mirror of
https://github.com/project-zot/zot.git
synced 2026-06-17 12:58:02 +08:00
Andrei Aaron
95ce68ccb0
* refactor(test/blackbox): extract shared push/pull helpers Move duplicated push/pull/regclient/oras/helm helper functions out of fips140.bats, pushpull.bats and helpers_upgrade.bash into a single helpers_pushpull.bash, then have all three suites load from there. The helpers now share verify_prerequisites, get_zot_port, common assertion helpers (catalog/tag presence, OCI index ref name) and the regclient pagination listing. helpers_upgrade.bash keeps only the test_release_* and test_new_* wrappers that compose those helpers. Net effect: ~1000 lines of duplicated test scaffolding removed across the four files; behavior of the existing test cases is preserved. Refs: #3727 Signed-off-by: Akash Kumar <meakash7902@gmail.com> * refactor(test/blackbox): share pushpull lifecycle and dedupe authn helpers Build on the shared helpers_pushpull.bash to remove more duplicated blackbox scaffolding: - Add pushpull_setup_file/pushpull_teardown/pushpull_teardown_file keyed on PUSHPULL_FIPS_MODE so pushpull.bats and fips140.bats only set the flag and delegate lifecycle, instead of each carrying a near-identical setup_file/teardown. - Add helpers_pushpull_authn.bash (loaded by pushpull_authn.bats and fips140_authn.bats) for shared htpasswd setup, FIPS vs non-FIPS config and teardown, and the regclient/OCI/ML test helpers; both authn suites collapse to one-line @test bodies keyed on PUSHPULL_AUTHN_FIPS_MODE. - Make each authn helper self-sufficient by performing its own regctl login, removing the hidden dependency on the first test having logged in. - Split the implicit manifest delete out of helper_pull_image_index_and_delete into a standalone helper_delete_manifest, surfaced as its own "delete image index" @test in the pushpull, fips140 and upgrade suites, so the delete is explicit and no longer an order-fragile side effect of a pull. Refs: #3727 Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * fix(test/blackbox): harden flaky oras pull and sync signature tests Set org.opencontainers.image.title on oras artifact push and verify pull both via oras pull and manifest/blob fetch. Add retry_until_success and use it for periodic notation/cosign signature sync checks on slow CI. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * fix(test/blackbox): address Copilot review feedback in push/pull helpers Use curl --fail for manifest deletes so HTTP errors fail the test. Remove the duplicate regctl --format flag in helper_push_manifest_with_regclient. Harden helper_authn_ml_artifacts with run and status checks, using a binary-safe shell redirect for the ONNX artifact round-trip. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * fix(test/blackbox): isolate pushpull helper temp files and prerequisites Write oras artifact and docker build files under BATS_TEST_TMPDIR instead of the test working directory, and check git/docker in verify_prerequisites for clearer failures when running bats directly. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * fix(test): use verify_prerequisites exit status in bats setup Replace `$(verify_prerequisites)` with a direct call across blackbox and scale-out suites. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * fix(test/blackbox): unify blackbox log path to zot/zot-log.json Drop the FIPS vs non-FIPS split between zot-log.json and zot.log in pushpull, authn, and upgrade helpers. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * refactor(test/blackbox): loop over tools in verify_prerequisites Replace repeated command -v checks with a single loop over curl, jq, git, and docker. