# bats suite: zot registry with htpasswd authentication, exercised with the
# Go runtime in FIPS mode (bcrypt entries must be rejected, sha-crypt entries
# must work). Requires: skopeo, regctl, curl, jq, htpasswd, mkpasswd.
# NOTE(review): this copy was recovered from an HTML-stripped source; text
# between a '<' and the next '>' appears to have been dropped in two places
# (the config heredoc in setup_file and the artifact round-trip in the last
# test), so those spans cannot be read or run as-is.
load helpers_zot
load ../port_helper

#######################################
# Checks that the external tools the suite shells out to are on PATH.
# Outputs: one hint line on fd 3 (bats' terminal stream) for a missing tool
# Returns: 0 when all four are present, 1 at the first missing one
# NOTE(review): skopeo and regctl are used below but are not checked here.
#######################################
function verify_prerequisites {
  # `[ ! $(command -v curl) ]` becomes `[ ! ]` when curl is absent, i.e. a
  # one-argument test of the literal string "!", which is true. It works, but
  # only by accident; `if ! command -v curl >/dev/null; then` says what is meant.
  if [ ! $(command -v curl) ]; then
    echo "you need to install curl as a prerequisite to running the tests" >&3
    return 1
  fi
  if [ ! $(command -v jq) ]; then
    echo "you need to install jq as a prerequisite to running the tests" >&3
    return 1
  fi
  if [ ! $(command -v htpasswd) ]; then
    echo "you need to install htpasswd as a prerequisite to running the tests" >&3
    return 1
  fi
  if [ ! $(command -v mkpasswd) ]; then
    echo "you need to install mkpasswd as a prerequisite to running the tests" >&3
    return 1
  fi
  return 0
}

#######################################
# bats file-level setup: fetches the busybox test image, writes an htpasswd
# file with one user per hash scheme, and (in the span lost to extraction)
# writes the zot config and starts the server.
# Globals: ZOT_LOG_FILE, zot_port (written); TEST_DATA_DIR, BATS_FILE_TMPDIR,
#          AUTH_USER..AUTH_USER5, AUTH_PASS..AUTH_PASS5 (read)
# Outputs: the zot root directory on fd 3; the chosen port in
#          ${BATS_FILE_TMPDIR}/zot.port for the individual tests
#######################################
function setup_file() {
  # Verify prerequisites are available
  # NOTE(review): `$(verify_prerequisites)` runs the function's *stdout* as the
  # command to negate. The function prints nothing on stdout (its hint goes to
  # fd 3), so this is `!` of an empty command and never reaches `exit 1` —
  # a missing tool is not caught. Intended form: `if ! verify_prerequisites; then`.
  if ! $(verify_prerequisites); then
    exit 1
  fi

  # Download test data to folder common for the entire suite, not just this file
  skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36

  # Setup zot server
  local zot_root_dir=${BATS_FILE_TMPDIR}/zot
  local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
  # Deliberately not `local`: presumably read by log_output (helpers_zot) from
  # the tests — confirm.
  ZOT_LOG_FILE=${zot_root_dir}/zot-log.json
  local zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
  zot_port=$(get_free_port_for_service "zot")
  echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port

  # One htpasswd entry per scheme the tests exercise. The AUTH_* values are
  # test fixtures; `htpasswd -b` (and `regctl ... -p` below) put the password
  # on the command line, where `ps` and bats trace output can show it, whereas
  # the mkpasswd lines feed it over stdin (`-s`). `-R` is the sha-crypt rounds
  # value; what `-R 0` produces is not visible here (the tests only call it
  # "zero rounds") — confirm against the generated file.
  htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file} # bcrypt
  echo "${AUTH_USER2}:$(echo ${AUTH_PASS2} | mkpasswd -s -R 1 -m sha-256)" >> ${zot_htpasswd_file} # sha256
  echo "${AUTH_USER3}:$(echo ${AUTH_PASS3} | mkpasswd -s -R 1 -m sha-512)" >> ${zot_htpasswd_file} # sha512
  echo "${AUTH_USER4}:$(echo ${AUTH_PASS4} | mkpasswd -s -R 0 -m sha-256)" >> ${zot_htpasswd_file} # sha256 zero rounds
  echo "${AUTH_USER5}:$(echo ${AUTH_PASS5} | mkpasswd -s -R 0 -m sha-512)" >> ${zot_htpasswd_file} # sha512 zero rounds
  echo ${zot_root_dir} >&3
  mkdir -p ${zot_root_dir}
  touch ${ZOT_LOG_FILE}
  # NOTE(review): the heredoc body written to the config file and everything
  # up to the unmatched `fi` below were lost in extraction; `</dev/null || true`
  # is the tail of some later command. Reconstruct from the repository before
  # reading anything into this remnant.
  cat > ${zot_config_file}</dev/null || true
  fi
}

#######################################
# bats file-level teardown: stops every zot instance started by the suite and
# clears GODEBUG (set in the lost span, presumably to enable fips140 — confirm).
#######################################
function teardown_file() {
  zot_stop_all
  unset GODEBUG
}

#######################################
# Helper function to verify authentication and image push.
# Logs in to the local zot as the given user and pushes the busybox test
# image to repository test-${hash_type}.
# Arguments:
#   $1 - username
#   $2 - password
#   $3 - hash_type, used only to name the target repository
#   $4 - should_succeed ("true"/"false"): expected outcome of the push
# Globals: zot_port (written), BATS_FILE_TMPDIR, TEST_DATA_DIR (read)
# Returns: fails the calling test via bats when any step's status is unexpected
#######################################
function verify_auth_and_push() {
  local user="$1"
  local pass="$2"
  local hash_type="$3"
  local should_succeed="$4"
  zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`

