Merge pull request #2650 from mtrmac/sequoia-cli-infra
Prepare for `--sign-by-sq-fingerprint`
commit
b59c8598cd
7
Makefile
7
Makefile
@ -53,10 +53,9 @@ ifeq ($(GOOS), linux)
|
|||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
# If $TESTFLAGS is set, it is passed as extra arguments to 'go test'.
|
# If $TESTFLAGS is set, it is passed as extra arguments to 'go test' on integration tests.
|
||||||
# You can select certain tests to run, with `-run <regex>` for example:
|
# You can select certain tests to run, with `-run <regex>` for example:
|
||||||
#
|
#
|
||||||
# make test-unit TESTFLAGS='-run ^TestManifestDigest$'
|
|
||||||
# make test-integration TESTFLAGS='-run copySuite.TestCopy.*'
|
# make test-integration TESTFLAGS='-run copySuite.TestCopy.*'
|
||||||
export TESTFLAGS ?= -timeout=15m
|
export TESTFLAGS ?= -timeout=15m
|
||||||
|
|
||||||
@ -205,7 +204,7 @@ test-integration:
|
|||||||
# Intended for CI, assumed to be running in quay.io/libpod/skopeo_cidev container.
|
# Intended for CI, assumed to be running in quay.io/libpod/skopeo_cidev container.
|
||||||
test-integration-local: bin/skopeo
|
test-integration-local: bin/skopeo
|
||||||
hack/warn-destructive-tests.sh
|
hack/warn-destructive-tests.sh
|
||||||
hack/test-integration.sh
|
hack/test-integration.sh $(SKOPEO_LDFLAGS) $(TESTFLAGS)
|
||||||
|
|
||||||
# complicated set of options needed to run podman-in-podman
|
# complicated set of options needed to run podman-in-podman
|
||||||
test-system:
|
test-system:
|
||||||
@ -222,7 +221,7 @@ test-system:
|
|||||||
# Intended for CI, assumed to already be running in quay.io/libpod/skopeo_cidev container.
|
# Intended for CI, assumed to already be running in quay.io/libpod/skopeo_cidev container.
|
||||||
test-system-local: bin/skopeo
|
test-system-local: bin/skopeo
|
||||||
hack/warn-destructive-tests.sh
|
hack/warn-destructive-tests.sh
|
||||||
hack/test-system.sh
|
hack/test-system.sh SKOPEO_LDFLAGS="$(SKOPEO_LDFLAGS)" BUILDTAGS="$(BUILDTAGS)"
|
||||||
|
|
||||||
test-unit:
|
test-unit:
|
||||||
# Just call (make test unit-local) here instead of worrying about environment differences
|
# Just call (make test unit-local) here instead of worrying about environment differences
|
||||||
|
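Review bot: In `test-system-local`, `SKOPEO_LDFLAGS="$(SKOPEO_LDFLAGS)"` and `BUILDTAGS="$(BUILDTAGS)"` are pasted by make into a double-quoted shell word, so a `"`, `$` or backtick in either value is interpreted by the recipe shell instead of reaching `hack/test-system.sh` intact. `test-integration-local` passes `$(SKOPEO_LDFLAGS)` and `$(TESTFLAGS)` unquoted as separate words, and TESTFLAGS is set with `?=`, so it can come from the environment. The expected shape of these values deserves a comment next to the recipes, for example `# SKOPEO_LDFLAGS, BUILDTAGS and TESTFLAGS are expanded into the shell command line as-is; values must not contain double quotes, $ or backticks.` The definition of SKOPEO_LDFLAGS is outside the visible hunks, so whether it already carries its own quoting cannot be confirmed from here.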
@ -3,6 +3,6 @@ set -e
|
|||||||
|
|
||||||
make PREFIX=/usr install
|
make PREFIX=/usr install
|
||||||
|
|
||||||
echo "cd ./integration;" go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
|
echo "cd ./integration;" go test "$@" ${BUILDTAGS:+-tags "$BUILDTAGS"}
|
||||||
cd ./integration
|
cd ./integration
|
||||||
go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
|
go test "$@" ${BUILDTAGS:+-tags "$BUILDTAGS"}
|
||||||
|
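Review bot: The `go test` line no longer reads `$TESTFLAGS`, so anything that runs `hack/test-integration.sh` directly with TESTFLAGS only in the environment now silently loses those flags, including the `-timeout=15m` default that the Makefile still exports. If that is intended, a usage comment at the top of the script would make it explicit, e.g. `# Usage: hack/test-integration.sh [go test flags...] (TESTFLAGS in the environment is not read)`. The `echo` line also prints `"$@"` with word boundaries flattened, so the logged command may differ from the one that runs when an argument contains spaces. The start of the script is outside the hunk.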
@ -38,7 +38,7 @@ EOF
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Build skopeo, install into /usr/bin
|
# Build skopeo, install into /usr/bin
|
||||||
make PREFIX=/usr install
|
make PREFIX=/usr install "$@"
|
||||||
|
|
||||||
# Run tests
|
# Run tests
|
||||||
SKOPEO_BINARY=/usr/bin/skopeo bats --tap systemtest
|
SKOPEO_BINARY=/usr/bin/skopeo bats --tap systemtest
|
||||||
|
@ -8,6 +8,7 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"io/fs"
|
"io/fs"
|
||||||
"log"
|
"log"
|
||||||
|
"maps"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
"os"
|
"os"
|
||||||
@ -101,6 +102,16 @@ func (s *copySuite) TearDownSuite() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// policyFixture applies the general edits, as well as extraSubstitutions, to the policy.json fixture,
|
||||||
|
// and returns a path to a policy, which will be automatically removed when the test completes.
|
||||||
|
func (s *copySuite) policyFixture(extraSubstitutions map[string]string) string {
|
||||||
|
t := s.T()
|
||||||
|
edits := map[string]string{"@keydir@": s.gpgHome}
|
||||||
|
maps.Copy(edits, extraSubstitutions)
|
||||||
|
policyPath := fileFromFixture(t, "fixtures/policy.json", edits)
|
||||||
|
return policyPath
|
||||||
|
}
|
||||||
|
|
||||||
func (s *copySuite) TestCopyWithManifestList() {
|
func (s *copySuite) TestCopyWithManifestList() {
|
||||||
t := s.T()
|
t := s.T()
|
||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
@ -744,8 +755,7 @@ func (s *copySuite) TestCopySignatures() {
|
|||||||
dir := t.TempDir()
|
dir := t.TempDir()
|
||||||
dirDest := "dir:" + dir
|
dirDest := "dir:" + dir
|
||||||
|
|
||||||
policy := fileFromFixture(t, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
|
policy := s.policyFixture(nil)
|
||||||
defer os.Remove(policy)
|
|
||||||
|
|
||||||
// type: reject
|
// type: reject
|
||||||
assertSkopeoFails(t, fmt.Sprintf(".*Source image rejected: Running image %s:latest is rejected by policy.*", testFQIN),
|
assertSkopeoFails(t, fmt.Sprintf(".*Source image rejected: Running image %s:latest is rejected by policy.*", testFQIN),
|
||||||
@ -808,8 +818,7 @@ func (s *copySuite) TestCopyDirSignatures() {
|
|||||||
|
|
||||||
// Note the "/@dirpath@": The value starts with a slash so that it is not rejected in other tests which do not replace it,
|
// Note the "/@dirpath@": The value starts with a slash so that it is not rejected in other tests which do not replace it,
|
||||||
// but we must ensure that the result is a canonical path, not something starting with a "//".
|
// but we must ensure that the result is a canonical path, not something starting with a "//".
|
||||||
policy := fileFromFixture(t, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome, "/@dirpath@": topDir + "/restricted"})
|
policy := s.policyFixture(map[string]string{"/@dirpath@": topDir + "/restricted"})
|
||||||
defer os.Remove(policy)
|
|
||||||
|
|
||||||
// Get some images.
|
// Get some images.
|
||||||
assertSkopeoSucceeds(t, "", "copy", "--retry-times", "3", testFQIN+":armfh", topDirDest+"/dir1")
|
assertSkopeoSucceeds(t, "", "copy", "--retry-times", "3", testFQIN+":armfh", topDirDest+"/dir1")
|
||||||
@ -916,8 +925,7 @@ func (s *copySuite) TestCopyDockerLookaside() {
|
|||||||
}))
|
}))
|
||||||
defer splitLookasideReadServer.Close()
|
defer splitLookasideReadServer.Close()
|
||||||
|
|
||||||
policy := fileFromFixture(t, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
|
policy := s.policyFixture(nil)
|
||||||
defer os.Remove(policy)
|
|
||||||
registriesDir := filepath.Join(tmpDir, "registries.d")
|
registriesDir := filepath.Join(tmpDir, "registries.d")
|
||||||
err = os.Mkdir(registriesDir, 0755)
|
err = os.Mkdir(registriesDir, 0755)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
@ -977,8 +985,7 @@ func (s *copySuite) TestCopyAtomicExtension() {
|
|||||||
}
|
}
|
||||||
registriesDir := filepath.Join(topDir, "registries.d")
|
registriesDir := filepath.Join(topDir, "registries.d")
|
||||||
dirDest := "dir:" + topDir
|
dirDest := "dir:" + topDir
|
||||||
policy := fileFromFixture(t, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
|
policy := s.policyFixture(nil)
|
||||||
defer os.Remove(policy)
|
|
||||||
|
|
||||||
// Get an image to work with to an atomic: destination. Also verifies that we can use Docker repositories without X-Registry-Supports-Signatures
|
// Get an image to work with to an atomic: destination. Also verifies that we can use Docker repositories without X-Registry-Supports-Signatures
|
||||||
assertSkopeoSucceeds(t, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "--retry-times", "3",
|
assertSkopeoSucceeds(t, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "--retry-times", "3",
|
||||||
@ -1035,8 +1042,7 @@ func (s *copySuite) TestCopyVerifyingMirroredSignatures() {
|
|||||||
registriesDir := filepath.Join(topDir, "registries.d") // An empty directory to disable lookaside use
|
registriesDir := filepath.Join(topDir, "registries.d") // An empty directory to disable lookaside use
|
||||||
dirDest := "dir:" + filepath.Join(topDir, "unused-dest")
|
dirDest := "dir:" + filepath.Join(topDir, "unused-dest")
|
||||||
|
|
||||||
policy := fileFromFixture(t, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
|
policy := s.policyFixture(nil)
|
||||||
defer os.Remove(policy)
|
|
||||||
|
|
||||||
// We use X-R-S-S for this testing to avoid having to deal with the lookasides.
|
// We use X-R-S-S for this testing to avoid having to deal with the lookasides.
|
||||||
// A downside is that OpenShift records signatures per image, so the error messages below
|
// A downside is that OpenShift records signatures per image, so the error messages below
|
||||||
|
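Review bot: The doc comment on `policyFixture` says it applies "the general edits" without naming them or saying which side wins on a key collision. Because `maps.Copy(edits, extraSubstitutions)` overwrites existing keys, a caller-supplied `@keydir@` replaces `s.gpgHome`, which presumably changes the key directory the policy verifies signatures against. I would spell that out, e.g. `// policyFixture replaces @keydir@ with s.gpgHome, then applies extraSubstitutions (which override that default), to the policy.json fixture,`. As a style point the `policyPath` local can go: `return fileFromFixture(t, "fixtures/policy.json", edits)`.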
@ -174,8 +174,8 @@ func modifyEnviron(env []string, name, value string) []string {
|
|||||||
return append(res, prefix+value)
|
return append(res, prefix+value)
|
||||||
}
|
}
|
||||||
|
|
||||||
// fileFromFixture applies edits to inputPath and returns a path to the temporary file.
|
// fileFromFixture applies edits to inputPath and returns a path to the temporary file with the edits,
|
||||||
// Callers should defer os.Remove(the_returned_path)
|
// which will be automatically removed when the test completes.
|
||||||
func fileFromFixture(t *testing.T, inputPath string, edits map[string]string) string {
|
func fileFromFixture(t *testing.T, inputPath string, edits map[string]string) string {
|
||||||
contents, err := os.ReadFile(inputPath)
|
contents, err := os.ReadFile(inputPath)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
@ -188,6 +188,7 @@ func fileFromFixture(t *testing.T, inputPath string, edits map[string]string) st
|
|||||||
file, err := os.CreateTemp("", "policy.json")
|
file, err := os.CreateTemp("", "policy.json")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
path := file.Name()
|
path := file.Name()
|
||||||
|
t.Cleanup(func() { os.Remove(path) })
|
||||||
|
|
||||||
_, err = file.Write(contents)
|
_, err = file.Write(contents)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
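Review bot: The added `t.Cleanup(func() { os.Remove(path) })` discards the error from `os.Remove`, and the file still lands in the shared system temp directory because `os.CreateTemp` is called with an empty dir argument. Creating it under the test's own directory, `file, err := os.CreateTemp(t.TempDir(), "policy.json")`, makes the explicit cleanup unnecessary, and the testing package reports a failed removal of that directory. The rest of `fileFromFixture`, including where the file is closed, is outside the hunk.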