github.com/xdlianrong208/docker-ce-comments@v17.12.1-ce-rc2+incompatible/components/engine/integration-cli/docker_cli_push_test.go (about) 1 package main 2 3 import ( 4 "archive/tar" 5 "fmt" 6 "io/ioutil" 7 "net/http" 8 "net/http/httptest" 9 "os" 10 "path/filepath" 11 "strings" 12 "sync" 13 14 "github.com/docker/distribution/reference" 15 "github.com/docker/docker/cli/config" 16 "github.com/docker/docker/integration-cli/checker" 17 "github.com/docker/docker/integration-cli/cli" 18 "github.com/docker/docker/integration-cli/cli/build" 19 "github.com/go-check/check" 20 "github.com/gotestyourself/gotestyourself/icmd" 21 ) 22 23 // Pushing an image to a private registry. 24 func testPushBusyboxImage(c *check.C) { 25 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 26 // tag the image to upload it to the private registry 27 dockerCmd(c, "tag", "busybox", repoName) 28 // push the image to the registry 29 dockerCmd(c, "push", repoName) 30 } 31 32 func (s *DockerRegistrySuite) TestPushBusyboxImage(c *check.C) { 33 testPushBusyboxImage(c) 34 } 35 36 func (s *DockerSchema1RegistrySuite) TestPushBusyboxImage(c *check.C) { 37 testPushBusyboxImage(c) 38 } 39 40 // pushing an image without a prefix should throw an error 41 func (s *DockerSuite) TestPushUnprefixedRepo(c *check.C) { 42 out, _, err := dockerCmdWithError("push", "busybox") 43 c.Assert(err, check.NotNil, check.Commentf("pushing an unprefixed repo didn't result in a non-zero exit status: %s", out)) 44 } 45 46 func testPushUntagged(c *check.C) { 47 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 48 expected := "An image does not exist locally with the tag" 49 50 out, _, err := dockerCmdWithError("push", repoName) 51 c.Assert(err, check.NotNil, check.Commentf("pushing the image to the private registry should have failed: output %q", out)) 52 c.Assert(out, checker.Contains, expected, check.Commentf("pushing the image failed")) 53 } 54 55 func (s *DockerRegistrySuite) TestPushUntagged(c *check.C) { 56 testPushUntagged(c) 57 } 58 59 func (s *DockerSchema1RegistrySuite) TestPushUntagged(c *check.C) { 60 testPushUntagged(c) 61 } 62 63 func testPushBadTag(c *check.C) { 64 repoName := fmt.Sprintf("%v/dockercli/busybox:latest", privateRegistryURL) 65 expected := "does not exist" 66 67 out, _, err := dockerCmdWithError("push", repoName) 68 c.Assert(err, check.NotNil, check.Commentf("pushing the image to the private registry should have failed: output %q", out)) 69 c.Assert(out, checker.Contains, expected, check.Commentf("pushing the image failed")) 70 } 71 72 func (s *DockerRegistrySuite) TestPushBadTag(c *check.C) { 73 testPushBadTag(c) 74 } 75 76 func (s *DockerSchema1RegistrySuite) TestPushBadTag(c *check.C) { 77 testPushBadTag(c) 78 } 79 80 func testPushMultipleTags(c *check.C) { 81 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 82 repoTag1 := fmt.Sprintf("%v/dockercli/busybox:t1", privateRegistryURL) 83 repoTag2 := fmt.Sprintf("%v/dockercli/busybox:t2", privateRegistryURL) 84 // tag the image and upload it to the private registry 85 dockerCmd(c, "tag", "busybox", repoTag1) 86 87 dockerCmd(c, "tag", "busybox", repoTag2) 88 89 dockerCmd(c, "push", repoName) 90 91 // Ensure layer list is equivalent for repoTag1 and repoTag2 92 out1, _ := dockerCmd(c, "pull", repoTag1) 93 94 imageAlreadyExists := ": Image already exists" 95 var out1Lines []string 96 for _, outputLine := range strings.Split(out1, "\n") { 97 if strings.Contains(outputLine, imageAlreadyExists) { 98 out1Lines = append(out1Lines, outputLine) 99 } 100 } 101 102 out2, _ := dockerCmd(c, "pull", repoTag2) 103 104 var out2Lines []string 105 for _, outputLine := range strings.Split(out2, "\n") { 106 if strings.Contains(outputLine, imageAlreadyExists) { 107 out1Lines = append(out1Lines, outputLine) 108 } 109 } 110 c.Assert(out2Lines, checker.HasLen, len(out1Lines)) 111 112 for i := range out1Lines { 113 c.Assert(out1Lines[i], checker.Equals, out2Lines[i]) 114 } 115 } 116 117 func (s *DockerRegistrySuite) TestPushMultipleTags(c *check.C) { 118 testPushMultipleTags(c) 119 } 120 121 func (s *DockerSchema1RegistrySuite) TestPushMultipleTags(c *check.C) { 122 testPushMultipleTags(c) 123 } 124 125 func