  # Disable TLS for regctl to avoid X25519 issues when regctl runs in FIPS mode
  # This must be done before regctl registry login, as login automatically pings the registry
  run regctl registry set localhost:${zot_port} --tls disabled
  [ "$status" -eq 0 ]

  # anonymous authn is set for zot, so all auth is ignored for the /v2/ ping
  run regctl registry login localhost:${zot_port} -u ${user} -p ${pass}
  [ "$status" -eq 0 ]

  run regctl image copy ocidir://${TEST_DATA_DIR}/busybox:1.36 localhost:${zot_port}/test-${hash_type}
  if [ "$should_succeed" = "true" ]; then
    [ "$status" -eq 0 ]
  else
    # Expected failure path (bcrypt user under FIPS): the push must be refused
    # and zot's log must say why. The final grep's non-zero status fails the
    # test if the message is absent.
    [ "$status" -eq 1 ]
    log_output | jq 'contains("htpasswd bcrypt failed since fips140 is enabled")' | grep true
  fi
}

# Point regctl at the local registry once for this file (repeated in each
# test that does not go through verify_auth_and_push).
@test "push image with regclient - setup registry" {
  zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
  run regctl registry set localhost:${zot_port} --tls disabled
  [ "$status" -eq 0 ]
}

# With fips140 enabled zot refuses the bcrypt htpasswd entry, so the push as
# AUTH_USER must fail and leave the log message checked in the helper.
@test "push image with bcrypt auth (should fail in FIPS mode)" {
  verify_auth_and_push "${AUTH_USER}" "${AUTH_PASS}" "bcrypt" "false"
}

# The sha-crypt entries stay usable under FIPS; each push lands in its own
# test-<hash_type> repository, which the pull tests below read back.
@test "push image with SHA256 auth (should succeed)" {
  verify_auth_and_push "${AUTH_USER2}" "${AUTH_PASS2}" "sha256" "true"
}

@test "push image with SHA512 auth (should succeed)" {
  verify_auth_and_push "${AUTH_USER3}" "${AUTH_PASS3}" "sha512" "true"
}

@test "push image with SHA256 auth with 0 rounds (should succeed)" {
  verify_auth_and_push "${AUTH_USER4}" "${AUTH_PASS4}" "sha256-0rounds" "true"
}

@test "push image with SHA512 auth with 0 rounds (should succeed)" {
  verify_auth_and_push "${AUTH_USER5}" "${AUTH_PASS5}" "sha512-0rounds" "true"
}

# Pull tests: each depends on the matching push test above having populated
# test-<hash_type>; they are order-dependent within this file.
@test "pull image with SHA256 auth" {
  zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
  run regctl registry set localhost:${zot_port} --tls disabled
  [ "$status" -eq 0 ]
  run regctl registry login localhost:${zot_port} -u ${AUTH_USER2} -p ${AUTH_PASS2}
  [ "$status" -eq 0 ]
  run regctl image copy localhost:${zot_port}/test-sha256 ocidir://${TEST_DATA_DIR}/busybox:sha256-pulled
  [ "$status" -eq 0 ]
}

@test "pull image with SHA512 auth" {
  zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
  run regctl registry set localhost:${zot_port} --tls disabled
  [ "$status" -eq 0 ]
  run regctl registry login localhost:${zot_port} -u ${AUTH_USER3} -p ${AUTH_PASS3}
  [ "$status" -eq 0 ]
  run regctl image copy localhost:${zot_port}/test-sha512 ocidir://${TEST_DATA_DIR}/busybox:sha512-pulled
  [ "$status" -eq 0 ]
}

@test "pull image with SHA256 auth with 0 rounds" {
  zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
  run regctl registry set localhost:${zot_port} --tls disabled
  [ "$status" -eq 0 ]
  run regctl registry login localhost:${zot_port} -u ${AUTH_USER4} -p ${AUTH_PASS4}
  [ "$status" -eq 0 ]
  run regctl image copy localhost:${zot_port}/test-sha256-0rounds ocidir://${TEST_DATA_DIR}/busybox:sha256-0rounds-pulled
  [ "$status" -eq 0 ]
}

@test "pull image with SHA512 auth with 0 rounds" {
  zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
  run regctl registry set localhost:${zot_port} --tls disabled
  [ "$status" -eq 0 ]
  run regctl registry login localhost:${zot_port} -u ${AUTH_USER5} -p ${AUTH_PASS5}
  [ "$status" -eq 0 ]
  run regctl image copy localhost:${zot_port}/test-sha512-0rounds ocidir://${TEST_DATA_DIR}/busybox:sha512-0rounds-pulled
  [ "$status" -eq 0 ]
}

# Artifact round-trip as the sha256 user: push a blob, fetch it back, compare
# digests.
@test "push OCI artifact with SHA256 auth" {
  zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
  run regctl registry set localhost:${zot_port} --tls disabled
  [ "$status" -eq 0 ]
  run regctl registry login localhost:${zot_port} -u ${AUTH_USER2} -p ${AUTH_PASS2}
  [ "$status" -eq 0 ]
  # NOTE(review): the text between this `<` redirect and the `>` that produced
  # mnist.onnx.check was lost in extraction — presumably the input file, the
  # sha256_in assignment and an `artifact get` writing the .check file. As
  # shown, sha256_in is never assigned, so the final comparison is against an
  # empty string.
  run regctl artifact put localhost:${zot_port}/artifact-sha256:demo < ${BATS_FILE_TMPDIR}/mnist.onnx.check
  sha256_out=$(sha256sum ${BATS_FILE_TMPDIR}/mnist.onnx.check | awk '{print $1}')
  [ "$sha256_in" = "$sha256_out" ]
}