This repository has been archived on 2020-03-24. You can view files and clone it, but cannot push or open issues or pull requests.
quay/test/registry_tests.py

1129 lines
39 KiB
Python
Raw Normal View History

2015-05-29 22:08:17 +00:00
import unittest
import requests
2015-08-27 18:55:33 +00:00
import os
import math
import random
import string
import Crypto.Random
from flask import request, jsonify
2015-05-29 22:08:17 +00:00
from flask.blueprints import Blueprint
from flask.ext.testing import LiveServerTestCase
from app import app
from data.database import close_db_filter, configure
from endpoints.v1 import v1_bp
2015-08-27 18:55:33 +00:00
from endpoints.v2 import v2_bp
from endpoints.verbs import verbs
2015-08-27 18:55:33 +00:00
from endpoints.v2.manifest import SignedManifestBuilder
2015-05-29 22:08:17 +00:00
from endpoints.api import api_bp
from initdb import wipe_database, initialize_database, populate_database
from endpoints.csrf import generate_csrf_token
from tempfile import NamedTemporaryFile
from jsonschema import validate as validate_schema
2015-05-29 22:08:17 +00:00
import endpoints.decorated
import json
import features
2015-08-27 18:55:33 +00:00
import hashlib
import logging
2015-05-29 22:08:17 +00:00
import tarfile
import shutil
2015-05-29 22:08:17 +00:00
2015-08-27 18:55:33 +00:00
from jwkest.jws import SIGNER_ALGS
from jwkest.jwk import RSAKey
from Crypto.PublicKey import RSA
2015-05-29 22:08:17 +00:00
from cStringIO import StringIO
from digest.checksums import compute_simple
2015-05-29 22:08:17 +00:00
try:
app.register_blueprint(v1_bp, url_prefix='/v1')
2015-08-27 18:55:33 +00:00
app.register_blueprint(v2_bp, url_prefix='/v2')
app.register_blueprint(verbs, url_prefix='/c1')
2015-05-29 22:08:17 +00:00
app.register_blueprint(api_bp, url_prefix='/api')
except ValueError:
# Blueprint was already registered
pass
# Add a test blueprint for generating CSRF tokens, setting feature flags and reloading the
# DB connection.
2015-05-29 22:08:17 +00:00
testbp = Blueprint('testbp', __name__)
logger = logging.getLogger(__name__)
2015-05-29 22:08:17 +00:00
@testbp.route('/csrf', methods=['GET'])
def generate_csrf():
return generate_csrf_token()
@testbp.route('/feature/<feature_name>', methods=['POST'])
def set_feature(feature_name):
import features
old_value = features._FEATURES[feature_name].value
features._FEATURES[feature_name].value = request.get_json()['value']
return jsonify({'old_value': old_value})
@testbp.route('/reloadapp', methods=['POST'])
def reload_app():
# Close any existing connection.
close_db_filter(None)
# Reload the database config.
configure(app.config)
# Reload random after the process split, as it cannot be used uninitialized across forks.
Crypto.Random.atfork()
return 'OK'
2015-05-29 22:08:17 +00:00
app.register_blueprint(testbp, url_prefix='/__test')
class TestFeature(object):
""" Helper object which temporarily sets the value of a feature flag.
"""
def __init__(self, test_case, feature_flag, test_value):
self.test_case = test_case
self.feature_flag = feature_flag
self.test_value = test_value
self.old_value = None
def __enter__(self):
result = self.test_case.conduct('POST', '/__test/feature/' + self.feature_flag,
data=json.dumps(dict(value=self.test_value)),
headers={'Content-Type': 'application/json'})
result_data = json.loads(result.text)
self.old_value = result_data['old_value']
def __exit__(self, type, value, traceback):
self.test_case.conduct('POST', '/__test/feature/' + self.feature_flag,
data=json.dumps(dict(value=self.old_value)),
headers={'Content-Type': 'application/json'})
2015-05-29 22:08:17 +00:00
_PORT_NUMBER = 5001
_CLEAN_DATABASE_PATH = None
_JWK = RSAKey(key=RSA.generate(2048))
def get_new_database_uri():
# If a clean copy of the database has not yet been created, create one now.
global _CLEAN_DATABASE_PATH
if not _CLEAN_DATABASE_PATH:
wipe_database()
initialize_database()
populate_database()
close_db_filter(None)
