mirror of
https://github.com/project-zot/zot.git
synced 2024-12-30 22:34:13 -05:00
fix: metrics endpoint must be secured behind authN (#1864)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
This commit is contained in:
parent
0eb984426e
commit
2fd7bfc37a
14 changed files with 216 additions and 84 deletions
3
Makefile
3
Makefile
|
@ -408,7 +408,8 @@ run-blackbox-ci: check-blackbox-prerequisites binary binary-minimal cli
|
||||||
$(BATS) $(BATS_FLAGS) test/blackbox/sync_replica_cluster.bats && \
|
$(BATS) $(BATS_FLAGS) test/blackbox/sync_replica_cluster.bats && \
|
||||||
$(BATS) $(BATS_FLAGS) test/blackbox/scrub.bats && \
|
$(BATS) $(BATS_FLAGS) test/blackbox/scrub.bats && \
|
||||||
$(BATS) $(BATS_FLAGS) test/blackbox/garbage_collect.bats && \
|
$(BATS) $(BATS_FLAGS) test/blackbox/garbage_collect.bats && \
|
||||||
$(BATS) $(BATS_FLAGS) test/blackbox/metrics.bats
|
$(BATS) $(BATS_FLAGS) test/blackbox/metrics.bats && \
|
||||||
|
$(BATS) $(BATS_FLAGS) test/blackbox/metrics_minimal.bats
|
||||||
|
|
||||||
.PHONY: run-blackbox-cloud-ci
|
.PHONY: run-blackbox-cloud-ci
|
||||||
run-blackbox-cloud-ci: check-blackbox-prerequisites check-awslocal binary $(BATS)
|
run-blackbox-cloud-ci: check-blackbox-prerequisites check-awslocal binary $(BATS)
|
||||||
|
|
|
@ -2195,7 +2195,7 @@ func TestBearerAuth(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -2225,7 +2225,7 @@ func TestBearerAuth(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -2254,7 +2254,7 @@ func TestBearerAuth(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -2283,7 +2283,7 @@ func TestBearerAuth(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -2307,7 +2307,7 @@ func TestBearerAuth(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -2392,7 +2392,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -2416,7 +2416,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -2445,7 +2445,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -2474,7 +2474,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -2498,7 +2498,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
|
|
@ -120,8 +120,8 @@ func NewError(code ErrorCode) *Error {
|
||||||
|
|
||||||
UNAUTHORIZED: {
|
UNAUTHORIZED: {
|
||||||
Message: "authentication required",
|
Message: "authentication required",
|
||||||
Description: "The access controller was unable to authenticate the client." +
|
Description: "The access controller was unable to authenticate the client. " +
|
||||||
"Often this will be accompanied by a Www-Authenticate HTTP response header " +
|
"Often this will be accompanied by a WWW-Authenticate HTTP response header " +
|
||||||
"indicating how to authenticate.",
|
"indicating how to authenticate.",
|
||||||
},
|
},
|
||||||
|
|
||||||
|
|
|
@ -29,5 +29,6 @@ func SetupMetricsRoutes(conf *config.Config, router *mux.Router,
|
||||||
zcommon.WriteJSON(w, http.StatusOK, m)
|
zcommon.WriteJSON(w, http.StatusOK, m)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
router.Use(authFunc)
|
||||||
router.HandleFunc("/metrics", getMetrics).Methods("GET")
|
router.HandleFunc("/metrics", getMetrics).Methods("GET")
|
||||||
}
|
}
|
||||||
|
|
|
@ -799,7 +799,7 @@ func TestMgmtWithBearer(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -829,7 +829,7 @@ func TestMgmtWithBearer(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
@ -853,7 +853,7 @@ func TestMgmtWithBearer(t *testing.T) {
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
|
||||||
|
|
||||||
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetQueryParam("service", authorizationHeader.Service).
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
SetQueryParam("scope", authorizationHeader.Scope).
