archive
/
watchtower
mirror of https://github.com/containrrr/watchtower
1
0
Fork 0
Code Releases Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/go_modules/github.com/docker/cli-26.0.0incompatible
dependabot/go_modules/github.com/docker/docker-26.0.0incompatible
dependabot/github_actions/dominikh/staticcheck-action-1.3.1
dependabot/go_modules/github.com/docker/docker-24.0.9incompatible
dependabot/go_modules/github.com/onsi/gomega-1.32.0
dependabot/github_actions/docker/login-action-3.1.0
dependabot/go_modules/google.golang.org/protobuf-1.33.0
dependabot/go_modules/golang.org/x/net-0.22.0
dependabot/github_actions/hmarr/auto-approve-action-4
dependabot/github_actions/codecov/codecov-action-4
dependabot/docker/dockerfiles/alpine-3.19.1
dependabot/go_modules/github.com/docker/go-connections-0.5.0
refactor-update
main
dependabot/github_actions/actions/setup-go-5
gh-pages
feat/extended-api
feat/opencontainers-labels
feat/registry-client
fix/snakeswap
fix/image-tag-from-hash
feat/api-report
feature/http-overhaul
feat/graph-updates
fix/avoid-rate-limits
feature/urls-from-file
v1.7.0
v1.6.0
v1.5.3
v1.5.2
v1.3.0
v1.1.6
v1.1.5
v0.1.0
CenturyLink
v0.1.1
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.2.0
v1.2.1
v1.4.0
v1.5.0
v1.5.1
v1.7.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '25fdb40312'
${ noResults }
watchtower/pkg/registry/auth/auth_test.go

163 lines
6.2 KiB
Go
Raw Blame History

package auth_test
import (
"fmt"
"net/url"
"os"
"strings"
"testing"
"time"
"github.com/containrrr/watchtower/internal/actions/mocks"
"github.com/containrrr/watchtower/pkg/registry/auth"
wtTypes "github.com/containrrr/watchtower/pkg/types"
ref "github.com/docker/distribution/reference"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
func TestAuth(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "Registry Auth Suite")
}
func SkipIfCredentialsEmpty(credentials *wtTypes.RegistryCredentials, fn func()) func() {
if credentials.Username == "" {
return func() {
Skip("Username missing. Skipping integration test")
}
} else if credentials.Password == "" {
return func() {
Skip("Password missing. Skipping integration test")
}
} else {
return fn
}
}
var GHCRCredentials = &wtTypes.RegistryCredentials{
Username: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_GH_USERNAME"),
Password: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_GH_PASSWORD"),
}
var _ = Describe("the auth module", func() {
mockId := "mock-id"
mockName := "mock-container"
mockImage := "ghcr.io/k6io/operator:latest"
mockCreated := time.Now()
mockDigest := "ghcr.io/k6io/operator@sha256:d68e1e532088964195ad3a0a71526bc2f11a78de0def85629beb75e2265f0547"
mockContainer := mocks.CreateMockContainerWithDigest(
mockId,
mockName,
mockImage,
mockCreated,
mockDigest)
Describe("GetToken", func() {
It("should parse the token from the response",
SkipIfCredentialsEmpty(GHCRCredentials, func() {
creds := fmt.Sprintf("%s:%s", GHCRCredentials.Username, GHCRCredentials.Password)
token, err := auth.GetToken(mockContainer, creds)
Expect(err).NotTo(HaveOccurred())
Expect(token).NotTo(Equal(""))
}),
)
})
Describe("GetAuthURL", func() {
It("should create a valid auth url object based on the challenge header supplied", func() {
challenge := `bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/image:pull"`
imageRef, err := ref.ParseNormalizedNamed("containrrr/watchtower")
Expect(err).NotTo(HaveOccurred())
expected := &url.URL{
Host: "ghcr.io",
Scheme: "https",
Path: "/token",
RawQuery: "scope=repository%3Acontainrrr%2Fwatchtower%3Apull&service=ghcr.io",
}
URL, err := auth.GetAuthURL(challenge, imageRef)
Expect(err).NotTo(HaveOccurred())
Expect(URL).To(Equal(expected))
})
When("given an invalid challenge header", func() {