# Save the path of the clean database.
_CLEAN_DATABASE_PATH = app.config['TEST_DB_FILE'].name
# Create a new temp file to be used as the actual backing database for the test.
# Note that we have the close() the file to ensure we can copy to it via shutil.
local_db_file = NamedTemporaryFile(delete=True)
local_db_file.close()
# Copy the clean database to the path.
shutil.copy2(_CLEAN_DATABASE_PATH, local_db_file.name)
return 'sqlite:///{0}'.format(local_db_file.name)
class RegistryTestCaseMixin(LiveServerTestCase):
2015-05-29 22:08:17 +00:00
def create_app(self):
global _PORT_NUMBER
_PORT_NUMBER = _PORT_NUMBER + 1
2015-10-05 19:26:45 +00:00
if os.environ.get('DEBUG') == 'true':
app.config['DEBUG'] = True
2015-05-29 22:08:17 +00:00
app.config['TESTING'] = True
app.config['LIVESERVER_PORT'] = _PORT_NUMBER
app.config['DB_URI'] = get_new_database_uri()
2015-05-29 22:08:17 +00:00
return app
def setUp(self):
self.clearSession()
# Tell the remote running app to reload the database and app. By default, the app forks from the
# current context and has already loaded the DB config with the *original* DB URL. We call
# the remote reload method to force it to pick up the changes to DB_URI set in the create_app
# method.
self.conduct('POST', '/__test/reloadapp')
2015-05-29 22:08:17 +00:00
def clearSession(self):
self.session = requests.Session()
self.signature = None
self.docker_token = 'true'
self.jwt = None
2015-05-29 22:08:17 +00:00
# Load the CSRF token.
self.csrf_token = ''
self.csrf_token = self.conduct('GET', '/__test/csrf').text
def do_tag(self, namespace, repository, tag, image_id, expected_code=200):
self.conduct('PUT', '/v1/repositories/%s/%s/tags/%s' % (namespace, repository, tag),
data='"%s"' % image_id, expected_code=expected_code, auth='sig')
def conduct_api_login(self, username, password):
self.conduct('POST', '/api/v1/signin',
data=json.dumps(dict(username=username, password=password)),
headers={'Content-Type': 'application/json'})
def change_repo_visibility(self, repository, namespace, visibility):
self.conduct('POST', '/api/v1/repository/%s/%s/changevisibility' % (repository, namespace),
data=json.dumps(dict(visibility=visibility)),
headers={'Content-Type': 'application/json'})
2015-09-08 15:58:21 +00:00
class BaseRegistryMixin(object):
def conduct(self, method, url, headers=None, data=None, auth=None, params=None, expected_code=200,
json_data=None):
2015-09-08 15:58:21 +00:00
params = params or {}
params['_csrf_token'] = self.csrf_token
2015-05-29 22:08:17 +00:00
headers = headers or {}
2015-09-08 15:58:21 +00:00
auth_tuple = None
2015-05-29 22:08:17 +00:00
2015-09-08 15:58:21 +00:00
if self.docker_token:
headers['X-Docker-Token'] = self.docker_token
if auth == 'sig':
if self.signature:
headers['Authorization'] = 'token ' + self.signature
elif auth == 'jwt':
if self.jwt:
headers['Authorization'] = 'Bearer ' + self.jwt
elif auth:
auth_tuple = auth
2015-05-29 22:08:17 +00:00
if json_data is not None:
data = json.dumps(json_data)
headers['Content-Type'] = 'application/json'
2015-05-29 22:08:17 +00:00
response = self.session.request(method, self.get_server_url() + url, headers=headers, data=data,
2015-09-08 15:58:21 +00:00
auth=auth_tuple, params=params)
2015-05-29 22:08:17 +00:00
if response.status_code != expected_code:
print response.text
if 'www-authenticate' in response.headers:
self.signature = response.headers['www-authenticate']
if 'X-Docker-Token' in response.headers:
self.docker_token = response.headers['X-Docker-Token']
self.assertEquals(response.status_code, expected_code)
return response
def _get_default_images(self):
return [{'id': 'someid', 'contents': 'somecontent'}]
2015-09-08 15:58:21 +00:00
class V1RegistryMixin(BaseRegistryMixin):
def v1_ping(self):
2015-05-29 22:08:17 +00:00
self.conduct('GET', '/v1/_ping')
2015-09-08 15:58:21 +00:00
class V1RegistryPushMixin(V1RegistryMixin):
def do_push(self, namespace, repository, username, password, images=None, expected_code=201):
images = images or self._get_default_images()
2015-05-29 22:08:17 +00:00
auth = (username, password)
# Ping!
2015-09-08 15:58:21 +00:00
self.v1_ping()
2015-05-29 22:08:17 +00:00
# PUT /v1/repositories/{namespace}/{repository}/
self.conduct('PUT', '/v1/repositories/%s/%s' % (namespace, repository),
data=json.dumps(images), auth=auth,
expected_code=expected_code)
if expected_code != 201:
return
2015-05-29 22:08:17 +00:00
last_image_id = None
for image_data in images:
image_id = image_data['id']
last_image_id = image_id
2015-05-29 22:08:17 +00:00
# PUT /v1/images/{imageID}/json
self.conduct('PUT', '/v1/images/%s/json' % image_id,
data=json.dumps({'id': image_id}), auth='sig')
2015-05-29 22:08:17 +00:00
# PUT /v1/images/{imageID}/layer
tar_file_info = tarfile.TarInfo(name='image_name')
tar_file_info.type = tarfile.REGTYPE
tar_file_info.size = len(image_id)
2015-05-29 22:08:17 +00:00
layer_data = StringIO()
tar_file = tarfile.open(fileobj=layer_data, mode='w|gz')
tar_file.addfile(tar_file_info, StringIO(image_id))
2015-05-29 22:08:17 +00:00
tar_file.close()
layer_bytes = layer_data.getvalue()
layer_data.close()
self.conduct('PUT', '/v1/images/%s/layer' % image_id,
2015-09-08 15:58:21 +00:00
data=StringIO(layer_bytes), auth='sig')
2015-05-29 22:08:17 +00:00
# PUT /v1/images/{imageID}/checksum
checksum = compute_simple(StringIO(layer_bytes), json.dumps({'id': image_id}))
self.conduct('PUT', '/v1/images/%s/checksum' % image_id,
2015-09-08 15:58:21 +00:00
headers={'X-Docker-Checksum-Payload': checksum},
auth='sig')
2015-05-29 22:08:17 +00:00
# PUT /v1/repositories/{namespace}/{repository}/tags/latest
2015-10-05 20:36:33 +00:00
self.do_tag(namespace, repository, 'latest', images[0]['id'])
2015-05-29 22:08:17 +00:00
# PUT /v1/repositories/{namespace}/{repository}/images
self.conduct('PUT', '/v1/repositories/%s/%s/images' % (namespace, repository),
2015-09-08 15:58:21 +00:00
expected_code=204,
auth='sig')
2015-05-29 22:08:17 +00:00
2015-09-08 15:58:21 +00:00
class V1RegistryPullMixin(V1RegistryMixin):
def do_pull(self, namespace, repository, username=None, password='password', expected_code=200,
images=None):
images = images or self._get_default_images()
2015-05-29 22:08:17 +00:00
auth = None
if username:
auth = (username, password)
