From e33f523907bb37c8295d113ea516a7ef3b6ea552 Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Mon, 8 Mar 2021 13:23:05 -0700 Subject: [PATCH] apiv2 tests: add helpers to start/stop a local registry ...and a rudimentary set of /auth tests for PR#9589 (disabled). This simply adds a new start_registry() helper function that allocates a random unused port, pulls a registry image, creates a local certificate + random username + random password, and fires everything up. Since none of this is (yet) used in CI, this is very low risk. The only infinitessimally-risky change is using a dedicated subdirectory of $WORKDIR (instead of $WORKDIR itself) as the podman root. This fixes a dumb oversight on my part: the workdir has grown to be used for much more than just podman root; this change removes clutter and makes it easier for humans to debug in cases of problems. Signed-off-by: Ed Santiago --- test/apiv2/60-auth.at | 29 +++++++++++ test/apiv2/test-apiv2 | 115 +++++++++++++++++++++++++++++++++++++++--- 2 files changed, 138 insertions(+), 6 deletions(-) create mode 100644 test/apiv2/60-auth.at diff --git a/test/apiv2/60-auth.at b/test/apiv2/60-auth.at new file mode 100644 index 0000000000..378955cd75 --- /dev/null +++ b/test/apiv2/60-auth.at @@ -0,0 +1,29 @@ +# -*- sh -*- +# +# registry-related tests +# + +start_registry + +# FIXME FIXME FIXME: remove the 'if false' for use with PR 9589 +if false; then + +# FIXME FIXME: please forgive the horrible POST params format; I have an +# upcoming PR which should fix that. + +# Test with wrong password. Confirm bad status and appropriate error message +t POST /v1.40/auth "\"username\":\"${REGISTRY_USERNAME}\",\"password\":\"WrOnGPassWord\",\"serveraddress\":\"localhost:$REGISTRY_PORT/\"" \ + 400 \ + .Status~'.* invalid username/password' + +# Test with the right password. Confirm status message and reasonable token +t POST /v1.40/auth "\"username\":\"${REGISTRY_USERNAME}\",\"password\":\"${REGISTRY_PASSWORD}\",\"serveraddress\":\"localhost:$REGISTRY_PORT/\"" \ + 200 \ + .Status="Login Succeeded" \ + .IdentityToken~[a-zA-Z0-9] + +# FIXME: now what? Try something-something using that token? +token=$(jq -r .IdentityToken <<<"$output") +# ... + +fi # FIXME FIXME FIXME: remove when working diff --git a/test/apiv2/test-apiv2 b/test/apiv2/test-apiv2 index d545df2458..e32d6bc62c 100755 --- a/test/apiv2/test-apiv2 +++ b/test/apiv2/test-apiv2 @@ -17,6 +17,8 @@ PODMAN_TEST_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODM IMAGE=$PODMAN_TEST_IMAGE_FQN +REGISTRY_IMAGE="${PODMAN_TEST_IMAGE_REGISTRY}/${PODMAN_TEST_IMAGE_USER}/registry:2.7" + # END stuff you can but probably shouldn't customize ############################################################################### # BEGIN setup @@ -313,13 +315,115 @@ function start_service() { die "Cannot start service on non-localhost ($HOST)" fi - $PODMAN_BIN --root $WORKDIR system service --time 15 tcp:127.0.0.1:$PORT \ + $PODMAN_BIN --root $WORKDIR/server_root system service \ + --time 15 \ + tcp:127.0.0.1:$PORT \ &> $WORKDIR/server.log & service_pid=$! wait_for_port $HOST $PORT } +function stop_service() { + # Stop the server + if [[ -n $service_pid ]]; then + kill $service_pid + wait $service_pid + fi +} + +#################### +# start_registry # Run a local registry +#################### +REGISTRY_PORT= +REGISTRY_USERNAME= +REGISTRY_PASSWORD= +function