testPushEmptyLayer(c *check.C) { 126 repoName := fmt.Sprintf("%v/dockercli/emptylayer", privateRegistryURL) 127 emptyTarball, err := ioutil.TempFile("", "empty_tarball") 128 c.Assert(err, check.IsNil, check.Commentf("Unable to create test file")) 129 130 tw := tar.NewWriter(emptyTarball) 131 err = tw.Close() 132 c.Assert(err, check.IsNil, check.Commentf("Error creating empty tarball")) 133 134 freader, err := os.Open(emptyTarball.Name()) 135 c.Assert(err, check.IsNil, check.Commentf("Could not open test tarball")) 136 defer freader.Close() 137 138 icmd.RunCmd(icmd.Cmd{ 139 Command: []string{dockerBinary, "import", "-", repoName}, 140 Stdin: freader, 141 }).Assert(c, icmd.Success) 142 143 // Now verify we can push it 144 out, _, err := dockerCmdWithError("push", repoName) 145 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out)) 146 } 147 148 func (s *DockerRegistrySuite) TestPushEmptyLayer(c *check.C) { 149 testPushEmptyLayer(c) 150 } 151 152 func (s *DockerSchema1RegistrySuite) TestPushEmptyLayer(c *check.C) { 153 testPushEmptyLayer(c) 154 } 155 156 // testConcurrentPush pushes multiple tags to the same repo 157 // concurrently. 158 func testConcurrentPush(c *check.C) { 159 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 160 161 repos := []string{} 162 for _, tag := range []string{"push1", "push2", "push3"} { 163 repo := fmt.Sprintf("%v:%v", repoName, tag) 164 buildImageSuccessfully(c, repo, build.WithDockerfile(fmt.Sprintf(` 165 FROM busybox 166 ENTRYPOINT ["/bin/echo"] 167 ENV FOO foo 168 ENV BAR bar 169 CMD echo %s 170 `, repo))) 171 repos = append(repos, repo) 172 } 173 174 // Push tags, in parallel 175 results := make(chan error) 176 177 for _, repo := range repos { 178 go func(repo string) { 179 result := icmd.RunCommand(dockerBinary, "push", repo) 180 results <- result.Error 181 }(repo) 182 } 183 184 for range repos { 185 err := <-results 186 c.Assert(err, checker.IsNil, check.Commentf("concurrent push failed with error: %v", err)) 187 } 188 189 // Clear local images store. 190 args := append([]string{"rmi"}, repos...) 191 dockerCmd(c, args...) 192 193 // Re-pull and run individual tags, to make sure pushes succeeded 194 for _, repo := range repos { 195 dockerCmd(c, "pull", repo) 196 dockerCmd(c, "inspect", repo) 197 out, _ := dockerCmd(c, "run", "--rm", repo) 198 c.Assert(strings.TrimSpace(out), checker.Equals, "/bin/sh -c echo "+repo) 199 } 200 } 201 202 func (s *DockerRegistrySuite) TestConcurrentPush(c *check.C) { 203 testConcurrentPush(c) 204 } 205 206 func (s *DockerSchema1RegistrySuite) TestConcurrentPush(c *check.C) { 207 testConcurrentPush(c) 208 } 209 210 func (s *DockerRegistrySuite) TestCrossRepositoryLayerPush(c *check.C) { 211 sourceRepoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 212 // tag the image to upload it to the private registry 213 dockerCmd(c, "tag", "busybox", sourceRepoName) 214 // push the image to the registry 215 out1, _, err := dockerCmdWithError("push", sourceRepoName) 216 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out1)) 217 // ensure that none of the layers were mounted from another repository during push 218 c.Assert(strings.Contains(out1, "Mounted from"), check.Equals, false) 219 220 digest1 := reference.DigestRegexp.FindString(out1) 221 c.Assert(len(digest1), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 222 223 destRepoName := fmt.Sprintf("%v/dockercli/crossrepopush", privateRegistryURL) 224 // retag the image to upload the same layers to another repo in the same registry 225 dockerCmd(c, "tag", "busybox", destRepoName) 226 // push the image to the registry 227 out2, _, err := dockerCmdWithError("push", destRepoName) 228 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2)) 229 // ensure that layers were mounted from the first repo during push 230 c.Assert(strings.Contains(out2, "Mounted from dockercli/busybox"), check.Equals, true) 231 232 digest2 := reference.DigestRegexp.FindString(out2) 233 c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 234 c.Assert(digest1, check.Equals, digest2) 235 236 // ensure that pushing again produces the same digest 237 out3, _, err := dockerCmdWithError("push", destRepoName) 238 