# Ping!
2015-09-08 15:58:21 +00:00
self.v1_ping()
2015-05-29 22:08:17 +00:00
prefix = '/v1/repositories/%s/%s/' % (namespace, repository)
# GET /v1/repositories/{namespace}/{repository}/
self.conduct('GET', prefix + 'images', auth=auth, expected_code=expected_code)
if expected_code != 200:
return
# GET /v1/repositories/{namespace}/{repository}/
2015-09-08 15:58:21 +00:00
result = json.loads(self.conduct('GET', prefix + 'tags', auth='sig').text)
2015-05-29 22:08:17 +00:00
self.assertEquals(len(images), len(result.values()))
for image_data in images:
image_id = image_data['id']
self.assertIn(image_id, result.values())
2015-05-29 22:08:17 +00:00
# /v1/images/{imageID}/{ancestry, json, layer}
image_prefix = '/v1/images/%s/' % image_id
2015-09-08 15:58:21 +00:00
self.conduct('GET', image_prefix + 'ancestry', auth='sig')
self.conduct('GET', image_prefix + 'json', auth='sig')
self.conduct('GET', image_prefix + 'layer', auth='sig')
2015-08-27 18:55:33 +00:00
2015-09-08 15:58:21 +00:00
class V2RegistryMixin(BaseRegistryMixin):
MANIFEST_SCHEMA = {
'type': 'object',
'properties': {
'name': {
'type': 'string',
},
'tag': {
'type': 'string',
},
'signatures': {
'type': 'array',
'itemType': {
'type': 'object',
},
},
'fsLayers': {
'type': 'array',
'itemType': {
'type': 'object',
'properties': {
'blobSum': {
'type': 'string',
},
},
'required': 'blobSum',
},
},
'history': {
'type': 'array',
'itemType': {
'type': 'object',
'properties': {
'v1Compatibility': {
'type': 'object',
},
},
'required': ['v1Compatibility'],
},
},
},
'required': ['name', 'tag', 'fsLayers', 'history', 'signatures'],
}
2015-09-08 15:58:21 +00:00
def v2_ping(self):
response = self.conduct('GET', '/v2/', expected_code=200 if self.jwt else 401, auth='jwt')
self.assertEquals(response.headers['Docker-Distribution-API-Version'], 'registry/2.0')
2015-08-27 18:55:33 +00:00
def do_auth(self, username, password, namespace, repository, expected_code=200, scopes=[]):
auth = (username, password)
params = {
'account': username,
'scope': 'repository:%s/%s:%s' % (namespace, repository, ','.join(scopes)),
2015-09-17 20:27:05 +00:00
'service': app.config['SERVER_HOSTNAME'],
2015-08-27 18:55:33 +00:00
}
response = self.conduct('GET', '/v2/auth', params=params, auth=(username, password),
expected_code=expected_code)
if expected_code == 200:
response_json = json.loads(response.text)
self.assertIsNotNone(response_json.get('token'))
2015-09-08 15:58:21 +00:00
self.jwt = response_json['token']
2015-08-27 18:55:33 +00:00
return response
2015-08-27 18:55:33 +00:00
2015-09-08 15:58:21 +00:00
class V2RegistryPushMixin(V2RegistryMixin):
def do_push(self, namespace, repository, username, password, images=None, tag_name=None,
cancel=False, invalid=False, expected_manifest_code=202, expected_auth_code=200,
scopes=None):
images = images or self._get_default_images()
