diff options
| -rw-r--r-- | pkg/api/handlers/compat/auth.go | 59 | ||||
| -rw-r--r-- | pkg/api/handlers/libpod/networks.go | 2 | ||||
| -rw-r--r-- | pkg/api/handlers/libpod/swagger.go | 2 | ||||
| -rw-r--r-- | pkg/api/server/register_auth.go | 24 | ||||
| -rw-r--r-- | pkg/api/server/swagger.go | 9 | ||||
| -rw-r--r-- | pkg/bindings/network/network.go | 3 | ||||
| -rw-r--r-- | pkg/domain/entities/system.go | 11 | ||||
| -rw-r--r-- | test/apiv2/35-networks.at | 4 | ||||
| -rw-r--r-- | test/apiv2/44-mounts.at | 9 | ||||
| -rw-r--r-- | test/apiv2/60-auth.at | 24 | ||||
| -rw-r--r-- | test/apiv2/rest_api/test_rest_v2_0_0.py | 11 | ||||
| -rw-r--r-- | test/system/065-cp.bats | 1 | ||||
| -rw-r--r-- | test/system/070-build.bats | 69 | ||||
| -rw-r--r-- | test/system/120-load.bats | 3 | ||||
| -rw-r--r-- | test/system/700-play.bats | 16 |
15 files changed, 196 insertions, 51 deletions
diff --git a/pkg/api/handlers/compat/auth.go b/pkg/api/handlers/compat/auth.go new file mode 100644 index 000000000..2c152fbc2 --- /dev/null +++ b/pkg/api/handlers/compat/auth.go @@ -0,0 +1,59 @@ +package compat + +import ( + "context" + "encoding/json" + "fmt" + "net/http" + "strings" + + DockerClient "github.com/containers/image/v5/docker" + "github.com/containers/image/v5/types" + "github.com/containers/podman/v3/pkg/api/handlers/utils" + "github.com/containers/podman/v3/pkg/domain/entities" + "github.com/containers/podman/v3/pkg/registries" + docker "github.com/docker/docker/api/types" + "github.com/pkg/errors" +) + +func stripAddressOfScheme(address string) string { + for _, s := range []string{"https", "http"} { + address = strings.TrimPrefix(address, s+"://") + } + return address +} + +func Auth(w http.ResponseWriter, r *http.Request) { + var authConfig docker.AuthConfig + err := json.NewDecoder(r.Body).Decode(&authConfig) + if err != nil { + utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrapf(err, "failed to parse request")) + return + } + + skipTLS := types.NewOptionalBool(false) + if strings.HasPrefix(authConfig.ServerAddress, "https://localhost/") || strings.HasPrefix(authConfig.ServerAddress, "https://localhost:") || strings.HasPrefix(authConfig.ServerAddress, "localhost:") { + // support for local testing + skipTLS = types.NewOptionalBool(true) + } + + fmt.Println("Authenticating with existing credentials...") + sysCtx := types.SystemContext{ + AuthFilePath: "", + DockerCertPath: "", + DockerInsecureSkipTLSVerify: skipTLS, + SystemRegistriesConfPath: registries.SystemRegistriesConfPath(), + } + registry := stripAddressOfScheme(authConfig.ServerAddress) + if err := DockerClient.CheckAuth(context.Background(), &sysCtx, authConfig.Username, authConfig.Password, registry); err == nil { + utils.WriteResponse(w, http.StatusOK, entities.AuthReport{ + IdentityToken: "", + Status: "Login Succeeded", + }) + } else { + utils.WriteResponse(w, http.StatusBadRequest, entities.AuthReport{ + IdentityToken: "", + Status: "login attempt to " + authConfig.ServerAddress + " failed with status: " + err.Error(), + }) + } +} diff --git a/pkg/api/handlers/libpod/networks.go b/pkg/api/handlers/libpod/networks.go index a6c4f6d64..48cd37994 100644 --- a/pkg/api/handlers/libpod/networks.go +++ b/pkg/api/handlers/libpod/networks.go @@ -128,7 +128,7 @@ func InspectNetwork(w