mirror of
https://github.com/genuinetools/reg.git
synced 2024-10-03 22:01:45 -04:00
254 lines
7.5 KiB
Go
254 lines
7.5 KiB
Go
|
package osxkeychain
|
||
|
|
||
|
import (
|
||
|
"errors"
|
||
|
"fmt"
|
||
|
"github.com/docker/docker-credential-helpers/credentials"
|
||
|
"testing"
|
||
|
)
|
||
|
|
||
|
func TestOSXKeychainHelper(t *testing.T) {
|
||
|
creds := &credentials.Credentials{
|
||
|
ServerURL: "https://foobar.docker.io:2376/v1",
|
||
|
Username: "foobar",
|
||
|
Secret: "foobarbaz",
|
||
|
}
|
||
|
creds1 := &credentials.Credentials{
|
||
|
ServerURL: "https://foobar.docker.io:2376/v2",
|
||
|
Username: "foobarbaz",
|
||
|
Secret: "foobar",
|
||
|
}
|
||
|
helper := Osxkeychain{}
|
||
|
if err := helper.Add(creds); err != nil {
|
||
|
t.Fatal(err)
|
||
|
}
|
||
|
|
||
|
username, secret, err := helper.Get(creds.ServerURL)
|
||
|
if err != nil {
|
||
|
t.Fatal(err)
|
||
|
}
|
||
|
|
||
|
if username != "foobar" {
|
||
|
t.Fatalf("expected %s, got %s\n", "foobar", username)
|
||
|
}
|
||
|
|
||
|
if secret != "foobarbaz" {
|
||
|
t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
|
||
|
}
|
||
|
|
||
|
auths, err := helper.List()
|
||
|
if err != nil || len(auths) == 0 {
|
||
|
t.Fatal(err)
|
||
|
}
|
||
|
|
||
|
helper.Add(creds1)
|
||
|
defer helper.Delete(creds1.ServerURL)
|
||
|
newauths, err := helper.List()
|
||
|
if len(newauths)-len(auths) != 1 {
|
||
|
if err == nil {
|
||
|
t.Fatalf("Error: len(newauths): %d, len(auths): %d", len(newauths), len(auths))
|
||
|
}
|
||
|
t.Fatalf("Error: len(newauths): %d, len(auths): %d\n Error= %v", len(newauths), len(auths), err)
|
||
|
}
|
||
|
|
||
|
if err := helper.Delete(creds.ServerURL); err != nil {
|
||
|
t.Fatal(err)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// TestOSXKeychainHelperParseURL verifies that a // "scheme" is added to URLs,
|
||
|
// and that invalid URLs produce an error.
|
||
|
func TestOSXKeychainHelperParseURL(t *testing.T) {
|
||
|
tests := []struct {
|
||
|
url string
|
||
|
expectedURL string
|
||
|
err error
|
||
|
}{
|
||
|
{url: "foobar.docker.io", expectedURL: "//foobar.docker.io"},
|
||
|
{url: "foobar.docker.io:2376", expectedURL: "//foobar.docker.io:2376"},
|
||
|
{url: "//foobar.docker.io:2376", expectedURL: "//foobar.docker.io:2376"},
|
||
|
{url: "http://foobar.docker.io:2376", expectedURL: "http://foobar.docker.io:2376"},
|
||
|
{url: "https://foobar.docker.io:2376", expectedURL: "https://foobar.docker.io:2376"},
|
||
|
{url: "https://foobar.docker.io:2376/some/path", expectedURL: "https://foobar.docker.io:2376/some/path"},
|
||
|
{url: "https://foobar.docker.io:2376/some/other/path?foo=bar", expectedURL: "https://foobar.docker.io:2376/some/other/path"},
|
||
|
{url: "/foobar.docker.io", err: errors.New("no hostname in URL")},
|
||
|
{url: "ftp://foobar.docker.io:2376", err: errors.New("unsupported scheme: ftp")},
|
||
|
}
|
||
|
|
||
|
for _, te := range tests {
|
||
|
u, err := parseURL(te.url)
|
||
|
|
||
|
if te.err == nil && err != nil {
|
||
|
t.Errorf("Error: failed to parse URL %q: %s", te.url, err)
|
||
|
continue
|
||
|
}
|
||
|
if te.err != nil && err == nil {
|
||
|
t.Errorf("Error: expected error %q, got none when parsing URL %q", te.err, te.url)
|
||
|
continue
|
||
|
}
|
||
|
if te.err != nil && err.Error() != te.err.Error() {
|
||
|
t.Errorf("Error: expected error %q, got %q when parsing URL %q", te.err, err, te.url)
|
||
|
continue
|
||
|
}
|
||
|
if u != nil && u.String() != te.expectedURL {
|
||
|
t.Errorf("Error: expected URL: %q, but got %q for URL: %q", te.expectedURL, u.String(), te.url)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// TestOSXKeychainHelperRetrieveAliases verifies that secrets can be accessed
|
||
|
// through variations on the URL
|
||
|
func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
|
||
|
tests := []struct {
|
||
|
storeURL string
|
||
|
readURL string
|
||
|
}{
|
||
|
// stored with port, retrieved without
|
||
|
{"https://foobar.docker.io:2376", "https://foobar.docker.io"},
|
||
|
|
||
|
// stored as https, retrieved without scheme
|
||
|
{"https://foobar.docker.io:2376", "foobar.docker.io"},
|
||
|
|
||
|
// stored with path, retrieved without
|
||
|
{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234"},
|
||
|
}
|
||
|
|
||
|
helper := Osxkeychain{}
|
||
|
defer func() {
|
||
|
for _, te := range tests {
|
||
|
helper.Delete(te.storeURL)
|
||
|
}
|
||
|
}()
|
||
|
|
||
|
// Clean store before testing.