2015-08-27 18:55:33 +00:00
# Ping!
2015-09-08 15:58:21 +00:00
self.v2_ping()
2015-08-27 18:55:33 +00:00
# Auth.
self.do_auth(username, password, namespace, repository, scopes=scopes or ['push', 'pull'],
2015-10-05 18:19:52 +00:00
expected_code=expected_auth_code)
if expected_auth_code != 200:
return
2015-08-27 18:55:33 +00:00
# Build a fake manifest.
tag_name = tag_name or 'latest'
2015-08-27 18:55:33 +00:00
builder = SignedManifestBuilder(namespace, repository, tag_name)
for image_data in images:
checksum = 'sha256:' + hashlib.sha256(image_data['contents']).hexdigest()
if invalid:
checksum = 'sha256:' + hashlib.sha256('foobarbaz').hexdigest()
builder.add_layer(checksum, json.dumps(image_data))
2015-08-27 18:55:33 +00:00
# Build the manifest.
manifest = builder.build(_JWK)
2015-08-27 18:55:33 +00:00
# Push the image's layers.
checksums = {}
for image_data in images:
image_id = image_data['id']
full_contents = image_data['contents']
chunks = image_data.get('chunks')
2015-08-27 18:55:33 +00:00
# Layer data should not yet exist.
checksum = 'sha256:' + hashlib.sha256(full_contents).hexdigest()
2015-08-27 18:55:33 +00:00
self.conduct('HEAD', '/v2/%s/%s/blobs/%s' % (namespace, repository, checksum),
2015-09-08 15:58:21 +00:00
expected_code=404, auth='jwt')
2015-08-27 18:55:33 +00:00
# Start a new upload of the layer data.
response = self.conduct('POST', '/v2/%s/%s/blobs/uploads/' % (namespace, repository),
2015-09-08 15:58:21 +00:00
expected_code=202, auth='jwt')
2015-08-27 18:55:33 +00:00
upload_uuid = response.headers['Docker-Upload-UUID']
2015-08-27 18:55:33 +00:00
location = response.headers['Location'][len(self.get_server_url()):]
# PATCH the image data into the layer.
if chunks is None:
self.conduct('PATCH', location, data=full_contents, expected_code=204, auth='jwt')
else:
for chunk in chunks:
if len(chunk) == 3:
(start_byte, end_byte, expected_code) = chunk
else:
(start_byte, end_byte) = chunk
expected_code = 204
contents_chunk = full_contents[start_byte:end_byte]
self.conduct('PATCH', location, data=contents_chunk, expected_code=expected_code, auth='jwt',
headers={'Range': 'bytes=%s-%s' % (start_byte, end_byte)})
2015-08-27 18:55:33 +00:00
if expected_code != 204:
return
# Retrieve the upload status at each point.
status_url = '/v2/%s/%s/blobs/uploads/%s' % (namespace, repository, upload_uuid)
response = self.conduct('GET', status_url, expected_code=204, auth='jwt',
headers=dict(host=self.get_server_url()))
self.assertEquals(response.headers['Docker-Upload-UUID'], upload_uuid)
self.assertEquals(response.headers['Range'], "bytes=0-%s" % end_byte)
if cancel:
self.conduct('DELETE', location, params=dict(digest=checksum), expected_code=204,
auth='jwt')
# Ensure the upload was canceled.
status_url = '/v2/%s/%s/blobs/uploads/%s' % (namespace, repository, upload_uuid)
self.conduct('GET', status_url, expected_code=404, auth='jwt',
headers=dict(host=self.get_server_url()))
return
2015-08-27 18:55:33 +00:00
# Finish the layer upload with a PUT.
response = self.conduct('PUT', location, params=dict(digest=checksum), expected_code=201,
auth='jwt')
self.assertEquals(response.headers['Docker-Content-Digest'], checksum)
checksums[image_id] = checksum
# Ensure the layer exists now.
response = self.conduct('HEAD', '/v2/%s/%s/blobs/%s' % (namespace, repository, checksum),
expected_code=200, auth='jwt')
self.assertEquals(response.headers['Docker-Content-Digest'], checksum)
self.assertEquals(response.headers['Content-Length'], str(len(full_contents)))
2015-08-27 18:55:33 +00:00
# Write the manifest.
put_code = 404 if invalid else expected_manifest_code
2015-08-27 18:55:33 +00:00
self.conduct('PUT', '/v2/%s/%s/manifests/%s' % (namespace, repository, tag_name),
data=manifest.bytes, expected_code=put_code,
2015-09-08 15:58:21 +00:00
headers={'Content-Type': 'application/json'}, auth='jwt')
2015-08-27 18:55:33 +00:00
return checksums, manifest.digest
2015-08-27 18:55:33 +00:00
2015-09-08 15:58:21 +00:00
class V2RegistryPullMixin(V2RegistryMixin):
def do_pull(self, namespace, repository, username=None, password='password', expected_code=200,
manifest_id=None, expected_manifest_code=200, images=None):
images = images or self._get_default_images()
2015-08-27 18:55:33 +00:00
# Ping!
2015-09-08 15:58:21 +00:00
self.v2_ping()
2015-08-27 18:55:33 +00:00
# Auth.
self.do_auth(username, password, namespace, repository, scopes=['pull'],
expected_code=expected_code)
if expected_code != 200:
return
# Retrieve the manifest for the tag or digest.
manifest_id = manifest_id or 'latest'
response = self.conduct('GET', '/v2/%s/%s/manifests/%s' % (namespace, repository, manifest_id),
auth='jwt', expected_code=expected_manifest_code)
if expected_manifest_code != 200:
return
2015-08-27 18:55:33 +00:00
manifest_data = json.loads(response.text)
# Ensure the manifest returned by us is valid.
validate_schema(manifest_data, V2RegistryMixin.MANIFEST_SCHEMA)
