From 5dd3b2bffdca3f9275a1aa40fc13077ba2ef0fe5 Mon Sep 17 00:00:00 2001
From: Ed Santiago
Date: Mon, 20 May 2019 14:28:46 -0600
Subject: [PATCH] fixup! Incorporate review feedback from mtrmac
- Got TLS registry working, and test enabled. The trick was to copy the .crt file to a separate directory *without* the .key
- auth test - set up a private XDG_RUNTIME_DIR, in case tests are being run by a real user.
- signing test - remove FIXME comments; questions answered.
- helpers.bash - document start_registries(); save a .crt file, not .cert; and remove unused stop_registries() - it's too hard to do right, and very easy for individual tests to 'podman rm -f'
- run-tests - remove SKOPEO_BINARY definition, it's inconsistent with the one in helpers.bash
Signed-off-by: Ed Santiago
---
 systemtest/030-local-registry-tls.bats | 27 ++++++------------
 systemtest/040-local-registry-auth.bats | 10 ++++---
 systemtest/050-signing.bats | 4 ---
 systemtest/helpers.bash | 38 ++++++++++++++++---------
 systemtest/run-tests | 3 --
 5 files changed, 39 insertions(+), 43 deletions(-)
diff --git a/systemtest/030-local-registry-tls.bats b/systemtest/030-local-registry-tls.bats
index 6c14ba86..69270199 100644
--- a/systemtest/030-local-registry-tls.bats
+++ b/systemtest/030-local-registry-tls.bats
@@ -1,16 +1,7 @@
 #!/usr/bin/env bats
 #
-# This is probably a never-mind.
-#
-# The idea is to set up a local registry with locally generated certs,
-# using --dest-cert-dir to tell skopeo how to check. But no, it fails with
-#
-# x509: certificate signed by unknown authority
-#
-# Perhaps I'm missing something? Maybe I need to add something into
-# /etc/pki/somewhere? If this is truly not possible to test without
-# a real signature, then let's just delete this test.
-#
+# Confirm that skopeo will push to and pull from a local
+# registry with locally-created TLS certificates.
 #
 load helpers
@@ -21,15 +12,15 @@ function setup() {
 }
 @test "local registry, with cert" {
- skip "doesn't work as expected"
-
- local remote_image=docker://busybox:latest
- local localimg=docker://localhost:5000/busybox:unsigned
-
- # Fails with: x509: certificate signed by unknown authority
- run_skopeo --debug copy --dest-cert-dir=$TESTDIR/auth \
+ # Push to local registry...
+ run_skopeo copy --dest-cert-dir=$TESTDIR/client-auth \
 docker://busybox:latest \
 docker://localhost:5000/busybox:unsigned
+
+ # ...and pull it back out
+ run_skopeo copy --src-cert-dir=$TESTDIR/client-auth \
+ docker://localhost:5000/busybox:unsigned \
+ dir:$TESTDIR/extracted
 }
 teardown() {
diff --git a/systemtest/040-local-registry-auth.bats b/systemtest/040-local-registry-auth.bats
index 9996ec0c..dab3bd18 100644
--- a/systemtest/040-local-registry-auth.bats
+++ b/systemtest/040-local-registry-auth.bats
@@ -9,8 +9,10 @@ function setup() {
 standard_setup
 # Remove old/stale cred file
- _cred_file=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/containers/auth.json
- rm -f $_cred_file
+ _cred_dir=$TESTDIR/credentials
+ export XDG_RUNTIME_DIR=$_cred_dir
+ mkdir -p $_cred_dir/containers
+ rm -f $_cred_dir/containers/auth.json
 # Start authenticated registry with random password
 testuser=testuser
@@ -66,8 +68,8 @@ function setup() {
 teardown() {
 podman rm -f reg
- if [[ -n $_cred_file ]]; then
- rm -f $_cred_file
+ if [[ -n $_cred_dir ]]; then
+ rm -rf $_cred_dir
 fi
 standard_teardown
diff --git a/systemtest/050-signing.bats b/systemtest/050-signing.bats
index 5de7f876..7cdfc598 100644
--- a/systemtest/050-signing.bats
+++ b/systemtest/050-signing.bats
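Review bot: The rewritten `@test "local registry, with cert"` only shows that a copy with `--dest-cert-dir`/`--src-cert-dir` succeeds; it would pass identically if skopeo ignored the cert directory, so it does not yet prove that verification against the locally generated cert is what makes the push work. A negative case in the same test — the same push with no `--dest-cert-dir` (or one pointing at an empty directory), expected to fail with the `x509: certificate signed by unknown authority` error the deleted header comment quoted — would pin that. The pull into `dir:$TESTDIR/extracted` also asserts nothing about the result; checking that `$TESTDIR/extracted/manifest.json` exists afterwards would catch a silently empty copy. `$TESTDIR` is unquoted on all three new lines; `"$TESTDIR/client-auth"` is the safer spelling.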
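Review bot: In the 040-local-registry-auth.bats setup hunk, the surviving comment `# Remove old/stale cred file` no longer describes the lines under it: the block now creates a private runtime directory and points `XDG_RUNTIME_DIR` at it, and the `rm -f $_cred_dir/containers/auth.json` of a file inside a directory that was just created under `$TESTDIR` is presumably a no-op. Suggest `# Use a private XDG_RUNTIME_DIR so credentials written by this test land under $TESTDIR, not in the invoking user's real runtime dir`, and dropping the `rm -f` unless TESTDIR can persist across runs. Both this hunk and the teardown hunk below use `$_cred_dir` unquoted, which matters most for `rm -rf $_cred_dir`; `rm -rf "$_cred_dir"` is the safer form. setup() begins outside the hunk.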
@@ -95,9 +95,6 @@ END_POLICY_JSON
 /myns/carol:latest - # No signature
 /open/forall:latest - # No signature, but none needed
 END_PUSH
- # FIXME: there doesn't seem to be a way to push an image
- # such as '/bob:signed', signed by bob, at the same time
- # that we have :signedbyalice
 # Done pushing. Now try to fetch. From here on we use the --policy option.
 # The table below lists the paths to fetch, and the expected errors (or
@@ -125,7 +122,6 @@ END_PUSH
 /myns/carol:latest Running image docker://localhost:5000/myns/carol:latest is rejected by policy.
 /open/forall:latest
 END_TESTS
- # FIXME: why does the message for alice:unsigned say ':signed' ?
 }
 teardown() {
diff --git a/systemtest/helpers.bash b/systemtest/helpers.bash
index 0d4c768f..b7479138 100644
--- a/systemtest/helpers.bash
+++ b/systemtest/helpers.bash
@@ -220,13 +220,28 @@ function expect_line_count() {
 ###############################################################################
 # BEGIN helpers for starting/stopping registries
+####################
+# start_registry # Run a local registry container
+####################
+#
+# Usage: start_registry [OPTIONS] NAME
+#
+# OPTIONS
+# --port=NNNN Port to listen on (default: 5000)
+# --testuser=XXX Require authentication; this is the username
+# --testpassword=XXX ...and the password (these two go together)
+# --with-cert Create a cert for running with TLS (not working)
+#
+# NAME is the container name to assign.
+#
 start_registry() {
 local port=5000
 local testuser=
 local testpassword=
 local create_cert=
- # option processing: recognize --auth
+ # option processing: recognize options for running the registry
+ # in different modes.
 local opt
 for opt; do
 local value=$(expr "$opt" : '[^=]*=\(.*\)')
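Review bot: The new usage block in helpers.bash documents `--with-cert` as `Create a cert for running with TLS (not working)`, but this same commit enables the TLS test and its message says the TLS registry now works, so the freshly added doc is already stale. Suggest `#   --with-cert        Generate a self-signed cert and run the registry with TLS; the .crt is also copied to $TESTDIR/client-auth for --src-cert-dir/--dest-cert-dir` (the copy is in the later hunk of this file). A one-line mention of where the generated key and cert land (`$AUTHDIR`, per that later hunk) would also help callers, since start_registry's body runs past this hunk and a reader of the header cannot otherwise see it.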
@@ -270,7 +285,7 @@ start_registry() {
 # Called with --with-cert? Create certificates.
 if [[ -n $create_cert ]]; then
- CERT=$AUTHDIR/domain.cert
+ CERT=$AUTHDIR/domain.crt
 if [ ! -e $CERT ]; then
 openssl req -newkey rsa:4096 -nodes -sha256 \
 -keyout $AUTHDIR/domain.key -x509 -days 2 \
@@ -279,25 +294,20 @@ start_registry() {
 fi
 reg_args+=(
- -e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.cert
+ -e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt
 -e REGISTRY_HTTP_TLS_KEY=/auth/domain.key
 )
+
+ # Copy .crt file to a directory *without* the .key one, so we can
+ # test the client. (If client sees a matching .key file, it fails)
+ # Thanks to Miloslav Trmac for this hint.
+ mkdir -p $TESTDIR/client-auth
+ cp $CERT $TESTDIR/client-auth/
 fi
 podman run -d --name $name "${reg_args[@]}" registry:2
 }
-
-stop_registries() {
- if [[ -z $SKOPEO_DEBUG_REGISTRIES ]]; then
- podman rm -a -f
-
- if [[ -n $AUTHDIR ]]; then
- rm -rf $AUTHDIR
- fi
- fi
-}
-
 # END helpers for starting/stopping registries
 ###############################################################################
 # BEGIN miscellaneous tools
diff --git a/systemtest/run-tests b/systemtest/run-tests
index 004c5f56..21763494 100755
--- a/systemtest/run-tests
+++ b/systemtest/run-tests
@@ -3,9 +3,6 @@
 # run-tests - simple wrapper allowing shortcuts on invocation
 #
-# FIXME
-export SKOPEO_BINARY=${SKOPEO_BINARY:-/usr/bin/skopeo}
-
 TEST_DIR=$(dirname $0)
 TESTS=$TEST_DIR
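Review bot: With stop_registries() deleted, the `rm -rf $AUTHDIR` it contained was the only visible cleanup of the directory holding `domain.key`; unless `$AUTHDIR` sits under `$TESTDIR` and standard_teardown removes it (not visible here), the registry's private key now outlives the test run. Worth either stating that next to the `CERT=$AUTHDIR/domain.crt` line in the preceding hunk, e.g. `# AUTHDIR is removed by standard_teardown` if true, or removing `$AUTHDIR/domain.key` in the callers' teardown. The new `mkdir -p $TESTDIR/client-auth` / `cp $CERT $TESTDIR/client-auth/` lines hard-code a path that 030-local-registry-tls.bats repeats twice as a literal; exporting it from here (a name such as `CLIENT_CERT_DIR=$TESTDIR/client-auth`, to be chosen) and quoting `"$TESTDIR"` would keep helper and test in step. start_registry() begins outside the hunk.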