From 44b8288d83933a39378aad009687db7109ba76ca Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Tue, 13 Sep 2022 18:10:56 +0300 Subject: [PATCH] Add basic cosign verification tests Signed-off-by: Stefan Prodan --- controllers/ocirepository_controller_test.go | 90 ++++++++++---------- go.mod | 2 +- 2 files changed, 46 insertions(+), 46 deletions(-) diff --git a/controllers/ocirepository_controller_test.go b/controllers/ocirepository_controller_test.go index 5b013293..a778f565 100644 --- a/controllers/ocirepository_controller_test.go +++ b/controllers/ocirepository_controller_test.go @@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ + package controllers import ( @@ -24,9 +25,6 @@ import ( "encoding/pem" "errors" "fmt" - coptions "github.com/sigstore/cosign/cmd/cosign/cli/options" - "github.com/sigstore/cosign/cmd/cosign/cli/sign" - "github.com/sigstore/cosign/pkg/cosign" "math/big" "net" "net/http" @@ -55,6 +53,9 @@ import ( gcrv1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/mutate" . "github.com/onsi/gomega" + coptions "github.com/sigstore/cosign/cmd/cosign/cli/options" + "github.com/sigstore/cosign/cmd/cosign/cli/sign" + "github.com/sigstore/cosign/pkg/cosign" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -1231,7 +1232,7 @@ func TestOCIRepository_verifyOCISourceSignature(t *testing.T) { url string reference *sourcev1.OCIRepositoryRef shouldSign bool - wantErr bool + wantErrMsg string }{ { name: "signed image should pass verification", @@ -1246,6 +1247,7 @@ func TestOCIRepository_verifyOCISourceSignature(t *testing.T) { Tag: "6.1.5", }, shouldSign: false, + wantErrMsg: "no matching signatures were found", }, } @@ -1256,6 +1258,29 @@ func TestOCIRepository_verifyOCISourceSignature(t *testing.T) { Storage: testStorage, } + pf := func(b bool) ([]byte, error) { + return []byte("cosign-password"), nil + } + + keys, err := cosign.GenerateKeyPair(pf) + g.Expect(err).ToNot(HaveOccurred()) + + err = os.WriteFile(path.Join(tmpDir, "cosign.key"), keys.PrivateBytes, 0600) + g.Expect(err).ToNot(HaveOccurred()) + + secret := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "cosign-key", + }, + Data: map[string][]byte{ + "cosign.pub": keys.PublicBytes, + }} + + err = r.Create(ctx, secret) + if err != nil { + g.Expect(err).NotTo(HaveOccurred()) + } + for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { obj := &sourcev1.OCIRepository{ @@ -1273,33 +1298,6 @@ func TestOCIRepository_verifyOCISourceSignature(t *testing.T) { }, } - pf := func(b bool) ([]byte, error) { - return []byte("foo"), nil - } - - keys, err := cosign.GenerateKeyPair(pf) - if err != nil { - g.Expect(err).ToNot(HaveOccurred()) - } - - err = os.WriteFile("cosign.key", keys.PrivateBytes, 0600) - if err != nil { - g.Expect(err).ToNot(HaveOccurred()) - } - - secret := &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "cosign-key", - }, - Data: map[string][]byte{ - "cosign.pub": keys.PublicBytes, - }} - - err = r.Create(ctx, secret) - if err != nil { - g.Expect(err).NotTo(HaveOccurred()) - } - keychain, err := r.keychain(ctx, obj) if err != nil { g.Expect(err).ToNot(HaveOccurred()) @@ -1307,35 +1305,37 @@ func TestOCIRepository_verifyOCISourceSignature(t *testing.T) { options := r.craneOptions(ctx, obj.Spec.Insecure) options = append(options, crane.WithAuthFromKeychain(keychain)) - url, err := r.getArtifactURL(obj, options) + artifactURL, err := r.getArtifactURL(obj, options) if err != nil { g.Expect(err).ToNot(HaveOccurred()) } if tt.shouldSign { - ko := coptions.KeyOpts{ - KeyRef: "cosign.key", + KeyRef: path.Join(tmpDir, "cosign.key"), PassFunc: pf, } - t.Logf("url: %s", url) - - ro := &coptions.RootOptions{} - err = sign.SignCmd(ro, ko, coptions.RegistryOptions{Keychain: keychain}, nil, []string{url}, "", "", false, "", "", "", false, false, "", false) - if err != nil { - g.Expect(err).ToNot(HaveOccurred()) + ro := &coptions.RootOptions{ + Timeout: timeout, } + err = sign.SignCmd(ro, ko, coptions.RegistryOptions{Keychain: keychain}, + nil, []string{artifactURL}, "", + "", true, "", + "", "", false, + false, "", false) + g.Expect(err).ToNot(HaveOccurred()) } - err = r.verifyOCISourceSignature(ctx, obj, url, keychain) - if tt.wantErr { - g.Expect(err).To(HaveOccurred()) - return + err = r.verifyOCISourceSignature(ctx, obj, artifactURL, keychain) + if tt.wantErrMsg != "" { + g.Expect(err).ToNot(BeNil()) + g.Expect(err.Error()).To(ContainSubstring(tt.wantErrMsg)) + } else { + g.Expect(err).ToNot(HaveOccurred()) } }) } - } func TestOCIRepository_stalled(t *testing.T) { diff --git a/go.mod b/go.mod index cec18f65..1e33911f 100644 --- a/go.mod +++ b/go.mod @@ -60,6 +60,7 @@ require ( github.com/prometheus/client_golang v1.13.0 github.com/sigstore/cosign v1.11.1 github.com/sigstore/sigstore v1.4.0 + github.com/sirupsen/logrus v1.9.0 github.com/spf13/pflag v1.0.5 golang.org/x/crypto v0.0.0-20220824171710-5757bc0c5503 golang.org/x/net v0.0.0-20220822230855-b0a4917ee28c @@ -292,7 +293,6 @@ require ( github.com/shopspring/decimal v1.2.0 // indirect github.com/sigstore/fulcio v0.5.3 // indirect github.com/sigstore/rekor v0.11.0 // indirect - github.com/sirupsen/logrus v1.9.0 // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect github.com/soheilhy/cmux v0.1.5 // indirect github.com/spf13/afero v1.8.2 // indirect