# Verify the layers.
blobs = {}
2015-08-27 18:55:33 +00:00
for layer in manifest_data['fsLayers']:
blob_id = layer['blobSum']
result = self.conduct('GET', '/v2/%s/%s/blobs/%s' % (namespace, repository, blob_id),
expected_code=200, auth='jwt')
blobs[blob_id] = result.text
# Verify the V1 metadata is present for each expected image.
found_v1_layers = set()
history = manifest_data['history']
for entry in history:
v1_history = json.loads(entry['v1Compatibility'])
found_v1_layers.add(v1_history['id'])
for image in images:
self.assertIn(image['id'], found_v1_layers)
return blobs
2015-08-27 18:55:33 +00:00
class RegistryTestsMixin(object):
def test_push_pull_logging(self):
# Push a new repository.
self.do_push('public', 'newrepo', 'public', 'password')
# Retrieve the logs and ensure the push was added.
self.conduct_api_login('public', 'password')
result = self.conduct('GET', '/api/v1/repository/public/newrepo/logs')
logs = result.json()['logs']
self.assertEquals(1, len(logs))
self.assertEquals('push_repo', logs[0]['kind'])
self.assertEquals('public', logs[0]['performer']['name'])
# Pull the repository.
self.do_pull('public', 'newrepo', 'public', 'password')
# Retrieve the logs and ensure the pull was added.
result = self.conduct('GET', '/api/v1/repository/public/newrepo/logs')
logs = result.json()['logs']
self.assertEquals(2, len(logs))
self.assertEquals('pull_repo', logs[0]['kind'])
self.assertEquals('public', logs[0]['performer']['name'])
2015-05-29 22:08:17 +00:00
def test_pull_publicrepo_anonymous(self):
# Add a new repository under the public user, so we have a real repository to pull.
self.do_push('public', 'newrepo', 'public', 'password')
2015-05-29 22:08:17 +00:00
self.clearSession()
# First try to pull the (currently private) repo anonymously, which should fail (since it is
# private)
self.do_pull('public', 'newrepo', expected_code=403)
# Make the repository public.
self.conduct_api_login('public', 'password')
self.change_repo_visibility('public', 'newrepo', 'public')
self.clearSession()
# Pull the repository anonymously, which should succeed because the repository is public.
self.do_pull('public', 'newrepo')
def test_pull_publicrepo_devtable(self):
# Add a new repository under the public user, so we have a real repository to pull.
self.do_push('public', 'newrepo', 'public', 'password')
2015-05-29 22:08:17 +00:00
self.clearSession()
# First try to pull the (currently private) repo as devtable, which should fail as it belongs
# to public.
self.do_pull('public', 'newrepo', 'devtable', 'password', expected_code=403)
# Make the repository public.
self.conduct_api_login('public', 'password')
self.change_repo_visibility('public', 'newrepo', 'public')
self.clearSession()
# Pull the repository as devtable, which should succeed because the repository is public.
self.do_pull('public', 'newrepo', 'devtable', 'password')
def test_pull_private_repo(self):
# Add a new repository under the devtable user, so we have a real repository to pull.
self.do_push('devtable', 'newrepo', 'devtable', 'password')
2015-05-29 22:08:17 +00:00
self.clearSession()
# First try to pull the (currently private) repo as public, which should fail as it belongs
# to devtable.
self.do_pull('devtable', 'newrepo', 'public', 'password', expected_code=403)
# Pull the repository as devtable, which should succeed because the repository is owned by
# devtable.
self.do_pull('devtable', 'newrepo', 'devtable', 'password')
def test_public_no_anonymous_access_with_auth(self):
# Turn off anonymous access.
with TestFeature(self, 'ANONYMOUS_ACCESS', False):
# Add a new repository under the public user, so we have a real repository to pull.
self.do_push('public', 'newrepo', 'public', 'password')
self.clearSession()
# First try to pull the (currently private) repo as devtable, which should fail as it belongs
# to public.
self.do_pull('public', 'newrepo', 'devtable', 'password', expected_code=403)
# Make the repository public.
self.conduct_api_login('public', 'password')
self.change_repo_visibility('public', 'newrepo', 'public')
self.clearSession()
# Pull the repository as devtable, which should succeed because the repository is public.
self.do_pull('public', 'newrepo', 'devtable', 'password')
def test_private_no_anonymous_access(self):
# Turn off anonymous access.
with TestFeature(self, 'ANONYMOUS_ACCESS', False):
# Add a new repository under the public user, so we have a real repository to pull.
self.do_push('public', 'newrepo', 'public', 'password')
self.clearSession()
# First try to pull the (currently private) repo as devtable, which should fail as it belongs
# to public.
self.do_pull('public', 'newrepo', 'devtable', 'password', expected_code=403)
# Pull the repository as public, which should succeed because the repository is owned by public.
self.do_pull('public', 'newrepo', 'public', 'password')
def test_public_no_anonymous_access_no_auth(self):
# Turn off anonymous access.
with TestFeature(self, 'ANONYMOUS_ACCESS', False):
# Add a new repository under the public user, so we have a real repository to pull.
self.do_push('public', 'newrepo', 'public', 'password')
self.clearSession()
# First try to pull the (currently private) repo as anonymous, which should fail as it
# is private.
self.do_pull('public', 'newrepo', expected_code=401)
