plugin is installed by.
	authzPluginTag = "latest"
	// authzPluginNameWithTag is the full "name:tag" reference passed to the
	// install call and to the daemon's --authorization-plugin flag.
	authzPluginNameWithTag = authzPluginName + ":" + authzPluginTag
	// authzPluginBadManifestName is a plugin that installs but is expected to
	// make the daemon fail to start when configured as authorization plugin.
	authzPluginBadManifestName = "riyaz/authz-plugin-bad-manifest"
	// nonexistentAuthzPluginName is never installed by these tests.
	nonexistentAuthzPluginName = "riyaz/nonexistent-authz-plugin"
)
    30  
// setupTestV2 prepares a test that exercises a v2 (managed) authorization
// plugin and returns the teardown function the caller is expected to defer.
//
// The test is skipped unless the daemon reports a Linux OSType and
// requirement.HasHubConnectivity reports true; the tests in this file install
// their plugins by remote reference. After the shared setupTest has run, the
// daemon d is started without any --authorization-plugin flag, so each test
// can install its plugin before turning enforcement on with a restart.
func setupTestV2(t *testing.T) func() {
	skip.IfCondition(t, testEnv.DaemonInfo.OSType != "linux")
	skip.IfCondition(t, !requirement.HasHubConnectivity(t))

	cleanup := setupTest(t)
	d.Start(t)
	return cleanup
}
    41  
// TestAuthZPluginV2AllowNonVolumeRequest checks that, with the authorization
// plugin enforcing, requests the plugin is not meant to block still succeed:
// a container is started and then inspected, and both calls must return
// without error.
func TestAuthZPluginV2AllowNonVolumeRequest(t *testing.T) {
	skip.IfCondition(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
	defer setupTestV2(t)()

	ctx := context.Background()

	apiClient, err := d.NewClient()
	assert.NilError(t, err)

	// The plugin has to be installed before the daemon can be told to use it.
	assert.NilError(t, pluginInstallGrantAllPermissions(apiClient, authzPluginNameWithTag))

	// Restart with enforcement on, then load busybox locally: a --net=none
	// build fails otherwise because it would need to pull busybox.
	d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)
	d.LoadBusybox(t)

	// Running a container and inspecting it are non-volume requests, so the
	// plugin is expected to let both through.
	containerID := container.Run(t, ctx, apiClient)

	_, err = apiClient.ContainerInspect(ctx, containerID)
	assert.NilError(t, err)
}
    65  
// TestAuthZPluginV2Disable checks that disabling the authorization plugin on a
// running daemon lifts its restrictions: a volume create is denied while the
// plugin is enabled and succeeds once it has been disabled.
//
// NOTE(review): the PluginDisable call is itself accepted while the plugin is
// enforcing, and the request that was denied a moment earlier then goes
// through. A production policy therefore needs to cover the plugin-management
// endpoints too, or any caller allowed to reach them can switch enforcement
// off. This test plugin presumably only restricts volume endpoints.
func TestAuthZPluginV2Disable(t *testing.T) {
	skip.IfCondition(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
	defer setupTestV2(t)()

	apiClient, err := d.NewClient()
	assert.NilError(t, err)

	// Install the plugin, then restart the daemon with enforcement on.
	assert.NilError(t, pluginInstallGrantAllPermissions(apiClient, authzPluginNameWithTag))

	d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)
	d.LoadBusybox(t)

	// Prefix of the daemon error expected when the plugin rejects a request.
	denied := fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)
	volumeSpec := volumetypes.VolumesCreateBody{Driver: "local"}

	// With the plugin enabled, creating a volume must be refused by it.
	_, err = apiClient.VolumeCreate(context.Background(), volumeSpec)
	assert.Assert(t, err != nil)
	assert.Assert(t, strings.Contains(err.Error(), denied))

	// Disable the plugin without restarting the daemon.
	err = apiClient.PluginDisable(context.Background(), authzPluginNameWithTag, types.PluginDisableOptions{})
	assert.NilError(t, err)

