1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
//go:build !windows
// +build !windows
package authz // import "github.com/docker/docker/integration/plugin/authz"
import (
"context"
"fmt"
"io"
"os"
"strings"
"testing"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/filters"
"github.com/docker/docker/api/types/volume"
"github.com/docker/docker/client"
"github.com/docker/docker/integration/internal/container"
"github.com/docker/docker/integration/internal/requirement"
"gotest.tools/v3/assert"
"gotest.tools/v3/skip"
)
var (
authzPluginName = "riyaz/authz-no-volume-plugin"
authzPluginTag = "latest"
authzPluginNameWithTag = authzPluginName + ":" + authzPluginTag
authzPluginBadManifestName = "riyaz/authz-plugin-bad-manifest"
nonexistentAuthzPluginName = "riyaz/nonexistent-authz-plugin"
)
func setupTestV2(t *testing.T) func() {
skip.If(t, testEnv.DaemonInfo.OSType == "windows")
skip.If(t, !requirement.HasHubConnectivity(t))
teardown := setupTest(t)
d.Start(t)
return teardown
}
func TestAuthZPluginV2AllowNonVolumeRequest(t *testing.T) {
skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
defer setupTestV2(t)()
c := d.NewClientT(t)
ctx := context.Background()
// Install authz plugin
err := pluginInstallGrantAllPermissions(c, authzPluginNameWithTag)
assert.NilError(t, err)
// start the daemon with the plugin and load busybox, --net=none build fails otherwise
// because it needs to pull busybox
d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)
d.LoadBusybox(t)
// Ensure docker run command and accompanying docker ps are successful
cID := container.Run(ctx, t, c)
_, err = c.ContainerInspect(ctx, cID)
assert.NilError(t, err)
}
func TestAuthZPluginV2Disable(t *testing.T) {
skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
defer setupTestV2(t)()
c := d.NewClientT(t)
// Install authz plugin
err := pluginInstallGrantAllPermissions(c, authzPluginNameWithTag)
assert.NilError(t, err)
d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)
d.LoadBusybox(t)
_, err = c.VolumeCreate(context.Background(), volume.CreateOptions{Driver: "local"})
assert.Assert(t, err != nil)
assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
// disable the plugin
err = c.PluginDisable(context.Background(), authzPluginNameWithTag, types.PluginDisableOptions{})
assert.NilError(t, err)
// now test to see if the docker api works.
_, err = c.VolumeCreate(context.Background(), volume.CreateOptions{Driver: "local"})
assert.NilError(t, err)
}
func TestAuthZPluginV2RejectVolumeRequests(t *testing.T) {
skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
defer setupTestV2(t)()
c := d.NewClientT(t)
// Install authz plugin
err := pluginInstallGrantAllPermissions(c, authzPluginNameWithTag)
assert.NilError(t, err)
// restart the daemon with the plugin
d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)
_, err = c.VolumeCreate(context.Background(), volume.CreateOptions{Driver: "local"})
assert.Assert(t, err != nil)
assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
_, err = c.VolumeList(context.Background(), volume.ListOptions{})
assert.Assert(t, err != nil)
assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
// The plugin will block the command before it can determine the volume does not exist
err = c.VolumeRemove(context.Background(), "test", false)
assert.Assert(t, err != nil)
assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
_, err = c.VolumeInspect(context.Background(), "test")
assert.Assert(t, err != nil)
assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
_, err = c.VolumesPrune(context.Background(), filters.Args{})
assert.Assert(t, err != nil)
assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
}
func TestAuthZPluginV2BadManifestFailsDaemonStart(t *testing.T) {
skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
defer setupTestV2(t)()
c := d.NewClientT(t)
// Install authz plugin with bad manifest
err := pluginInstallGrantAllPermissions(c, authzPluginBadManifestName)
assert.NilError(t, err)
// start the daemon with the plugin, it will error
err = d.RestartWithError("--authorization-plugin=" + authzPluginBadManifestName)
assert.Assert(t, err != nil)
// restarting the daemon without requiring the plugin will succeed
d.Start(t)
}
func TestAuthZPluginV2NonexistentFailsDaemonStart(t *testing.T) {
defer setupTestV2(t)()
// start the daemon with a non-existent authz plugin, it will error
err := d.RestartWithError("--authorization-plugin=" + nonexistentAuthzPluginName)
assert.Assert(t, err != nil)
// restarting the daemon without requiring the plugin will succeed
d.Start(t)
}
func pluginInstallGrantAllPermissions(client client.APIClient, name string) error {
ctx := context.Background()
options := types.PluginInstallOptions{
RemoteRef: name,
AcceptAllPermissions: true,
}
responseReader, err := client.PluginInstall(ctx, "", options)
if err != nil {
return err
}
defer responseReader.Close()
// we have to read the response out here because the client API
// actually starts a goroutine which we can only be sure has
// completed when we get EOF from reading responseBody
_, err = io.ReadAll(responseReader)
return err
}
|