# Make the repository public.
self.conduct_api_login('public', 'password')
self.change_repo_visibility('public', 'newrepo', 'public')
self.clearSession()
# Try again to pull the (currently public) repo as anonymous, which should fail as
# anonymous access is disabled.
self.do_pull('public', 'newrepo', expected_code=401)
# Pull the repository as public, which should succeed because the repository is owned by public.
self.do_pull('public', 'newrepo', 'public', 'password')
# Pull the repository as devtable, which should succeed because the repository is public.
self.do_pull('public', 'newrepo', 'devtable', 'password')
def test_create_repo_creator_user(self):
self.do_push('buynlarge', 'newrepo', 'creator', 'password')
# Pull the repository as devtable, which should succeed because the repository is owned by the
# org.
self.do_pull('buynlarge', 'newrepo', 'devtable', 'password')
def test_create_repo_robot_owner(self):
# Lookup the robot's password.
self.conduct_api_login('devtable', 'password')
resp = self.conduct('GET', '/api/v1/organization/buynlarge/robots/ownerbot')
robot_token = json.loads(resp.text)['token']
self.do_push('buynlarge', 'newrepo', 'buynlarge+ownerbot', robot_token)
# Pull the repository as devtable, which should succeed because the repository is owned by the
# org.
self.do_pull('buynlarge', 'newrepo', 'devtable', 'password')
def test_create_repo_robot_creator(self):
# Lookup the robot's password.
self.conduct_api_login('devtable', 'password')
resp = self.conduct('GET', '/api/v1/organization/buynlarge/robots/creatorbot')
robot_token = json.loads(resp.text)['token']
self.do_push('buynlarge', 'newrepo', 'buynlarge+creatorbot', robot_token)
# Pull the repository as devtable, which should succeed because the repository is owned by the
# org.
self.do_pull('buynlarge', 'newrepo', 'devtable', 'password')
2015-08-27 18:55:33 +00:00
2015-09-08 15:58:21 +00:00
class V1RegistryTests(V1RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMixin,
RegistryTestCaseMixin, LiveServerTestCase):
2015-08-27 18:55:33 +00:00
""" Tests for V1 registry. """
def test_push_reponame_with_slashes(self):
# Attempt to add a repository name with slashes. This should fail as we do not support it.
images = [{
'id': 'onlyimagehere'
}]
self.do_push('public', 'newrepo/somesubrepo', 'public', 'password', images, expected_code=400)
def test_push_unicode_metadata(self):
self.conduct_api_login('devtable', 'password')
images = [{
'id': 'onlyimagehere',
'comment': 'Pawe\xc5\x82 Kami\xc5\x84ski <pawel.kaminski@codewise.com>'.decode('utf-8')
}]
self.do_push('devtable', 'unicodetest', 'devtable', 'password', images)
self.do_pull('devtable', 'unicodetest', 'devtable', 'password', images=images)
2015-10-05 20:36:33 +00:00
def test_tag_validation(self):
image_id = 'onlyimagehere'
images = [{
'id': image_id
}]
self.do_push('public', 'newrepo', 'public', 'password', images)
self.do_tag('public', 'newrepo', '1', image_id)
self.do_tag('public', 'newrepo', 'x' * 128, image_id)
self.do_tag('public', 'newrepo', '', image_id, expected_code=400)
self.do_tag('public', 'newrepo', 'x' * 129, image_id, expected_code=400)
self.do_tag('public', 'newrepo', '.fail', image_id, expected_code=400)
self.do_tag('public', 'newrepo', '-fail', image_id, expected_code=400)
2015-08-27 18:55:33 +00:00
2015-09-08 15:58:21 +00:00
class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMixin,
RegistryTestCaseMixin, LiveServerTestCase):
2015-08-27 18:55:33 +00:00
""" Tests for V2 registry. """
def test_push_only_push_scope(self):
images = [{
'id': 'onlyimagehere',
'contents': 'foobar',
}]
self.do_push('devtable', 'somenewrepo', 'devtable', 'password', images,
scopes=['push'])
def test_attempt_push_only_push_scope(self):
images = [{
'id': 'onlyimagehere',
'contents': 'foobar',
}]
self.do_push('public', 'somenewrepo', 'devtable', 'password', images,
scopes=['push'], expected_auth_code=403)
def test_push_reponame_with_slashes(self):
# Attempt to add a repository name with slashes. This should fail as we do not support it.
images = [{
'id': 'onlyimagehere'
}]
self.do_push('public', 'newrepo/somesubrepo', 'devtable', 'password', images,
expected_auth_code=400)
def test_invalid_push(self):
self.do_push('devtable', 'newrepo', 'devtable', 'password', invalid=True)
def test_cancel_push(self):
self.do_push('devtable', 'newrepo', 'devtable', 'password', cancel=True)
def test_pull_by_checksum(self):