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
|
|
@ -5,6 +5,11 @@
|
||||||
load helpers_zot
|
load helpers_zot
|
||||||
|
|
||||||
function verify_prerequisites {
|
function verify_prerequisites {
|
||||||
|
if [ ! $(command -v htpasswd) ]; then
|
||||||
|
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -15,15 +20,15 @@ function setup_file() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Download test data to folder common for the entire suite, not just this file
|
# Download test data to folder common for the entire suite, not just this file
|
||||||
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
|
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
|
||||||
# Setup zot server
|
# Setup zot server
|
||||||
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
||||||
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
||||||
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
|
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
|
||||||
local htpasswordFile=${BATS_FILE_TMPDIR}/htpasswd
|
local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd
|
||||||
mkdir -p ${zot_root_dir}
|
mkdir -p ${zot_root_dir}
|
||||||
mkdir -p ${oci_data_dir}
|
mkdir -p ${oci_data_dir}
|
||||||
echo 'test:$2a$10$EIIoeCnvsIDAJeDL4T1sEOnL2fWOvsq7ACZbs3RT40BBBXg.Ih7V.' >> ${htpasswordFile}
|
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
|
||||||
cat > ${zot_config_file}<<EOF
|
cat > ${zot_config_file}<<EOF
|
||||||
{
|
{
|
||||||
"distSpecVersion": "1.1.0-dev",
|
"distSpecVersion": "1.1.0-dev",
|
||||||
|
@ -35,7 +40,7 @@ function setup_file() {
|
||||||
"port": "8080",
|
"port": "8080",
|
||||||
"auth": {
|
"auth": {
|
||||||
"htpasswd": {
|
"htpasswd": {
|
||||||
"path": "${htpasswordFile}"
|
"path": "${zot_htpasswd_file}"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"accessControl": {
|
"accessControl": {
|
||||||
|
@ -45,7 +50,7 @@ function setup_file() {
|
||||||
"policies": [
|
"policies": [
|
||||||
{
|
{
|
||||||
"users": [
|
"users": [
|
||||||
"test"
|
"${AUTH_USER}"
|
||||||
],
|
],
|
||||||
"actions": [
|
"actions": [
|
||||||
"read",
|
"read",
|
||||||
|
@ -78,23 +83,23 @@ function teardown_file() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "push image user policy" {
|
@test "push image user policy" {
|
||||||
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
|
run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
|
||||||
oci:${TEST_DATA_DIR}/golang:1.20 \
|
oci:${TEST_DATA_DIR}/busybox:1.36 \
|
||||||
docker://127.0.0.1:8080/golang:1.20
|
docker://127.0.0.1:8080/busybox:1.36
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "pull image anonymous policy" {
|
@test "pull image anonymous policy" {
|
||||||
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
|
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
|
||||||
run skopeo --insecure-policy copy --src-tls-verify=false \
|
run skopeo --insecure-policy copy --src-tls-verify=false \
|
||||||
docker://127.0.0.1:8080/golang:1.20 \
|
docker://127.0.0.1:8080/busybox:1.36 \
|
||||||
oci:${oci_data_dir}/golang:1.20
|
oci:${oci_data_dir}/busybox:1.36
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "push image anonymous policy" {
|
@test "push image anonymous policy" {
|
||||||
run skopeo --insecure-policy copy --dest-tls-verify=false \
|
run skopeo --insecure-policy copy --dest-tls-verify=false \
|
||||||
oci:${TEST_DATA_DIR}/golang:1.20 \
|
oci:${TEST_DATA_DIR}/busybox:1.36 \
|
||||||
docker://127.0.0.1:8080/golang:1.20
|
docker://127.0.0.1:8080/busybox:1.36
|
||||||
[ "$status" -eq 1 ]
|
[ "$status" -eq 1 ]
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,6 +5,11 @@
|
||||||
load helpers_zot
|
load helpers_zot
|
||||||
|
|
||||||
function verify_prerequisites {
|
function verify_prerequisites {
|
||||||
|
if [ ! $(command -v htpasswd) ]; then
|
||||||
|
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -15,15 +20,16 @@ function setup_file() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Download test data to folder common for the entire suite, not just this file
|
# Download test data to folder common for the entire suite, not just this file
|
||||||
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
|
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
|
||||||
|
|
||||||
# Setup zot server
|
# Setup zot server
|
||||||
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
||||||
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
||||||
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
|
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
|
||||||
