Merge pull request #6600 from thaJeztah/remove_trust_e2e

e2e: remove DCT tests

Author: vvoland

Dockerfile

@@ -122,10 +122,6 @@ FROM docker/buildx-bin:${BUILDX_VERSION}   AS buildx
 FROM docker/compose-bin:${COMPOSE_VERSION} AS compose
 
 FROM e2e-base-${BASE_VARIANT} AS e2e
-ARG NOTARY_VERSION=v0.6.1
-ADD --chmod=0755 https://github.com/theupdateframework/notary/releases/download/${NOTARY_VERSION}/notary-Linux-amd64 /usr/local/bin/notary
-COPY --link e2e/testdata/notary/root-ca.cert /usr/share/ca-certificates/notary.cert
-RUN echo 'notary.cert' >> /etc/ca-certificates.conf && update-ca-certificates
 COPY --link --from=gotestsum /out/gotestsum /usr/bin/gotestsum
 COPY --link --from=build /out ./build/
 COPY --link --from=build-plugins /out ./build/

e2e/compose-env.yaml

@@ -9,19 +9,3 @@ services:
       command: ['--insecure-registry=registry:5000', '--experimental']
       environment:
         - DOCKER_TLS_CERTDIR=
-
-  notary-server:
-      build:
-        context: ./testdata
-        dockerfile: Dockerfile.notary-server
-      ports:
-        - 4443:4443
-      command: ['notary-server', '-config=/fixtures/notary-config.json']
-
-  evil-notary-server:
-      build:
-        context: ./testdata
-        dockerfile: Dockerfile.evil-notary-server
-      ports:
-        - 4444:4443
-      command: ['notary-server', '-config=/fixtures/notary-config.json']

e2e/container/create_test.go

@@ -1,107 +1,12 @@
 package container
 
 import (
-	"fmt"
 	"testing"
 
 	"github.com/docker/cli/e2e/internal/fixtures"
-	"github.com/docker/cli/internal/test/environment"
 	"gotest.tools/v3/icmd"
-	"gotest.tools/v3/skip"
 )
 
-func TestCreateWithContentTrust(t *testing.T) {
-	skip.If(t, environment.RemoteDaemon())
-
-	dir := fixtures.SetupConfigFile(t)
-	defer dir.Remove()
-	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-create", "latest")
-
-	defer func() {
-		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
-	}()
-
-	result := icmd.RunCmd(
-		icmd.Command("docker", "create", image),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotary,
-	)
-	result.Assert(t, icmd.Expected{
-		Err: fmt.Sprintf("Tagging %s@sha", image[:len(image)-7]),
-	})
-}
-
-func TestTrustedCreateFromUnreachableTrustServer(t *testing.T) {
-	dir := fixtures.SetupConfigFile(t)
-	defer dir.Remove()
-	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-create", "latest")
-
-	result := icmd.RunCmd(
-		icmd.Command("docker", "create", image),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotaryServer("https://notary.invalid"),
-	)
-	result.Assert(t, icmd.Expected{
-		ExitCode: 1,
-		Err:      "error contacting notary server",
-	})
-}
-
-func TestTrustedCreateFromBadTrustServer(t *testing.T) {
-	evilImageName := "registry:5000/evil-alpine:latest"
-	dir := fixtures.SetupConfigFile(t)
-	defer dir.Remove()
-
-	// tag the image and upload it to the private registry
-	icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
-		fixtures.WithConfig(dir.Path()),
-	).Assert(t, icmd.Success)
-	icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithPassphrase("root_password", "repo_password"),
-		fixtures.WithTrust,
-		fixtures.WithNotary,
-	).Assert(t, icmd.Success)
-	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
-
-	// try create
-	icmd.RunCmd(icmd.Command("docker", "create", evilImageName),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotary,
-	).Assert(t, icmd.Success)
-	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
-
-	// init a client with the evil-server and a new trust dir
-	evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)
-	defer evilNotaryDir.Remove()
-
-	// tag the same image and upload it to the private registry but signed with evil notary server
-	icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
-		fixtures.WithConfig(evilNotaryDir.Path()),
-	).Assert(t, icmd.Success)
-	icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
-		fixtures.WithConfig(evilNotaryDir.Path()),
-		fixtures.WithPassphrase("root_password", "repo_password"),
-		fixtures.WithTrust,
-		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
-	).Assert(t, icmd.Success)
-	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
-
-	// try creating with the original client from the evil notary server. This should failed
-	// because the new root is invalid
-	icmd.RunCmd(icmd.Command("docker", "create", evilImageName),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
-	).Assert(t, icmd.Expected{
-		ExitCode: 1,
-		Err:      "could not rotate trust to a new trusted root",
-	})
-}
-
 func TestCreateWithEmptySourceVolume(t *testing.T) {
 	icmd.RunCmd(icmd.Command("docker", "create", "-v", ":/volume", fixtures.AlpineImage)).
 		Assert(t, icmd.Expected{