start_registry() { + # We can be invoked multiple times, e.g. from different subtests, but + # let's assume that once started we only kill it at the end of tests. + if [[ -n "$REGISTRY_PORT" ]]; then + return + fi + + REGISTRY_PORT=$(random_port) + REGISTRY_USERNAME=u$(random_string 7) + REGISTRY_PASSWORD=p$(random_string 7) + + local REGDIR=$WORKDIR/registry + local AUTHDIR=$REGDIR/auth + mkdir -p $AUTHDIR + + mkdir -p ${REGDIR}/{root,runroot} + local PODMAN_REGISTRY_ARGS="--root ${REGDIR}/root --runroot ${REGDIR}/runroot" + + # Give it three tries, to compensate for network flakes + podman ${PODMAN_REGISTRY_ARGS} pull $REGISTRY_IMAGE || + podman ${PODMAN_REGISTRY_ARGS} pull $REGISTRY_IMAGE || + podman ${PODMAN_REGISTRY_ARGS} pull $REGISTRY_IMAGE + + # Create a local cert and credentials + # FIXME: is there a hidden "--quiet" flag? This is too noisy. + openssl req -newkey rsa:4096 -nodes -sha256 \ + -keyout $AUTHDIR/domain.key -x509 -days 2 \ + -out $AUTHDIR/domain.crt \ + -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=registry host certificate" \ + -addext subjectAltName=DNS:localhost + htpasswd -Bbn ${REGISTRY_USERNAME} ${REGISTRY_PASSWORD} \ + > $AUTHDIR/htpasswd + + # Run the registry, and wait for it to come up + podman ${PODMAN_REGISTRY_ARGS} run -d \ + -p ${REGISTRY_PORT}:5000 \ + --name registry \ + -v $AUTHDIR:/auth:Z \ + -e "REGISTRY_AUTH=htpasswd" \ + -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ + -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ + -e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt \ + -e REGISTRY_HTTP_TLS_KEY=/auth/domain.key \ + ${REGISTRY_IMAGE} + + wait_for_port localhost $REGISTRY_PORT +} + +function stop_registry() { + local REGDIR=${WORKDIR}/registry + if [[ -d $REGDIR ]]; then + local OPTS="--root ${REGDIR}/root --runroot ${REGDIR}/runroot" + podman $OPTS stop -f -t 0 -a + + # rm/rmi are important when running rootless: without them we + # get EPERMS in tmpdir cleanup because files are owned by subuids. + podman $OPTS rm -f -a + podman $OPTS rmi -f -a + fi +} + +################# +# random_port # Random open port; arg is range (min-max), default 5000-5999 +################# +function random_port() { + local range=${1:-5000-5999} + + local port + for port in $(shuf -i ${range}); do + if ! { exec 5<> /dev/tcp/127.0.0.1/$port; } &>/dev/null; then + echo $port + return + fi + done + + die "Could not find open port in range $range" +} + +################### +# random_string # Pseudorandom alphanumeric string of given length +################### +function random_string() { + local length=${1:-10} + head /dev/urandom | tr -dc a-zA-Z0-9 | head -c$length +} + ################### # wait_for_port # Returns once port is available on host ################### @@ -341,8 +445,8 @@ function wait_for_port() { # podman # Needed by some test scripts to invoke the actual podman binary ############ function podman() { - echo "\$ $PODMAN_BIN $*" >>$WORKDIR/output.log - $PODMAN_BIN --root $WORKDIR "$@" >>$WORKDIR/output.log 2>&1 + echo "\$ $PODMAN_BIN $*" >>$WORKDIR/output.log + $PODMAN_BIN --root $WORKDIR/server_root "$@" >>$WORKDIR/output.log 2>&1 } #################### @@ -412,9 +516,8 @@ if [ -n "$service_pid" ]; then podman rm -a podman rmi -af - # Stop the server - kill $service_pid - wait $service_pid + stop_registry + stop_service fi test_count=$(<$testcounter_file)