local htpasswordFile=${BATS_FILE_TMPDIR}/htpasswd
|
local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd
|
||||||
mkdir -p ${zot_root_dir}
|
mkdir -p ${zot_root_dir}
|
||||||
mkdir -p ${oci_data_dir}
|
mkdir -p ${oci_data_dir}
|
||||||
echo 'test:$2a$10$EIIoeCnvsIDAJeDL4T1sEOnL2fWOvsq7ACZbs3RT40BBBXg.Ih7V.' >> ${htpasswordFile}
|
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
|
||||||
cat > ${zot_config_file}<<EOF
|
cat > ${zot_config_file}<<EOF
|
||||||
{
|
{
|
||||||
"distSpecVersion": "1.1.0-dev",
|
"distSpecVersion": "1.1.0-dev",
|
||||||
|
@ -35,7 +41,7 @@ function setup_file() {
|
||||||
"port": "8080",
|
"port": "8080",
|
||||||
"auth": {
|
"auth": {
|
||||||
"htpasswd": {
|
"htpasswd": {
|
||||||
"path": "${htpasswordFile}"
|
"path": "${zot_htpasswd_file}"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"accessControl": {
|
"accessControl": {
|
||||||
|
@ -50,7 +56,7 @@ function setup_file() {
|
||||||
"policies": [
|
"policies": [
|
||||||
{
|
{
|
||||||
"users": [
|
"users": [
|
||||||
"test"
|
"${AUTH_USER}"
|
||||||
],
|
],
|
||||||
"actions": [
|
"actions": [
|
||||||
"read",
|
"read",
|
||||||
|
@ -83,21 +89,21 @@ function teardown_file() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "push 2 images with same manifest with user policy" {
|
@test "push 2 images with same manifest with user policy" {
|
||||||
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
|
run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
|
||||||
oci:${TEST_DATA_DIR}/golang:1.20 \
|
oci:${TEST_DATA_DIR}/busybox:1.36 \
|
||||||
docker://127.0.0.1:8080/golang:1.20
|
docker://127.0.0.1:8080/busybox:1.36
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
|
|
||||||
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
|
run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
|
||||||
oci:${TEST_DATA_DIR}/golang:1.20 \
|
oci:${TEST_DATA_DIR}/busybox:1.36 \
|
||||||
docker://127.0.0.1:8080/golang:latest
|
docker://127.0.0.1:8080/busybox:latest
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "skopeo delete image with anonymous policy should fail" {
|
@test "skopeo delete image with anonymous policy should fail" {
|
||||||
# skopeo deletes by digest, so it should fail with detectManifestCollision policy
|
# skopeo deletes by digest, so it should fail with detectManifestCollision policy
|
||||||
run skopeo --insecure-policy delete --tls-verify=false \
|
run skopeo --insecure-policy delete --tls-verify=false \
|
||||||
docker://127.0.0.1:8080/golang:1.20
|
docker://127.0.0.1:8080/busybox:1.36
|
||||||
[ "$status" -eq 1 ]
|
[ "$status" -eq 1 ]
|
||||||
# conflict status code
|
# conflict status code
|
||||||
[[ "$output" == *"manifest invalid"* ]]
|
[[ "$output" == *"manifest invalid"* ]]
|
||||||
|
@ -107,7 +113,7 @@ function teardown_file() {
|
||||||
run regctl registry set localhost:8080 --tls disabled
|
run regctl registry set localhost:8080 --tls disabled
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
|
|
||||||
run regctl image delete localhost:8080/golang:1.20 --force-tag-dereference
|
run regctl image delete localhost:8080/busybox:1.36 --force-tag-dereference
|
||||||
[ "$status" -eq 1 ]
|
[ "$status" -eq 1 ]
|
||||||
# conflict status code
|
# conflict status code
|
||||||
[[ "$output" == *"409"* ]]
|
[[ "$output" == *"409"* ]]
|
||||||
|
@ -115,7 +121,7 @@ function teardown_file() {
|
||||||
|
|
||||||
@test "delete image with user policy should work" {
|
@test "delete image with user policy should work" {
|
||||||
# should work without detectManifestCollision policy
|
# should work without detectManifestCollision policy
|
||||||
run skopeo --insecure-policy delete --creds test:test --tls-verify=false \
|
run skopeo --insecure-policy delete --creds ${AUTH_USER}:${AUTH_PASS} --tls-verify=false \
|
||||||
docker://127.0.0.1:8080/golang:1.20
|
docker://127.0.0.1:8080/busybox:1.36
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
6
test/blackbox/helpers_metrics.bash
Normal file
6
test/blackbox/helpers_metrics.bash
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
function metrics_route_check () {
|
||||||
|
local servername="http://127.0.0.1:${1}/metrics"
|
||||||
|
status_code=$(curl --write-out '%{http_code}' ${2} --silent --output /dev/null ${servername})
|
||||||
|
|
||||||
|
[ "$status_code" -eq ${3} ]
|
||||||
|
}
|
|
@ -6,6 +6,8 @@ ZOT_PATH=${ROOT_DIR}/bin/zot-${OS}-${ARCH}
|
||||||
ZLI_PATH=${ROOT_DIR}/bin/zli-${OS}-${ARCH}
|
ZLI_PATH=${ROOT_DIR}/bin/zli-${OS}-${ARCH}
|
||||||
ZOT_MINIMAL_PATH=${ROOT_DIR}/bin/zot-${OS}-${ARCH}-minimal
|