e2e/container/run_test.go

@@ -2,7 +2,6 @@ package container
 
 import (
 	"bytes"
-	"fmt"
 	"io"
 	"math/rand"
 	"os/exec"
@@ -90,104 +89,6 @@ func TestRunInvalidEntrypointWithAutoremove(t *testing.T) {
 	}
 }
 
-func TestRunWithContentTrust(t *testing.T) {
-	skip.If(t, environment.RemoteDaemon())
-
-	dir := fixtures.SetupConfigFile(t)
-	defer dir.Remove()
-	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-run", "latest")
-
-	defer func() {
-		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
-	}()
-
-	result := icmd.RunCmd(
-		icmd.Command("docker", "run", image),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotary,
-	)
-	result.Assert(t, icmd.Expected{
-		Err: fmt.Sprintf("Tagging %s@sha", image[:len(image)-7]),
-	})
-}
-
-func TestUntrustedRun(t *testing.T) {
-	dir := fixtures.SetupConfigFile(t)
-	defer dir.Remove()
-	image := registryPrefix + "/alpine:untrusted"
-	// tag the image and upload it to the private registry
-	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
-	defer func() {
-		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
-	}()
-
-	// try trusted run on untrusted tag
-	result := icmd.RunCmd(
-		icmd.Command("docker", "run", image),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotary,
-	)
-	result.Assert(t, icmd.Expected{
-		ExitCode: 125,
-		Err:      "does not have trust data for",
-	})
-}
-
-func TestTrustedRunFromBadTrustServer(t *testing.T) {
-	evilImageName := registryPrefix + "/evil-alpine:latest"
-	dir := fixtures.SetupConfigFile(t)
-	defer dir.Remove()
-
-	// tag the image and upload it to the private registry
-	icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
-		fixtures.WithConfig(dir.Path()),
-	).Assert(t, icmd.Success)
-	icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithPassphrase("root_password", "repo_password"),
-		fixtures.WithTrust,
-		fixtures.WithNotary,
-	).Assert(t, icmd.Success)
-	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
-
-	// try run
-	icmd.RunCmd(icmd.Command("docker", "run", evilImageName),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotary,
-	).Assert(t, icmd.Success)
-	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
-
-	// init a client with the evil-server and a new trust dir
-	evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)
-	defer evilNotaryDir.Remove()
-
-	// tag the same image and upload it to the private registry but signed with evil notary server
-	icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
-		fixtures.WithConfig(evilNotaryDir.Path()),
-	).Assert(t, icmd.Success)
-	icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName),
-		fixtures.WithConfig(evilNotaryDir.Path()),
-		fixtures.WithPassphrase("root_password", "repo_password"),
-		fixtures.WithTrust,
-		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
-	).Assert(t, icmd.Success)
-	icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
-
-	// try running with the original client from the evil notary server. This should failed
-	// because the new root is invalid
-	icmd.RunCmd(icmd.Command("docker", "run", evilImageName),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
-	).Assert(t, icmd.Expected{
-		ExitCode: 125,
-		Err:      "could not rotate trust to a new trusted root",
-	})
-}
-
 // TODO: create this with registry API instead of engine API
 func createRemoteImage(t *testing.T) string {
 	t.Helper()

