github/skopeo
1
0
Fork 0
mirror of https://github.com/containers/skopeo.git synced 2025-04-27 11:01:18 +00:00
Code Issues Projects Releases Wiki Activity

fixup! Incorporate review feedback from mtrmac

Browse Source 
- Got TLS registry working, and test enabled. The trick was to
  copy the .crt file to a separate directory *without* the .key

- auth test - set up a private XDG_RUNTIME_DIR, in case tests
  are being run by a real user.

- signing test - remove FIXME comments; questions answered.

- helpers.bash - document start_registries(); save a .crt file,
  not .cert; and remove unused stop_registries() - it's too hard
  to do right, and very easy for individual tests to 'podman rm -f'

- run-tests - remove SKOPEO_BINARY definition, it's inconsistent
  with the one in helpers.bash

Signed-off-by: Ed Santiago <santiago@redhat.com>
This commit is contained in:
Ed Santiago 2019-05-20 14:28:46 -06:00
parent 12f0e24519
commit 5dd3b2bffd
5 changed files with 39 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
systemtest/030-local-registry-tls.bats
View File

@ -1,16 +1,7 @@
#!/usr/bin/env bats
#
# This is probably a never-mind.
#
# The idea is to set up a local registry with locally generated certs,
# using --dest-cert-dir to tell skopeo how to check. But no, it fails with
#
# x509: certificate signed by unknown authority
#
# Perhaps I'm missing something? Maybe I need to add something into
# /etc/pki/somewhere? If this is truly not possible to test without
# a real signature, then let's just delete this test.
#
# Confirm that skopeo will push to and pull from a local
# registry with locally-created TLS certificates.
#
load helpers
@ -21,15 +12,15 @@ function setup() {
}
@test "local registry, with cert" {
skip "doesn't work as expected"
local remote_image=docker://busybox:latest
local localimg=docker://localhost:5000/busybox:unsigned
# Fails with: x509: certificate signed by unknown authority
run_skopeo --debug copy --dest-cert-dir=$TESTDIR/auth \
# Push to local registry...
run_skopeo copy --dest-cert-dir=$TESTDIR/client-auth \
docker://busybox:latest \
docker://localhost:5000/busybox:unsigned
# ...and pull it back out
run_skopeo copy --src-cert-dir=$TESTDIR/client-auth \
docker://localhost:5000/busybox:unsigned \
dir:$TESTDIR/extracted
}
teardown() {

10
systemtest/040-local-registry-auth.bats
View File

@ -9,8 +9,10 @@ function setup() {
standard_setup
# Remove old/stale cred file
_cred_file=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/containers/auth.json
rm -f $_cred_file
_cred_dir=$TESTDIR/credentials
export XDG_RUNTIME_DIR=$_cred_dir
mkdir -p $_cred_dir/containers
rm -f $_cred_dir/containers/auth.json
# Start authenticated registry with random password
testuser=testuser
@ -66,8 +68,8 @@ function setup() {
teardown() {
podman rm -f reg
if [[ -n $_cred_file ]]; then
rm -f $_cred_file
if [[ -n $_cred_dir ]]; then
rm -rf $_cred_dir
fi
standard_teardown

4
systemtest/050-signing.bats
View File

@ -95,9 +95,6 @@ END_POLICY_JSON
/myns/carol:latest - # No signature
/open/forall:latest - # No signature, but none needed
END_PUSH
# FIXME: there doesn't seem to be a way to push an image
# such as '/bob:signed', signed by bob, at the same time
# that we have :signedbyalice
# Done pushing. Now try to fetch. From here on we use the --policy option.
# The table below lists the paths to fetch, and the expected errors (or
@ -125,7 +122,6 @@ END_PUSH
/myns/carol:latest Running image docker://localhost:5000/myns/carol:latest is rejected by policy.
/open/forall:latest
END_TESTS
# FIXME: why does the message for alice:unsigned say ':signed' ?
}
teardown() {

38
systemtest/helpers.bash
View File

@ -220,13 +220,28 @@ function expect_line_count() {
###############################################################################
# BEGIN helpers for starting/stopping registries
####################
# start_registry # Run a local registry container
####################
#
# Usage: start_registry [OPTIONS] NAME
#
# OPTIONS
# --port=NNNN Port to listen on (default: 5000)
# --testuser=XXX Require authentication; this is the username
# --testpassword=XXX ...and the password (these two go together)
# --with-cert Create a cert for running with TLS (not working)
#
# NAME is the container name to assign.
#
start_registry() {
local port=5000
local testuser=
local testpassword=
local create_cert=
# option processing: recognize --auth
# option processing: recognize options for running the registry
# in different modes.
local opt
for opt; do
local value=$(expr "$opt" : '[^=]*=\(.*\)')
@ -270,7 +285,7 @@ start_registry() {
# Called with --with-cert? Create certificates.
if [[ -n $create_cert ]]; then
CERT=$AUTHDIR/domain.cert
CERT=$AUTHDIR/domain.crt
if [ ! -e $CERT ]; then
openssl req -newkey rsa:4096 -nodes -sha256 \
-keyout $AUTHDIR/domain.key -x509 -days 2 \
@ -279,25 +294,20 @@ start_registry() {
fi
reg_args+=(
-e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.cert
-e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt
-e REGISTRY_HTTP_TLS_KEY=/auth/domain.key
)
# Copy .crt file to a directory *without* the .key one, so we can
# test the client. (If client sees a matching .key file, it fails)
# Thanks to Miloslav Trmac for this hint.
mkdir -p $TESTDIR/client-auth
cp $CERT $TESTDIR/client-auth/
fi
podman run -d --name $name "${reg_args[@]}" registry:2
}
stop_registries() {
if [[ -z $SKOPEO_DEBUG_REGISTRIES ]]; then
podman rm -a -f
if [[ -n $AUTHDIR ]]; then
rm -rf $AUTHDIR
fi
fi
}
# END helpers for starting/stopping registries
###############################################################################
# BEGIN miscellaneous tools

3
systemtest/run-tests
View File

@ -3,9 +3,6 @@
# run-tests - simple wrapper allowing shortcuts on invocation
#
# FIXME
export SKOPEO_BINARY=${SKOPEO_BINARY:-/usr/bin/skopeo}
TEST_DIR=$(dirname $0)
TESTS=$TEST_DIR