diff --git a/contrib/docker-integration/Makefile b/contrib/docker-integration/Makefile
deleted file mode 100644
index 38a595bc4..000000000
--- a/contrib/docker-integration/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-.PHONY: build test
-
-build:
- docker-compose build
-
-start: build
- docker-compose up -d
-
-stop:
- docker-compose stop
-
-clean:
- docker-compose kill
- docker-compose rm -f
-
-install:
- sh ./install_certs.sh localhost
- sh ./install_certs.sh localregistry
-
-test:
- @echo "!!!!Ensure /etc/hosts entry is updated for localregistry and make install has been run"
- sh ./test_docker.sh localregistry
-
-all: build
diff --git a/contrib/docker-integration/README.md b/contrib/docker-integration/README.md
index af0779fed..7e2ca11e6 100644
--- a/contrib/docker-integration/README.md
+++ b/contrib/docker-integration/README.md
@@ -1,16 +1,31 @@ -# Docker Registry Multi-Configuration Testing +# Docker Registry Integration Testing -This compose configuration is intended to setup a testing environment for Docker +These integration tests cover interactions between the Docker daemon and the +registry server. All tests are run using the docker cli. + +The compose configuration is intended to setup a testing environment for Docker using multiple registry configurations. These configurations include different combinations of a v1 and v2 registry as well as TLS configurations. -### Limitations +## Running inside of Docker +### Get integration container +The container image to run the integation tests will need to be pulled or built +locally. -Currently this setup is configured to use localhost as the hostname which -limits the ease of testing within Docker since localhost is always treated -as an insecure registry. To treat localhost as secure the Docker code must -be modified. Without localhost as secure, the test cases will not distinguish -between a TLS configuration with a CA and self-signed. +*Building locally* +``` +docker build -t distribution/docker-integration . +``` + +### Run script + +Invoke the tests within Docker through the `run.sh` script. + +``` +./run.sh +``` + +## Running manually outside of Docker ### Install Docker Compose @@ -26,15 +41,14 @@ between a TLS configuration with a CA and self-signed. $ sudo chmod +x /usr/local/bin/docker-compose -## Usage - ### Start compose setup ``` docker-compose up ``` ### Install Certificates -The certificates must be installed in /etc/docker/cert.d in order to use TLS client auth and use the CA certificate. +The certificates must be installed in /etc/docker/cert.d in order to use TLS +client auth and use the CA certificate. ``` sudo sh ./install_certs.sh ``` 
@@ -52,6 +66,16 @@ docker push localhost:5441/hello-world # Perform login using user `testuser` and password `passpassword` ``` +### Set /etc/hosts entry +Find the non-localhost ip address of local machine + +### Run bats +Run the bats tests after updating /etc/hosts, installing the certificates, and +running the `docker-compose` script. +``` +bats -p . +``` + ## Configurations Port | V2 | V1 | TLS | Authentication @@ -59,6 +83,7 @@ Port | V2 | V1 | TLS | Authentication 5000 | yes | yes | no | none 5001 | no | yes | no | none 5002 | yes | no | no | none +5011 | no | yes | yes | none 5440 | yes | yes | yes | none 5441 | yes | yes | yes | basic (testuser/passpassword) 5442 | yes | yes | yes | TLS client diff --git a/contrib/docker-integration/test_docker.sh b/contrib/docker-integration/test_docker.sh deleted file mode 100644 index e66b65f7b..000000000 --- a/contrib/docker-integration/test_docker.sh +++ /dev/null 
@@ -1,98 +0,0 @@ -#!/bin/sh - -hostname=$1 -if [ "$hostname" = "" ]; then - hostname="localhost" -fi - -docker pull hello-world - -# TLS Configuration chart -# Username/Password: testuser/passpassword -# | ca | client | basic | notes -# 5440 | yes | no | no | Tests CA certificate -# 5441 | yes | no | yes | Tests basic auth over TLS -# 5442 | yes | yes | no | Tests client auth with client CA -# 5443 | yes | yes | no | Tests client auth without client CA -# 5444 | yes | yes | yes | Tests using basic auth + tls auth -# 5445 | no | no | no | Tests insecure using TLS -# 5446 | no | no | yes | Tests sending credentials to server with insecure TLS -# 5447 | no | yes | no | Tests client auth to insecure -# 5448 | yes | no | no | Bad SSL version -docker tag -f hello-world $hostname:5440/hello-world -docker push $hostname:5440/hello-world -if [ $? -ne 0 ]; then - echo "Fail to push" - exit 1 -fi - -docker login -u testuser -p passpassword -e distribution@docker.com $hostname:5441 -if [ $? -ne 0 ]; then - echo "Failed to login" - exit 1 -fi -docker tag -f hello-world $hostname:5441/hello-world -docker push $hostname:5441/hello-world -if [ $? -ne 0 ]; then - echo "Fail to push" - exit 1 -fi - -docker tag -f hello-world $hostname:5442/hello-world -docker push $hostname:5442/hello-world -if [ $? -ne 0 ]; then - echo "Fail to push" - exit 1 -fi - -docker tag -f hello-world $hostname:5443/hello-world -docker push $hostname:5443/hello-world -if [ $? -eq 0 ]; then - echo "Expected failure" - exit 1 -fi - -docker login -u testuser -p passpassword -e distribution@docker.com $hostname:5444 -if [ $? -ne 0 ]; then - echo "Failed to login" - exit 1 -fi -docker tag -f hello-world $hostname:5444/hello-world -docker push $hostname:5444/hello-world -if [ $? -ne 0 ]; then - echo "Fail to push" - exit 1 -fi - -docker tag -f hello-world $hostname:5445/hello-world -docker push $hostname:5445/hello-world -if [ $? 
-eq 0 ]; then - echo "Expected failure with insecure registry" - exit 1 -fi - -docker login -u testuser -p passpassword -e distribution@docker.com $hostname:5446 -if [ $? -ne 0 ]; then - echo "Failed to login" - exit 1 -fi -docker tag -f hello-world $hostname:5446/hello-world -docker push $hostname:5446/hello-world -if [ $? -eq 0 ]; then - echo "Expected failure with insecure registry" - exit 1 -fi - -docker tag -f hello-world $hostname:5447/hello-world -docker push $hostname:5447/hello-world -if [ $? -eq 0 ]; then - echo "Expected failure with insecure registry" - exit 1 -fi - -docker tag -f hello-world $hostname:5448/hello-world -docker push $hostname:5448/hello-world -if [ $? -eq 0 ]; then - echo "Expected failure contacting with sslv3" - exit 1 -fi diff --git a/contrib/docker-integration/test_runner.sh b/contrib/docker-integration/test_runner.sh index 3ce1bb7aa..2c958c5eb 100755 --- a/contrib/docker-integration/test_runner.sh +++ b/contrib/docker-integration/test_runner.sh @@ -48,7 +48,3 @@ execute docker-compose up -d # Run the tests. execute time bats -p $TESTS - -# Run test script -execute sh test_docker.sh localregistry - diff --git a/contrib/docker-integration/tls.bats b/contrib/docker-integration/tls.bats new file mode 100644 index 000000000..20358b723 --- /dev/null +++ b/contrib/docker-integration/tls.bats 
@@ -0,0 +1,96 @@
+# Registry host name, should be set to non-localhost address and match
+# DNS name in nginx/ssl certificates and what is installed in /etc/docker/cert.d
+hostname="localregistry"
+
+image="hello-world:latest"
+
+# Login information, should match values in nginx/test.passwd
+user="testuser"
+password="passpassword"
+email="distribution@docker.com"
+
+function setup() {
+ docker pull $image
+}
+
+# has_digest enforces the last output line is "Digest: sha256:..."
+# the input is the name of the array containing the output lines
+function has_digest() {
+ name=$1[@]
+ lines=("${!name}")
+ length=${#lines[@]}
+ digest_idx=$((length-1))
+ value=${lines[$digest_idx]}
+ result=$(echo "$value"|cut -d':' -f1,2)
+ [ "$result" = "Digest: sha256" ]
+}
+
+function login() {
+ run docker login -u $user -p $password -e $email $1
+ [ "$status" -eq 0 ]
+ # First line is WARNING about credential save
+ [ "${lines[1]}" = "Login Succeeded" ]
+}
+
+@test "Test valid certificates" {
+ docker tag -f $image $hostname:5440/$image
+ run docker push $hostname:5440/$image
+ [ "$status" -eq 0 ]
+ has_digest lines
+}
+
+@test "Test basic auth" {
+ login $hostname:5441
+ docker tag -f $image $hostname:5441/$image
+ run docker push $hostname:5441/$image
+ [ "$status" -eq 0 ]
+ has_digest lines
+}
+
+@test "Test TLS client auth" {
+ docker tag -f $image $hostname:5442/$image
+ run docker push $hostname:5442/$image
+ [ "$status" -eq 0 ]
+ has_digest lines
+}
+
+@test "Test TLS client with invalid certificate authority fails" {
+ docker tag -f $image $hostname:5443/$image
+ run docker push $hostname:5443/$image
+ [ "$status" -ne 0 ]
+}
+
+@test "Test basic auth with TLS client auth" {
+ login $hostname:5444
+ docker tag -f $image $hostname:5444/$image
+ run docker push $hostname:5444/$image
+ [ "$status" -eq 0 ]
+ has_digest lines
+}
+
+@test "Test unknown certificate authority fails" {
+ docker tag -f $image $hostname:5445/$image
+ run docker push $hostname:5445/$image
+ [ "$status" -ne 0 ]
+}
+
+@test "Test basic auth with unknown certificate authority fails" {
+ run login $hostname:5446
+ [ "$status" -ne 0 ]
+ docker tag -f $image $hostname:5446/$image
+ run docker push $hostname:5446/$image
+ [ "$status" -ne 0 ]
+}
+
+@test "Test TLS client auth to server with unknown certificate authority fails" {
+ docker tag -f $image $hostname:5447/$image
+ run docker push $hostname:5447/$image
+ [ "$status" -ne 0 ]
+}
+
+@test "Test failure to connect to server fails to fallback to SSLv3" {
+ docker tag -f $image $hostname:5448/$image
+ run docker push $hostname:5448/$image
+ [ "$status" -ne 0 ]
+}
+
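Review bot: The negative cases (ports 5443, 5445, 5446, 5447, 5448) assert only `[ "$status" -ne 0 ]`, so they also pass when the push fails for an unrelated reason — `localregistry` not resolvable because the /etc/hosts entry the README asks for is missing, compose not up, a wrong port — which would hide a regression in the TLS enforcement these tests exist to prove. Each of them should additionally check `$output` for the certificate/TLS error the daemon emits, e.g. `[[ "$output" == *"<expected TLS error text>"* ]]`, with the text confirmed against a real run since it varies by daemon version. The helpers `has_digest` and `login` assign `name`, `lines`, `length`, `digest_idx`, `value` and `result` without `local`, and `lines=(...)` in `has_digest` overwrites bats' own `$lines` array; declaring them `local` keeps the assertion state intact for anything that follows. In "Test basic auth with unknown certificate authority fails", `run login ...` captures the status of `login`'s last `[ ... ]` rather than of `docker login` itself (bats' `run` disables errexit while the command runs, if I read it correctly), so that first assertion seems to hold for reasons other than the handshake failure — `run docker login -u $user -p $password -e $email $hostname:5446` directly would make the intent explicit.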