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * refactor(test/blackbox): fix exit code for retry_until_success Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * refactor(test/blackbox): inline upgrade tests and drop helpers_upgrade Call helper_* directly from upgrade.bats and upgrade_minimal.bats, load helpers_pushpull in those suites, and move teardown there. Remove helpers_upgrade.bash now that the release/new wrappers are gone. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * refactor(test/blackbox): require explicit args on pushpull helpers Drop parameter defaults from shared push/pull helpers and pass image, repository, and pagination values explicitly at each call site. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * fix(test/blackbox): clarify docker push/pull negative test naming Rename helper_push_docker_image to helper_build_docker_image_push_and_pull and update test titles to reflect build plus expected push/pull failures without the docker compatibility extension. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * fix(test/blackbox): isolate regctl config per BATS suite regctl persists login and TLS settings on disk, so push/pull blackbox tests could leak state into ~/.regctl/config.json across suites. Point REGCTL_CONFIG at BATS_FILE_TMPDIR for pushpull, authn, and upgrade suites, configure TLS once in authn setup, and drop redundant logout and per-login TLS setup. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * fix(test/blackbox): harden upgrade suite log dump on failure Touch zot-log.json during upgrade setup and only cat it in teardown when the file exists, so a missing log cannot mask the underlying test failure. Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> --------- Signed-off-by: Akash Kumar <meakash7902@gmail.com> Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> Co-authored-by: Akash Kumar <meakash7902@gmail.com>
425 lines
12 KiB
Bash
425 lines
12 KiB
Bash
# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
|
|
# Makefile target installs & checks all necessary tooling
|
|
# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
|
|
|
|
load helpers_zot
|
|
load helpers_pushpull
|
|
load ../port_helper
|
|
|
|
function setup_file() {
|
|
# Use unique config name based on test file name and test run to avoid conflicts
|
|
export REGISTRY_NAME=$(basename "${BASH_SOURCE[0]}" .bats)-$(basename "${BATS_FILE_TMPDIR}")
|
|
# Verify prerequisites are available
|
|
if ! verify_prerequisites; then
|
|
exit 1
|
|
fi
|
|
pushpull_isolate_regctl_config
|
|
# Download test data to folder common for the entire suite, not just this file
|
|
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
|
|
# Setup zot server
|
|
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
|
|
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
|
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
|
|
mkdir -p ${zot_root_dir}
|
|
mkdir -p ${oci_data_dir}
|
|
touch "${zot_root_dir}/zot-log.json"
|
|
zot_port=$(get_free_port_for_service "zot")
|
|
echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port
|
|
cat > ${zot_config_file}<<JSON
|
|
{
|
|
"distSpecVersion": "1.1.1",
|
|
"storage": {
|
|
"rootDirectory": "${zot_root_dir}"
|
|
},
|
|
"http": {
|
|
"address": "0.0.0.0",
|
|
"port": "${zot_port}"
|
|
},
|
|
"log": {
|
|
"level": "debug",
|
|
"output": "${zot_root_dir}/zot-log.json"
|
|
},
|
|
"extensions": {
|
|
"search": {
|
|
"cve": {
|
|
"updateInterval": "2h"
|
|
}
|
|
},
|
|
"ui": {