# Add a new repository under the user, so we have a real repository to pull.
_, digest = self.do_push('devtable', 'newrepo', 'devtable', 'password')
# Attempt to pull by digest.
self.do_pull('devtable', 'newrepo', 'devtable', 'password', manifest_id=digest)
def test_pull_invalid_image_tag(self):
# Add a new repository under the user, so we have a real repository to pull.
self.do_push('devtable', 'newrepo', 'devtable', 'password')
self.clearSession()
# Attempt to pull the invalid tag.
self.do_pull('devtable', 'newrepo', 'devtable', 'password', manifest_id='invalid',
expected_manifest_code=404)
def test_partial_upload_below_5mb(self):
chunksize = 1024 * 1024 * 2
size = chunksize * 3
contents = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(size))
chunk_count = int(math.ceil((len(contents) * 1.0) / chunksize))
chunks = [(index * chunksize, (index + 1)*chunksize) for index in range(chunk_count)]
images = [
{
'id':'someid',
'contents': contents,
'chunks': chunks
}
]
# Push the chunked upload.
self.do_push('devtable', 'newrepo', 'devtable', 'password', images=images)
# Pull the image back and verify the contents.
blobs = self.do_pull('devtable', 'newrepo', 'devtable', 'password', images=images)
self.assertEquals(len(blobs.items()), 1)
self.assertEquals(blobs.items()[0][1], contents)
def test_partial_upload_way_below_5mb(self):
size = 1024
contents = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(size))
chunks = [(0, 100), (100, size)]
images = [
{
'id':'someid',
'contents': contents,
'chunks': chunks
}
]
# Push the chunked upload.
self.do_push('devtable', 'newrepo', 'devtable', 'password', images=images)
# Pull the image back and verify the contents.
blobs = self.do_pull('devtable', 'newrepo', 'devtable', 'password', images=images)
self.assertEquals(len(blobs.items()), 1)
self.assertEquals(blobs.items()[0][1], contents)
def test_partial_upload_resend_below_5mb(self):
size = 150
contents = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(size))
chunks = [(0, 100), (10, size)]
images = [
{
'id':'someid',
'contents': contents,
'chunks': chunks
}
]
# Push the chunked upload.
self.do_push('devtable', 'newrepo', 'devtable', 'password', images=images)
# Pull the image back and verify the contents.
blobs = self.do_pull('devtable', 'newrepo', 'devtable', 'password', images=images)
self.assertEquals(len(blobs.items()), 1)
self.assertEquals(blobs.items()[0][1], contents)
def test_partial_upload_try_resend_with_gap(self):
size = 150
contents = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(size))
chunks = [(0, 100), (101, size, 416)]
images = [
{
'id':'someid',
'contents': contents,
'chunks': chunks
}
]
# Attempt to push the chunked upload, which should fail.
self.do_push('devtable', 'newrepo', 'devtable', 'password', images=images)
def test_multiple_layers_invalid(self):
# Attempt to push a manifest with an image depending on an unknown base layer.
images = [
{
'id': 'latestid',
'contents': 'the latest image',
'parent': 'baseid',
}
]
self.do_push('devtable', 'newrepo', 'devtable', 'password', images=images,
expected_manifest_code=400)
def test_multiple_layers(self):
# Push a manifest with multiple layers.
images = [
{
'id': 'latestid',
'contents': 'the latest image',
'parent': 'baseid',
},
{
'id': 'baseid',
'contents': 'The base image',
}
]
self.do_push('devtable', 'newrepo', 'devtable', 'password', images=images)
2015-10-05 18:19:52 +00:00
def test_invalid_regname(self):
self.do_push('devtable', 'this/is/a/repo', 'devtable', 'password', expected_auth_code=400)
def test_multiple_tags(self):
latest_images = [
{
'id': 'latestid',
'contents': 'the latest image'
}
]
foobar_images = [
{
'id': 'foobarid',
'contents': 'the foobar image',
}
]
# Create the repo.
self.do_push('devtable', 'newrepo', 'devtable', 'password', images=latest_images,
tag_name='latest')
self.do_push('devtable', 'newrepo', 'devtable', 'password', images=foobar_images,
tag_name='foobar')
# Retrieve the tags.
response = self.conduct('GET', '/v2/devtable/newrepo/tags/list', auth='jwt', expected_code=200)
data = json.loads(response.text)
self.assertEquals(data['name'], "devtable/newrepo")
self.assertIn('latest', data['tags'])
self.assertIn('foobar', data['tags'])
2015-10-05 19:26:45 +00:00
# Retrieve the tags with pagination.
response = self.conduct('GET', '/v2/devtable/newrepo/tags/list', auth='jwt',
params=dict(n=1), expected_code=200)
data = json.loads(response.text)
self.assertEquals(data['name'], "devtable/newrepo")
self.assertEquals(len(data['tags']), 1)
self.assertTrue(response.headers['Link'].find('n=1&last=2') > 0)
# Try to get tags before a repo exists.
self.conduct('GET', '/v2/devtable/doesnotexist/tags/list', auth='jwt', expected_code=401)
2015-09-08 15:58:21 +00:00
class V1PushV2PullRegistryTests(V2RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMixin,
RegistryTestCaseMixin, LiveServerTestCase):
2015-09-08 15:58:21 +00:00
""" Tests for V1 push, V2 pull registry. """
class V1PullV2PushRegistryTests(V1RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMixin,
RegistryTestCaseMixin, LiveServerTestCase):
2015-09-08 15:58:21 +00:00
""" Tests for V1 pull, V2 push registry. """
2015-08-27 18:55:33 +00:00
class VerbTests(RegistryTestCaseMixin, V1RegistryPushMixin, LiveServerTestCase):
""" Tests for registry verbs. """
def test_multilayer_squashing(self):
images = [
{
'id': 'latestid',
'contents': 'the latest image',
'parent': 'baseid',
},
{
'id': 'baseid',
'contents': 'The base image',
}
]
