fixup! Incorporate review feedback from mtrmac

- Got TLS registry working, and test enabled. The trick was to
  copy the .crt file to a separate directory *without* the .key

- auth test - set up a private XDG_RUNTIME_DIR, in case tests
  are being run by a real user.

- signing test - remove FIXME comments; questions answered.

- helpers.bash - document start_registries(); save a .crt file,
  not .cert; and remove unused stop_registries() - it's too hard
  to do right, and very easy for individual tests to 'podman rm -f'

- run-tests - remove SKOPEO_BINARY definition, it's inconsistent
  with the one in helpers.bash

Signed-off-by: Ed Santiago <santiago@redhat.com>
This commit is contained in:
Ed Santiago 2019-05-20 14:28:46 -06:00
parent 12f0e24519
commit 5dd3b2bffd
5 changed files with 39 additions and 43 deletions


@ -1,16 +1,7 @@
#!/usr/bin/env bats #!/usr/bin/env bats
# #
# This is probably a never-mind. # Confirm that skopeo will push to and pull from a local
# # registry with locally-created TLS certificates.
# The idea is to set up a local registry with locally generated certs,
# using --dest-cert-dir to tell skopeo how to check. But no, it fails with
#
# x509: certificate signed by unknown authority
#
# Perhaps I'm missing something? Maybe I need to add something into
# /etc/pki/somewhere? If this is truly not possible to test without
# a real signature, then let's just delete this test.
#
# #
load helpers load helpers
@ -21,15 +12,15 @@ function setup() {
} }
@test "local registry, with cert" { @test "local registry, with cert" {
skip "doesn't work as expected" # Push to local registry...
run_skopeo copy --dest-cert-dir=$TESTDIR/client-auth \
local remote_image=docker://busybox:latest
local localimg=docker://localhost:5000/busybox:unsigned
# Fails with: x509: certificate signed by unknown authority
run_skopeo --debug copy --dest-cert-dir=$TESTDIR/auth \
docker://busybox:latest \ docker://busybox:latest \
docker://localhost:5000/busybox:unsigned docker://localhost:5000/busybox:unsigned
# ...and pull it back out
run_skopeo copy --src-cert-dir=$TESTDIR/client-auth \
docker://localhost:5000/busybox:unsigned \
dir:$TESTDIR/extracted
} }
teardown() { teardown() {
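Review bot: The new test only exercises the positive path — a copy with `--dest-cert-dir=$TESTDIR/client-auth` succeeds — so it cannot distinguish working TLS verification from a client that accepts any certificate; a pull of `docker://localhost:5000/busybox:unsigned` without `--src-cert-dir` should also be asserted to fail (the `x509: certificate signed by unknown authority` text quoted in the removed header is presumably the expected error). How run_skopeo expresses an expected non-zero exit is not visible here, so the exact form depends on that helper. Separately, `$TESTDIR` is expanded unquoted in `--dest-cert-dir=$TESTDIR/client-auth`, `--src-cert-dir=$TESTDIR/client-auth` and `dir:$TESTDIR/extracted`; `--dest-cert-dir="$TESTDIR/client-auth"` keeps a path containing spaces intact. teardown() starts on the last line of the hunk and continues outside it.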


@ -9,8 +9,10 @@ function setup() {
standard_setup standard_setup
# Remove old/stale cred file # Remove old/stale cred file
_cred_file=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/containers/auth.json _cred_dir=$TESTDIR/credentials
rm -f $_cred_file export XDG_RUNTIME_DIR=$_cred_dir
mkdir -p $_cred_dir/containers
rm -f $_cred_dir/containers/auth.json
# Start authenticated registry with random password # Start authenticated registry with random password
testuser=testuser testuser=testuser
@ -66,8 +68,8 @@ function setup() {
teardown() { teardown() {
podman rm -f reg podman rm -f reg
if [[ -n $_cred_file ]]; then if [[ -n $_cred_dir ]]; then
rm -f $_cred_file rm -rf $_cred_dir
fi fi
standard_teardown standard_teardown
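Review bot: The private runtime dir created by `mkdir -p $_cred_dir/containers` inherits the caller's umask, while the XDG Base Directory spec requires `$XDG_RUNTIME_DIR` to be mode 0700, and this is presumably where the test's registry credentials get written (the `auth.json` that the next line clears); `mkdir -p -m 0700 "$_cred_dir"` before creating the containers subdir (or `chmod 0700 "$_cred_dir"` afterwards) keeps the password file private when tests run under a permissive umask. In teardown, `rm -rf $_cred_dir` is guarded only by `-n`; since the value derives from `$TESTDIR`, `rm -rf -- "${_cred_dir:?}"` fails closed if either is ever empty. All `$_cred_dir` expansions in both hunks are also unquoted. The setup() that the first hunk belongs to starts outside the hunk.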


@ -95,9 +95,6 @@ END_POLICY_JSON
/myns/carol:latest - # No signature /myns/carol:latest - # No signature
/open/forall:latest - # No signature, but none needed /open/forall:latest - # No signature, but none needed
END_PUSH END_PUSH
# FIXME: there doesn't seem to be a way to push an image
# such as '/bob:signed', signed by bob, at the same time
# that we have :signedbyalice
# Done pushing. Now try to fetch. From here on we use the --policy option. # Done pushing. Now try to fetch. From here on we use the --policy option.
# The table below lists the paths to fetch, and the expected errors (or # The table below lists the paths to fetch, and the expected errors (or
@ -125,7 +122,6 @@ END_PUSH
/myns/carol:latest Running image docker://localhost:5000/myns/carol:latest is rejected by policy. /myns/carol:latest Running image docker://localhost:5000/myns/carol:latest is rejected by policy.
/open/forall:latest /open/forall:latest
END_TESTS END_TESTS
# FIXME: why does the message for alice:unsigned say ':signed' ?
} }
teardown() { teardown() {


@ -220,13 +220,28 @@ function expect_line_count() {
############################################################################### ###############################################################################
# BEGIN helpers for starting/stopping registries # BEGIN helpers for starting/stopping registries
####################
# start_registry # Run a local registry container
####################
#
# Usage: start_registry [OPTIONS] NAME
#
# OPTIONS
# --port=NNNN Port to listen on (default: 5000)
# --testuser=XXX Require authentication; this is the username
# --testpassword=XXX ...and the password (these two go together)
# --with-cert Create a cert for running with TLS (not working)
#
# NAME is the container name to assign.
#
start_registry() { start_registry() {
local port=5000 local port=5000
local testuser= local testuser=
local testpassword= local testpassword=
local create_cert= local create_cert=
# option processing: recognize --auth # option processing: recognize options for running the registry
# in different modes.
local opt local opt
for opt; do for opt; do
local value=$(expr "$opt" : '[^=]*=\(.*\)') local value=$(expr "$opt" : '[^=]*=\(.*\)')
@ -270,7 +285,7 @@ start_registry() {
# Called with --with-cert? Create certificates. # Called with --with-cert? Create certificates.
if [[ -n $create_cert ]]; then if [[ -n $create_cert ]]; then
CERT=$AUTHDIR/domain.cert CERT=$AUTHDIR/domain.crt
if [ ! -e $CERT ]; then if [ ! -e $CERT ]; then
openssl req -newkey rsa:4096 -nodes -sha256 \ openssl req -newkey rsa:4096 -nodes -sha256 \
-keyout $AUTHDIR/domain.key -x509 -days 2 \ -keyout $AUTHDIR/domain.key -x509 -days 2 \
@ -279,25 +294,20 @@ start_registry() {
fi fi
reg_args+=( reg_args+=(
-e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.cert -e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt
-e REGISTRY_HTTP_TLS_KEY=/auth/domain.key -e REGISTRY_HTTP_TLS_KEY=/auth/domain.key
) )
# Copy .crt file to a directory *without* the .key one, so we can
# test the client. (If client sees a matching .key file, it fails)
# Thanks to Miloslav Trmac for this hint.
mkdir -p $TESTDIR/client-auth
cp $CERT $TESTDIR/client-auth/
fi fi
podman run -d --name $name "${reg_args[@]}" registry:2 podman run -d --name $name "${reg_args[@]}" registry:2
} }
stop_registries() {
if [[ -z $SKOPEO_DEBUG_REGISTRIES ]]; then
podman rm -a -f
if [[ -n $AUTHDIR ]]; then
rm -rf $AUTHDIR
fi
fi
}
# END helpers for starting/stopping registries # END helpers for starting/stopping registries
############################################################################### ###############################################################################
# BEGIN miscellaneous tools # BEGIN miscellaneous tools
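Review bot: The new usage block still says `# --with-cert Create a cert for running with TLS (not working)`, but this same commit enables the TLS test and adds the client-auth copy that makes it pass, so `(not working)` is stale on arrival; `# --with-cert Create a self-signed cert and serve the registry over TLS` matches the code. In the same function, the new `mkdir -p $TESTDIR/client-auth` and `cp $CERT $TESTDIR/client-auth/` expand paths unquoted; `mkdir -p -- "$TESTDIR/client-auth"` and `cp -- "$CERT" "$TESTDIR/client-auth/"` are the quoted forms. With stop_registries() removed, nothing visible in this section deletes `$AUTHDIR` or the unencrypted `domain.key` it holds between runs; if standard_teardown does not cover that, it is worth confirming. start_registry() begins in the first hunk and its body runs past the hunks shown.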


@ -3,9 +3,6 @@
# run-tests - simple wrapper allowing shortcuts on invocation # run-tests - simple wrapper allowing shortcuts on invocation
# #
# FIXME
export SKOPEO_BINARY=${SKOPEO_BINARY:-/usr/bin/skopeo}
TEST_DIR=$(dirname $0) TEST_DIR=$(dirname $0)
TESTS=$TEST_DIR TESTS=$TEST_DIR