github.com/stevegt/moby@v1.13.1/integration-cli/docker_cli_authz_plugin_v2_test.go (about)

     1  // +build !windows
     2  
     3  package main
     4  
     5  import (
     6  	"fmt"
     7  	"strings"
     8  
     9  	"github.com/docker/docker/pkg/integration/checker"
    10  	"github.com/go-check/check"
    11  )
    12  
// Plugin references used by the v2 authorization-plugin tests. The tests
// install these through the daemon with "plugin install".
//
// NOTE(review): every reference here resolves through a registry at test time,
// and the tagged one uses the mutable "latest" tag rather than a digest. The
// tests install with --grant-all-permissions, so the content behind these names
// is trusted implicitly; pinning by digest would make the installed bytes
// reproducible.
var (
	// Plugin that the tests expect to allow container requests and to deny
	// volume requests.
	authzPluginName = "riyaz/authz-no-volume-plugin"
	authzPluginTag  = "latest"

	// Plugin whose manifest is expected to stop the daemon from starting.
	authzPluginBadManifestName = "riyaz/authz-plugin-bad-manifest"

	// Name that is expected not to resolve to any installed plugin.
	nonexistentAuthzPluginName = "riyaz/nonexistent-authz-plugin"

	// Fully qualified "name:tag" form passed to the CLI and the daemon flag.
	authzPluginNameWithTag = authzPluginName + ":" + authzPluginTag
)
    20  
// init registers the v2 authorization-plugin suite with go-check so that its
// Test* methods are picked up by the test runner.
func init() {
	suite := &DockerAuthzV2Suite{ds: &DockerSuite{}}
	check.Suite(suite)
}
    26  
// DockerAuthzV2Suite groups the integration tests for v2 (managed)
// authorization plugins. Each test runs against its own daemon instance.
type DockerAuthzV2Suite struct {
	// ds is the embedded base suite; only its TearDownTest is invoked here.
	ds *DockerSuite
	// d is the daemon under test, created in SetUpTest and stopped in
	// TearDownTest.
	d *Daemon
}
    31  
// SetUpTest creates and starts a fresh daemon for the test that is about to
// run. The suite needs a Linux daemon and network access.
func (s *DockerAuthzV2Suite) SetUpTest(c *check.C) {
	testRequires(c, DaemonIsLinux, Network)

	daemon := NewDaemon(c)
	s.d = daemon

	startErr := daemon.Start()
	c.Assert(startErr, check.IsNil)
}
    37  
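// TearDownTest stops the per-test daemon and then runs the base suite's
// teardown.
func (s *DockerAuthzV2Suite) TearDownTest(c *check.C) {
	// s.d is only assigned once NewDaemon returns in SetUpTest. If setup
	// aborted before that point there is no daemon to stop, and calling Stop
	// through a nil pointer could panic and hide the original failure.
	if s.d != nil {
		s.d.Stop()
	}
	s.ds.TearDownTest(c)
}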
    42  
// TestAuthZPluginAllowNonVolumeRequest checks that, with the authorization
// plugin enabled on the daemon, requests unrelated to volumes still go
// through: a container can be started and then shows up in "docker ps".
func (s *DockerAuthzV2Suite) TestAuthZPluginAllowNonVolumeRequest(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Install the authorization plugin from the registry.
	// NOTE(review): --grant-all-permissions accepts whatever privileges the
	// plugin requests without prompting, and the reference is a mutable tag.
	_, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag)
	c.Assert(err, checker.IsNil)

	// Bring the daemon back up with the plugin enforcing authorization, then
	// load busybox locally; a --net=none build would otherwise fail because it
	// would have to pull busybox.
	authzFlag := "--authorization-plugin=" + authzPluginNameWithTag
	c.Assert(s.d.Restart(authzFlag), check.IsNil)
	c.Assert(s.d.LoadBusybox(), check.IsNil)

	// Cleanup: restart without the authorization flag first, then disable and
	// remove the plugin.
	// NOTE(review): these are Assert calls, so the first failing step ends the
	// cleanup and the later steps are not attempted.
	defer func() {
		c.Assert(s.d.Restart(), check.IsNil)
		for _, sub := range []string{"disable", "rm"} {
			_, cleanupErr := s.d.Cmd("plugin", sub, authzPluginNameWithTag)
			c.Assert(cleanupErr, checker.IsNil)
		}
	}()

	// A detached container must start successfully...
	runOut, err := s.d.Cmd("run", "-d", "busybox", "top")
	c.Assert(err, check.IsNil)
	containerID := strings.TrimSpace(runOut)

	// ...and be listed by the accompanying "docker ps".
	psOut, err := s.d.Cmd("ps")
	c.Assert(err, check.IsNil)
	c.Assert(assertContainerList(psOut, []string{containerID}), check.Equals, true)
}
    72  
// TestAuthZPluginRejectVolumeRequests checks that, with the authorization
// plugin enabled on the daemon, every volume subcommand is refused and the
// CLI output names the plugin as the source of the denial.
func (s *DockerAuthzV2Suite) TestAuthZPluginRejectVolumeRequests(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Install the authorization plugin from the registry.
	// NOTE(review): --grant-all-permissions accepts whatever privileges the
	// plugin requests without prompting, and the reference is a mutable tag.
	_, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginNameWithTag)
	c.Assert(err, checker.IsNil)

	// Restart the daemon with the plugin enforcing authorization.
	authzFlag := "--authorization-plugin=" + authzPluginNameWithTag
	c.Assert(s.d.Restart(authzFlag), check.IsNil)

	// Cleanup: restart without the authorization flag first, then disable and
	// remove the plugin.
	defer func() {
		c.Assert(s.d.Restart(), check.IsNil)
		for _, sub := range []string{"disable", "rm"} {
			_, cleanupErr := s.d.Cmd("plugin", sub, authzPluginNameWithTag)
			c.Assert(cleanupErr, checker.IsNil)
		}
	}()

	// Prefix of the daemon error expected for each denied request. Only this
	// prefix is checked; the plugin's own reason text is not asserted.
	denied := fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)

	// Arguments following "volume", in the order they are exercised. "rm" and
	// "inspect" name a volume that was never created: the plugin is expected
	// to block the command before the daemon can determine that the volume
	// does not exist.
	volumeRequests := [][]string{
		{"create"},
		{"ls"},
		{"rm", "test"},
		{"inspect", "test"},
		{"prune", "-f"},
	}
	for _, rest := range volumeRequests {
		out, cmdErr := s.d.Cmd("volume", rest...)
		c.Assert(cmdErr, check.NotNil)
		c.Assert(out, checker.Contains, denied)
	}
}
   112  
// TestAuthZPluginBadManifestFailsDaemonStart checks that the daemon fails to
// start when the configured authorization plugin has a bad manifest, instead
// of coming up without that plugin, and that it starts again once the plugin
// is no longer required.
func (s *DockerAuthzV2Suite) TestAuthZPluginBadManifestFailsDaemonStart(c *check.C) {
	testRequires(c, DaemonIsLinux, IsAmd64, Network)

	// Installing the plugin with the bad manifest is itself expected to work.
	// NOTE(review): this test does not disable or remove the plugin afterwards.
	_, installErr := s.d.Cmd("plugin", "install", "--grant-all-permissions", authzPluginBadManifestName)
	c.Assert(installErr, checker.IsNil)

	// Requiring the plugin for authorization must make the restart fail.
	authzFlag := "--authorization-plugin=" + authzPluginBadManifestName
	withPluginErr := s.d.Restart(authzFlag)
	c.Assert(withPluginErr, check.NotNil)

	// Without the flag, the daemon must come back up.
	plainErr := s.d.Restart()
	c.Assert(plainErr, check.IsNil)
}
   125  
// TestNonexistentAuthZPluginFailsDaemonStart checks that the daemon fails to
// start when the configured authorization plugin does not exist, instead of
// coming up without it, and that it starts again once the plugin is no longer
// required.
func (s *DockerAuthzV2Suite) TestNonexistentAuthZPluginFailsDaemonStart(c *check.C) {
	testRequires(c, DaemonIsLinux, Network)

	// No install step: the name is never installed on this daemon, so the
	// restart that requires it must fail.
	authzFlag := "--authorization-plugin=" + nonexistentAuthzPluginName
	withPluginErr := s.d.Restart(authzFlag)
	c.Assert(withPluginErr, check.NotNil)

	// Without the flag, the daemon must come back up.
	plainErr := s.d.Restart()
	c.Assert(plainErr, check.IsNil)
}