|
|
"enable": true
|
|
}
|
|
}
|
|
}
|
|
JSON
|
|
git -C ${BATS_FILE_TMPDIR} clone https://github.com/project-zot/helm-charts.git
|
|
zot_rel_serve ${zot_config_file}
|
|
wait_zot_reachable ${zot_port}
|
|
|
|
# setup zli to add zot registry to configs
|
|
local registry_url="http://127.0.0.1:${zot_port}/"
|
|
zli_add_config ${REGISTRY_NAME} ${registry_url}
|
|
}
|
|
|
|
function teardown() {
|
|
# conditionally printing on failure is possible from teardown but not from teardown_file
|
|
[ -f "${BATS_FILE_TMPDIR}/zot/zot-log.json" ] && cat "${BATS_FILE_TMPDIR}/zot/zot-log.json"
|
|
}
|
|
|
|
function teardown_file() {
|
|
zot_stop_all
|
|
}
|
|
|
|
# ==============================================================================
|
|
# RELEASE TESTS - Test released version before upgrade
|
|
# ==============================================================================
|
|
|
|
@test "[release] push image" {
|
|
helper_push_image golang 1.20 oci:${TEST_DATA_DIR}/golang:1.20
|
|
}
|
|
|
|
@test "[release] pull image" {
|
|
helper_pull_image golang 1.20
|
|
}
|
|
|
|
@test "[release] push image index" {
|
|
helper_push_image_index docker://public.ecr.aws/docker/library/busybox:latest busybox latest
|
|
}
|
|
|
|
@test "[release] pull image index" {
|
|
helper_pull_image_index busybox latest
|
|
}
|
|
|
|
@test "[release] push oras artifact" {
|
|
helper_push_oras_artifact hello-artifact v2
|
|
}
|
|
|
|
@test "[release] pull oras artifact" {
|
|
helper_pull_oras_artifact hello-artifact v2
|
|
}
|
|
|
|
@test "[release] attach oras artifacts" {
|
|
helper_attach_oras_artifacts golang 1.20
|
|
}
|
|
|
|
@test "[release] discover oras artifacts" {
|
|
helper_discover_oras_artifacts golang 1.20 2
|
|
}
|
|
|
|
@test "[release] add and list tags using oras" {
|
|
helper_add_and_list_tags_using_oras
|
|
}
|
|
|
|
@test "[release] push helm chart" {
|
|
helper_push_helm_chart
|
|
}
|
|
|
|
@test "[release] pull helm chart" {
|
|
helper_pull_helm_chart
|
|
}
|
|
|
|
@test "[release] push image with regclient" {
|
|
helper_push_image_with_regclient "ocidir://${TEST_DATA_DIR}/golang:1.20" test-regclient
|
|
}
|
|
|
|
@test "[release] pull image with regclient" {
|
|
helper_pull_image_with_regclient test-regclient "ocidir://${TEST_DATA_DIR}/golang:1.20"
|
|
}
|
|
|
|
@test "[release] list repositories with regclient" {
|
|
helper_list_repositories_with_regclient_pagination 2 busybox golang test-regclient "-2:busybox" "-1:golang"
|
|
}
|
|
|
|
@test "[release] list image tags with regclient" {
|
|
helper_list_image_tags_with_regclient test-regclient
|
|
}
|
|
|
|
@test "[release] push manifest with regclient" {
|
|
helper_push_manifest_with_regclient test-regclient 1.0.0
|
|
}
|
|
|
|
@test "[release] pull manifest with regclient" {
|
|
helper_pull_manifest_with_regclient test-regclient
|
|
}
|
|
|
|
@test "[release] pull manifest with docker client" {
|
|
helper_pull_manifest_with_docker_client test-regclient
|
|
}
|
|
|
|
@test "[release] pull manifest with crictl" {
|
|
helper_pull_manifest_with_crictl test-regclient
|
|
}
|
|
|
|
@test "[release] push OCI artifact with regclient" {
|
|
helper_push_oci_artifact_with_regclient artifact:demo
|
|
}
|
|
|
|
@test "[release] pull OCI artifact with regclient" {
|
|
helper_pull_oci_artifact_with_regclient artifact:demo "this is an artifact"
|
|
}
|
|
|
|
@test "[release] push OCI artifact references with regclient" {
|
|
helper_push_oci_artifact_references_with_regclient 0
|
|
}
|
|
|
|
@test "[release] pull OCI artifact references with regclient" {
|
|
helper_pull_oci_artifact_references_with_regclient 1