	// The same request is now expected to succeed.
	_, err = apiClient.VolumeCreate(context.Background(), volumeSpec)
	assert.NilError(t, err)
}
    92  
// TestAuthZPluginV2RejectVolumeRequests checks that every volume operation
// (create, list, remove, inspect, prune) is refused while the authorization
// plugin is enforcing, and that each refusal is attributed to the plugin in
// the daemon's error message.
func TestAuthZPluginV2RejectVolumeRequests(t *testing.T) {
	skip.IfCondition(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
	defer setupTestV2(t)()

	apiClient, err := d.NewClient()
	assert.NilError(t, err)

	// Install the plugin, then restart the daemon with enforcement on.
	assert.NilError(t, pluginInstallGrantAllPermissions(apiClient, authzPluginNameWithTag))
	d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)

	ctx := context.Background()
	denied := fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)

	// assertDenied requires a non-nil error that names the plugin as the
	// component that rejected the request.
	assertDenied := func(err error) {
		t.Helper()
		assert.Assert(t, err != nil)
		assert.Assert(t, strings.Contains(err.Error(), denied))
	}

	_, err = apiClient.VolumeCreate(ctx, volumetypes.VolumesCreateBody{Driver: "local"})
	assertDenied(err)

	_, err = apiClient.VolumeList(ctx, filters.Args{})
	assertDenied(err)

	// The volume "test" is never created: the plugin is expected to block the
	// request before the daemon can determine that the volume does not exist.
	err = apiClient.VolumeRemove(ctx, "test", false)
	assertDenied(err)

	_, err = apiClient.VolumeInspect(ctx, "test")
	assertDenied(err)

	_, err = apiClient.VolumesPrune(ctx, filters.Args{})
	assertDenied(err)
}
   128  
// TestAuthZPluginV2BadManifestFailsDaemonStart checks that the daemon refuses
// to start when it is configured with an authorization plugin that was
// installed but has a bad manifest, instead of coming up without
// authorization, and that it starts again once the flag is dropped.
func TestAuthZPluginV2BadManifestFailsDaemonStart(t *testing.T) {
	skip.IfCondition(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
	defer setupTestV2(t)()

	apiClient, err := d.NewClient()
	assert.NilError(t, err)

	// Installing the bad-manifest plugin is expected to succeed on its own.
	assert.NilError(t, pluginInstallGrantAllPermissions(apiClient, authzPluginBadManifestName))

	// Requiring that plugin for authorization must make the restart fail.
	pluginFlag := "--authorization-plugin=" + authzPluginBadManifestName
	err = d.RestartWithError(pluginFlag)
	assert.Assert(t, err != nil)

	// Without the flag the daemon is expected to start normally.
	d.Start(t)
}
   147  
// TestAuthZPluginV2NonexistentFailsDaemonStart checks that the daemon refuses
// to start when --authorization-plugin names a plugin that was never
// installed, instead of coming up without authorization, and that it starts
// again once the flag is dropped.
func TestAuthZPluginV2NonexistentFailsDaemonStart(t *testing.T) {
	defer setupTestV2(t)()

	// No install step here: the configured plugin does not exist, so the
	// restart must report an error.
	pluginFlag := "--authorization-plugin=" + nonexistentAuthzPluginName
	err := d.RestartWithError(pluginFlag)
	assert.Assert(t, err != nil)

	// Without the flag the daemon is expected to start normally.
	d.Start(t)
}
   158  
// pluginInstallGrantAllPermissions installs the plugin referenced by name
// through the given API client and waits for the installation to finish.
//
// The install is requested with AcceptAllPermissions set, so every privilege
// the plugin asks for is granted without being reviewed. That is a
// convenience for a disposable test daemon; outside of tests the requested
// privileges should be inspected before they are accepted.
//
// It returns the error from the install request, or from draining the
// response stream, and nil when both succeed.
func pluginInstallGrantAllPermissions(client client.APIClient, name string) error {
	stream, err := client.PluginInstall(context.Background(), "", types.PluginInstallOptions{
		RemoteRef:            name,
		AcceptAllPermissions: true,
	})
	if err != nil {
		return err
	}
	defer stream.Close()

	// The client API starts a goroutine for the install; reaching EOF on the
	// response stream is the only way to be sure it has completed, so the
	// stream is read to the end and its content discarded.
	if _, err := ioutil.ReadAll(stream); err != nil {
		return err
	}
	return nil
}