# Create the repo.
self.do_push('devtable', 'newrepo', 'devtable', 'password', images=images)
# Pull the squashed version of the tag.
response = self.conduct('GET', '/c1/squash/devtable/newrepo/latest', auth='sig')
tar = tarfile.open(fileobj=StringIO(response.content))
expected_image_id = 'bd590ae79fba5ebc6550aaf016c0bd0f49b1d78178e0f83e0ca1c56c2bb7e7bf'
expected_names = ['repositories',
expected_image_id,
'%s/json' % expected_image_id,
'%s/VERSION' % expected_image_id,
'%s/layer.tar' % expected_image_id]
self.assertEquals(expected_names, tar.getnames())
self.assertEquals('1.0', tar.extractfile(tar.getmember('%s/VERSION' % expected_image_id)).read())
json_data = (tar.extractfile(tar.getmember('%s/json' % expected_image_id)).read())
# Ensure the JSON loads and parses.
result = json.loads(json_data)
self.assertEquals(expected_image_id, result['id'])
# Ensure that the "image_name" file refers to the latest image, as it is the top layer.
layer_tar = tarfile.open(fileobj=tar.extractfile(tar.getmember('%s/layer.tar' % expected_image_id)))
image_name = layer_tar.extractfile(layer_tar.getmember('image_name')).read()
self.assertEquals('latestid', image_name)
class V1RegistryLoginMixin(object):
def do_login(self, username, password, scope, expect_success=True):
data = {
'username': username,
'password': password,
}
response = self.conduct('POST', '/v1/users/', json_data=data, expected_code=400)
if expect_success:
self.assertEquals(response.text, '"Username or email already exists"')
else:
self.assertNotEquals(response.text, '"Username or email already exists"')
class V2RegistryLoginMixin(object):
def do_login(self, username, password, scope, expect_success=True, expected_code=None):
params = {
'account': username,
'scope': scope,
'service': app.config['SERVER_HOSTNAME'],
}
if expected_code is None:
if expect_success:
expected_code = 200
else:
expected_code = 403
response = self.conduct('GET', '/v2/auth', params=params, auth=(username, password),
expected_code=expected_code)
return response
class LoginTests(object):
""" Generic tests for registry login. """
def test_invalid_username_knownrepo(self):
self.do_login('invaliduser', 'somepassword', expect_success=False,
scope='repository:devtable/simple:pull')
def test_invalid_password_knownrepo(self):
self.do_login('devtable', 'somepassword', expect_success=False,
scope='repository:devtable/simple:pull')
def test_validuser_knownrepo(self):
self.do_login('devtable', 'password', expect_success=True,
scope='repository:devtable/simple:pull')
def test_validuser_encryptedpass(self):
# Generate an encrypted password.
self.conduct_api_login('devtable', 'password')
resp = self.conduct('POST', '/api/v1/user/clientkey', json_data=dict(password='password'))
encryptedpassword = resp.json()['key']
self.do_login('devtable', encryptedpassword, expect_success=True,
scope='repository:devtable/simple:pull')
def test_robotkey(self):
# Lookup the robot's password.
self.conduct_api_login('devtable', 'password')
resp = self.conduct('GET', '/api/v1/user/robots/dtrobot')
robot_token = resp.json()['token']
self.do_login('devtable+dtrobot', robot_token, expect_success=True,
scope='repository:devtable/complex:pull')
def test_oauth(self):
self.do_login('$oauthtoken', 'test', expect_success=True,
scope='repository:devtable/complex:pull')
class V1LoginTests(V1RegistryLoginMixin, LoginTests, RegistryTestCaseMixin, BaseRegistryMixin, LiveServerTestCase):
""" Tests for V1 login. """
pass # No additional tests.
class V2LoginTests(V2RegistryLoginMixin, LoginTests, RegistryTestCaseMixin, BaseRegistryMixin, LiveServerTestCase):
""" Tests for V2 login. """
def test_validuser_unknownrepo(self):
self.do_login('devtable', 'password', expect_success=False,
scope='repository:invalidnamespace/simple:pull')
def test_validuser_unknownnamespacerepo(self):
self.do_login('devtable', 'password', expect_success=True,
scope='repository:devtable/newrepo:push')
def test_validuser_noaccess(self):
self.do_login('public', 'password', expect_success=False,
scope='repository:devtable/simple:pull')
def test_validuser_noscope(self):
self.do_login('public', 'password', expect_success=True, scope=None)
def test_invaliduser_noscope(self):
self.do_login('invaliduser', 'invalidpass', expected_code=401, scope=None)
def test_invalidpassword_noscope(self):
self.do_login('public', 'invalidpass', expected_code=401, scope=None)
def test_oauth_noaccess(self):
self.do_login('$oauthtoken', 'test', expect_success=False,
scope='repository:public/publicrepo:pull,push')
def test_nouser_pull_publicrepo(self):
self.do_login('', '', expect_success=True, scope='repository:public/publicrepo:pull')
def test_nouser_push_publicrepo(self):
self.do_login('', '', expected_code=401, scope='repository:public/publicrepo:push')
2015-05-29 22:08:17 +00:00
if __name__ == '__main__':
unittest.main()