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2)) 239 240 digest3 := reference.DigestRegexp.FindString(out3) 241 c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 242 c.Assert(digest3, check.Equals, digest2) 243 244 // ensure that we can pull and run the cross-repo-pushed repository 245 dockerCmd(c, "rmi", destRepoName) 246 dockerCmd(c, "pull", destRepoName) 247 out4, _ := dockerCmd(c, "run", destRepoName, "echo", "-n", "hello world") 248 c.Assert(out4, check.Equals, "hello world") 249 } 250 251 func (s *DockerSchema1RegistrySuite) TestCrossRepositoryLayerPushNotSupported(c *check.C) { 252 sourceRepoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 253 // tag the image to upload it to the private registry 254 dockerCmd(c, "tag", "busybox", sourceRepoName) 255 // push the image to the registry 256 out1, _, err := dockerCmdWithError("push", sourceRepoName) 257 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out1)) 258 // ensure that none of the layers were mounted from another repository during push 259 c.Assert(strings.Contains(out1, "Mounted from"), check.Equals, false) 260 261 digest1 := reference.DigestRegexp.FindString(out1) 262 c.Assert(len(digest1), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 263 264 destRepoName := fmt.Sprintf("%v/dockercli/crossrepopush", privateRegistryURL) 265 // retag the image to upload the same layers to another repo in the same registry 266 dockerCmd(c, "tag", "busybox", destRepoName) 267 // push the image to the registry 268 out2, _, err := dockerCmdWithError("push", destRepoName) 269 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2)) 270 // schema1 registry should not support cross-repo layer mounts, so ensure that this does not happen 271 c.Assert(strings.Contains(out2, "Mounted from"), check.Equals, false) 272 273 digest2 := reference.DigestRegexp.FindString(out2) 274 c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 275 c.Assert(digest1, check.Not(check.Equals), digest2) 276 277 // ensure that we can pull and run the second pushed repository 278 dockerCmd(c, "rmi", destRepoName) 279 dockerCmd(c, "pull", destRepoName) 280 out3, _ := dockerCmd(c, "run", destRepoName, "echo", "-n", "hello world") 281 c.Assert(out3, check.Equals, "hello world") 282 } 283 284 func (s *DockerTrustSuite) TestTrustedPush(c *check.C) { 285 c.Skip("Blacklisting for Docker CE") 286 repoName := fmt.Sprintf("%v/dockerclitrusted/pushtest:latest", privateRegistryURL) 287 // tag the image and upload it to the private registry 288 cli.DockerCmd(c, "tag", "busybox", repoName) 289 290 cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 291 292 // Try pull after push 293 cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{ 294 Out: "Status: Image is up to date", 295 }) 296 297 // Assert that we rotated the snapshot key to the server by checking our local keystore 298 contents, err := ioutil.ReadDir(filepath.Join(config.Dir(), "trust/private/tuf_keys", privateRegistryURL, "dockerclitrusted/pushtest")) 299 c.Assert(err, check.IsNil, check.Commentf("Unable to read local tuf key files")) 300 // Check that we only have 1 key (targets key) 301 c.Assert(contents, checker.HasLen, 1) 302 } 303 304 func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) { 305 repoName := fmt.Sprintf("%v/dockerclienv/trusted:latest", privateRegistryURL) 306 // tag the image and upload it to the private registry 307 cli.DockerCmd(c, "tag", "busybox", repoName) 308 309 cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "12345678")).Assert(c, SuccessSigningAndPushing) 310 311 // Try pull after push 312 cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{ 313 Out: "Status: Image is up to date", 314 }) 315 } 316 317 func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) { 318 repoName := fmt.Sprintf("%v/dockerclitrusted/failingserver:latest", privateRegistryURL) 319 // tag the image and upload it to the private registry 320 cli.DockerCmd(c, "tag", "busybox", repoName) 321 322 // Using a name that doesn't resolve to an address makes this test faster 323 cli.Docker(cli.Args("push", repoName), trustedCmdWithServer("https://server.invalid:81/")).Assert(c, icmd.Expected{ 324 ExitCode: 1, 325 Err: "error