e2e/global/cli_test.go

@@ -89,7 +89,6 @@ func TestPromptExitCode(t *testing.T) {
 
 	defaultCmdOpts := []icmd.CmdOp{
 		fixtures.WithConfig(dir.Path()),
-		fixtures.WithNotary,
 	}
 
 	testCases := []struct {
@@ -131,13 +130,6 @@ func TestPromptExitCode(t *testing.T) {
 				return icmd.Command("docker", "system", "prune")
 			},
 		},
-		{
-			name: "revoke trust",
-			run: func(t *testing.T) icmd.Cmd {
-				t.Helper()
-				return icmd.Command("docker", "trust", "revoke", "example/trust-demo")
-			},
-		},
 		{
 			name: "plugin install",
 			run: func(t *testing.T) icmd.Cmd {

e2e/image/build_test.go

@@ -62,6 +62,7 @@ func TestBuildFromContextDirectoryWithTag(t *testing.T) {
 }
 
 func TestBuildIidFileSquash(t *testing.T) {
+	t.Skip("Not implemented with containerd")
 	environment.SkipIfNotExperimentalDaemon(t)
 	t.Setenv("DOCKER_BUILDKIT", "0")
 

e2e/image/pull_test.go

@@ -4,81 +4,16 @@ import (
 	"testing"
 
 	"github.com/docker/cli/e2e/internal/fixtures"
-	"github.com/docker/cli/internal/test/environment"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
-	"gotest.tools/v3/golden"
 	"gotest.tools/v3/icmd"
-	"gotest.tools/v3/skip"
 )
 
 const registryPrefix = "registry:5000"
 
-func TestPullWithContentTrust(t *testing.T) {
-	skip.If(t, environment.RemoteDaemon())
-
-	// Digests in golden files are linux/amd64 specific.
-	// TODO: Fix this test and make it work on all platforms.
-	environment.SkipIfNotPlatform(t, "linux/amd64")
-
-	dir := fixtures.SetupConfigFile(t)
-	defer dir.Remove()
-	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-pull", "latest")
-	defer func() {
-		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
-	}()
-
-	result := icmd.RunCmd(icmd.Command("docker", "pull", image),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotary,
-	)
-	result.Assert(t, icmd.Success)
-	golden.Assert(t, result.Stderr(), "pull-with-content-trust-err.golden")
-	golden.Assert(t, result.Stdout(), "pull-with-content-trust.golden")
-}
-
 func TestPullQuiet(t *testing.T) {
 	result := icmd.RunCommand("docker", "pull", "--quiet", fixtures.AlpineImage)
 	result.Assert(t, icmd.Success)
-	assert.Check(t, is.Equal(result.Stdout(), "registry:5000/alpine:frozen\n"))
+	assert.Check(t, is.Equal(result.Stdout(), registryPrefix+"/alpine:frozen\n"))
 	assert.Check(t, is.Equal(result.Stderr(), ""))
 }
-
-func TestPullWithContentTrustUsesCacheWhenNotaryUnavailable(t *testing.T) {
-	skip.If(t, environment.RemoteDaemon())
-
-	dir := fixtures.SetupConfigFile(t)
-	defer dir.Remove()
-	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-pull-unreachable", "latest")
-	defer func() {
-		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
-	}()
-	result := icmd.RunCmd(icmd.Command("docker", "pull", image),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotaryServer("https://invalidnotaryserver"),
-	)
-	result.Assert(t, icmd.Expected{
-		ExitCode: 1,
-		Err:      "error contacting notary server",
-	})
-
-	// Do valid trusted pull to warm cache
-	result = icmd.RunCmd(icmd.Command("docker", "pull", image),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotary,
-	)
-	result.Assert(t, icmd.Success)
-	result = icmd.RunCommand("docker", "rmi", image)
-	result.Assert(t, icmd.Success)
-
-	// Try pull again with invalid notary server, should use cache
-	result = icmd.RunCmd(icmd.Command("docker", "pull", image),
-		fixtures.WithConfig(dir.Path()),
-		fixtures.WithTrust,
-		fixtures.WithNotaryServer("https://invalidnotaryserver"),
-	)
-	result.Assert(t, icmd.Success)
-}