http.ResponseWriter, r *http.Request) { utils.InternalServerError(w, err) return } - utils.WriteResponse(w, http.StatusOK, reports) + utils.WriteResponse(w, http.StatusOK, reports[0]) } // Connect adds a container to a network diff --git a/pkg/api/handlers/libpod/swagger.go b/pkg/api/handlers/libpod/swagger.go index 1bececa1a..2631f19ac 100644 --- a/pkg/api/handlers/libpod/swagger.go +++ b/pkg/api/handlers/libpod/swagger.go @@ -102,7 +102,7 @@ type swagNetworkRmReport struct { // swagger:response NetworkInspectReport type swagNetworkInspectReport struct { // in:body - Body []entities.NetworkInspectReport + Body entities.NetworkInspectReport } // Network list diff --git a/pkg/api/server/register_auth.go b/pkg/api/server/register_auth.go index 1e5474462..56e115e30 100644 --- a/pkg/api/server/register_auth.go +++ b/pkg/api/server/register_auth.go @@ -1,13 +1,33 @@ package server import ( + "net/http" + "github.com/containers/podman/v3/pkg/api/handlers/compat" "github.com/gorilla/mux" ) func (s *APIServer) registerAuthHandlers(r *mux.Router) error { - r.Handle(VersionedPath("/auth"), s.APIHandler(compat.UnsupportedHandler)) + // swagger:operation POST /auth compat auth + // --- + // summary: Check auth configuration + // tags: + // - system (compat) + // produces: + // - application/json + // parameters: + // - in: body + // name: authConfig + // description: Authentication to check + // schema: + // $ref: "#/definitions/AuthConfig" + // responses: + // 200: + // $ref: "#/responses/SystemAuthResponse" + // 500: + // $ref: "#/responses/InternalError" + r.Handle(VersionedPath("/auth"), s.APIHandler(compat.Auth)).Methods(http.MethodPost) // Added non version path to URI to support docker non versioned paths - r.Handle("/auth", s.APIHandler(compat.UnsupportedHandler)) + r.Handle("/auth", s.APIHandler(compat.Auth)).Methods(http.MethodPost) return nil } diff --git a/pkg/api/server/swagger.go b/pkg/api/server/swagger.go index 92efb8ef3..12fd083bb 100644 --- a/pkg/api/server/swagger.go +++ b/pkg/api/server/swagger.go @@ -226,3 +226,12 @@ type swagSystemPruneReport struct { entities.SystemPruneReport } } + +// Auth response +// swagger:response SystemAuthResponse +type swagSystemAuthResponse struct { + // in:body + Body struct { + entities.AuthReport + } +} diff --git a/pkg/bindings/network/network.go b/pkg/bindings/network/network.go index 46a3719fe..6f3aa8594 100644 --- a/pkg/bindings/network/network.go +++ b/pkg/bindings/network/network.go @@ -40,6 +40,7 @@ func Create(ctx context.Context, options *CreateOptions) (*entities.NetworkCreat // Inspect returns low level information about a CNI network configuration func Inspect(ctx context.Context, nameOrID string, options *InspectOptions) ([]entities.NetworkInspectReport, error) { var reports []entities.NetworkInspectReport + reports = append(reports, entities.NetworkInspectReport{}) if options == nil { options = new(InspectOptions) } @@ -52,7 +53,7 @@ func Inspect(ctx context.Context, nameOrID string, options *InspectOptions) ([]e if err != nil { return nil, err } - return reports, response.Process(&reports) + return reports, response.Process(&reports[0]) } // Remove deletes a defined CNI network configuration by name. The optional force boolean diff --git a/pkg/domain/entities/system.go