|
|
}
|
|
|
|
@test "[release] build docker image and verify docker push and pull fail" {
|
|
helper_build_docker_image_push_and_pull
|
|
}
|
|
|
|
@test "[release] list by image name" {
|
|
zot_port=$(get_zot_port)
|
|
run ${ZLI_PATH} repo list --config ${REGISTRY_NAME}
|
|
[ "$status" -eq 0 ]
|
|
|
|
echo ${lines[@]}
|
|
}
|
|
|
|
@test "[release] cve by image name and tag" {
|
|
zot_port=$(get_zot_port)
|
|
run ${ZLI_PATH} cve list golang:1.20 --config ${REGISTRY_NAME}
|
|
[ "$status" -eq 0 ]
|
|
|
|
echo ${lines[@]}
|
|
|
|
found=0
|
|
for i in "${lines[@]}"
|
|
do
|
|
if [[ "$i" = *"CVE-2011-4915 LOW fs/proc/base.c in the Linux kernel through 3..."* ]]; then
|
|
found=1
|
|
fi
|
|
done
|
|
[ "$found" -eq 1 ]
|
|
}
|
|
|
|
# ==============================================================================
|
|
# UPGRADE - Switch to new binary
|
|
# ==============================================================================
|
|
|
|
@test "[upgrade] upgrade to new binary" {
|
|
zot_stop_all
|
|
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
|
|
local zot_port=$(get_zot_port)
|
|
zot_serve ${ZOT_PATH} ${zot_config_file}
|
|
wait_zot_reachable ${zot_port}
|
|
sleep 60 # zot does additional initialization/verification during startup
|
|
}
|
|
|
|
# ==============================================================================
|
|
# NEW TESTS - Test new version after upgrade
|
|
# After upgrading to the new binary, expect additional artifacts (a signature
|
|
# and an sbom) that were attached
|
|
# ==============================================================================
|
|
|
|
@test "[new] existing list by image name" {
|
|
zot_port=$(get_zot_port)
|
|
run ${ZLI_PATH} repo list --config ${REGISTRY_NAME}
|
|
[ "$status" -eq 0 ]
|
|
|
|
echo ${lines[@]}
|
|
found=0
|
|
for i in "${lines[@]}"
|
|
do
|
|
case "$i" in
|
|
busybox | golang)
|
|
((++found))
|
|
;;
|
|
*)
|
|
;;
|
|
esac
|
|
done
|
|
[ "$found" -eq 2 ]
|
|
}
|
|
|
|
@test "[new] existing cve by image name and tag" {
|
|
zot_port=$(get_zot_port)
|
|
run ${ZLI_PATH} cve list golang:1.20 --config ${REGISTRY_NAME}
|
|
[ "$status" -eq 0 ]
|
|
|
|
echo ${lines[@]}
|
|
|
|
found=0
|
|
for i in "${lines[@]}"
|
|
do
|
|
if [[ "$i" = *"CVE-2011-4915 LOW fs/proc/base.c in the Linux kernel through 3..."* ]]; then
|
|
found=1
|
|
fi
|
|
done
|
|
[ "$found" -eq 1 ]
|
|
}
|
|
|
|
@test "[new] existing pull image" {
|
|
helper_pull_image golang 1.20
|
|
}
|
|
|
|
@test "[new] existing pull image index" {
|
|
helper_pull_image_index busybox latest
|
|
}
|
|
|
|
@test "[new] existing pull oras artifact" {
|
|
helper_pull_oras_artifact hello-artifact v2
|
|
}
|
|
|
|
@test "[new] existing list repositories with regclient" {
|
|
helper_list_repositories_with_regclient_pagination 4 busybox golang test-regclient "-2:busybox" "-1:golang"
|
|
}
|
|
|
|
@test "[new] push image" {
|
|
helper_assert_catalog_has_repo golang
|
|
helper_push_image golang 1.20 oci:${TEST_DATA_DIR}/golang:1.20
|
|
helper_push_image alpine 3.17.3 docker://ghcr.io/project-zot/test-images/alpine:3.17.3
|
|
helper_assert_catalog_has_repo golang
|
|
helper_assert_catalog_has_repo alpine
|
|
helper_assert_repo_has_tag golang 1.20
|
|
}
|
|
|
|
@test "[new] pull image" {
|
|
helper_pull_image golang 1.20
|
|
}
|
|
|
|
@test "[new] push image index" {
|
|
helper_push_image_index docker://public.ecr.aws/docker/library/busybox:latest busybox latest
|
|
}
|
|
|
|
@test "[new] pull image index" {
|
|
helper_pull_image_index busybox latest
|
|
}
|
|
|
|
@test "[new] delete image index" {
