
Commit f23a51a

author
Tibor Vass
committed
Revert "Remove Schema1 integration test suite"
This reverts commit 13b7d11. Signed-off-by: Tibor Vass <[email protected]>
1 parent 882e26a commit f23a51a

7 files changed

Lines changed: 343 additions & 23 deletions


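--- a/Dockerfile
+++ b/Dockerfile
@@ -51,13 +51,25 @@ RUN apt-get update && apt-get install -y \
 && make PREFIX=/build/ install-criu
 
 FROM base AS registry
+# Install two versions of the registry. The first is an older version that
+# only supports schema1 manifests. The second is a newer version that supports
+# both. This allows integration-cli tests to cover push/pull with both schema1
+# and schema2 manifests.
+ENV REGISTRY_COMMIT_SCHEMA1 ec87e9b6971d831f0eff752ddb54fb64693e51cd
 ENV REGISTRY_COMMIT 47a064d4195a9b56133891bbb13620c3ac83a827
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \
 && (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \
 && GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
 go build -buildmode=pie -o /build/registry-v2 github.com/docker/distribution/cmd/registry \
+&& case $(dpkg --print-architecture) in \
+amd64|ppc64*|s390x) \
+(cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1"); \
+GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"; \
+go build -buildmode=pie -o /build/registry-v2-schema1 github.com/docker/distribution/cmd/registry; \
+;; \
+esac \
 && rm -rf "$GOPATH"
 
 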
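Review bot: Inside the new `case` branch the steps are separated with `;` instead of `&&`, so a failed `git checkout -q "$REGISTRY_COMMIT_SCHEMA1"` does not stop the build and `registry-v2-schema1` would be compiled from whatever commit is still checked out. The standalone `GOPATH="…/_workspace:$GOPATH";` also reassigns the exported variable rather than scoping it to one command, so the trailing `rm -rf "$GOPATH"` receives a colon-joined string and the temporary tree is never removed on these architectures. Chain the branch with `&&` and keep the assignment as a command prefix, as the `registry-v2` build above it does: `&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" go build -buildmode=pie -o /build/registry-v2-schema1 github.com/docker/distribution/cmd/registry; \`.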

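--- a/integration-cli/check_test.go
+++ b/integration-cli/check_test.go
@@ -141,6 +141,39 @@ func (s *DockerRegistrySuite) TearDownTest(c *check.C) {
 s.ds.TearDownTest(c)
 }
 
+func init() {
+check.Suite(&DockerSchema1RegistrySuite{
+ds: &DockerSuite{},
+})
+}
+
+type DockerSchema1RegistrySuite struct {
+ds *DockerSuite
+reg *registry.V2
+d *daemon.Daemon
+}
+
+func (s *DockerSchema1RegistrySuite) OnTimeout(c *check.C) {
+s.d.DumpStackAndQuit()
+}
+
+func (s *DockerSchema1RegistrySuite) SetUpTest(c *check.C) {
+testRequires(c, DaemonIsLinux, RegistryHosting, NotArm64, testEnv.IsLocalDaemon)
+s.reg = registry.NewV2(c, registry.Schema1)
+s.reg.WaitReady(c)
+s.d = daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+}
+
+func (s *DockerSchema1RegistrySuite) TearDownTest(c *check.C) {
+if s.reg != nil {
+s.reg.Close()
+}
+if s.d != nil {
+s.d.Stop(c)
+}
+s.ds.TearDownTest(c)
+}
+
 func init() {
 check.Suite(&DockerRegistryAuthHtpasswdSuite{
 ds: &DockerSuite{},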
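Review bot: `OnTimeout` uses `s.d` unconditionally, while `TearDownTest` in the same suite guards both `s.reg` and `s.d` against nil; a timeout that fires before `daemon.New` has returned in `SetUpTest` (for example while `s.reg.WaitReady(c)` is still blocking) would call into a nil daemon. Guard it the same way: `if s.d != nil { s.d.DumpStackAndQuit() }`. Separately, the gate in `SetUpTest` is `NotArm64`, but the Dockerfile change in this commit builds `registry-v2-schema1` only for `amd64|ppc64*|s390x`; if `registry.NewV2(c, registry.Schema1)` launches that binary (not visible here), other non-arm64 architectures would fail in setup instead of being skipped.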

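--- a/integration-cli/docker_cli_by_digest_test.go
+++ b/integration-cli/docker_cli_by_digest_test.go
@@ -3,9 +3,12 @@ package main
 import (
 "encoding/json"
 "fmt"
+"os"
+"path/filepath"
 "regexp"
 "strings"
 
+"github.com/docker/distribution/manifest/schema1"
 "github.com/docker/distribution/manifest/schema2"
 "github.com/docker/docker/api/types"
 "github.com/docker/docker/integration-cli/checker"
@@ -77,6 +80,10 @@ func (s *DockerRegistrySuite) TestPullByTagDisplaysDigest(c *check.C) {
 testPullByTagDisplaysDigest(c)
 }
 
+func (s *DockerSchema1RegistrySuite) TestPullByTagDisplaysDigest(c *check.C) {
+testPullByTagDisplaysDigest(c)
+}
+
 func testPullByDigest(c *check.C) {
 testRequires(c, DaemonIsLinux)
 pushDigest, err := setupImage(c)
@@ -99,6 +106,10 @@ func (s *DockerRegistrySuite) TestPullByDigest(c *check.C) {
 testPullByDigest(c)
 }
 
+func (s *DockerSchema1RegistrySuite) TestPullByDigest(c *check.C) {
+testPullByDigest(c)
+}
+
 func testPullByDigestNoFallback(c *check.C) {
 testRequires(c, DaemonIsLinux)
 // pull from the registry using the <name>@<digest> reference
@@ -112,6 +123,10 @@ func (s *DockerRegistrySuite) TestPullByDigestNoFallback(c *check.C) {
 testPullByDigestNoFallback(c)
 }
 
+func (s *DockerSchema1RegistrySuite) TestPullByDigestNoFallback(c *check.C) {
+testPullByDigestNoFallback(c)
+}
+
 func (s *DockerRegistrySuite) TestCreateByDigest(c *check.C) {
 pushDigest, err := setupImage(c)
 assert.NilError(c, err, "error setting up image")
@@ -546,3 +561,131 @@ func (s *DockerRegistrySuite) TestPullFailsWithAlteredManifest(c *check.C) {
 expectedErrorMsg := fmt.Sprintf("manifest verification failed for digest %s", manifestDigest)
 assert.Assert(c, is.Contains(out, expectedErrorMsg))
 }
+
+// TestPullFailsWithAlteredManifest tests that a `docker pull` fails when
+// we have modified a manifest blob and its digest cannot be verified.
+// This is the schema1 version of the test.
+func (s *DockerSchema1RegistrySuite) TestPullFailsWithAlteredManifest(c *check.C) {
+testRequires(c, DaemonIsLinux)
+manifestDigest, err := setupImage(c)
+c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+// Load the target manifest blob.
+manifestBlob := s.reg.ReadBlobContents(c, manifestDigest)
+
+var imgManifest schema1.Manifest
+err = json.Unmarshal(manifestBlob, &imgManifest)
+c.Assert(err, checker.IsNil, check.Commentf("unable to decode image manifest from blob"))
+
+// Change a layer in the manifest.
+imgManifest.FSLayers[0] = schema1.FSLayer{
+BlobSum: digest.Digest("sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"),
+}
+
+// Move the existing data file aside, so that we can replace it with a
+// malicious blob of data. NOTE: we defer the returned undo func.
+undo := s.reg.TempMoveBlobData(c, manifestDigest)
+defer undo()
+
+alteredManifestBlob, err := json.MarshalIndent(imgManifest, "", " ")
+c.Assert(err, checker.IsNil, check.Commentf("unable to encode altered image manifest to JSON"))
+
+s.reg.WriteBlobContents(c, manifestDigest, alteredManifestBlob)
+
+// Now try pulling that image by digest. We should get an error about
+// digest verification for the manifest digest.
+
+// Pull from the registry using the <name>@<digest> reference.
+imageReference := fmt.Sprintf("%s@%s", repoName, manifestDigest)
+out, exitStatus, _ := dockerCmdWithError("pull", imageReference)
+c.Assert(exitStatus, checker.Not(check.Equals), 0)
+
+expectedErrorMsg := fmt.Sprintf("image verification failed for digest %s", manifestDigest)
+c.Assert(out, checker.Contains, expectedErrorMsg)
+}
+
+// TestPullFailsWithAlteredLayer tests that a `docker pull` fails when
+// we have modified a layer blob and its digest cannot be verified.
+// This is the schema2 version of the test.
+func (s *DockerRegistrySuite) TestPullFailsWithAlteredLayer(c *check.C) {
+testRequires(c, DaemonIsLinux)
+manifestDigest, err := setupImage(c)
+c.Assert(err, checker.IsNil)
+
+// Load the target manifest blob.
+manifestBlob := s.reg.ReadBlobContents(c, manifestDigest)
+
+var imgManifest schema2.Manifest
+err = json.Unmarshal(manifestBlob, &imgManifest)
+c.Assert(err, checker.IsNil)
+
+// Next, get the digest of one of the layers from the manifest.
+targetLayerDigest := imgManifest.Layers[0].Digest
+
+// Move the existing data file aside, so that we can replace it with a
+// malicious blob of data. NOTE: we defer the returned undo func.
+undo := s.reg.TempMoveBlobData(c, targetLayerDigest)
+defer undo()
+
+// Now make a fake data blob in this directory.
+s.reg.WriteBlobContents(c, targetLayerDigest, []byte("This is not the data you are looking for."))
+
+// Now try pulling that image by digest. We should get an error about
+// digest verification for the target layer digest.
+
+// Remove distribution cache to force a re-pull of the blobs
+if err := os.RemoveAll(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "image", s.d.StorageDriver(), "distribution")); err != nil {
+c.Fatalf("error clearing distribution cache: %v", err)
+}
+
+// Pull from the registry using the <name>@<digest> reference.
+imageReference := fmt.Sprintf("%s@%s", repoName, manifestDigest)
+out, exitStatus, _ := dockerCmdWithError("pull", imageReference)
+c.Assert(exitStatus, checker.Not(check.Equals), 0, check.Commentf("expected a non-zero exit status"))
+
+expectedErrorMsg := fmt.Sprintf("filesystem layer verification failed for digest %s", targetLayerDigest)
+c.Assert(out, checker.Contains, expectedErrorMsg, check.Commentf("expected error message in output: %s", out))
+}
+
+// TestPullFailsWithAlteredLayer tests that a `docker pull` fails when
+// we have modified a layer blob and its digest cannot be verified.
+// This is the schema1 version of the test.
+func (s *DockerSchema1RegistrySuite) TestPullFailsWithAlteredLayer(c *check.C) {
+testRequires(c, DaemonIsLinux)
+manifestDigest, err := setupImage(c)
+c.Assert(err, checker.IsNil)
+
+// Load the target manifest blob.
+manifestBlob := s.reg.ReadBlobContents(c, manifestDigest)
+
+var imgManifest schema1.Manifest
+err = json.Unmarshal(manifestBlob, &imgManifest)
+c.Assert(err, checker.IsNil)
+
+// Next, get the digest of one of the layers from the manifest.
+targetLayerDigest := imgManifest.FSLayers[0].BlobSum
+
+// Move the existing data file aside, so that we can replace it with a
+// malicious blob of data. NOTE: we defer the returned undo func.
+undo := s.reg.TempMoveBlobData(c, targetLayerDigest)
+defer undo()
+
+// Now make a fake data blob in this directory.
+s.reg.WriteBlobContents(c, targetLayerDigest, []byte("This is not the data you are looking for."))
+
+// Now try pulling that image by digest. We should get an error about
+// digest verification for the target layer digest.
+
+// Remove distribution cache to force a re-pull of the blobs
+if err := os.RemoveAll(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "image", s.d.StorageDriver(), "distribution")); err != nil {
+c.Fatalf("error clearing distribution cache: %v", err)
+}
+
+// Pull from the registry using the <name>@<digest> reference.
+imageReference := fmt.Sprintf("%s@%s", repoName, manifestDigest)
+out, exitStatus, _ := dockerCmdWithError("pull", imageReference)
+c.Assert(exitStatus, checker.Not(check.Equals), 0, check.Commentf("expected a non-zero exit status"))
+
+expectedErrorMsg := fmt.Sprintf("filesystem layer verification failed for digest %s", targetLayerDigest)
+c.Assert(out, checker.Contains, expectedErrorMsg, check.Commentf("expected error message in output: %s", out))
+}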
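Review bot: The three added tamper tests index the decoded manifest (`imgManifest.FSLayers[0]`, `imgManifest.Layers[0]`) without first asserting that it contains any layers, so an empty or unexpectedly shaped manifest blob panics the suite instead of failing with a message. Add a length assertion right after the `json.Unmarshal` check, for example `assert.Assert(c, len(imgManifest.FSLayers) > 0, "manifest has no layers")`, using the `assert` package the surrounding file already calls. The schema1 and schema2 `TestPullFailsWithAlteredLayer` bodies differ only in the manifest type and the digest accessor; a shared helper in the style of `testPullByDigest` would keep the two digest-verification checks from drifting apart.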

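--- a/integration-cli/docker_cli_daemon_test.go
+++ b/integration-cli/docker_cli_daemon_test.go
@@ -18,6 +18,7 @@ import (
 "path"
 "path/filepath"
 "regexp"
+"runtime"
 "strconv"
 "strings"
 "sync"
@@ -550,6 +551,26 @@ func (s *DockerDaemonSuite) TestDaemonAllocatesListeningPort(c *check.C) {
 }
 }
 
+func (s *DockerDaemonSuite) TestDaemonUUIDGeneration(c *check.C) {
+dir := "/var/lib/docker"
+if runtime.GOOS == "windows" {
+dir = filepath.Join(os.Getenv("programdata"), "docker")
+}
+file := filepath.Join(dir, "engine_uuid")
+os.Remove(file)
+s.d.Start(c)
+s.d.Stop(c)
+
+fi, err := os.Stat(file)
+if err != nil {
+c.Fatalf("Error opening uuid file")
+}
+// Test for uuid length
+if fi.Size() != 36 {
+c.Fatalf("Bad UUID size %d", fi.Size())
+}
+}
+
 // GH#11320 - verify that the daemon exits on failure properly
 // Note that this explicitly tests the conflict of {-b,--bridge} and {--bip} options as the means
 // to get a daemon init failure; no other tests for -b/--bip conflict are therefore required
@@ -1174,6 +1195,59 @@ func (s *DockerDaemonSuite) TestDaemonUnixSockCleanedUp(c *check.C) {
 }
 }
 
+func (s *DockerDaemonSuite) TestDaemonWithWrongkey(c *check.C) {
+type Config struct {
+Crv string `json:"crv"`
+D string `json:"d"`
+Kid string `json:"kid"`
+Kty string `json:"kty"`
+X string `json:"x"`
+Y string `json:"y"`
+}
+
+os.Remove("/etc/docker/key.json")
+s.d.Start(c)
+s.d.Stop(c)
+
+config := &Config{}
+bytes, err := ioutil.ReadFile("/etc/docker/key.json")
+if err != nil {
+c.Fatalf("Error reading key.json file: %s", err)
+}
+
+// byte[] to Data-Struct
+if err := json.Unmarshal(bytes, &config); err != nil {
+c.Fatalf("Error Unmarshal: %s", err)
+}
+
+//replace config.Kid with the fake value
+config.Kid = "VSAJ:FUYR:X3H2:B2VZ:KZ6U:CJD5:K7BX:ZXHY:UZXT:P4FT:MJWG:HRJ4"
+
+// NEW Data-Struct to byte[]
+newBytes, err := json.Marshal(&config)
+if err != nil {
+c.Fatalf("Error Marshal: %s", err)
+}
+
+// write back
+if err := ioutil.WriteFile("/etc/docker/key.json", newBytes, 0400); err != nil {
+c.Fatalf("Error ioutil.WriteFile: %s", err)
+}
+
+defer os.Remove("/etc/docker/key.json")
+
+if err := s.d.StartWithError(); err == nil {
+c.Fatalf("It should not be successful to start daemon with wrong key: %v", err)
+}
+
+content, err := s.d.ReadLogFile()
+c.Assert(err, checker.IsNil)
+
+if !strings.Contains(string(content), "Public Key ID does not match") {
+c.Fatalf("Missing KeyID message from daemon logs: %s", string(content))
+}
+}
+
 func (s *DockerDaemonSuite) TestDaemonRestartKillWait(c *check.C) {
 s.d.StartWithBusybox(c)
 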
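Review bot: In `TestDaemonWithWrongkey` the cleanup `defer os.Remove("/etc/docker/key.json")` is registered only after the tampered key has been written, so a failed or partial `ioutil.WriteFile` exits through `c.Fatalf` with no cleanup and leaves a broken key file at a fixed host path for later daemon tests. Move the `defer` up to just after the initial `os.Remove`. The failure message for `StartWithError` formats `err` in the branch where it is nil; drop the verb so it reads `c.Fatalf("It should not be successful to start daemon with wrong key")`. `TestDaemonUUIDGeneration` likewise discards the `os.Stat` error and should report it: `c.Fatalf("Error opening uuid file: %v", err)`.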
