zotregistry.dev/zot@v1.4.4-0.20240314164342-eec277e14d20/test/blackbox/detect_manifest_collision.bats (about) 1 # Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci" 2 # Makefile target installs & checks all necessary tooling 3 # Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites() 4 5 load helpers_zot 6 7 function verify_prerequisites { 8 if [ ! $(command -v htpasswd) ]; then 9 echo "you need to install htpasswd as a prerequisite to running the tests" >&3 10 return 1 11 fi 12 13 return 0 14 } 15 16 function setup_file() { 17 # Verify prerequisites are available 18 if ! $(verify_prerequisites); then 19 exit 1 20 fi 21 22 # Download test data to folder common for the entire suite, not just this file 23 skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36 24 25 # Setup zot server 26 local zot_root_dir=${BATS_FILE_TMPDIR}/zot 27 local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json 28 local oci_data_dir=${BATS_FILE_TMPDIR}/oci 29 local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd 30 mkdir -p ${zot_root_dir} 31 mkdir -p ${oci_data_dir} 32 zot_port=$(get_free_port) 33 echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port 34 htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file} 35 cat > ${zot_config_file}<<EOF 36 { 37 "distSpecVersion": "1.1.0", 38 "storage": { 39 "rootDirectory": "${zot_root_dir}" 40 }, 41 "http": { 42 "address": "127.0.0.1", 43 "port": "${zot_port}", 44 "auth": { 45 "htpasswd": { 46 "path": "${zot_htpasswd_file}" 47 } 48 }, 49 "accessControl": { 50 "repositories": { 51 "**": { 52 "anonymousPolicy": [ 53 "read", 54 "create", 55 "delete", 56 "detectManifestCollision" 57 ], 58 "policies": [ 59 { 60 "users": [ 61 "${AUTH_USER}" 62 ], 63 "actions": [ 64 "read", 65 "create", 66 "delete" 67 ] 68 } 69 ] 70 } 71 } 72 } 73 }, 74 "log": { 75 "level": "debug", 76 "output": "${BATS_FILE_TMPDIR}/zot.log" 77 } 78 } 79 EOF 80 zot_serve ${ZOT_PATH} ${zot_config_file} 81 wait_zot_reachable ${zot_port} 82 } 83 84 function teardown() { 85 # conditionally printing on failure is possible from teardown but not from from teardown_file 86 cat ${BATS_FILE_TMPDIR}/zot.log 87 } 88 89 function teardown_file() { 90 zot_stop_all 91 } 92 93 @test "push 2 images with same manifest with user policy" { 94 zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port` 95 run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \ 96 oci:${TEST_DATA_DIR}/busybox:1.36 \ 97 docker://127.0.0.1:${zot_port}/busybox:1.36 98 [ "$status" -eq 0 ] 99 100 run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \ 101 oci:${TEST_DATA_DIR}/busybox:1.36 \ 102 docker://127.0.0.1:${zot_port}/busybox:latest 103 [ "$status" -eq 0 ] 104 } 105 106 @test "skopeo delete image with anonymous policy should fail" { 107 zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port` 108 # skopeo deletes by digest, so it should fail with detectManifestCollision policy 109 run skopeo --insecure-policy delete --tls-verify=false \ 110 docker://127.0.0.1:${zot_port}/busybox:1.36 111 [ "$status" -eq 1 ] 112 # conflict status code 113 [[ "$output" == *"manifest invalid"* ]] 114 } 115 116 @test "regctl delete image with anonymous policy should fail" { 117 zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port` 118 run regctl registry set localhost:${zot_port} --tls disabled 119 [ "$status" -eq 0 ] 120 121 run regctl image delete localhost:${zot_port}/busybox:1.36 --force-tag-dereference 122 [ "$status" -eq 1 ] 123 # conflict status code 124 [[ "$output" == *"409"* ]] 125 } 126 127 @test "delete image with user policy should work" { 128 zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port` 129 # should work without detectManifestCollision policy 130 run skopeo --insecure-policy delete --creds ${AUTH_USER}:${AUTH_PASS} --tls-verify=false \ 131 docker://127.0.0.1:${zot_port}/busybox:1.36 132 [ "$status" -eq 0 ] 133 }