|
|
helper_delete_manifest busybox latest
|
|
}
|
|
|
|
@test "[new] push oras artifact" {
|
|
helper_push_oras_artifact hello-artifact v2
|
|
}
|
|
|
|
@test "[new] pull oras artifact" {
|
|
helper_pull_oras_artifact hello-artifact v2
|
|
}
|
|
|
|
@test "[new] attach oras artifacts" {
|
|
helper_attach_oras_artifacts golang 1.20
|
|
}
|
|
|
|
@test "[new] discover oras artifacts" {
|
|
helper_discover_oras_artifacts golang 1.20 4
|
|
}
|
|
|
|
@test "[new] add and list tags using oras" {
|
|
helper_add_and_list_tags_using_oras
|
|
}
|
|
|
|
@test "[new] push helm chart" {
|
|
helper_push_helm_chart
|
|
}
|
|
|
|
@test "[new] pull helm chart" {
|
|
helper_pull_helm_chart
|
|
}
|
|
|
|
@test "[new] push image with regclient" {
|
|
helper_push_image_with_regclient "ocidir://${TEST_DATA_DIR}/golang:1.20" test-regclient
|
|
}
|
|
|
|
@test "[new] pull image with regclient" {
|
|
helper_pull_image_with_regclient test-regclient "ocidir://${TEST_DATA_DIR}/golang:1.20"
|
|
}
|
|
|
|
@test "[new] list repositories with regclient" {
|
|
helper_list_repositories_with_regclient_pagination 4 busybox golang test-regclient "0:alpine" "-1:busybox"
|
|
}
|
|
|
|
@test "[new] list image tags with regclient" {
|
|
helper_list_image_tags_with_regclient test-regclient
|
|
}
|
|
|
|
@test "[new] push manifest with regclient" {
|
|
helper_push_manifest_with_regclient test-regclient 1.0.0
|
|
}
|
|
|
|
@test "[new] pull manifest with regclient" {
|
|
helper_pull_manifest_with_regclient test-regclient
|
|
}
|
|
|
|
@test "[new] pull manifest with docker client" {
|
|
helper_pull_manifest_with_docker_client test-regclient
|
|
}
|
|
|
|
@test "[new] pull manifest with crictl" {
|
|
helper_pull_manifest_with_crictl test-regclient
|
|
}
|
|
|
|
@test "[new] push OCI artifact with regclient" {
|
|
helper_push_oci_artifact_with_regclient artifact:demo
|
|
}
|
|
|
|
@test "[new] pull OCI artifact with regclient" {
|
|
helper_pull_oci_artifact_with_regclient artifact:demo "this is an artifact"
|
|
}
|
|
|
|
@test "[new] push OCI artifact references with regclient" {
|
|
helper_push_oci_artifact_references_with_regclient 1
|
|
}
|
|
|
|
@test "[new] pull OCI artifact references with regclient" {
|
|
helper_pull_oci_artifact_references_with_regclient 1
|
|
}
|
|
|
|
@test "[new] build docker image and verify docker push and pull fail" {
|
|
helper_build_docker_image_push_and_pull
|
|
}
|
|
|
|
@test "[new] list by image name" {
|
|
zot_port=$(get_zot_port)
|
|
run ${ZLI_PATH} repo list --config ${REGISTRY_NAME}
|
|
[ "$status" -eq 0 ]
|
|
|
|
echo ${lines[@]}
|
|
found=0
|
|
for i in "${lines[@]}"
|
|
do
|
|
case "$i" in
|
|
alpine | busybox | golang)
|
|
((++found))
|
|
;;
|
|
*)
|
|
;;
|
|
esac
|
|
done
|
|
[ "$found" -eq 3 ]
|
|
}
|
|
|
|
@test "[new] cve by image name and tag" {
|
|
zot_port=$(get_zot_port)
|
|
run ${ZLI_PATH} cve list golang:1.20 --config ${REGISTRY_NAME}
|
|
[ "$status" -eq 0 ]
|
|
|
|
echo ${lines[@]}
|
|
|
|
found=0
|
|
for i in "${lines[@]}"
|
|
do
|
|
if [[ "$i" = *"CVE-2011-4915 LOW fs/proc/base.c in the Linux kernel through 3..."* ]]; then
|
|
found=1
|
|
fi
|
|
done
|
|
[ "$found" -eq 1 ]
|
|
|
|
run ${ZLI_PATH} cve list alpine:3.17.3 --config ${REGISTRY_NAME}
|
|
[ "$status" -eq 0 ]
|
|
|
|
echo ${lines[@]}
|
|
|
|
found=0
|
|
for i in "${lines[@]}"
|
|
do
|
|
# Severity can change with Trivy DB / vulnSeveritySources (e.g. auto); match CVE id + title only.
|
|
if [[ "$i" = *"CVE-2025-26519"* && "$i" = *"musl libc 0.9.13 through 1.2.5 before 1.2.6 h"* ]]; then
|
|
found=1
|
|
fi
|
|
done
|
|
[ "$found" -eq 1 ]
|
|
}
|