e2e: add private registry pull/push regression test

Add a privateregistry service (htpasswd auth, port 5001) to the e2e
compose stack and a TestPullPushPrivateRepository test that verifies:

  - unauthenticated push/pull is rejected with an auth error
  - authenticated push/pull succeeds

Fix private-registry flakiness by moving the registry debug listener off
port 5001 (to avoid conflicting listeners) and fail fast during e2e setup
if supporting services are not running.

The volume path in compose-env.yaml is resolved relative to the compose
file directory (e2e/), so use ./testdata/registry/auth, not
./e2e/testdata/registry/auth.

Regression test for #5963.
Closes #5965.

Signed-off-by: aryansharma9917 <sharmaaryan9837@gmail.com>
Signed-off-by: Lohit Kolluri <lohitkolluri@gmail.com>

Author: lohitkolluri

e2e/compose-env.yaml

@@ -3,9 +3,18 @@ services:
   registry:
     image: 'registry:3'
 
+  privateregistry:
+    build:
+      context: ./testdata/registry
+    environment:
+      - REGISTRY_HTTP_ADDR=0.0.0.0:5001
+      - REGISTRY_AUTH=htpasswd
+      - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
+      - REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd
+
   engine:
       image: 'docker:${ENGINE_VERSION:-29}-dind'
       privileged: true
-      command: ['--insecure-registry=registry:5000', '--experimental']
+      command: ['--insecure-registry=registry:5000', '--insecure-registry=privateregistry:5001', '--experimental']
       environment:
         - DOCKER_TLS_CERTDIR=

e2e/image/private_test.go

@@ -0,0 +1,114 @@
+package image
+
+import (
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"gotest.tools/v3/assert"
+	"gotest.tools/v3/icmd"
+)
+
+const privateRegistryPrefix = "privateregistry:5001"
+
+// Regression test for https://github.com/docker/cli/issues/5963
+func TestPullPushPrivateRepository(t *testing.T) {
+	t.Parallel()
+
+	dir := fixtures.SetupConfigFile(t)
+	t.Cleanup(dir.Remove)
+	emptyConfigDir := t.TempDir()
+
+	sourceImage := fixtures.AlpineImage
+	privateImage := privateRegistryPrefix + "/private/alpine:test-private-pull-push"
+
+	runWithPrivateRegistryRetry(t,
+		icmd.Command("docker", "pull", sourceImage),
+	).Assert(t, icmd.Success)
+	t.Cleanup(func() {
+		icmd.RunCommand("docker", "image", "rm", "-f", privateImage).Assert(t, icmd.Success)
+	})
+
+	icmd.RunCommand("docker", "tag", sourceImage, privateImage).Assert(t, icmd.Success)
+
+	pushNoAuth := runWithPrivateRegistryRetry(t,
+		icmd.Command("docker", "push", privateImage),
+		fixtures.WithConfig(emptyConfigDir),
+	)
+	pushNoAuth.Assert(t, icmd.Expected{ExitCode: 1})
+	assertAuthDenied(t, pushNoAuth)
+
+	pushWithAuth := runWithPrivateRegistryRetry(t,
+		icmd.Command("docker", "push", privateImage),
+		fixtures.WithConfig(dir.Path()),
+	)
+	pushWithAuth.Assert(t, icmd.Success)
+	// Docker omits the tag in the "push refers to repository" line; strip it before asserting.
+	privateRepo := privateImage[:strings.LastIndex(privateImage, ":")]
+	assert.Check(t, strings.Contains(pushWithAuth.Combined(), "The push refers to repository ["+privateRepo+"]"), pushWithAuth.Combined())
+
+	icmd.RunCommand("docker", "image", "rm", "-f", privateImage).Assert(t, icmd.Success)
+
+	pullNoAuth := runWithPrivateRegistryRetry(t,
+		icmd.Command("docker", "pull", privateImage),
+		fixtures.WithConfig(emptyConfigDir),
+	)
+	pullNoAuth.Assert(t, icmd.Expected{ExitCode: 1})
+	assertAuthDenied(t, pullNoAuth)
+
+	pullWithAuth := runWithPrivateRegistryRetry(t,
+		icmd.Command("docker", "pull", privateImage),
+		fixtures.WithConfig(dir.Path()),
+	)
+	pullWithAuth.Assert(t, icmd.Success)
+	assert.Check(t, strings.Contains(pullWithAuth.Combined(), privateImage), pullWithAuth.Combined())
+}
+
+func assertAuthDenied(t *testing.T, result *icmd.Result) {
+	t.Helper()
+	output := result.Combined()
+	if isPrivateRegistryTransient(output) {
+		t.Fatalf("private registry unavailable while expecting auth failure: %s", output)
+	}
+
+	assert.Assert(t,
+		strings.Contains(output, "requested access to the resource is denied") ||
+			strings.Contains(output, "no basic auth credentials") ||
+			strings.Contains(output, "unauthorized") ||
+			strings.Contains(output, "authentication required"),
+		output,
+	)
+}
+
+func runWithPrivateRegistryRetry(t *testing.T, cmd icmd.Cmd, opts ...icmd.CmdOp) *icmd.Result {
+	t.Helper()
+
+	deadline := time.Now().Add(90 * time.Second)
+	for {
+		result := icmd.RunCmd(cmd, opts...)
+		output := result.Combined()
+		if isPrivateRegistryTransient(output) {
+			if time.Now().Before(deadline) {
+				t.Logf("waiting for private registry availability: %s", output)
+				time.Sleep(500 * time.Millisecond)
+				continue
+			}
+		}
+		return result
+	}
+}
+
+func isPrivateRegistryTransient(output string) bool {
+	return strings.Contains(output, "lookup privateregistry") ||
+		strings.Contains(output, "lookup registry") ||
+		strings.Contains(output, "no such host") ||
+		strings.Contains(output, "server misbehaving") ||
+		strings.Contains(output, "Temporary failure in name resolution") ||
+		strings.Contains(output, "connection refused") ||
+		strings.Contains(output, "i/o timeout") ||
+		strings.Contains(output, "TLS handshake timeout") ||
+		strings.Contains(output, "context deadline exceeded") ||
+		strings.Contains(output, "connection reset by peer") ||
+		strings.Contains(output, "unexpected EOF")
+}

e2e/internal/fixtures/fixtures.go

@@ -23,6 +23,9 @@ func SetupConfigFile(t *testing.T) fs.Dir {
 	"auths": {
 		"registry:5000": {
 			"auth": "ZWlhaXM6cGFzc3dvcmQK"
+		},
+		"privateregistry:5001": {
+			"auth": "ZTJlOnBhc3N3b3Jk"
 		}
 	}}`), fs.WithDir("trust", fs.WithDir("private")))
 	return *dir

e2e/testdata/registry/Dockerfile

@@ -0,0 +1,2 @@
+FROM registry:3
+COPY auth /auth

e2e/testdata/registry/auth/htpasswd

@@ -0,0 +1 @@
+e2e:$2y$05$DxRBsGSy61vZsBgNVxwUh.UtZmlg3wZHMxYcHYAlupY7r1xbIiuoq