diff --git a/pkg/credentialprovider/keyring_test.go b/pkg/credentialprovider/keyring_test.go
index 4a865bedd86..771a6b60544 100644
--- a/pkg/credentialprovider/keyring_test.go
+++ b/pkg/credentialprovider/keyring_test.go
@@ -19,7 +19,10 @@ package credentialprovider
 import (
 "encoding/base64"
 "fmt"
+ "reflect"
 "testing"
+
+ dockertypes "github.com/docker/engine-api/types"
 )

 func TestUrlsMatch(t *testing.T) {
@@ -499,3 +502,117 @@ func TestLazyKeyring(t *testing.T) {
 t.Errorf("Unexpected number of Provide calls: %v", provider.Count)
 }
 }
+
+func TestDockerKeyringLookup(t *testing.T) {
+ ada := LazyAuthConfiguration{
+ AuthConfig: dockertypes.AuthConfig{
+ Username: "ada",
+ Password: "smash",
+ Email: "ada@example.com",
+ },
+ }
+
+ grace := LazyAuthConfiguration{
+ AuthConfig: dockertypes.AuthConfig{
+ Username: "grace",
+ Password: "squash",
+ Email: "grace@example.com",
+ },
+ }
+
+ dk := &BasicDockerKeyring{}
+ dk.Add(DockerConfig{
+ "bar.example.com/pong": DockerConfigEntry{
+ Username: grace.Username,
+ Password: grace.Password,
+ Email: grace.Email,
+ },
+ "bar.example.com": DockerConfigEntry{
+ Username: ada.Username,
+ Password: ada.Password,
+ Email: ada.Email,
+ },
+ })
+
+ tests := []struct {
+ image string
+ match []LazyAuthConfiguration
+ ok bool
+ }{
+ // direct match
+ {"bar.example.com", []LazyAuthConfiguration{ada}, true},
+
+ // direct match deeper than other possible matches
+ {"bar.example.com/pong", []LazyAuthConfiguration{grace, ada}, true},
+
+ // no direct match, deeper path ignored
+ {"bar.example.com/ping", []LazyAuthConfiguration{ada}, true},
+
+ // match first part of path token
+ {"bar.example.com/pongz", []LazyAuthConfiguration{grace, ada}, true},
+
+ // match regardless of sub-path
+ {"bar.example.com/pong/pang", []LazyAuthConfiguration{grace, ada}, true},
+
+ // no host match
+ {"example.com", []LazyAuthConfiguration{}, false},
+ {"foo.example.com", []LazyAuthConfiguration{}, false},
+ }
+
+ for i, tt := range tests {
+ match, ok := dk.Lookup(tt.image)
+ if tt.ok != ok {
+ t.Errorf("case %d: expected ok=%t, got %t", i, tt.ok, ok)
+ }
+
+ if !reflect.DeepEqual(tt.match, match) {
+ t.Errorf("case %d: expected match=%#v, got %#v", i, tt.match, match)
+ }
+ }
+}
+
+// This validates that dockercfg entries with a scheme and url path are properly matched
+// by images that only match the hostname.
+// NOTE: the above covers the case of a more specific match trumping just hostname.
+func TestIssue3797(t *testing.T) {
+ rex := LazyAuthConfiguration{
+ AuthConfig: dockertypes.AuthConfig{
+ Username: "rex",
+ Password: "tiny arms",
+ Email: "rex@example.com",
+ },
+ }
+
+ dk := &BasicDockerKeyring{}
+ dk.Add(DockerConfig{
+ "https://quay.io/v1/": DockerConfigEntry{
+ Username: rex.Username,
+ Password: rex.Password,
+ Email: rex.Email,
+ },
+ })
+
+ tests := []struct {
+ image string
+ match []LazyAuthConfiguration
+ ok bool
+ }{
+ // direct match
+ {"quay.io", []LazyAuthConfiguration{rex}, true},
+
+ // partial matches
+ {"quay.io/foo", []LazyAuthConfiguration{rex}, true},
+ {"quay.io/foo/bar", []LazyAuthConfiguration{rex}, true},
+ }
+
+ for i, tt := range tests {
+ match, ok := dk.Lookup(tt.image)
+ if tt.ok != ok {
+ t.Errorf("case %d: expected ok=%t, got %t", i, tt.ok, ok)
+ }
+
+ if !reflect.DeepEqual(tt.match, match) {
+ t.Errorf("case %d: expected match=%#v, got %#v", i, tt.match, match)
+ }
+ }
+}
diff --git a/pkg/kubelet/dockertools/docker_test.go b/pkg/kubelet/dockertools/docker_test.go
index adf636b2f72..6ea62b442d7 100644
--- a/pkg/kubelet/dockertools/docker_test.go
+++ b/pkg/kubelet/dockertools/docker_test.go
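Review bot: The "no host match" rows in TestDockerKeyringLookup (pkg/credentialprovider/keyring_test.go) cover only a parent domain and a sibling subdomain, so nothing pins what Lookup returns for a hostname that merely begins with a configured host. The `bar.example.com/pongz` row shows that path matching is a plain prefix rather than segment-aligned, which makes the host side worth pinning as well, since a wrong answer there would offer stored registry credentials to a different host. I would add a row such as `{"bar.example.com.invalid", []LazyAuthConfiguration{}, false},` (hostname constructed for the example), assuming no match is the intended result. It would also help to state in the comment on the `pongz` row whether offering the `pong` credentials to `pongz` is deliberate.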
@@ -544,168 +544,6 @@ func TestPullWithSecrets(t *testing.T) {
 }
 }

-func TestDockerKeyringLookupFails(t *testing.T) {
- fakeKeyring := &credentialprovider.FakeKeyring{}
- fakeClient := NewFakeDockerClient()
- fakeClient.InjectError("pull", fmt.Errorf("test error"))
-
- dp := dockerPuller{
- client: fakeClient,
- keyring: fakeKeyring,
- }
-
- err := dp.Pull("host/repository/image:version", []v1.Secret{})
- if err == nil {
- t.Errorf("unexpected non-error")
- }
- msg := "image pull failed for host/repository/image:version, this may be because there are no credentials on this request. details: (test error)"
- if err.Error() != msg {
- t.Errorf("expected: %s, saw: %s", msg, err.Error())
- }
-}
-
-func TestDockerKeyringLookup(t *testing.T) {
- ada := credentialprovider.LazyAuthConfiguration{
- AuthConfig: dockertypes.AuthConfig{
- Username: "ada",
- Password: "smash",
- Email: "ada@example.com",
- },
- }
-
- grace := credentialprovider.LazyAuthConfiguration{
- AuthConfig: dockertypes.AuthConfig{
- Username: "grace",
- Password: "squash",
- Email: "grace@example.com",
- },
- }
-
- dk := &credentialprovider.BasicDockerKeyring{}
- dk.Add(credentialprovider.DockerConfig{
- "bar.example.com/pong": credentialprovider.DockerConfigEntry{
- Username: grace.Username,
- Password: grace.Password,
- Email: grace.Email,
- },
- "bar.example.com": credentialprovider.DockerConfigEntry{
- Username: ada.Username,
- Password: ada.Password,
- Email: ada.Email,
- },
- })
-
- tests := []struct {
- image string
- match []credentialprovider.LazyAuthConfiguration
- ok bool
- }{
- // direct match
- {"bar.example.com", []credentialprovider.LazyAuthConfiguration{ada}, true},
-
- // direct match deeper than other possible matches
- {"bar.example.com/pong", []credentialprovider.LazyAuthConfiguration{grace, ada}, true},
-
- // no direct match, deeper path ignored
- {"bar.example.com/ping", []credentialprovider.LazyAuthConfiguration{ada}, true},
-
- // match first part of path token
- {"bar.example.com/pongz", []credentialprovider.LazyAuthConfiguration{grace, ada}, true},
-
- // match regardless of sub-path
- {"bar.example.com/pong/pang", []credentialprovider.LazyAuthConfiguration{grace, ada}, true},
-
- // no host match
- {"example.com", []credentialprovider.LazyAuthConfiguration{}, false},
- {"foo.example.com", []credentialprovider.LazyAuthConfiguration{}, false},
- }
-
- for i, tt := range tests {
- match, ok := dk.Lookup(tt.image)
- if tt.ok != ok {
- t.Errorf("case %d: expected ok=%t, got %t", i, tt.ok, ok)
- }
-
- if !reflect.DeepEqual(tt.match, match) {
- t.Errorf("case %d: expected match=%#v, got %#v", i, tt.match, match)
- }
- }
-}
-
-// This validates that dockercfg entries with a scheme and url path are properly matched
-// by images that only match the hostname.
-// NOTE: the above covers the case of a more specific match trumping just hostname.
-func TestIssue3797(t *testing.T) {
- rex := credentialprovider.LazyAuthConfiguration{
- AuthConfig: dockertypes.AuthConfig{
- Username: "rex",
- Password: "tiny arms",
- Email: "rex@example.com",
- },
- }
-
- dk := &credentialprovider.BasicDockerKeyring{}
- dk.Add(credentialprovider.DockerConfig{
- "https://quay.io/v1/": credentialprovider.DockerConfigEntry{
- Username: rex.Username,
- Password: rex.Password,
- Email: rex.Email,
- },
- })
-
- tests := []struct {
- image string
- match []credentialprovider.LazyAuthConfiguration
- ok bool
- }{
- // direct match
- {"quay.io", []credentialprovider.LazyAuthConfiguration{rex}, true},
-
- // partial matches
- {"quay.io/foo", []credentialprovider.LazyAuthConfiguration{rex}, true},
- {"quay.io/foo/bar", []credentialprovider.LazyAuthConfiguration{rex}, true},
- }
-
- for i, tt := range tests {
- match, ok := dk.Lookup(tt.image)
- if tt.ok != ok {
- t.Errorf("case %d: expected ok=%t, got %t", i, tt.ok, ok)
- }
-
- if !reflect.DeepEqual(tt.match, match) {
- t.Errorf("case %d: expected match=%#v, got %#v", i, tt.match, match)
- }
- }
-}
-
-type imageTrackingDockerClient struct {
- *FakeDockerClient
- imageName string
-}
-
-func (f *imageTrackingDockerClient) InspectImageByID(name string) (image *dockertypes.ImageInspect, err error) {
- image, err = f.FakeDockerClient.InspectImageByID(name)
- f.imageName = name
- return
-}
-
-func (f *imageTrackingDockerClient) InspectImageByRef(name string) (image *dockertypes.ImageInspect, err error) {
- image, err = f.FakeDockerClient.InspectImageByRef(name)
- f.imageName = name
- return
-}
-
-func TestGetImageRef(t *testing.T) {
- cl := &imageTrackingDockerClient{NewFakeDockerClient(), ""}
- puller := &dockerPuller{
- client: cl,
- }
- _, _ = puller.GetImageRef("abc:123")
- if cl.imageName != "abc:123" {
- t.Errorf("expected inspection of image abc:123, instead inspected image %v", cl.imageName)
- }
-}
-
 const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

 func randStringBytes(n int) string {