b/pkg/domain/entities/system.go index a1cfb4481..4b8383613 100644 --- a/pkg/domain/entities/system.go +++ b/pkg/domain/entities/system.go @@ -107,3 +107,14 @@ type ComponentVersion struct { type ListRegistriesReport struct { Registries []string } + +// swagger:model AuthConfig +type AuthConfig struct { + types.AuthConfig +} + +// AuthReport describes the response for authentication check +type AuthReport struct { + IdentityToken string + Status string +} diff --git a/test/apiv2/35-networks.at b/test/apiv2/35-networks.at index 98786e914..ce7ca628a 100644 --- a/test/apiv2/35-networks.at +++ b/test/apiv2/35-networks.at @@ -30,6 +30,10 @@ t GET libpod/networks/json?filters='{"name":["network1"]}' 200 \ .[0].Name=network1 t GET networks 200 +#inspect network +t GET libpod/networks/network1/json 200 \ + .name="network1" + #network list docker endpoint t GET networks?filters='{"name":["network1","network2"]}' 200 \ length=2 diff --git a/test/apiv2/44-mounts.at b/test/apiv2/44-mounts.at index 901245da6..d54669e7d 100644 --- a/test/apiv2/44-mounts.at +++ b/test/apiv2/44-mounts.at @@ -6,7 +6,7 @@ podman pull $IMAGE &>/dev/null tmpfs_name="/mytmpfs" t POST containers/create?name=hostconfig_test \ Image=$IMAGE \ - Cmd='["df"]' \ + Cmd='["df","-P","'$tmpfs_name'"]' \ HostConfig='{"Binds":["/tmp/doesnotexist:/test1"]' \ TmpFs="{\"$tmpfs_name\":\"rw\"}}" \ 201 \ @@ -22,5 +22,10 @@ t POST containers/${cid}/start 204 t POST containers/${cid}/wait 200 t GET containers/${cid}/logs?stdout=true 200 -like "$(<$WORKDIR/curl.result.out)" ".* ${tmpfs_name}" \ +# /logs returns application/octet-stream, which our test helper saves in +# an outfile rather than returning in $output. That's why we can't test +# this directly in the /logs test above; instead, we rely on knowing the +# path to the stored results. The 'tr' is needed because there may be +# null bytes in the outfile. +like "$(tr -d \\0 <$WORKDIR/curl.result.out)" ".* ${tmpfs_name}" \ "'df' output includes tmpfs name" diff --git a/test/apiv2/60-auth.at b/test/apiv2/60-auth.at index 378955cd7..cfde519c1 100644 --- a/test/apiv2/60-auth.at +++ b/test/apiv2/60-auth.at @@ -5,25 +5,19 @@ start_registry -# FIXME FIXME FIXME: remove the 'if false' for use with PR 9589 -if false; then - -# FIXME FIXME: please forgive the horrible POST params format; I have an -# upcoming PR which should fix that. - # Test with wrong password. Confirm bad status and appropriate error message -t POST /v1.40/auth "\"username\":\"${REGISTRY_USERNAME}\",\"password\":\"WrOnGPassWord\",\"serveraddress\":\"localhost:$REGISTRY_PORT/\"" \ +t POST /v1.40/auth username=$REGISTRY_USERNAME password=WrOnGPassWord serveraddress=localhost:$REGISTRY_PORT/ \ 400 \ .Status~'.* invalid username/password' -# Test with the right password. Confirm status message and reasonable token -t POST /v1.40/auth "\"username\":\"${REGISTRY_USERNAME}\",\"password\":\"${REGISTRY_PASSWORD}\",\"serveraddress\":\"localhost:$REGISTRY_PORT/\"" \ +# Test with the right password. Confirm status message +t POST /v1.40/auth username=$REGISTRY_USERNAME password=$REGISTRY_PASSWORD serveraddress=localhost:$REGISTRY_PORT/ \ 200 \ .Status="Login Succeeded" \ - .IdentityToken~[a-zA-Z0-9] - -# FIXME: now what? Try something-something using that token? -token=$(jq -r .IdentityToken <<<"$output") -# ... + .IdentityToken="" -fi # FIXME FIXME FIXME: remove when working +# Same test with url scheme provided +t POST /v1.40/auth username=$REGISTRY_USERNAME password=$REGISTRY_PASSWORD serveraddress=https://localhost:$REGISTRY_PORT/ \ + 200 \ + .Status="Login Succeeded" \ + .IdentityToken="" diff --git a/test/apiv2/rest_api/test_rest_v2_0_0.py b/test/apiv2/rest_api/test_rest_v2_0_0.py index c0b61ea85..d7910f555 100644 --- a/test/apiv2/rest_api/test_rest_v2_0_0.py +++ b/test/apiv2/rest_api/test_rest_v2_0_0.py @@ -555,17 +555,6 @@ class TestApi(unittest.TestCase): self.assertIn(name, payload["VolumesDeleted"]) self.assertGreater(payload["SpaceReclaimed"], 0) - def test_auth_compat(self): - r = requests.post( - PODMAN_URL + "/v1.40/auth", - json={ - "username": "bozo", - "password": "wedontneednopasswords", - "serveraddress": "https://localhost/v1.40/", - }, - ) - self.assertEqual(r.status_code, 404, r.content) - def test_version(self): r = requests.get(PODMAN_URL + "/v1.40/version") self.assertEqual(r.status_code, 200, r.content) diff --git a/test/system/065-cp.bats b/test/system/065-cp.bats index 73e807843..679cdc209 100644 --- a/test/system/065-cp.bats +++ b/test/system/065-cp.bats @@ -370,6 +370,7 @@ load helpers is "${lines[0]}" "${randomcontent[0]}" "eval symlink - created container" is "${lines[1]}" "${randomcontent[1]}" "eval symlink - created container" run_podman rm -f cpcontainer + run_podman rmi $cpimage } diff --git a/test/system/070-build.bats b/test/system/070-build.bats index d413b0c10..8f6cdb46b 100644 --- a/test/system/070-build.bats +++ b/test/system/070-build.bats @@ -241,11 +241,21 @@ EOF build_arg_implicit+="=$arg_implicit_value" fi + # FIXME FIXME FIXME: 2021-03-15: workaround for #9567 (slow ubuntu 2004): + # we're seeing lots of timeouts in CI. Until/unless #9567 gets fixed, + # let's get CI passing by extending the timeout when remote on ubuntu + local localtimeout=${PODMAN_TIMEOUT} + if is_remote; then + if grep -qi ubuntu /etc/os-release; then + localtimeout=$(( 2 * $localtimeout )) + fi + fi + # cd to the dir, so we test relative paths (important for podman-remote) cd $PODMAN_TMPDIR export arg_explicit="THIS SHOULD BE OVERRIDDEN BY COMMAND LINE!" export arg_implicit=${arg_implicit_value} - run_podman ${MOUNTS_CONF} build \ + PODMAN_TIMEOUT=$localtimeout run_podman ${MOUNTS_CONF} build \ --build-arg arg_explicit=${arg_explicit_value} \ $build_arg_implicit \ --dns-search $nosuchdomain \ @@ -594,34 +604,46 @@ EOF run_podman rmi -a --force } +# Caveat lector: this test was mostly copy-pasted from buildah in #9275. +# It's not entirely clear what it's testing, or if the 'mount' section is +# necessary. @test "build with copy-from referencing the base image" { - skip_if_rootless "cannot mount as rootless" - target=busybox-derived - target_mt=busybox-mt-derived + target=derived + target_mt=derived-mt tmpdir=$PODMAN_TMPDIR/build-test mkdir -p $tmpdir + containerfile1=$tmpdir/Containerfile1 - cat >$containerfile1 <<EOF -FROM quay.io/libpod/busybox AS build -RUN rm -f /bin/paste + cat >$containerfile1 <<EOF +FROM $IMAGE AS build +RUN rm -f /etc/issue USER 1001 -COPY --from=quay.io/libpod/busybox /bin/paste /test/ +COPY --from=$IMAGE /etc/issue /test/ EOF + containerfile2=$tmpdir/Containerfile2 - cat >$containerfile2 <<EOF -FROM quay.io/libpod/busybox AS test -RUN rm -f /bin/nl + cat >$containerfile2 <<EOF +FROM $IMAGE AS test +RUN rm -f /etc/alpine-release FROM quay.io/libpod/alpine AS final -COPY --from=quay.io/libpod/busybox /bin/nl /test/ +COPY --from=$IMAGE /etc/alpine-release /test/ EOF - run_podman build -t ${target} -f ${containerfile1} ${tmpdir} - run_podman build --jobs 4 -t ${target} -f ${containerfile1} ${tmpdir} - run_podman build -t ${target} -f ${containerfile2} ${tmpdir} + # Before the build, $IMAGE's base image should not be present + local base_image=quay.io/libpod/alpine:latest + run_podman 1 image exists $base_image + + run_podman build --jobs 1 -t ${target} -f ${containerfile2} ${tmpdir} run_podman build --no-cache --jobs 4 -t ${target_mt} -f ${containerfile2} ${tmpdir} + # After the build, the base image should exist + run_podman image exists $base_image + # (can only test locally; podman-remote has no image mount command) - if ! is_remote; then + # (can also only test as root; mounting under rootless podman is too hard) + # We perform the test as a conditional, not a 'skip', because there's + # value in testing the above 'build' commands even remote & rootless. + if ! is_remote && ! is_rootless; then run_podman image mount ${target} root_single_job=$output @@ -629,8 +651,21 @@ EOF root_multi_job=$output # Check that both the version with --jobs 1 and --jobs=N have the same number of files - test $(find $root_single_job -type f | wc -l) = $(find $root_multi_job -type f | wc -l) + nfiles_single=$(find $root_single_job -type f | wc -l) + nfiles_multi=$(find $root_multi_job -type f | wc -l) + run_podman image umount ${target_mt} + run_podman image umount ${target} + + is "$nfiles_single" "$nfiles_multi" \ + "Number of files (--jobs=1) == (--jobs=4)" + + # Make sure the number is reasonable + test "$nfiles_single" -gt 50 fi + + # Clean up + run_podman rmi ${target_mt} ${target} ${base_image} + run_podman image prune -f } @test "podman build --logfile test" { diff --git a/test/system/120-load.bats b/test/system/120-load.bats index 936449bdb..95113c4a6 100644 --- a/test/system/120-load.bats +++ b/test/system/120-load.bats @@ -31,6 +31,9 @@ verify_iid_and_name() { invalid=$PODMAN_TMPDIR/invalid echo "I am an invalid file and should cause a podman-load error" > $invalid run_podman 125 load -i $invalid + # podman and podman-remote emit different messages; this is a common string + is "$output" ".*error pulling image: unable to pull .*" \ + "load -i INVALID fails with expected diagnostic" } @test "podman save to pipe and load" { diff --git a/test/system/700-play.bats b/test/system/700-play.bats index e7904f59f..8fa96741c 100644 --- a/test/system/700-play.bats +++ b/test/system/700-play.bats @@ -5,6 +5,20 @@ load helpers +# This is a long ugly way to clean up pods and remove the pause image +function teardown() { + run_podman pod rm -f -a + run_podman rm -f -a + run_podman image list --format '{{.ID}} {{.Repository}}' + while read id name; do + if [[ "$name" =~ /pause ]]; then + run_podman rmi $id + fi + done <<<"$output" + + basic_teardown +} + testYaml=" apiVersion: v1 kind: Pod @@ -24,7 +38,7 @@ spec: value: xterm - name: container value: podman - image: quay.io/libpod/alpine:latest + image: $IMAGE name: test resources: {} securityContext: |