It("should return an error", func() {
challenge := `bearer realm="https://ghcr.io/token"`
imageRef, err := ref.ParseNormalizedNamed("containrrr/watchtower")
Expect(err).NotTo(HaveOccurred())
URL, err := auth.GetAuthURL(challenge, imageRef)
Expect(err).To(HaveOccurred())
Expect(URL).To(BeNil())
})
})
When("deriving the auth scope from an image name", func() {
It("should prepend official dockerhub images with \"library/\"", func() {
Expect(getScopeFromImageAuthURL("registry")).To(Equal("library/registry"))
Expect(getScopeFromImageAuthURL("docker.io/registry")).To(Equal("library/registry"))
Expect(getScopeFromImageAuthURL("index.docker.io/registry")).To(Equal("library/registry"))
})
It("should not include vanity hosts\"", func() {
Expect(getScopeFromImageAuthURL("docker.io/containrrr/watchtower")).To(Equal("containrrr/watchtower"))
Expect(getScopeFromImageAuthURL("index.docker.io/containrrr/watchtower")).To(Equal("containrrr/watchtower"))
})
It("should not destroy three segment image names\"", func() {
Expect(getScopeFromImageAuthURL("piksel/containrrr/watchtower")).To(Equal("piksel/containrrr/watchtower"))
Expect(getScopeFromImageAuthURL("ghcr.io/piksel/containrrr/watchtower")).To(Equal("piksel/containrrr/watchtower"))
})
It("should not prepend library/ to image names if they're not on dockerhub", func() {
Expect(getScopeFromImageAuthURL("ghcr.io/watchtower")).To(Equal("watchtower"))
Expect(getScopeFromImageAuthURL("ghcr.io/containrrr/watchtower")).To(Equal("containrrr/watchtower"))
})
})
It("should not crash when an empty field is recieved", func() {
input := `bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/image:pull",`
imageRef, err := ref.ParseNormalizedNamed("containrrr/watchtower")
Expect(err).NotTo(HaveOccurred())
res, err := auth.GetAuthURL(input, imageRef)
Expect(err).NotTo(HaveOccurred())
Expect(res).NotTo(BeNil())
})
It("should not crash when a field without a value is recieved", func() {
input := `bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/image:pull",valuelesskey`
imageRef, err := ref.ParseNormalizedNamed("containrrr/watchtower")
Expect(err).NotTo(HaveOccurred())
res, err := auth.GetAuthURL(input, imageRef)
Expect(err).NotTo(HaveOccurred())
Expect(res).NotTo(BeNil())
})
})
Describe("GetChallengeURL", func() {
It("should create a valid challenge url object based on the image ref supplied", func() {
expected := url.URL{Host: "ghcr.io", Scheme: "https", Path: "/v2/"}
imageRef, _ := ref.ParseNormalizedNamed("ghcr.io/containrrr/watchtower:latest")
Expect(auth.GetChallengeURL(imageRef)).To(Equal(expected))
})
It("should assume Docker Hub for image refs with no explicit registry", func() {
expected := url.URL{Host: "index.docker.io", Scheme: "https", Path: "/v2/"}
imageRef, _ := ref.ParseNormalizedNamed("containrrr/watchtower:latest")
Expect(auth.GetChallengeURL(imageRef)).To(Equal(expected))
})
It("should use index.docker.io if the image ref specifies docker.io", func() {
expected := url.URL{Host: "index.docker.io", Scheme: "https", Path: "/v2/"}
imageRef, _ := ref.ParseNormalizedNamed("docker.io/containrrr/watchtower:latest")
Expect(auth.GetChallengeURL(imageRef)).To(Equal(expected))
})
})
})
var scopeImageRegexp = MatchRegexp("^repository:[a-z0-9]+(/[a-z0-9]+)*:pull$")
func getScopeFromImageAuthURL(imageName string) string {
normalizedRef, _ := ref.ParseNormalizedNamed(imageName)
challenge := `bearer realm="https://dummy.host/token",service="dummy.host",scope="repository:user/image:pull"`
URL, _ := auth.GetAuthURL(challenge, normalizedRef)
scope := URL.Query().Get("scope")
Expect(scopeImageRegexp.Match(scope)).To(BeTrue())
return strings.Replace(scope[11:], ":pull", "", 1)
}
View Git Blame Copy Permalink