contacting notary server", 326 }) 327 } 328 329 func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) { 330 repoName := fmt.Sprintf("%v/dockerclitrusted/trustedandnot:latest", privateRegistryURL) 331 // tag the image and upload it to the private registry 332 cli.DockerCmd(c, "tag", "busybox", repoName) 333 334 result := cli.Docker(cli.Args("push", "--disable-content-trust", repoName), trustedCmdWithServer("https://server.invalid:81/")) 335 result.Assert(c, icmd.Success) 336 c.Assert(result.Combined(), check.Not(checker.Contains), "Error establishing connection to notary repository", check.Commentf("Missing expected output on trusted push with --disable-content-trust:")) 337 } 338 339 func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) { 340 repoName := fmt.Sprintf("%v/dockerclitag/trusted:latest", privateRegistryURL) 341 // tag the image and upload it to the private registry 342 cli.DockerCmd(c, "tag", "busybox", repoName) 343 cli.DockerCmd(c, "push", repoName) 344 345 cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 346 347 // Try pull after push 348 cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{ 349 Out: "Status: Image is up to date", 350 }) 351 } 352 353 func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) { 354 repoName := fmt.Sprintf("%v/dockerclipushpush/trusted:latest", privateRegistryURL) 355 // tag the image and upload it to the private registry 356 cli.DockerCmd(c, "tag", "busybox", repoName) 357 358 // Do a trusted push 359 cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 360 361 // Do another trusted push 362 cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 363 cli.DockerCmd(c, "rmi", repoName) 364 365 // Try pull to ensure the double push did not break our ability to pull 366 cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessDownloaded) 367 } 368 369 func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *check.C) { 370 c.Skip("Blacklisting for Docker CE") 371 repoName := fmt.Sprintf("%v/dockercliincorretpwd/trusted:latest", privateRegistryURL) 372 // tag the image and upload it to the private registry 373 cli.DockerCmd(c, "tag", "busybox", repoName) 374 375 // Push with default passphrases 376 cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 377 378 // Push with wrong passphrases 379 cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "87654321")).Assert(c, icmd.Expected{ 380 ExitCode: 1, 381 Err: "could not find necessary signing keys", 382 }) 383 } 384 385 func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) { 386 testRequires(c, NotaryHosting) 387 repoName := fmt.Sprintf("%v/dockerclireleasedelegationinitfirst/trusted", privateRegistryURL) 388 targetName := fmt.Sprintf("%s:latest", repoName) 389 s.notaryInitRepo(c, repoName) 390 s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public) 391 s.notaryPublish(c, repoName) 392 393 s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private) 394 395 // tag the image and upload it to the private registry 396 cli.DockerCmd(c, "tag", "busybox", targetName) 397 398 cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) 399 // check to make sure that the target has been added to targets/releases and not targets 400 s.assertTargetInRoles(c, repoName, "latest", "targets/releases") 401 s.assertTargetNotInRoles(c, repoName, "latest", "targets") 402 403 // Try pull after push 404 os.RemoveAll(filepath.Join(config.Dir(), "trust")) 405 406 cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{ 407 Out: "Status: Image is up to date", 408 }) 409 } 410 411 func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c *check.C) { 412 testRequires(c, NotaryHosting) 413 repoName := fmt.Sprintf("%v/dockerclimanyroles/trusted", privateRegistryURL) 414 targetName := fmt.Sprintf("%s:latest", repoName) 415 s.notaryInitRepo(c, repoName) 416 s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public) 417 s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public) 418 s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public) 419 420 // import everything except the third key 421 s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private) 422 s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private) 