Add some content trust tests

[vdemeester]

Importing from moby's DockerTrustSuite tests.

This is still wip since there is some tests that are failing and some empty tests I did not yet migrate.
Also, there has been some slight changes between 17.06 and current docker/cli, so one some behavior, I'm not sure if it's supposed to fail or not (cc @n4ss @endophage)

See moby/moby#36515 for original tests that are supposed to be migrated.

Probably require #929 to be able to write unit tests for content trust..

Signed-off-by: Vincent Demeester vincent@sbr.pm

[dnephin]

why is it evil?

[vdemeester]

See https://github.com/moby/moby/pull/36515/files#diff-4b1e56bb77ac16f2ccf956fc24cf0a82L350 😛
Definitely open to name it something else, but I'll need to re-generate the certs 😅

[dnephin]

Maybe malicious? I'm not sure what the intent is here.

[codecov-io]

Codecov Report

Merging #924 into master will decrease coverage by 0.14%.
The diff coverage is 35.29%.

@@            Coverage Diff             @@
##           master     #924      +/-   ##
==========================================
- Coverage   53.92%   53.78%   -0.15%     
==========================================
  Files         262      262              
  Lines       16604    16601       -3     
==========================================
- Hits         8954     8929      -25     
- Misses       7049     7084      +35     
+ Partials      601      588      -13

[dnephin]

This is a ton of work. Thanks for porting these!

[dnephin]

Why do we need this in the dev image? Aren't we using a docker image for the notary server?

[vdemeester]

For some tests (to come), we need to use the notary client to set up the server in some state.

[dnephin]

Maybe add a TODO to move to a separate stage when we make this multi-stage? and document that it's only used from the e2e runner?

[vdemeester]

👍

[dnephin]

Maybe malicious? I'm not sure what the intent is here.

[dnephin]

Can we test error cases with unit tests?

I guess this is running now, so maybe just add a TODO?

[vdemeester]

yes, and we probably should, that's a good point. I only worked moving from the moby's integration to cli's e2e tests but those could definitely be unit tests instead 👼 (with just one e2e tests that validates the behavior against a real server)

[dnephin]

Can we keep this as pull_test.go ? We shouldn't have so many e2e tests that we need more than a single file per command.

[dnephin]

TestPullWithContentTrustUsesCacheWhenNotaryUnavailable ?

[dnephin]

If both create and run use exactly the same code, do we need e2e tests for both?

[n4ss]

I personally prefer too much tests than the opposite. Today they run the same code but we can catch an issue the day this is not true anymore (extremely unlikely I admit).

[dnephin]

ya, this is weird. I don't understand why it would hit notary if content trust is disabled.

[vdemeester]

Yep, but somehow, in moby, with 17.06, that's something it was doing 😅

[dnephin]

push_test.go ?

[dnephin]

There are way too many e2e tests here. It must be possible for some of these to be unit tests.

[dnephin]

TestInstallWithContentTrust

[vdemeester]

@endophage @n4ss what's the expected behavior here ? (the commented code comes from initial moby test suite, but fails on current docker/cli)

[vdemeester]

@endophage @n4ss what's the expected behavior here ? pretty sure it works as expected and the commented code should be gone, but somehow, in 17.06 it did act that way (i.e. even with --disable-content-trust it would fail)

[n4ss]

I don't know.. If you disable content trust, it shouldn't try to reach the notary server, right?

@endophage @cyli if you have more guesses?

[cyli]

Apologies for not getting to this sooner - if it was this test: https://github.com/moby/moby/pull/36515/files#diff-cf31c649a9e77c869ff8c6cdcec05f60L328, it looks like the intention was to test the --disable-content-trust flag in combination with the content trust environment variable to say that even with the environment variable set, if --disable-content-trust is passed, it doesn't use content trust. So the push should work, because it doesn't contact the notary server, hence it seem to be checking that there is no comment about the notary server being invalid (e.g. if it were going the path of content trust, the push should have failed with that error message).

[vdemeester]

@endophage @n4ss what's the expected behavior here ? (the commented code comes from initial moby test suite, but fails on current docker/cli)

[cyli]

Is that https://github.com/moby/moby/pull/36515/files#diff-cf31c649a9e77c869ff8c6cdcec05f60L368? If so, it's possible that the error message has changed - not sure what the failure on docker/cli was.

[dnephin]

LGTM when the commented code is removed (if it's not necessary anymore)

[vdemeester]

Updated with removing commented code (and cleaning some stuff not required for now)

[vdemeester]

The failure is weird 😱

17:18:22 --- FAIL: TestPushWithContentTrust (0.87s)
17:18:22 	push_test.go:43: assertion failed: 
17:18:22 		--- expected
17:18:22 		+++ actual
17:18:22 		@@ -1,6 +1,6 @@
17:18:22 		 The push refers to repository [registry:5000/trust-push]
17:18:22 		 5bef08742407: Preparing
17:18:22 		-5bef08742407: Mounted from trust-create
17:18:22 		+5bef08742407: Mounted from trust-pull-unreachable
17:18:22 		 latest: digest: sha256:641b95ddb2ea9dc2af1a0113b6b348ebc20872ba615204fbe12148e98fd6f23d size: 528
17:18:22 		 Signing and pushing trust metadata
17:18:22 		 Finished initializing "registry:5000/trust-push"

PS: I have another Mounted from on my laptop..

[vdemeester]

We either need to clean the registry between each test or.. something else 😓

[dnephin]

We could use the line matching system from the image build test (https://github.com/docker/cli/blob/master/e2e/image/build_test.go#L31). Just needs to be renamed to assertLines or something like that.

[cyli]

Thank you so much for porting these @vdemeester! Apologies I didn't respond earlier. This all LGTM - I can attempt to add the TestTrustedPushWithoutServerAndUntrusted test back in another PR - that seems useful to test that the flag and the environment variable interact in the correct way, or perhaps that should just be a unit test.

TestTrustedPushWithIncorrectPassphraseForNonRoot possibly does not need to exist in docker/cli unless we translate the error messaging. I feel like this should be part of the notary tests instead. We have a test in notary for not being able to add data when the root passphrase is invalid (https://github.com/theupdateframework/notary/blob/master/client/client_test.go#L722) but not the repo passphrase. I've added an issue here: notaryproject/notary#1317

[vdemeester]

@dnephin updated, using assertBuildOuptut (move the thing in a separate package)

[dnephin]

lint failure on unused code.

[dnephin]

remove for now and open an issue for these?

[vdemeester]

huh 😓

[thaJeztah]

LGTM

but left a comment 👍

[thaJeztah]

This is basically the same test as for "create" (TestNewCreateCommandWithContentTrustErrors); wonder (for a follow-up) if we can share some of the code, so that we don't have to maintain it twice, but also so that we make sure they're kept in sync