|
||
|
for _, te := range tests {
|
||
|
helper.Delete(te.storeURL)
|
||
|
}
|
||
|
|
||
|
for _, te := range tests {
|
||
|
c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
|
||
|
if err := helper.Add(c); err != nil {
|
||
|
t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
|
||
|
continue
|
||
|
}
|
||
|
if _, _, err := helper.Get(te.readURL); err != nil {
|
||
|
t.Errorf("Error: failed to read secret for URL %q using %q", te.storeURL, te.readURL)
|
||
|
}
|
||
|
helper.Delete(te.storeURL)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// TestOSXKeychainHelperRetrieveStrict verifies that only matching secrets are
|
||
|
// returned.
|
||
|
func TestOSXKeychainHelperRetrieveStrict(t *testing.T) {
|
||
|
tests := []struct {
|
||
|
storeURL string
|
||
|
readURL string
|
||
|
}{
|
||
|
// stored as https, retrieved using http
|
||
|
{"https://foobar.docker.io:2376", "http://foobar.docker.io:2376"},
|
||
|
|
||
|
// stored as http, retrieved using https
|
||
|
{"http://foobar.docker.io:2376", "https://foobar.docker.io:2376"},
|
||
|
|
||
|
// same: stored as http, retrieved without a scheme specified (hence, using the default https://)
|
||
|
{"http://foobar.docker.io", "foobar.docker.io:5678"},
|
||
|
|
||
|
// non-matching ports
|
||
|
{"https://foobar.docker.io:1234", "https://foobar.docker.io:5678"},
|
||
|
|
||
|
// non-matching ports TODO is this desired behavior? The other way round does work
|
||
|
//{"https://foobar.docker.io", "https://foobar.docker.io:5678"},
|
||
|
|
||
|
// non-matching paths
|
||
|
{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234/five/six"},
|
||
|
}
|
||
|
|
||
|
helper := Osxkeychain{}
|
||
|
defer func() {
|
||
|
for _, te := range tests {
|
||
|
helper.Delete(te.storeURL)
|
||
|
}
|
||
|
}()
|
||
|
|
||
|
// Clean store before testing.
|
||
|
for _, te := range tests {
|
||
|
helper.Delete(te.storeURL)
|
||
|
}
|
||
|
|
||
|
for _, te := range tests {
|
||
|
c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
|
||
|
if err := helper.Add(c); err != nil {
|
||
|
t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
|
||
|
continue
|
||
|
}
|
||
|
if _, _, err := helper.Get(te.readURL); err == nil {
|
||
|
t.Errorf("Error: managed to read secret for URL %q using %q, but should not be able to", te.storeURL, te.readURL)
|
||
|
}
|
||
|
helper.Delete(te.storeURL)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// TestOSXKeychainHelperStoreRetrieve verifies that secrets stored in the
|
||
|
// the keychain can be read back using the URL that was used to store them.
|
||
|
func TestOSXKeychainHelperStoreRetrieve(t *testing.T) {
|
||
|
tests := []struct {
|
||
|
url string
|
||
|
}{
|
||
|
{url: "foobar.docker.io"},
|
||
|
{url: "foobar.docker.io:2376"},
|
||
|
{url: "//foobar.docker.io:2376"},
|
||
|
{url: "https://foobar.docker.io:2376"},
|
||
|
{url: "http://foobar.docker.io:2376"},
|
||
|
{url: "https://foobar.docker.io:2376/some/path"},
|
||
|
{url: "https://foobar.docker.io:2376/some/other/path"},
|
||
|
{url: "https://foobar.docker.io:2376/some/other/path?foo=bar"},
|
||
|
}
|
||
|
|
||
|
helper := Osxkeychain{}
|
||
|
defer func() {
|
||
|
for _, te := range tests {
|
||
|
helper.Delete(te.url)
|
||
|
}
|
||
|
}()
|
||
|
|
||
|
// Clean store before testing.
|
||
|
for _, te := range tests {
|
||
|
helper.Delete(te.url)
|
||
|
}
|
||
|
|
||
|
// Note that we don't delete between individual tests here, to verify that
|
||
|
// subsequent stores/overwrites don't affect storing / retrieving secrets.
|
||
|
for i, te := range tests {
|
||
|
c := &credentials.Credentials{
|
||
|
ServerURL: te.url,
|
||
|
Username: fmt.Sprintf("user-%d", i),
|
||
|
Secret: fmt.Sprintf("secret-%d", i),
|
||
|
}
|
||
|
|
||
|
if err := helper.Add(c); err != nil {
|
||
|
t.Errorf("Error: failed to store secret for URL: %s: %s", te.url, err)
|
||
|
continue
|
||
|
}
|
||
|
user, secret, err := helper.Get(te.url)
|
||
|
if err != nil {
|
||
|
t.Errorf("Error: failed to read secret for URL %q: %s", te.url, err)
|
||
|
continue
|
||
|
}
|
||
|
if user != c.Username {
|
||
|
t.Errorf("Error: expected username %s, got username %s for URL: %s", c.Username, user, te.url)
|
||
|
}
|
||
|
if secret != c.Secret {
|
||
|
t.Errorf("Error: expected secret %s, got secret %s for URL: %s", c.Secret, secret, te.url)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func TestMissingCredentials(t *testing.T) {
|
||
|
helper := Osxkeychain{}
|
||
|
_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")
|
||
|
if !credentials.IsErrCredentialsNotFound(err) {
|
||
|
t.Fatalf("expected ErrCredentialsNotFound, got %v", err)
|
||
|
}
|
||
|
}
|