Add some content trust tests #924
e2e/compose-env.yaml
Outdated
@@ -17,5 +17,14 @@ services: | |||
- notary-fixtures:/fixtures | |||
command: ['notary-server', '-config=/fixtures/notary-config.json'] | |||
|
|||
evil-notary-server: |
why is it evil?
See https://github.com/moby/moby/pull/36515/files#diff-4b1e56bb77ac16f2ccf956fc24cf0a82L350 😛
Definitely open to name it something else, but I'll need to re-generate the certs 😅
Maybe malicious? I'm not sure what the intent is here.
ada7260
to
67572da
Compare
Codecov Report
@@ Coverage Diff @@
## master #924 +/- ##
==========================================
- Coverage 53.92% 53.78% -0.15%
==========================================
Files 262 262
Lines 16604 16601 -3
==========================================
- Hits 8954 8929 -25
- Misses 7049 7084 +35
+ Partials 601 588 -13 |
67572da
to
6542b98
Compare
This is a ton of work. Thanks for porting these!
dockerfiles/Dockerfile.dev
Outdated
ARG NOTARY_VERSION=v0.6.0 | ||
RUN export URL=https://github.com/theupdateframework/notary/releases/download; \ | ||
curl -Ls $URL/${NOTARY_VERSION}/notary-Linux-amd64 -o /usr/local/bin/notary && \ | ||
chmod +x /usr/local/bin/notary |
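Review bot: the notary client fetched in this RUN step is written to /usr/local/bin/notary and made executable with no integrity check, and `curl -Ls` is called without `-f`, so an HTTP error page would be saved as the binary and only fail later when it is executed. Pin a SHA-256 for the NOTARY_VERSION=v0.6.0 artifact, verify it before the `chmod +x`, and add `-f` to the curl call. A one-line comment that this client is only used by the e2e runner would also document why it is in the dev image.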
Why do we need this in the dev image? Aren't we using a docker image for the notary server?
For some tests (to come), we need to use the notary client to set up the server in some state.
Maybe add a TODO to move to a separate stage when we make this multi-stage? and document that it's only used from the e2e runner?
👍
e2e/container/create_test.go
Outdated
) | ||
result.Assert(t, icmd.Expected{ | ||
ExitCode: 1, | ||
Err: "does not have trust data for", |
Can we test error cases with unit tests?
I guess this is running now, so maybe just add a TODO?
Yes, and we probably should, that's a good point. I only worked on moving from moby's integration to cli's e2e tests, but those could definitely be unit tests instead 👼 (with just one e2e test that validates the behavior against a real server)
e2e/image/pull_trust_test.go
Outdated
@@ -0,0 +1,78 @@ | |||
package image |
Can we keep this as pull_test.go? We shouldn't have so many e2e tests that we need more than a single file per command.
e2e/image/pull_trust_test.go
Outdated
}) | ||
} | ||
|
||
func TestPullWithContentTrustUnreachableServer(t *testing.T) { |
TestPullWithContentTrustUsesCacheWhenNotaryUnavailable?
"github.com/gotestyourself/gotestyourself/icmd" | ||
) | ||
|
||
func TestCreateWithContentTrust(t *testing.T) { |
If both create and run use exactly the same code, do we need e2e tests for both?
I personally prefer too many tests to the opposite. Today they run the same code but we can catch an issue the day this is not true anymore (extremely unlikely I admit).
e2e/image/push_trust_test.go
Outdated
Err: "error contacting notary server", | ||
}) | ||
|
||
// FIXME(vdemeester) doesn't work |
ya, this is weird. I don't understand why it would hit notary if content trust is disabled.
Yep, but somehow, in moby, with 17.06, that's something it was doing 😅
e2e/image/push_trust_test.go
Outdated
@@ -0,0 +1,160 @@ | |||
package image |
push_test.go?
e2e/image/push_trust_test.go
Outdated
|
||
func TestPushWithContentTrustSignsForRolesWithKeysAndValidPaths(t *testing.T) {} | ||
|
||
func TestPullWithContentTrustSignsForRolesWithKeysAndValidPaths(t *testing.T) {} |
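Review bot: both functions here have empty bodies, so they pass unconditionally and suggest coverage of role and path signing that is not exercised; TestPullWithContentTrustSignsForRolesWithKeysAndValidPaths is also named for pull while it sits in push_trust_test.go. Either drop them until they are ported, or start each with t.Skip and a reason so the gap is visible in the test output.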
There are way too many e2e tests here. It must be possible for some of these to be unit tests.
e2e/plugin/trust_test.go
Outdated
|
||
const registryPrefix = "registry:5000" | ||
|
||
func TestPluginInstallWithContentTrust(t *testing.T) { |
TestInstallWithContentTrust
6542b98
to
d3ac738
Compare
e0e8479
to
c786830
Compare
e2e/container/create_test.go
Outdated
|
||
// FIXME(vdemeester) doesn't work | ||
/* | ||
// Now, try running with the original client from this new trust server. This should fail because the new root is invalid. |
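Review bot: the case disabled under `// FIXME(vdemeester) doesn't work` is the one that checks the original client fails against the new trust server ("This should fail because the new root is invalid"), and with it commented out nothing visible here asserts that a changed root is rejected. The FIXME should record the observed failure, and the case is better kept as its own test that calls t.Skip with a tracking issue than as a block comment that can go stale unnoticed.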
@endophage @n4ss what's the expected behavior here? (the commented code comes from initial moby test suite, but fails on current docker/cli)
e2e/image/push_test.go
Outdated
Err: "error contacting notary server", | ||
}) | ||
|
||
// FIXME(vdemeester) doesn't work |
@endophage @n4ss what's the expected behavior here? pretty sure it works as expected and the commented code should be gone, but somehow, in 17.06 it did act that way (i.e. even with --disable-content-trust it would fail)
I don't know.. If you disable content trust, it shouldn't try to reach the notary server, right?
@endophage @cyli if you have more guesses?
Apologies for not getting to this sooner - if it was this test: https://github.com/moby/moby/pull/36515/files#diff-cf31c649a9e77c869ff8c6cdcec05f60L328, it looks like the intention was to test the --disable-content-trust flag in combination with the content trust environment variable to say that even with the environment variable set, if --disable-content-trust is passed, it doesn't use content trust. So the push should work, because it doesn't contact the notary server, hence it seems to be checking that there is no comment about the notary server being invalid (e.g. if it were going the path of content trust, the push should have failed with that error message).
e2e/image/push_test.go
Outdated
// FIXME(vdemeester) doesn't work | ||
/* | ||
// With a wrong password | ||
result = icmd.RunCmd(icmd.Command("docker", "push", image), |
@endophage @n4ss what's the expected behavior here? (the commented code comes from initial moby test suite, but fails on current docker/cli)
Is that https://github.com/moby/moby/pull/36515/files#diff-cf31c649a9e77c869ff8c6cdcec05f60L368? If so, it's possible that the error message has changed - not sure what the failure on docker/cli was.
931123c
to
922cb69
Compare
LGTM when the commented code is removed (if it's not necessary anymore)
07722ba
to
70bfe54
Compare
Updated with removing commented code (and cleaning some stuff not required for now)
70bfe54
to
492b480
Compare
The failure is weird 😱
PS: I have another |
492b480
to
54669f5
Compare
We either need to clean the registry between each test or.. something else 😓
We could use the line matching system from the image build test (https://github.com/docker/cli/blob/master/e2e/image/build_test.go#L31). Just needs to be renamed to |
Thank you so much for porting these @vdemeester! Apologies I didn't respond earlier. This all LGTM - I can attempt to add the
|
54669f5
to
84bdbfe
Compare
@dnephin updated, using |
lint failure on unused code.
e2e/service/trust_test.go
Outdated
|
||
func TestServiceCreateWithContentTrust(t *testing.T) {} | ||
|
||
func TestServiceUpdateWithContentTrust(t *testing.T) {} |
remove for now and open an issue for these?
huh 😓
bd1b2a3
to
ef5db75
Compare
Importing from moby's DockerTrustSuite tests. Signed-off-by: Vincent Demeester <vincent@sbr.pm>
ef5db75
to
8b00c5c
Compare
LGTM
but left a comment 👍
@@ -23,3 +26,48 @@ func TestRunLabel(t *testing.T) { | |||
cmd.SetArgs([]string{"--label", "foo", "busybox"}) | |||
assert.NilError(t, cmd.Execute()) | |||
} | |||
|
|||
func TestRunCommandWithContentTrustErrors(t *testing.T) { |
This is basically the same test as for "create" (TestNewCreateCommandWithContentTrustErrors); wonder (for a follow-up) if we can share some of the code, so that we don't have to maintain it twice, but also so that we make sure they're kept in sync
Importing from moby's DockerTrustSuite tests.
This is still WIP since there are some tests that are failing and some empty tests I did not yet migrate.
Also, there have been some slight changes between 17.06 and current docker/cli, so on some behavior, I'm not sure if it's supposed to fail or not (cc @n4ss @endophage).
See moby/moby#36515 for original tests that are supposed to be migrated.
Probably requires #929 to be able to write unit tests for content trust.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>