423 424 s.notaryCreateDelegation(c, repoName, "targets/role1/subrole", s.not.keys[3].Public) 425 s.notaryImportKey(c, repoName, "targets/role1/subrole", s.not.keys[3].Private) 426 427 s.notaryPublish(c, repoName) 428 429 // tag the image and upload it to the private registry 430 cli.DockerCmd(c, "tag", "busybox", targetName) 431 432 cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) 433 434 // check to make sure that the target has been added to targets/role1 and targets/role2, and 435 // not targets (because there are delegations) or targets/role3 (due to missing key) or 436 // targets/role1/subrole (due to it being a second level delegation) 437 s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role2") 438 s.assertTargetNotInRoles(c, repoName, "latest", "targets") 439 440 // Try pull after push 441 os.RemoveAll(filepath.Join(config.Dir(), "trust")) 442 443 // pull should fail because none of these are the releases role 444 cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{ 445 ExitCode: 1, 446 }) 447 } 448 449 func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *check.C) { 450 repoName := fmt.Sprintf("%v/dockerclirolesbykeysandpaths/trusted", privateRegistryURL) 451 targetName := fmt.Sprintf("%s:latest", repoName) 452 s.notaryInitRepo(c, repoName) 453 s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public, "l", "z") 454 s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public, "x", "y") 455 s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public, "latest") 456 s.notaryCreateDelegation(c, repoName, "targets/role4", s.not.keys[3].Public, "latest") 457 458 // import everything except the third key 459 s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private) 460 s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private) 461 s.notaryImportKey(c, repoName, "targets/role4", s.not.keys[3].Private) 462 463 s.notaryPublish(c, repoName) 464 465 // tag the image and upload it to the private registry 466 cli.DockerCmd(c, "tag", "busybox", targetName) 467 468 cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) 469 470 // check to make sure that the target has been added to targets/role1 and targets/role4, and 471 // not targets (because there are delegations) or targets/role2 (due to path restrictions) or 472 // targets/role3 (due to missing key) 473 s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role4") 474 s.assertTargetNotInRoles(c, repoName, "latest", "targets") 475 476 // Try pull after push 477 os.RemoveAll(filepath.Join(config.Dir(), "trust")) 478 479 // pull should fail because none of these are the releases role 480 cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{ 481 ExitCode: 1, 482 }) 483 } 484 485 func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c *check.C) { 486 testRequires(c, NotaryHosting) 487 repoName := fmt.Sprintf("%v/dockerclireleasedelegationnotsignable/trusted", privateRegistryURL) 488 targetName := fmt.Sprintf("%s:latest", repoName) 489 s.notaryInitRepo(c, repoName) 490 s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public) 491 s.notaryPublish(c, repoName) 492 493 // do not import any delegations key 494 495 // tag the image and upload it to the private registry 496 cli.DockerCmd(c, "tag", "busybox", targetName) 497 498 cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Expected{ 499 ExitCode: 1, 500 Err: "no valid signing keys", 501 }) 502 s.assertTargetNotInRoles(c, repoName, "latest", "targets", "targets/role1") 503 } 504 505 func (s *DockerRegistryAuthHtpasswdSuite) TestPushNoCredentialsNoRetry(c *check.C) { 506 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 507 dockerCmd(c, "tag", "busybox", repoName) 508 out, _, err := dockerCmdWithError("push", repoName) 509 c.Assert(err, check.NotNil, check.Commentf(out)) 510 c.Assert(out, check.Not(checker.Contains), "Retrying") 511 c.Assert(out, checker.Contains, "no basic auth credentials") 512 } 513 514 // This may be flaky but it's needed not to regress on unauthorized push, see #21054 515 func (s *DockerSuite) TestPushToCentralRegistryUnauthorized(c *check.C) { 516 testRequires(c, Network) 517 repoName := "test/busybox" 518 dockerCmd(c, "tag", "busybox", repoName) 