e2e: add private registry pull/push regression test

Add a privateregistry service (htpasswd auth, port 5001) to the e2e
compose stack and a TestPullPushPrivateRepository test that verifies:

  - unauthenticated push/pull is rejected with an auth error
  - authenticated push/pull succeeds

The volume path in compose-env.yaml is resolved relative to the compose
file directory (e2e/), so use ./testdata/registry/auth, not
./e2e/testdata/registry/auth.

Regression test for #5963.
Closes #5965.

Signed-off-by: aryansharma9917 <sharmaaryan9837@gmail.com>
Signed-off-by: Lohit Kolluri <lohitkolluri@gmail.com>

Author: lohitkolluri

e2e/compose-env.yaml

@@ -3,9 +3,18 @@ services:
   registry:
     image: 'registry:3'
 
+  privateregistry:
+    build:
+      context: ./testdata/registry
+    environment:
+      - REGISTRY_HTTP_ADDR=0.0.0.0:5001
+      - REGISTRY_AUTH=htpasswd
+      - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
+      - REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd
+
   engine:
       image: 'docker:${ENGINE_VERSION:-29}-dind'
       privileged: true
-      command: ['--insecure-registry=registry:5000', '--experimental']
+      command: ['--insecure-registry=registry:5000', '--insecure-registry=privateregistry:5001', '--experimental']
       environment:
         - DOCKER_TLS_CERTDIR=

e2e/image/private_test.go

@@ -0,0 +1,114 @@
+package image
+
+import (
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/icmd"
+)
+
+const privateRegistryPrefix = "privateregistry:5001"
+
+// Regression test for https://github.com/docker/cli/issues/5963
+func TestPullPushPrivateRepository(t *testing.T) {
+	t.Parallel()
+
+	dir := fixtures.SetupConfigFile(t)
+	t.Cleanup(dir.Remove)
+	emptyConfigDir := t.TempDir()
+
+	sourceImage := fixtures.AlpineImage
+	privateImage := privateRegistryPrefix + "/private/alpine:test-private-pull-push"
+
+	runWithPrivateRegistryRetry(t,
+		icmd.Command("docker", "pull", sourceImage),
+	).Assert(t, icmd.Success)
+	t.Cleanup(func() {
+		icmd.RunCommand("docker", "image", "rm", "-f", privateImage).Assert(t, icmd.Success)
+	})
+
+	icmd.RunCommand("docker", "tag", sourceImage, privateImage).Assert(t, icmd.Success)
+
+	pushNoAuth := runWithPrivateRegistryRetry(t,
+		icmd.Command("docker", "push", privateImage),
+		fixtures.WithConfig(emptyConfigDir),
+	)
+	pushNoAuth.Assert(t, icmd.Expected{ExitCode: 1})
+	assertAuthDenied(t, pushNoAuth)
+
+	pushWithAuth := runWithPrivateRegistryRetry(t,
+		icmd.Command("docker", "push", privateImage),
+		fixtures.WithConfig(dir.Path()),
+	)
+	pushWithAuth.Assert(t, icmd.Success)
+	// Docker omits the tag in the "push refers to repository" line; strip it before asserting.
+	privateRepo := privateImage[:strings.LastIndex(privateImage, ":")]
+	assert.Check(t, strings.Contains(pushWithAuth.Combined(), "The push refers to repository ["+privateRepo+"]"), pushWithAuth.Combined())
+
+	icmd.RunCommand("docker", "image", "rm", "-f", privateImage).Assert(t, icmd.Success)
+
+	pullNoAuth := runWithPrivateRegistryRetry(t,
+		icmd.Command("docker", "pull", privateImage),
+		fixtures.WithConfig(emptyConfigDir),
+	)
+	pullNoAuth.Assert(t, icmd.Expected{ExitCode: 1})
+	assertAuthDenied(t, pullNoAuth)
+
+	pullWithAuth := runWithPrivateRegistryRetry(t,
+		icmd.Command("docker", "pull", privateImage),
+		fixtures.WithConfig(dir.Path()),
+	)
+	pullWithAuth.Assert(t, icmd.Success)
+	assert.Check(t, strings.Contains(pullWithAuth.Combined(), privateImage), pullWithAuth.Combined())
+}
+
+func assertAuthDenied(t *testing.T, result *icmd.Result) {
+	t.Helper()
+	output := result.Combined()
+	if isPrivateRegistryTransient(output) {
+		t.Fatalf("private registry unavailable while expecting auth failure: %s", output)
+	}
+
+	assert.Assert(t,
+		strings.Contains(output, "requested access to the resource is denied") ||
+			strings.Contains(output, "no basic auth credentials") ||
+			strings.Contains(output, "unauthorized") ||
+			strings.Contains(output, "authentication required"),
+		output,
+	)
+}
+
+func runWithPrivateRegistryRetry(t *testing.T, cmd icmd.Cmd, opts ...icmd.CmdOp) *icmd.Result {
+	t.Helper()
+
+	deadline := time.Now().Add(90 * time.Second)
+	for {
+		result := icmd.RunCmd(cmd, opts...)
+		output := result.Combined()
+		if isPrivateRegistryTransient(output) {
+			if time.Now().Before(deadline) {
+				t.Logf("waiting for private registry availability: %s", output)
+				time.Sleep(500 * time.Millisecond)
+				continue
+			}
+		}
+		return result
+	}
+}
+
+func isPrivateRegistryTransient(output string) bool {
+	return strings.Contains(output, "lookup privateregistry") ||
+		strings.Contains(output, "lookup registry") ||
+		strings.Contains(output, "no such host") ||
+		strings.Contains(output, "server misbehaving") ||
+		strings.Contains(output, "Temporary failure in name resolution") ||
+		strings.Contains(output, "connection refused") ||
+		strings.Contains(output, "i/o timeout") ||
+		strings.Contains(output, "TLS handshake timeout") ||
+		strings.Contains(output, "context deadline exceeded") ||
+		strings.Contains(output, "connection reset by peer") ||
+		strings.Contains(output, "unexpected EOF")
+}

e2e/internal/fixtures/fixtures.go

@@ -23,6 +23,9 @@ func SetupConfigFile(t *testing.T) fs.Dir {
 	"auths": {
 		"registry:5000": {
 			"auth": "ZWlhaXM6cGFzc3dvcmQK"
+		},
+		"privateregistry:5001": {
+			"auth": "ZTJlOnBhc3N3b3Jk"
 		}
 	}}`), fs.WithDir("trust", fs.WithDir("private")))
 	return *dir

e2e/testdata/registry/Dockerfile

@@ -0,0 +1,2 @@
+FROM registry:3
+COPY auth /auth

e2e/testdata/registry/auth/htpasswd

@@ -0,0 +1 @@
+e2e:$2y$05$DxRBsGSy61vZsBgNVxwUh.UtZmlg3wZHMxYcHYAlupY7r1xbIiuoq