1package main 2 3import ( 4 "archive/tar" 5 "fmt" 6 "io/ioutil" 7 "net/http" 8 "net/http/httptest" 9 "os" 10 "path/filepath" 11 "strings" 12 "sync" 13 14 "github.com/docker/distribution/reference" 15 "github.com/docker/docker/cli/config" 16 "github.com/docker/docker/integration-cli/checker" 17 "github.com/docker/docker/integration-cli/cli" 18 "github.com/docker/docker/integration-cli/cli/build" 19 "github.com/go-check/check" 20 "github.com/gotestyourself/gotestyourself/icmd" 21) 22 23// Pushing an image to a private registry. 24func testPushBusyboxImage(c *check.C) { 25 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 26 // tag the image to upload it to the private registry 27 dockerCmd(c, "tag", "busybox", repoName) 28 // push the image to the registry 29 dockerCmd(c, "push", repoName) 30} 31 32func (s *DockerRegistrySuite) TestPushBusyboxImage(c *check.C) { 33 testPushBusyboxImage(c) 34} 35 36func (s *DockerSchema1RegistrySuite) TestPushBusyboxImage(c *check.C) { 37 testPushBusyboxImage(c) 38} 39 40// pushing an image without a prefix should throw an error 41func (s *DockerSuite) TestPushUnprefixedRepo(c *check.C) { 42 out, _, err := dockerCmdWithError("push", "busybox") 43 c.Assert(err, check.NotNil, check.Commentf("pushing an unprefixed repo didn't result in a non-zero exit status: %s", out)) 44} 45 46func testPushUntagged(c *check.C) { 47 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 48 expected := "An image does not exist locally with the tag" 49 50 out, _, err := dockerCmdWithError("push", repoName) 51 c.Assert(err, check.NotNil, check.Commentf("pushing the image to the private registry should have failed: output %q", out)) 52 c.Assert(out, checker.Contains, expected, check.Commentf("pushing the image failed")) 53} 54 55func (s *DockerRegistrySuite) TestPushUntagged(c *check.C) { 56 testPushUntagged(c) 57} 58 59func (s *DockerSchema1RegistrySuite) TestPushUntagged(c *check.C) { 60 testPushUntagged(c) 61} 62 63func testPushBadTag(c *check.C) { 64 repoName := fmt.Sprintf("%v/dockercli/busybox:latest", privateRegistryURL) 65 expected := "does not exist" 66 67 out, _, err := dockerCmdWithError("push", repoName) 68 c.Assert(err, check.NotNil, check.Commentf("pushing the image to the private registry should have failed: output %q", out)) 69 c.Assert(out, checker.Contains, expected, check.Commentf("pushing the image failed")) 70} 71 72func (s *DockerRegistrySuite) TestPushBadTag(c *check.C) { 73 testPushBadTag(c) 74} 75 76func (s *DockerSchema1RegistrySuite) TestPushBadTag(c *check.C) { 77 testPushBadTag(c) 78} 79 80func testPushMultipleTags(c *check.C) { 81 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 82 repoTag1 := fmt.Sprintf("%v/dockercli/busybox:t1", privateRegistryURL) 83 repoTag2 := fmt.Sprintf("%v/dockercli/busybox:t2", privateRegistryURL) 84 // tag the image and upload it to the private registry 85 dockerCmd(c, "tag", "busybox", repoTag1) 86 87 dockerCmd(c, "tag", "busybox", repoTag2) 88 89 dockerCmd(c, "push", repoName) 90 91 // Ensure layer list is equivalent for repoTag1 and repoTag2 92 out1, _ := dockerCmd(c, "pull", repoTag1) 93 94 imageAlreadyExists := ": Image already exists" 95 var out1Lines []string 96 for _, outputLine := range strings.Split(out1, "\n") { 97 if strings.Contains(outputLine, imageAlreadyExists) { 98 out1Lines = append(out1Lines, outputLine) 99 } 100 } 101 102 out2, _ := dockerCmd(c, "pull", repoTag2) 103 104 var out2Lines []string 105 for _, outputLine := range strings.Split(out2, "\n") { 106 if strings.Contains(outputLine, imageAlreadyExists) { 107 out1Lines = append(out1Lines, outputLine) 108 } 109 } 110 c.Assert(out2Lines, checker.HasLen, len(out1Lines)) 111 112 for i := range out1Lines { 113 c.Assert(out1Lines[i], checker.Equals, out2Lines[i]) 114 } 115} 116 117func (s *DockerRegistrySuite) TestPushMultipleTags(c *check.C) { 118 testPushMultipleTags(c) 119} 120 121func (s *DockerSchema1RegistrySuite) TestPushMultipleTags(c *check.C) { 122 testPushMultipleTags(c) 123} 124 125func testPushEmptyLayer(c *check.C) { 126 repoName := fmt.Sprintf("%v/dockercli/emptylayer", privateRegistryURL) 127 emptyTarball, err := ioutil.TempFile("", "empty_tarball") 128 c.Assert(err, check.IsNil, check.Commentf("Unable to create test file")) 129 130 tw := tar.NewWriter(emptyTarball) 131 err = tw.Close() 132 c.Assert(err, check.IsNil, check.Commentf("Error creating empty tarball")) 133 134 freader, err := os.Open(emptyTarball.Name()) 135 c.Assert(err, check.IsNil, check.Commentf("Could not open test tarball")) 136 defer freader.Close() 137 138 icmd.RunCmd(icmd.Cmd{ 139 Command: []string{dockerBinary, "import", "-", repoName}, 140 Stdin: freader, 141 }).Assert(c, icmd.Success) 142 143 // Now verify we can push it 144 out, _, err := dockerCmdWithError("push", repoName) 145 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out)) 146} 147 148func (s *DockerRegistrySuite) TestPushEmptyLayer(c *check.C) { 149 testPushEmptyLayer(c) 150} 151 152func (s *DockerSchema1RegistrySuite) TestPushEmptyLayer(c *check.C) { 153 testPushEmptyLayer(c) 154} 155 156// testConcurrentPush pushes multiple tags to the same repo 157// concurrently. 158func testConcurrentPush(c *check.C) { 159 repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 160 161 repos := []string{} 162 for _, tag := range []string{"push1", "push2", "push3"} { 163 repo := fmt.Sprintf("%v:%v", repoName, tag) 164 buildImageSuccessfully(c, repo, build.WithDockerfile(fmt.Sprintf(` 165 FROM busybox 166 ENTRYPOINT ["/bin/echo"] 167 ENV FOO foo 168 ENV BAR bar 169 CMD echo %s 170`, repo))) 171 repos = append(repos, repo) 172 } 173 174 // Push tags, in parallel 175 results := make(chan error) 176 177 for _, repo := range repos { 178 go func(repo string) { 179 result := icmd.RunCommand(dockerBinary, "push", repo) 180 results <- result.Error 181 }(repo) 182 } 183 184 for range repos { 185 err := <-results 186 c.Assert(err, checker.IsNil, check.Commentf("concurrent push failed with error: %v", err)) 187 } 188 189 // Clear local images store. 190 args := append([]string{"rmi"}, repos...) 191 dockerCmd(c, args...) 192 193 // Re-pull and run individual tags, to make sure pushes succeeded 194 for _, repo := range repos { 195 dockerCmd(c, "pull", repo) 196 dockerCmd(c, "inspect", repo) 197 out, _ := dockerCmd(c, "run", "--rm", repo) 198 c.Assert(strings.TrimSpace(out), checker.Equals, "/bin/sh -c echo "+repo) 199 } 200} 201 202func (s *DockerRegistrySuite) TestConcurrentPush(c *check.C) { 203 testConcurrentPush(c) 204} 205 206func (s *DockerSchema1RegistrySuite) TestConcurrentPush(c *check.C) { 207 testConcurrentPush(c) 208} 209 210func (s *DockerRegistrySuite) TestCrossRepositoryLayerPush(c *check.C) { 211 sourceRepoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 212 // tag the image to upload it to the private registry 213 dockerCmd(c, "tag", "busybox", sourceRepoName) 214 // push the image to the registry 215 out1, _, err := dockerCmdWithError("push", sourceRepoName) 216 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out1)) 217 // ensure that none of the layers were mounted from another repository during push 218 c.Assert(strings.Contains(out1, "Mounted from"), check.Equals, false) 219 220 digest1 := reference.DigestRegexp.FindString(out1) 221 c.Assert(len(digest1), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 222 223 destRepoName := fmt.Sprintf("%v/dockercli/crossrepopush", privateRegistryURL) 224 // retag the image to upload the same layers to another repo in the same registry 225 dockerCmd(c, "tag", "busybox", destRepoName) 226 // push the image to the registry 227 out2, _, err := dockerCmdWithError("push", destRepoName) 228 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2)) 229 // ensure that layers were mounted from the first repo during push 230 c.Assert(strings.Contains(out2, "Mounted from dockercli/busybox"), check.Equals, true) 231 232 digest2 := reference.DigestRegexp.FindString(out2) 233 c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 234 c.Assert(digest1, check.Equals, digest2) 235 236 // ensure that pushing again produces the same digest 237 out3, _, err := dockerCmdWithError("push", destRepoName) 238 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2)) 239 240 digest3 := reference.DigestRegexp.FindString(out3) 241 c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 242 c.Assert(digest3, check.Equals, digest2) 243 244 // ensure that we can pull and run the cross-repo-pushed repository 245 dockerCmd(c, "rmi", destRepoName) 246 dockerCmd(c, "pull", destRepoName) 247 out4, _ := dockerCmd(c, "run", destRepoName, "echo", "-n", "hello world") 248 c.Assert(out4, check.Equals, "hello world") 249} 250 251func (s *DockerSchema1RegistrySuite) TestCrossRepositoryLayerPushNotSupported(c *check.C) { 252 sourceRepoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL) 253 // tag the image to upload it to the private registry 254 dockerCmd(c, "tag", "busybox", sourceRepoName) 255 // push the image to the registry 256 out1, _, err := dockerCmdWithError("push", sourceRepoName) 257 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out1)) 258 // ensure that none of the layers were mounted from another repository during push 259 c.Assert(strings.Contains(out1, "Mounted from"), check.Equals, false) 260 261 digest1 := reference.DigestRegexp.FindString(out1) 262 c.Assert(len(digest1), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 263 264 destRepoName := fmt.Sprintf("%v/dockercli/crossrepopush", privateRegistryURL) 265 // retag the image to upload the same layers to another repo in the same registry 266 dockerCmd(c, "tag", "busybox", destRepoName) 267 // push the image to the registry 268 out2, _, err := dockerCmdWithError("push", destRepoName) 269 c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2)) 270 // schema1 registry should not support cross-repo layer mounts, so ensure that this does not happen 271 c.Assert(strings.Contains(out2, "Mounted from"), check.Equals, false) 272 273 digest2 := reference.DigestRegexp.FindString(out2) 274 c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest")) 275 c.Assert(digest1, check.Not(check.Equals), digest2) 276 277 // ensure that we can pull and run the second pushed repository 278 dockerCmd(c, "rmi", destRepoName) 279 dockerCmd(c, "pull", destRepoName) 280 out3, _ := dockerCmd(c, "run", destRepoName, "echo", "-n", "hello world") 281 c.Assert(out3, check.Equals, "hello world") 282} 283 284func (s *DockerTrustSuite) TestTrustedPush(c *check.C) { 285 repoName := fmt.Sprintf("%v/dockerclitrusted/pushtest:latest", privateRegistryURL) 286 // tag the image and upload it to the private registry 287 cli.DockerCmd(c, "tag", "busybox", repoName) 288 289 cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 290 291 // Try pull after push 292 cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{ 293 Out: "Status: Image is up to date", 294 }) 295 296 // Assert that we rotated the snapshot key to the server by checking our local keystore 297 contents, err := ioutil.ReadDir(filepath.Join(config.Dir(), "trust/private/tuf_keys", privateRegistryURL, "dockerclitrusted/pushtest")) 298 c.Assert(err, check.IsNil, check.Commentf("Unable to read local tuf key files")) 299 // Check that we only have 1 key (targets key) 300 c.Assert(contents, checker.HasLen, 1) 301} 302 303func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) { 304 repoName := fmt.Sprintf("%v/dockerclienv/trusted:latest", privateRegistryURL) 305 // tag the image and upload it to the private registry 306 cli.DockerCmd(c, "tag", "busybox", repoName) 307 308 cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "12345678")).Assert(c, SuccessSigningAndPushing) 309 310 // Try pull after push 311 cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{ 312 Out: "Status: Image is up to date", 313 }) 314} 315 316func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) { 317 repoName := fmt.Sprintf("%v/dockerclitrusted/failingserver:latest", privateRegistryURL) 318 // tag the image and upload it to the private registry 319 cli.DockerCmd(c, "tag", "busybox", repoName) 320 321 // Using a name that doesn't resolve to an address makes this test faster 322 cli.Docker(cli.Args("push", repoName), trustedCmdWithServer("https://server.invalid:81/")).Assert(c, icmd.Expected{ 323 ExitCode: 1, 324 Err: "error contacting notary server", 325 }) 326} 327 328func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) { 329 repoName := fmt.Sprintf("%v/dockerclitrusted/trustedandnot:latest", privateRegistryURL) 330 // tag the image and upload it to the private registry 331 cli.DockerCmd(c, "tag", "busybox", repoName) 332 333 result := cli.Docker(cli.Args("push", "--disable-content-trust", repoName), trustedCmdWithServer("https://server.invalid:81/")) 334 result.Assert(c, icmd.Success) 335 c.Assert(result.Combined(), check.Not(checker.Contains), "Error establishing connection to notary repository", check.Commentf("Missing expected output on trusted push with --disable-content-trust:")) 336} 337 338func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) { 339 repoName := fmt.Sprintf("%v/dockerclitag/trusted:latest", privateRegistryURL) 340 // tag the image and upload it to the private registry 341 cli.DockerCmd(c, "tag", "busybox", repoName) 342 cli.DockerCmd(c, "push", repoName) 343 344 cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 345 346 // Try pull after push 347 cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, icmd.Expected{ 348 Out: "Status: Image is up to date", 349 }) 350} 351 352func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) { 353 repoName := fmt.Sprintf("%v/dockerclipushpush/trusted:latest", privateRegistryURL) 354 // tag the image and upload it to the private registry 355 cli.DockerCmd(c, "tag", "busybox", repoName) 356 357 // Do a trusted push 358 cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 359 360 // Do another trusted push 361 cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 362 cli.DockerCmd(c, "rmi", repoName) 363 364 // Try pull to ensure the double push did not break our ability to pull 365 cli.Docker(cli.Args("pull", repoName), trustedCmd).Assert(c, SuccessDownloaded) 366} 367 368func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *check.C) { 369 repoName := fmt.Sprintf("%v/dockercliincorretpwd/trusted:latest", privateRegistryURL) 370 // tag the image and upload it to the private registry 371 cli.DockerCmd(c, "tag", "busybox", repoName) 372 373 // Push with default passphrases 374 cli.Docker(cli.Args("push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) 375 376 // Push with wrong passphrases 377 cli.Docker(cli.Args("push", repoName), trustedCmdWithPassphrases("12345678", "87654321")).Assert(c, icmd.Expected{ 378 ExitCode: 1, 379 Err: "could not find necessary signing keys", 380 }) 381} 382 383func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) { 384 testRequires(c, NotaryHosting) 385 repoName := fmt.Sprintf("%v/dockerclireleasedelegationinitfirst/trusted", privateRegistryURL) 386 targetName := fmt.Sprintf("%s:latest", repoName) 387 s.notaryInitRepo(c, repoName) 388 s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public) 389 s.notaryPublish(c, repoName) 390 391 s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private) 392 393 // tag the image and upload it to the private registry 394 cli.DockerCmd(c, "tag", "busybox", targetName) 395 396 cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) 397 // check to make sure that the target has been added to targets/releases and not targets 398 s.assertTargetInRoles(c, repoName, "latest", "targets/releases") 399 s.assertTargetNotInRoles(c, repoName, "latest", "targets") 400 401 // Try pull after push 402 os.RemoveAll(filepath.Join(config.Dir(), "trust")) 403 404 cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{ 405 Out: "Status: Image is up to date", 406 }) 407} 408 409func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c *check.C) { 410 testRequires(c, NotaryHosting) 411 repoName := fmt.Sprintf("%v/dockerclimanyroles/trusted", privateRegistryURL) 412 targetName := fmt.Sprintf("%s:latest", repoName) 413 s.notaryInitRepo(c, repoName) 414 s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public) 415 s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public) 416 s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public) 417 418 // import everything except the third key 419 s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private) 420 s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private) 421 422 s.notaryCreateDelegation(c, repoName, "targets/role1/subrole", s.not.keys[3].Public) 423 s.notaryImportKey(c, repoName, "targets/role1/subrole", s.not.keys[3].Private) 424 425 s.notaryPublish(c, repoName) 426 427 // tag the image and upload it to the private registry 428 cli.DockerCmd(c, "tag", "busybox", targetName) 429 430 cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) 431 432 // check to make sure that the target has been added to targets/role1 and targets/role2, and 433 // not targets (because there are delegations) or targets/role3 (due to missing key) or 434 // targets/role1/subrole (due to it being a second level delegation) 435 s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role2") 436 s.assertTargetNotInRoles(c, repoName, "latest", "targets") 437 438 // Try pull after push 439 os.RemoveAll(filepath.Join(config.Dir(), "trust")) 440 441 // pull should fail because none of these are the releases role 442 cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{ 443 ExitCode: 1, 444 }) 445} 446 447func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *check.C) { 448 repoName := fmt.Sprintf("%v/dockerclirolesbykeysandpaths/trusted", privateRegistryURL) 449 targetName := fmt.Sprintf("%s:latest", repoName) 450 s.notaryInitRepo(c, repoName) 451 s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public, "l", "z") 452 s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public, "x", "y") 453 s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public, "latest") 454 s.notaryCreateDelegation(c, repoName, "targets/role4", s.not.keys[3].Public, "latest") 455 456 // import everything except the third key 457 s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private) 458 s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private) 459 s.notaryImportKey(c, repoName, "targets/role4", s.not.keys[3].Private) 460 461 s.notaryPublish(c, repoName) 462 463 // tag the image and upload it to the private registry 464 cli.DockerCmd(c, "tag", "busybox", targetName) 465 466 cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) 467 468 // check to make sure that the target has been added to targets/role1 and targets/role4, and 469 // not targets (because there are delegations) or targets/role2 (due to path restrictions) or 470 // targets/role3 (due to missing key) 471 s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role4") 472 s.assertTargetNotInRoles(c, repoName, "latest", "targets") 473 474 // Try pull after push 475 os.RemoveAll(filepath.Join(config.Dir(), "trust")) 476 477 // pull should fail because none of these are the releases role 478 cli.Docker(cli.Args("pull", targetName), trustedCmd).Assert(c, icmd.Expected{ 479 ExitCode: 1, 480 }) 481} 482 483func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c *check.C) { 484 testRequires(c, NotaryHosting) 485 repoName := fmt.Sprintf("%v/dockerclireleasedelegationnotsignable/trusted", privateRegistryURL) 486 targetName := fmt.Sprintf("%s:latest", repoName) 487 s.notaryInitRepo(c, repoName) 488 s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public) 489 s.notaryPublish(c, repoName) 490 491 // do not import any delegations key 492 493 // tag the image and upload it to the private registry 494 cli.DockerCmd(c, "tag", "busybox", targetName) 495 496 cli.Docker(cli.Args("push", targetName), trustedCmd).Assert(c, icmd.Expected{ 497 ExitCode: 1, 498 Err: "no valid signing keys", 499 }) 500 s.assertTargetNotInRoles(c, repoName, "latest", "targets", "targets/role1") 501} 502 503func (s *DockerRegistryAuthHtpasswdSuite) TestPushNoCredentialsNoRetry(c *check.C) { 504 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 505 dockerCmd(c, "tag", "busybox", repoName) 506 out, _, err := dockerCmdWithError("push", repoName) 507 c.Assert(err, check.NotNil, check.Commentf(out)) 508 c.Assert(out, check.Not(checker.Contains), "Retrying") 509 c.Assert(out, checker.Contains, "no basic auth credentials") 510} 511 512// This may be flaky but it's needed not to regress on unauthorized push, see #21054 513func (s *DockerSuite) TestPushToCentralRegistryUnauthorized(c *check.C) { 514 testRequires(c, Network) 515 repoName := "test/busybox" 516 dockerCmd(c, "tag", "busybox", repoName) 517 out, _, err := dockerCmdWithError("push", repoName) 518 c.Assert(err, check.NotNil, check.Commentf(out)) 519 c.Assert(out, check.Not(checker.Contains), "Retrying") 520} 521 522func getTestTokenService(status int, body string, retries int) *httptest.Server { 523 var mu sync.Mutex 524 return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 525 mu.Lock() 526 if retries > 0 { 527 w.WriteHeader(http.StatusServiceUnavailable) 528 w.Header().Set("Content-Type", "application/json") 529 w.Write([]byte(`{"errors":[{"code":"UNAVAILABLE","message":"cannot create token at this time"}]}`)) 530 retries-- 531 } else { 532 w.WriteHeader(status) 533 w.Header().Set("Content-Type", "application/json") 534 w.Write([]byte(body)) 535 } 536 mu.Unlock() 537 })) 538} 539 540func (s *DockerRegistryAuthTokenSuite) TestPushTokenServiceUnauthResponse(c *check.C) { 541 ts := getTestTokenService(http.StatusUnauthorized, `{"errors": [{"Code":"UNAUTHORIZED", "message": "a message", "detail": null}]}`, 0) 542 defer ts.Close() 543 s.setupRegistryWithTokenService(c, ts.URL) 544 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 545 dockerCmd(c, "tag", "busybox", repoName) 546 out, _, err := dockerCmdWithError("push", repoName) 547 c.Assert(err, check.NotNil, check.Commentf(out)) 548 c.Assert(out, checker.Not(checker.Contains), "Retrying") 549 c.Assert(out, checker.Contains, "unauthorized: a message") 550} 551 552func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnauthorized(c *check.C) { 553 ts := getTestTokenService(http.StatusUnauthorized, `{"error": "unauthorized"}`, 0) 554 defer ts.Close() 555 s.setupRegistryWithTokenService(c, ts.URL) 556 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 557 dockerCmd(c, "tag", "busybox", repoName) 558 out, _, err := dockerCmdWithError("push", repoName) 559 c.Assert(err, check.NotNil, check.Commentf(out)) 560 c.Assert(out, checker.Not(checker.Contains), "Retrying") 561 split := strings.Split(out, "\n") 562 c.Assert(split[len(split)-2], check.Equals, "unauthorized: authentication required") 563} 564 565func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseError(c *check.C) { 566 ts := getTestTokenService(http.StatusTooManyRequests, `{"errors": [{"code":"TOOMANYREQUESTS","message":"out of tokens"}]}`, 3) 567 defer ts.Close() 568 s.setupRegistryWithTokenService(c, ts.URL) 569 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 570 dockerCmd(c, "tag", "busybox", repoName) 571 out, _, err := dockerCmdWithError("push", repoName) 572 c.Assert(err, check.NotNil, check.Commentf(out)) 573 // TODO: isolate test so that it can be guaranteed that the 503 will trigger xfer retries 574 //c.Assert(out, checker.Contains, "Retrying") 575 //c.Assert(out, checker.Not(checker.Contains), "Retrying in 15") 576 split := strings.Split(out, "\n") 577 c.Assert(split[len(split)-2], check.Equals, "toomanyrequests: out of tokens") 578} 579 580func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnparsable(c *check.C) { 581 ts := getTestTokenService(http.StatusForbidden, `no way`, 0) 582 defer ts.Close() 583 s.setupRegistryWithTokenService(c, ts.URL) 584 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 585 dockerCmd(c, "tag", "busybox", repoName) 586 out, _, err := dockerCmdWithError("push", repoName) 587 c.Assert(err, check.NotNil, check.Commentf(out)) 588 c.Assert(out, checker.Not(checker.Contains), "Retrying") 589 split := strings.Split(out, "\n") 590 c.Assert(split[len(split)-2], checker.Contains, "error parsing HTTP 403 response body: ") 591} 592 593func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseNoToken(c *check.C) { 594 ts := getTestTokenService(http.StatusOK, `{"something": "wrong"}`, 0) 595 defer ts.Close() 596 s.setupRegistryWithTokenService(c, ts.URL) 597 repoName := fmt.Sprintf("%s/busybox", privateRegistryURL) 598 dockerCmd(c, "tag", "busybox", repoName) 599 out, _, err := dockerCmdWithError("push", repoName) 600 c.Assert(err, check.NotNil, check.Commentf(out)) 601 c.Assert(out, checker.Not(checker.Contains), "Retrying") 602 split := strings.Split(out, "\n") 603 c.Assert(split[len(split)-2], check.Equals, "authorization server did not include a token in the response") 604} 605