ZOT_MINIMAL_PATH=${ROOT_DIR}/bin/zot-${OS}-${ARCH}-minimal
|
||||||
ZB_PATH=${ROOT_DIR}/bin/zb-${OS}-${ARCH}
|
ZB_PATH=${ROOT_DIR}/bin/zb-${OS}-${ARCH}
|
||||||
|
AUTH_USER=poweruser
|
||||||
|
AUTH_PASS=sup*rSecr9T
|
||||||
|
|
||||||
mkdir -p ${TEST_DATA_DIR}
|
mkdir -p ${TEST_DATA_DIR}
|
||||||
|
|
||||||
|
|
|
@ -15,6 +15,11 @@ function verify_prerequisites {
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ ! $(command -v htpasswd) ]; then
|
||||||
|
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -25,15 +30,16 @@ function setup_file() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Download test data to folder common for the entire suite, not just this file
|
# Download test data to folder common for the entire suite, not just this file
|
||||||
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.18 oci:${TEST_DATA_DIR}/golang:1.18
|
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
|
||||||
|
|
||||||
# Setup zot server
|
# Setup zot server
|
||||||
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
||||||
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
||||||
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
|
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
|
||||||
local htpasswordFile=${BATS_FILE_TMPDIR}/htpasswd
|
local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd
|
||||||
mkdir -p ${zot_root_dir}
|
mkdir -p ${zot_root_dir}
|
||||||
mkdir -p ${oci_data_dir}
|
mkdir -p ${oci_data_dir}
|
||||||
echo 'test:$2a$10$EIIoeCnvsIDAJeDL4T1sEOnL2fWOvsq7ACZbs3RT40BBBXg.Ih7V.' >> ${htpasswordFile}
|
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
|
||||||
cat > ${zot_config_file}<<EOF
|
cat > ${zot_config_file}<<EOF
|
||||||
{
|
{
|
||||||
"distSpecVersion": "1.1.0-dev",
|
"distSpecVersion": "1.1.0-dev",
|
||||||
|
@ -53,7 +59,7 @@ function setup_file() {
|
||||||
"port": "8080",
|
"port": "8080",
|
||||||
"auth": {
|
"auth": {
|
||||||
"htpasswd": {
|
"htpasswd": {
|
||||||
"path": "${htpasswordFile}"
|
"path": "${zot_htpasswd_file}"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"accessControl": {
|
"accessControl": {
|
||||||
|
@ -63,7 +69,7 @@ function setup_file() {
|
||||||
"policies": [
|
"policies": [
|
||||||
{
|
{
|
||||||
"users": [
|
"users": [
|
||||||
"test"
|
"${AUTH_USER}"
|
||||||
],
|
],
|
||||||
"actions": [
|
"actions": [
|
||||||
"read",
|
"read",
|
||||||
|
@ -97,64 +103,64 @@ function teardown_file() {
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "push image user policy" {
|
@test "push image user policy" {
|
||||||
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
|
run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
|
||||||
oci:${TEST_DATA_DIR}/golang:1.18 \
|
oci:${TEST_DATA_DIR}/busybox:1.36 \
|
||||||
docker://127.0.0.1:8080/golang:1.18
|
docker://127.0.0.1:8080/busybox:1.36
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "User metadata starredRepos" {
|
@test "User metadata starredRepos" {
|
||||||
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
|
run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
|
||||||
oci:${TEST_DATA_DIR}/golang:1.18 \
|
oci:${TEST_DATA_DIR}/busybox:1.36 \
|
||||||
docker://127.0.0.1:8080/golang:1.18
|
docker://127.0.0.1:8080/busybox:1.36
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
|
|
||||||
USER_STAR_REPOS_QUERY='{ "query": "{ StarredRepos { Results { Name } } }"}'
|
USER_STAR_REPOS_QUERY='{ "query": "{ StarredRepos { Results { Name } } }"}'
|
||||||
|
|
||||||
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
[ $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results') = '[]' ]
|
[ $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results') = '[]' ]
|
||||||
|
|
||||||
run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleStar"
|
run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleStar"
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
|
|
||||||
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
echo $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results[0].Name')
|
echo $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results[0].Name')
|
||||||
[ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results[0].Name') = 'golang' ]
|
[ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results[0].Name') = 'busybox' ]
|
||||||
|
|
||||||
run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleStar"
|
run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleStar"
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
|
|
||||||
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
echo $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results')
