// Source: github.com/sld880311/docker@v0.0.0-20200524143708-d5593973a475/integration-cli/docker_cli_authz_plugin_v2_test.go

// +build !windows

package main

import (
	"fmt"
	"strings"

	"github.com/docker/docker/pkg/integration/checker"
	"github.com/go-check/check"
)

// Plugin references used by the authorization-plugin (v2) tests below.
//
// NOTE(review): the tests install these by name at run time (they require
// Network) and pass --grant-all-permissions, and the tag is the mutable
// "latest". What gets installed is therefore whatever the registry serves
// under these names when the test runs. Pinning the fixtures to an immutable
// reference, if the plugin reference format in this tree allows it, would
// make the runs reproducible; confirm before changing.
var (
	authzPluginName            = "riyaz/authz-no-volume-plugin"
	authzPluginTag             = "latest"
	authzPluginNameWithTag     = authzPluginName + ":" + authzPluginTag
	authzPluginBadManifestName = "riyaz/authz-plugin-bad-manifest"
	nonexistentAuthzPluginName = "riyaz/nonexistent-authz-plugin"
)

// init registers the suite with go-check.
func init() {
	suite := &DockerAuthzV2Suite{ds: &DockerSuite{}}
	check.Suite(suite)
}

// DockerAuthzV2Suite holds the state shared by the authz plugin tests: the
// embedded DockerSuite used for teardown and the daemon created per test.
type DockerAuthzV2Suite struct {
	ds *DockerSuite
	d  *Daemon
}

// SetUpTest creates and starts a fresh daemon for the test about to run.
func (s *DockerAuthzV2Suite) SetUpTest(c *check.C) {
	testRequires(c, DaemonIsLinux, Network)
	s.d = NewDaemon(c)
	startErr := s.d.Start()
	c.Assert(startErr, check.IsNil)
}

// TearDownTest stops the per-test daemon and then runs the DockerSuite
// teardown.
func (s *DockerAuthzV2Suite) TearDownTest(c *check.C) {
	s.d.Stop()
	s.ds.TearDownTest(c)
}

// TestAuthZPluginAllowNonVolumeRequest checks that, with the authz plugin
// enabled, requests that do not touch volumes (run, ps) still succeed.
func (s *DockerAuthzV2Suite) TestAuthZPluginAllowNonVolumeRequest(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Install the plugin while the daemon is still running without it.
	_, installErr := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag)
	c.Assert(installErr, checker.IsNil)

	// Restart with the plugin enforced, then load busybox locally: the
	// --net=none build fails otherwise because it needs to pull busybox.
	authzFlag := "--authorization-plugin=" + authzPluginNameWithTag
	c.Assert(s.d.Restart(authzFlag), check.IsNil)
	c.Assert(s.d.LoadBusybox(), check.IsNil)

	// Cleanup: restart without the plugin first, then disable and remove it.
	// Each step is asserted, so a failing step stops the remaining ones.
	defer func() {
		c.Assert(s.d.Restart(), check.IsNil)
		for _, sub := range []string{"disable", "rm"} {
			_, cleanupErr := s.d.Cmd("plugin", sub, authzPluginNameWithTag)
			c.Assert(cleanupErr, checker.IsNil)
		}
	}()

	// docker run and the accompanying docker ps must both be allowed.
	runOut, runErr := s.d.Cmd("run", "-d", "busybox", "top")
	c.Assert(runErr, check.IsNil)
	containerID := strings.TrimSpace(runOut)

	psOut, psErr := s.d.Cmd("ps")
	c.Assert(psErr, check.IsNil)
	c.Assert(assertContainerList(psOut, []string{containerID}), check.Equals, true)
}

// TestAuthZPluginRejectVolumeRequests checks that every volume subcommand
// fails while the authz plugin is enforced, and that the error output names
// the plugin as the source of the failure (so a rejection is not confused
// with an unrelated daemon error).
func (s *DockerAuthzV2Suite) TestAuthZPluginRejectVolumeRequests(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	_, installErr := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag)
	c.Assert(installErr, checker.IsNil)

	// Restart the daemon with the plugin enforced.
	authzFlag := "--authorization-plugin=" + authzPluginNameWithTag
	c.Assert(s.d.Restart(authzFlag), check.IsNil)

	// Cleanup: restart without the plugin first, then disable and remove it.
	defer func() {
		c.Assert(s.d.Restart(), check.IsNil)
		for _, sub := range []string{"disable", "rm"} {
			_, cleanupErr := s.d.Cmd("plugin", sub, authzPluginNameWithTag)
			c.Assert(cleanupErr, checker.IsNil)
		}
	}()

	// Every rejected request is expected to carry this prefix.
	pluginFailure := fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)
	expectRejected := func(out string, err error) {
		c.Assert(err, check.NotNil)
		c.Assert(out, checker.Contains, pluginFailure)
	}

	expectRejected(s.d.Cmd("volume", "create"))
	expectRejected(s.d.Cmd("volume", "ls"))

	// The plugin will block the command before it can determine the volume
	// does not exist, so the missing "test" volume does not change the error.
	expectRejected(s.d.Cmd("volume", "rm", "test"))
	expectRejected(s.d.Cmd("volume", "inspect", "test"))
	expectRejected(s.d.Cmd("volume", "prune", "-f"))
}

// TestAuthZPluginBadManifestFailsDaemonStart checks that the daemon refuses
// to start when the configured authorization plugin has a bad manifest,
// rather than starting without authorization, and that it starts again once
// the plugin is no longer required.
//
// NOTE(review): the bad-manifest plugin is installed but not removed here;
// presumably the per-test daemon from SetUpTest makes that harmless, confirm.
func (s *DockerAuthzV2Suite) TestAuthZPluginBadManifestFailsDaemonStart(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	_, installErr := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginBadManifestName)
	c.Assert(installErr, checker.IsNil)

	// Starting with the broken plugin required must fail.
	withPluginErr := s.d.Restart("--authorization-plugin=" + authzPluginBadManifestName)
	c.Assert(withPluginErr, check.NotNil)

	// Restarting the daemon without requiring the plugin will succeed.
	withoutPluginErr := s.d.Restart()
	c.Assert(withoutPluginErr, check.IsNil)
}

// TestNonexistentAuthZPluginFailsDaemonStart checks that the daemon refuses
// to start when the configured authorization plugin does not exist, and that
// it starts again once the plugin is no longer required.
func (s *DockerAuthzV2Suite) TestNonexistentAuthZPluginFailsDaemonStart(c *check.C) {
	testRequires(c, DaemonIsLinux, Network)

	// Starting with a non-existent authz plugin required must fail.
	withPluginErr := s.d.Restart("--authorization-plugin=" + nonexistentAuthzPluginName)
	c.Assert(withPluginErr, check.NotNil)

	// Restarting the daemon without requiring the plugin will succeed.
	withoutPluginErr := s.d.Restart()
	c.Assert(withoutPluginErr, check.IsNil)
}