519 out, _, err := dockerCmdWithError("push", repoName) 520 c.Assert(err, check.NotNil, check.Commentf(out)) 521 c.Assert(out, check.Not(checker.Contains), "Retrying") 522 } 523 524 func getTestTokenService(status int, body string, retries int) *httptest.Server { 525 var mu sync.Mutex 526 return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 527 mu.Lock() 528 if retries > 0 { 529 w.WriteHeader(http.StatusServiceUnavailable) 530 w.Header().Set("Content-Type", "application/json") 531 w.Write([]byte(`{"errors":[{"code":"UNAVAILABLE","message":"cannot create token at this time"}]}`)) 532 retries-- 533 } else { 534 w.WriteHeader(status) 535 w.Header().Set("Content-Type", "application/json") 536 w.Write([]byte(body)) 537 } 538 mu.Unlock() 539 })) 540 } 541 542 func (s *DockerRegistryAuthTokenSuite) TestPushTokenServiceUnauthResponse(c *check.C) { 543 ts := getTestTokenService(http.StatusUnauthorized, `{"errors": [{"Code":"UNAUTHORIZED", "message": "a message", "detail": null}]}`, 0) 544 defer ts.Close() 545 s.setupRegistryWithTokenService(c, ts.URL) 546 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 547 dockerCmd(c, "tag", "busybox", repoName) 548 out, _, err := dockerCmdWithError("push", repoName) 549 c.Assert(err, check.NotNil, check.Commentf(out)) 550 c.Assert(out, checker.Not(checker.Contains), "Retrying") 551 c.Assert(out, checker.Contains, "unauthorized: a message") 552 } 553 554 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnauthorized(c *check.C) { 555 ts := getTestTokenService(http.StatusUnauthorized, `{"error": "unauthorized"}`, 0) 556 defer ts.Close() 557 s.setupRegistryWithTokenService(c, ts.URL) 558 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 559 dockerCmd(c, "tag", "busybox", repoName) 560 out, _, err := dockerCmdWithError("push", repoName) 561 c.Assert(err, check.NotNil, check.Commentf(out)) 562 c.Assert(out, checker.Not(checker.Contains), "Retrying") 563 split := strings.Split(out, "\n") 564 c.Assert(split[len(split)-2], check.Equals, "unauthorized: authentication required") 565 } 566 567 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseError(c *check.C) { 568 ts := getTestTokenService(http.StatusTooManyRequests, `{"errors": [{"code":"TOOMANYREQUESTS","message":"out of tokens"}]}`, 3) 569 defer ts.Close() 570 s.setupRegistryWithTokenService(c, ts.URL) 571 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 572 dockerCmd(c, "tag", "busybox", repoName) 573 out, _, err := dockerCmdWithError("push", repoName) 574 c.Assert(err, check.NotNil, check.Commentf(out)) 575 // TODO: isolate test so that it can be guaranteed that the 503 will trigger xfer retries 576 //c.Assert(out, checker.Contains, "Retrying") 577 //c.Assert(out, checker.Not(checker.Contains), "Retrying in 15") 578 split := strings.Split(out, "\n") 579 c.Assert(split[len(split)-2], check.Equals, "toomanyrequests: out of tokens") 580 } 581 582 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnparsable(c *check.C) { 583 ts := getTestTokenService(http.StatusForbidden, `no way`, 0) 584 defer ts.Close() 585 s.setupRegistryWithTokenService(c, ts.URL) 586 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 587 dockerCmd(c, "tag", "busybox", repoName) 588 out, _, err := dockerCmdWithError("push", repoName) 589 c.Assert(err, check.NotNil, check.Commentf(out)) 590 c.Assert(out, checker.Not(checker.Contains), "Retrying") 591 split := strings.Split(out, "\n") 592 c.Assert(split[len(split)-2], checker.Contains, "error parsing HTTP 403 response body: ") 593 } 594 595 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseNoToken(c *check.C) { 596 ts := getTestTokenService(http.StatusOK, `{"something": "wrong"}`, 0) 597 defer ts.Close() 598 s.setupRegistryWithTokenService(c, ts.URL) 599 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 600 dockerCmd(c, "tag", "busybox", repoName) 601 out, _, err := dockerCmdWithError("push", repoName) 602 c.Assert(err, check.NotNil, check.Commentf(out)) 603 c.Assert(out, checker.Not(checker.Contains), "Retrying") 604 split := strings.Split(out, "\n") 605 c.Assert(split[len(split)-2], check.Equals, "authorization server did not include a token in the response") 606 }