|
echo $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results')
|
||||||
[ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results') = '[]' ]
|
[ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results') = '[]' ]
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "User metadata bookmarkedRepos" {
|
@test "User metadata bookmarkedRepos" {
|
||||||
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
|
run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
|
||||||
oci:${TEST_DATA_DIR}/golang:1.18 \
|
oci:${TEST_DATA_DIR}/busybox:1.36 \
|
||||||
docker://127.0.0.1:8080/golang:1.18
|
docker://127.0.0.1:8080/busybox:1.36
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
|
|
||||||
USER_BOOKMARK_REPOS_QUERY='{ "query": "{ BookmarkedRepos { Results { Name } } }"}'
|
USER_BOOKMARK_REPOS_QUERY='{ "query": "{ BookmarkedRepos { Results { Name } } }"}'
|
||||||
|
|
||||||
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
[ $(echo "${lines[-1]}" | jq '.data.BookmarkedRepos.Results') = '[]' ]
|
[ $(echo "${lines[-1]}" | jq '.data.BookmarkedRepos.Results') = '[]' ]
|
||||||
|
|
||||||
run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleBookmark"
|
run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleBookmark"
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
|
|
||||||
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
[ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results[0].Name') = 'golang' ]
|
[ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results[0].Name') = 'busybox' ]
|
||||||
|
|
||||||
run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleBookmark"
|
run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleBookmark"
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
|
|
||||||
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
[ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results') = '[]' ]
|
[ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results') = '[]' ]
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
|
# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
|
||||||
|
|
||||||
load helpers_zot
|
load helpers_zot
|
||||||
|
load helpers_metrics
|
||||||
|
|
||||||
function verify_prerequisites() {
|
function verify_prerequisites() {
|
||||||
if [ ! $(command -v curl) ]; then
|
if [ ! $(command -v curl) ]; then
|
||||||
|
@ -10,6 +11,11 @@ function verify_prerequisites() {
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ ! $(command -v htpasswd) ]; then
|
||||||
|
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -19,14 +25,14 @@ function setup_file() {
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Download test data to folder common for the entire suite, not just this file
|
|
||||||
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
|
|
||||||
|
|
||||||
# Setup zot server
|
# Setup zot server
|
||||||
zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
||||||
echo ${zot_root_dir}
|
echo ${zot_root_dir} >&3
|
||||||
zot_log_file=${zot_root_dir}/zot-log.json
|
zot_log_file=${zot_root_dir}/zot-log.json
|
||||||
zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
||||||
|
zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
|
||||||
|
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
|
||||||
|
|
||||||
mkdir -p ${zot_root_dir}
|
mkdir -p ${zot_root_dir}
|
||||||
touch ${zot_log_file}
|
touch ${zot_log_file}
|
||||||
cat >${zot_config_file} <<EOF
|
cat >${zot_config_file} <<EOF
|
||||||
|
@ -37,7 +43,12 @@ function setup_file() {
|
||||||
},
|
},
|
||||||
"http": {
|
"http": {
|
||||||
"address": "0.0.0.0",
|
"address": "0.0.0.0",
|
||||||
"port": "8080"
|
"port": "8080",
|
||||||
|
"auth": {
|
||||||
|
"htpasswd": {
|
||||||
|
"path": "${zot_htpasswd_file}"
|
||||||
|
}
|
||||||
|
}
|
||||||
},
|
},
|
||||||
"log": {
|
"log": {
|
||||||
"level": "debug",
|
"level": "debug",
|
||||||
|
@ -68,8 +79,15 @@ function teardown_file() {
|
||||||
zot_stop_all
|
zot_stop_all
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "metric enabled" {
|
@test "unauthorized request to metrics" {
|
||||||
local servername="http://127.0.0.1:8080/metrics"
|
run metrics_route_check 8080 "" 401
|
||||||
status_code=$(curl --write-out '%{http_code}' --silent --output /dev/null ${servername})
|
[ "$status" -eq 0 ]
|
||||||
[ "$status_code" -eq 200 ]
|
run metrics_route_check 8080 "-u unlucky:wrongpass" 401
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@test "authorized request: metrics enabled" {
|
||||||
|
run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 200
