diff --git a/integration-cli/docker_cli_authz_unix_test.go b/integration-cli/docker_cli_authz_unix_test.go index 79357f1cce..d7557ac3c3 100644 --- a/integration-cli/docker_cli_authz_unix_test.go +++ b/integration-cli/docker_cli_authz_unix_test.go @@ -30,6 +30,10 @@ const ( containerListAPI = "/containers/json" ) +var ( + alwaysAllowed = []string{"/_ping", "/info"} +) + func init() { check.Suite(&DockerAuthzSuite{ ds: &DockerSuite{}, @@ -74,12 +78,6 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) { }) mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) { - if s.ctrl.reqRes.Err != "" { - w.WriteHeader(http.StatusInternalServerError) - } - b, err := json.Marshal(s.ctrl.reqRes) - c.Assert(err, check.IsNil) - w.Write(b) defer r.Body.Close() body, err := ioutil.ReadAll(r.Body) c.Assert(err, check.IsNil) @@ -96,16 +94,20 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) { } s.ctrl.requestsURIs = append(s.ctrl.requestsURIs, authReq.RequestURI) + + reqRes := s.ctrl.reqRes + if isAllowed(authReq.RequestURI) { + reqRes = authorization.Response{Allow: true} + } + if reqRes.Err != "" { + w.WriteHeader(http.StatusInternalServerError) + } + b, err := json.Marshal(reqRes) + c.Assert(err, check.IsNil) + w.Write(b) }) mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) { - if s.ctrl.resRes.Err != "" { - w.WriteHeader(http.StatusInternalServerError) - } - b, err := json.Marshal(s.ctrl.resRes) - c.Assert(err, check.IsNil) - w.Write(b) - defer r.Body.Close() body, err := ioutil.ReadAll(r.Body) c.Assert(err, check.IsNil) 
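Review bot: The nine response-writing lines added after `s.ctrl.requestsURIs = append(...)` in the AuthZReq handler (copy reqRes, override with `authorization.Response{Allow: true}` when `isAllowed`, set 500 on `Err`, marshal, write) reappear verbatim in the AuthZRes handler at hunk @@ -120, so the fake plugin's allow-list policy now lives in two places; a small helper called from both keeps it in one. The removal at hunk @@ -74 is only the move of that block to after the body is parsed, which is the right order. Always-allowed URIs are still appended to `s.ctrl.requestsURIs` before the override, so tests inspecting that list will presumably also see the harness's own `/_ping` and `/info` calls; if that is intended, a comment at the append would say so. Both handlers read `s.ctrl.reqRes` / `s.ctrl.resRes` from the HTTP goroutine while the tests assign them, which looks unsynchronized, though it predates this change. SetUpSuite starts and ends outside the hunk.
```go
// writeAuthZResponse answers with res, except that endpoints the test harness
// itself needs (see alwaysAllowed) are always allowed regardless of res.
func writeAuthZResponse(c *check.C, w http.ResponseWriter, reqURI string, res authorization.Response) {
	if isAllowed(reqURI) {
		res = authorization.Response{Allow: true}
	}
	if res.Err != "" {
		w.WriteHeader(http.StatusInternalServerError)
	}
	b, err := json.Marshal(res)
	c.Assert(err, check.IsNil)
	w.Write(b)
}

// … unchanged: AuthZReq handler up to the requestsURIs append …
		s.ctrl.requestsURIs = append(s.ctrl.requestsURIs, authReq.RequestURI)
		writeAuthZResponse(c, w, authReq.RequestURI, s.ctrl.reqRes)
	})
// … unchanged: AuthZRes handler body, then …
		writeAuthZResponse(c, w, authReq.RequestURI, s.ctrl.resRes)
	})
```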
@@ -120,6 +122,16 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) { if strings.HasSuffix(authReq.RequestURI, containerListAPI) { s.ctrl.psResponseCnt++ } + resRes := s.ctrl.resRes + if isAllowed(authReq.RequestURI) { + resRes = authorization.Response{Allow: true} + } + if resRes.Err != "" { + w.WriteHeader(http.StatusInternalServerError) + } + b, err := json.Marshal(resRes) + c.Assert(err, check.IsNil) + w.Write(b) }) err := os.MkdirAll("/etc/docker/plugins", 0755) @@ -130,6 +142,16 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) { c.Assert(err, checker.IsNil) } +// check for always allowed endpoints to not inhibit test framework functions +func isAllowed(reqURI string) bool { + for _, endpoint := range alwaysAllowed { + if strings.HasSuffix(reqURI, endpoint) { + return true + } + } + return false +} + // assertAuthHeaders validates authentication headers are removed func assertAuthHeaders(c *check.C, headers map[string]string) error { for k := range headers { @@ -171,13 +193,10 @@ func (s *DockerAuthzSuite) TearDownSuite(c *check.C) { func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) { // start the daemon and load busybox, --net=none build fails otherwise // cause it needs to pull busybox - c.Assert(s.d.StartWithBusybox(), check.IsNil) - // restart the daemon and enable the plugin, otherwise busybox loading - // is blocked by the plugin itself - c.Assert(s.d.Restart("--authorization-plugin="+testAuthZPlugin), check.IsNil) - + c.Assert(s.d.Start("--authorization-plugin="+testAuthZPlugin), check.IsNil) s.ctrl.reqRes.Allow = true s.ctrl.resRes.Allow = true + c.Assert(s.d.LoadBusybox(), check.IsNil) // Ensure command successful out, err := s.d.Cmd("run", "-d", "busybox", "top") 
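Review bot: The comment above `isAllowed` should start with the function name and state what the match actually is, because `strings.HasSuffix` on the raw `authReq.RequestURI` is broader than an endpoint list suggests: any path whose last segment is `info` matches, and a query string on the request would defeat the match. For a fake plugin in a test suite that is acceptable, but the comment should say so: `// isAllowed reports whether reqURI ends in one of the alwaysAllowed endpoints, which the test harness itself calls (for example /info from queryRootDir) and which the fake plugin therefore never blocks, whatever reqRes/resRes say. Matching is a plain suffix test on the raw request URI, so a query string would defeat it.` If that ever matters, parse with `url.ParseRequestURI` and test `u.Path` instead of `reqURI`.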
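Review bot: The context comment above the new `Start` call, `// start the daemon and load busybox, --net=none build fails otherwise // cause it needs to pull busybox`, no longer describes the sequence: the daemon now starts with the plugin already enabled, the controller is set to allow, and only then is busybox loaded through the plugin; the identical hunk at @@ -234 in TestAuthZPluginAllowEventStream has the same stale comment. Suggest `// start the daemon with the plugin enabled, then allow everything so the busybox load below passes through the plugin` above the `Start` call in both tests. Since the `load` request now flows through the plugin (it is not in alwaysAllowed), it is presumably recorded in `s.ctrl.requestsURIs` and counted by anything keyed on request totals, which is worth checking against the later assertions in these tests; both test bodies continue outside the hunk.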
@@ -234,12 +253,10 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowEventStream(c *check.C) { testRequires(c, DaemonIsLinux) // start the daemon and load busybox to avoid pulling busybox from Docker Hub - c.Assert(s.d.StartWithBusybox(), check.IsNil) - // restart the daemon and enable the authorization plugin, otherwise busybox loading - // is blocked by the plugin itself - c.Assert(s.d.Restart("--authorization-plugin="+testAuthZPlugin), check.IsNil) + c.Assert(s.d.Start("--authorization-plugin="+testAuthZPlugin), check.IsNil) s.ctrl.reqRes.Allow = true s.ctrl.resRes.Allow = true + c.Assert(s.d.LoadBusybox(), check.IsNil) startTime := strconv.FormatInt(daemonTime(c).Unix(), 10) // Add another command to to enable event pipelining diff --git a/integration-cli/docker_utils.go b/integration-cli/docker_utils.go index 6349b11db8..5c7fe04fa6 100644 --- a/integration-cli/docker_utils.go +++ b/integration-cli/docker_utils.go @@ -321,24 +321,7 @@ func (d *Daemon) StartWithBusybox(arg ...string) error { if err := d.Start(arg...); err != nil { return err } - bb := filepath.Join(d.folder, "busybox.tar") - if _, err := os.Stat(bb); err != nil { - if !os.IsNotExist(err) { - return fmt.Errorf("unexpected error on busybox.tar stat: %v", err) - } - // saving busybox image from main daemon - if err := exec.Command(dockerBinary, "save", "--output", bb, "busybox:latest").Run(); err != nil { - return fmt.Errorf("could not save busybox image: %v", err) - } - } - // loading busybox image to this daemon - if out, err := d.Cmd("load", "--input", bb); err != nil { - return fmt.Errorf("could not load busybox image: %s", out) - } - if err := os.Remove(bb); err != nil { - d.c.Logf("could not remove %s: %v", bb, err) - } - return nil + return d.LoadBusybox() } // Stop will send a SIGINT every second and wait for the daemon to stop. 
@@ -413,6 +396,28 @@ func (d *Daemon) Restart(arg ...string) error { return d.Start(arg...) } +// LoadBusybox will load the stored busybox into a newly started daemon +func (d *Daemon) LoadBusybox() error { + bb := filepath.Join(d.folder, "busybox.tar") + if _, err := os.Stat(bb); err != nil { + if !os.IsNotExist(err) { + return fmt.Errorf("unexpected error on busybox.tar stat: %v", err) + } + // saving busybox image from main daemon + if err := exec.Command(dockerBinary, "save", "--output", bb, "busybox:latest").Run(); err != nil { + return fmt.Errorf("could not save busybox image: %v", err) + } + } + // loading busybox image to this daemon + if out, err := d.Cmd("load", "--input", bb); err != nil { + return fmt.Errorf("could not load busybox image: %s", out) + } + if err := os.Remove(bb); err != nil { + d.c.Logf("could not remove %s: %v", bb, err) + } + return nil +} + func (d *Daemon) queryRootDir() (string, error) { // update daemon root by asking /info endpoint (to support user // namespaced daemon with root remapped uid.gid directory)
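Review bot: In `LoadBusybox` the `load` failure path drops `err` and reports only `out`, and the `save` failure path uses `Run()`, which throws away the CLI's stderr, so a failing save surfaces as a bare exit status; use `CombinedOutput()` and include both, e.g. `if out, err := exec.Command(dockerBinary, "save", "--output", bb, "busybox:latest").CombinedOutput(); err != nil {` / `return fmt.Errorf("could not save busybox image: %v: %s", err, out)` and `return fmt.Errorf("could not load busybox image: %v: %s", err, out)`. The doc comment undersells what the function does: when `d.folder/busybox.tar` is absent it first saves busybox:latest from the main daemon into it, loads it into this daemon, then removes the tar, so every successful call re-saves; suggest `// LoadBusybox saves busybox:latest from the main daemon into d.folder/busybox.tar (unless already present), loads it into this daemon and removes the tar. The daemon must already be started, as StartWithBusybox does.` The code itself is moved from StartWithBusybox (hunk @@ -321), so its behaviour is not new to this commit.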