File: authenticate.bats

golang-github-containers-buildah 1.19.6%2Bdfsg1-1
#!/usr/bin/env bats

load helpers

# Smoke test: `buildah login` followed by `buildah logout` against docker.io,
# each required to succeed. The leading number passed to run_buildah appears to
# be the expected exit status (the helper is defined in helpers, not here).
# NOTE(review): this talks to the public docker.io registry, so it needs network
# access, and the expected exit 0 depends on how that registry treats these
# throwaway credentials. Confirm this is still true before relying on it.
@test "authenticate: login/logout" {
  # --password puts the secret in argv, where it is visible in process listings.
  # Acceptable for a fixed test credential; not a pattern for real secrets.
  run_buildah 0 login --username testuserfoo --password testpassword docker.io

  # Remove the credentials stored by the login above so later tests start clean.
  run_buildah 0 logout docker.io
}

# Same login/logout round trip as the basic test, but with XDG_RUNTIME_DIR
# removed from the environment first. Both commands must still exit 0.
# NOTE(review): the default auth file location is normally derived from
# XDG_RUNTIME_DIR, so this presumably exercises the fallback location. Confirm
# which path is used and that it is not readable by other users.
@test "authenticate: login/logout should succeed with XDG_RUNTIME_DIR unset" {
  # Only affects this test's shell and the buildah processes it starts.
  unset XDG_RUNTIME_DIR
  run_buildah 0 login --username testuserfoo --password testpassword docker.io

  # Clean up the stored credentials again.
  run_buildah 0 logout docker.io
}

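# Verifies that `buildah logout --authfile PATH` fails with exit status 125 and
# a precise error message when PATH does not exist, and that a plain logout
# (default auth file) still succeeds afterwards.
@test "authenticate: logout should fail with nonexistent authfile" {
  # Store credentials first so the final logout has something to remove.
  run_buildah 0 login --username testuserfoo --password testpassword docker.io

  # Point at a path under the test scratch directory rather than a fixed name
  # in world-writable /tmp: any local user could create /tmp/nonexistent and
  # change the outcome of this test. Assumes helpers set TESTDIR (it is used
  # unguarded elsewhere in this file); if it were empty the path would be
  # /nonexistent, which is still expected to be absent.
  local missing_authfile="${TESTDIR}/nonexistent"
  run_buildah 125 logout --authfile "$missing_authfile" docker.io
  expect_output "error checking authfile path $missing_authfile: stat $missing_authfile: no such file or directory"

  # The failed logout must not have consumed the stored credentials.
  run_buildah 0 logout docker.io
}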

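# End-to-end check of credential and certificate handling against the local
# test registry at localhost:5000:
#   - push with valid --creds and TLS verification disabled succeeds
#   - push with --tls-verify=true and no trusted cert fails (unknown authority)
#   - `from` and `bud` with wrong credentials fail with "unauthorized"
#   - `from` and `bud` with valid credentials succeed
# --tls-verify=false turns off certificate validation, so those commands
# authenticate to whatever answers on localhost:5000; that is only appropriate
# for a loopback test registry. Credentials passed via --creds are visible in
# the process list, which is fine for fixed test values only.
# All path expansions are quoted so the test still works when TESTSDIR or
# TESTDIR contain whitespace or glob characters.
@test "authenticate: cert and credentials" {

  _prefetch alpine

  local policy="${TESTSDIR}/policy.json"

  # Basic test: should pass
  run_buildah push --signature-policy "$policy" --tls-verify=false --creds testuser:testpassword alpine localhost:5000/my-alpine
  expect_output --substring "Writing manifest to image destination"

  # With tls-verify=true, should fail due to self-signed cert
  # The magic GODEBUG is needed for RHEL on 2021-01-20. Without it,
  # we get the following error instead of 'unknown authority':
  #   x509: certificate relies on legacy Common Name field, use SANs or [...]
  # It is possible that this is a temporary workaround, and Go
  # may remove it without notice. We'll deal with that then.
  # NOTE(review): Go 1.17 removed x509ignoreCN=0, so on newer toolchains the
  # setting is ignored and the legacy Common Name error may reappear unless the
  # registry certificate carries SANs. Confirm against the Go version in use.
  GODEBUG=x509ignoreCN=0 run_buildah 125 push --signature-policy "$policy" --tls-verify=true alpine localhost:5000/my-alpine
  expect_output --substring " x509: certificate signed by unknown authority" \
                "push with --tls-verify=true"

  # wrong credentials: should fail
  run_buildah 125 from --signature-policy "$policy" --tls-verify=false --creds baduser:badpassword localhost:5000/my-alpine
  expect_output --substring "unauthorized: authentication required"

  # This should work
  run_buildah from --name "my-alpine-work-ctr" --signature-policy "$policy" --tls-verify=false --creds testuser:testpassword localhost:5000/my-alpine
  expect_output --from="${lines[-1]}" "my-alpine-work-ctr"

  # Create Dockerfile for bud tests
  mkdir -p "${TESTDIR}/dockerdir"
  DOCKERFILE="${TESTDIR}/dockerdir/Dockerfile"
  /bin/cat <<EOM >"$DOCKERFILE"
FROM localhost:5000/my-alpine
EOM

  # Remove containers and images before bud tests, so the FROM line above has
  # to be satisfied by an authenticated pull rather than by local storage.
  run_buildah rm --all
  run_buildah rmi -f --all

  # bud test bad password should fail
  run_buildah 125 bud -f "$DOCKERFILE" --signature-policy "$policy" --tls-verify=false --creds=testuser:badpassword
  expect_output --substring "unauthorized: authentication required" \
                "buildah bud with wrong credentials"

  # bud test this should work
  run_buildah bud -f "$DOCKERFILE" --signature-policy "$policy" --tls-verify=false --creds=testuser:testpassword .
  expect_output --from="${lines[0]}" "STEP 1: FROM localhost:5000/my-alpine"
  expect_output --substring "Writing manifest to image destination"
}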


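# Exercises push and pull against localhost:5000 with certificate verification
# enabled, trusting the registry via --cert-dir. Skipped unless a certificate
# directory is available: either BUILDAH_AUTHDIR is set, or the test runs in
# Cirrus CI and $HOME/auth/domain.cert exists.
# Checks that valid credentials succeed and wrong credentials are rejected
# with "unauthorized" even though the TLS layer is trusted.
@test "authenticate: with --tls-verify=true" {
  if [ -z "$BUILDAH_AUTHDIR" ]; then
    # Special case: in Cirrus, the registry auth dir is hardcoded.
    # Two separate tests joined with && replace the obsolescent `-a` operator,
    # whose parsing is ambiguous for some operand values.
    if [ -n "$CIRRUS_CI" ] && [ -e "$HOME/auth/domain.cert" ]; then
      BUILDAH_AUTHDIR="$HOME/auth"
    else
      skip "\$BUILDAH_AUTHDIR undefined"
    fi
  fi

  _prefetch alpine

  # Quoted so that paths containing whitespace are passed as single arguments.
  local policy="${TESTSDIR}/policy.json"

  # Push with correct credentials: should pass
  run_buildah push --signature-policy "$policy" --tls-verify=true --cert-dir="$BUILDAH_AUTHDIR" --creds testuser:testpassword alpine localhost:5000/my-alpine
  expect_output --substring "Writing manifest to image destination"

  # Push with wrong credentials: should fail
  run_buildah 125 push --signature-policy "$policy" --tls-verify=true --cert-dir="$BUILDAH_AUTHDIR" --creds testuser:WRONGPASSWORD alpine localhost:5000/my-alpine
  expect_output --substring "unauthorized: authentication required"

  # Make sure we can fetch it
  # NOTE(review): unlike the other commands in this file, this one passes no
  # --signature-policy, so presumably the system default policy applies.
  # Confirm that is intentional.
  run_buildah from --pull-always --cert-dir="$BUILDAH_AUTHDIR" --tls-verify=true --creds=testuser:testpassword localhost:5000/my-alpine
  expect_output --from="${lines[-1]}" "localhost-working-container"
}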


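# Checks the stored-credential lifecycle against localhost:5000:
#   1. login stores credentials and a push without --creds succeeds
#   2. a login attempt with a wrong password is rejected
#   3. logout removes the stored credentials
#   4. the same push without --creds is then refused as unauthorized
# Step 3 expecting "Removed login credentials" implies that the failed login in
# step 2 left the previously stored credentials in place.
# --tls-verify=false is used throughout, so the registry's certificate is not
# validated; only appropriate for the loopback test registry.
@test "authenticate: with cached (not command-line) credentials" {
  _prefetch alpine

  # Quoted so that a TESTSDIR containing whitespace stays one argument.
  local policy="${TESTSDIR}/policy.json"

  run_buildah 0 login --tls-verify=false --username testuser --password testpassword localhost:5000
  expect_output "Login Succeeded!"

  # After login, push should pass
  run_buildah push --signature-policy "$policy" --tls-verify=false alpine localhost:5000/my-alpine
  expect_output --substring "Storing signatures"

  # A bad password must be rejected by the registry with exit status 125.
  run_buildah 125 login --tls-verify=false --username testuser --password WRONGPASSWORD localhost:5000
  expect_output 'error logging into "localhost:5000": invalid username/password' \
                "buildah login, wrong credentials"

  run_buildah 0 logout localhost:5000
  expect_output "Removed login credentials for localhost:5000"

  # With the credentials gone, the push that worked above must now fail.
  run_buildah 125 push --signature-policy "$policy" --tls-verify=false alpine localhost:5000/my-alpine
  expect_output --substring "unauthorized: authentication required" \
                "buildah push after buildah logout"
}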