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
}
|
||||||
|
|
||||||
|
|
84
test/blackbox/metrics_minimal.bats
Normal file
84
test/blackbox/metrics_minimal.bats
Normal file
|
@ -0,0 +1,84 @@
|
||||||
|
# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
|
||||||
|
# Makefile target installs & checks all necessary tooling
|
||||||
|
# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
|
||||||
|
|
||||||
|
load helpers_zot
|
||||||
|
load helpers_metrics
|
||||||
|
|
||||||
|
function verify_prerequisites() {
|
||||||
|
if [ ! $(command -v curl) ]; then
|
||||||
|
echo "you need to install curl as a prerequisite to running the tests" >&3
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! $(command -v htpasswd) ]; then
|
||||||
|
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
function setup_file() {
|
||||||
|
# verify prerequisites are available
|
||||||
|
if ! $(verify_prerequisites); then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Setup zot server
|
||||||
|
zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
||||||
|
echo ${zot_root_dir} >&3
|
||||||
|
zot_log_file=${zot_root_dir}/zot-log.json
|
||||||
|
zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
||||||
|
zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
|
||||||
|
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
|
||||||
|
|
||||||
|
mkdir -p ${zot_root_dir}
|
||||||
|
touch ${zot_log_file}
|
||||||
|
cat >${zot_config_file} <<EOF
|
||||||
|
{
|
||||||
|
"distSpecVersion": "1.1.0-dev",
|
||||||
|
"storage": {
|
||||||
|
"rootDirectory": "${zot_root_dir}"
|
||||||
|
},
|
||||||
|
"http": {
|
||||||
|
"address": "0.0.0.0",
|
||||||
|
"port": "8080",
|
||||||
|
"auth": {
|
||||||
|
"htpasswd": {
|
||||||
|
"path": "${zot_htpasswd_file}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"log": {
|
||||||
|
"level": "debug",
|
||||||
|
"output": "${zot_log_file}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
zot_serve ${ZOT_MINIMAL_PATH} ${zot_config_file}
|
||||||
|
wait_zot_reachable 8080
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
function teardown() {
|
||||||
|
# conditionally printing on failure is possible from teardown but not from from teardown_file
|
||||||
|
cat ${BATS_FILE_TMPDIR}/zot/zot-log.json
|
||||||
|
}
|
||||||
|
|
||||||
|
function teardown_file() {
|
||||||
|
zot_stop_all
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "unauthorized request to metrics" {
|
||||||
|
run metrics_route_check 8080 "" 401
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
run metrics_route_check 8080 "-u test:wrongpass" 401
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "authorized request: metrics enabled" {
|
||||||
|
run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 200
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
}
|
|
@ -25,11 +25,14 @@ function setup_file() {
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Download test data to folder common for the entire suite, not just this file
|
||||||
|
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
|
||||||
|
|
||||||
# Setup zot server
|
# Setup zot server
|
||||||
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
||||||
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
||||||
local zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
|
local zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
|
||||||
htpasswd -Bbn test test123 >> ${zot_htpasswd_file}
|
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
|
||||||
|
|
||||||
echo ${zot_root_dir} >&3
|
echo ${zot_root_dir} >&3
|
||||||
|
|
||||||
|
@ -89,14 +92,14 @@ function teardown_file() {
|
||||||
|
|
||||||
@test "push image with regclient" {
|
@test "push image with regclient" {
|
||||||
run regctl registry set localhost:8080 --tls disabled
|
run regctl registry set localhost:8080 --tls disabled
|
||||||
run regctl registry login localhost:8080 -u test -p test123
|
run regctl registry login localhost:8080 -u ${AUTH_USER} -p ${AUTH_PASS}
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
run regctl image copy ocidir://${TEST_DATA_DIR}/golang:1.20 localhost:8080/test-regclient
|
run regctl image copy ocidir://${TEST_DATA_DIR}/busybox:1.36 localhost:8080/test-regclient
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "pull image with regclient" {
|
@test "pull image with regclient" {
|
||||||
run regctl image copy localhost:8080/test-regclient ocidir://${TEST_DATA_DIR}/golang:1.20
|
run regctl image copy localhost:8080/test-regclient ocidir://${TEST_DATA_DIR}/busybox:latest
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue