-
Notifications
You must be signed in to change notification settings - Fork 550
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Dmitry S <[email protected]>
- Loading branch information
Showing
1 changed file
with
0 additions
and
242 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -38,7 +38,6 @@ import ( | |
"testing" | ||
"time" | ||
|
||
"github.com/go-openapi/strfmt" | ||
"github.com/google/go-cmp/cmp" | ||
"github.com/google/go-containerregistry/pkg/name" | ||
"github.com/google/go-containerregistry/pkg/v1/remote" | ||
|
@@ -1056,151 +1055,6 @@ func TestVerifyWithCARoots(t *testing.T) { | |
} | ||
} | ||
|
||
func TestAttachWithRFC3161Timestamp(t *testing.T) { | ||
ctx := context.Background() | ||
// TSA server needed to create timestamp | ||
viper.Set("timestamp-signer", "memory") | ||
viper.Set("timestamp-signer-hash", "sha256") | ||
apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second) | ||
server := httptest.NewServer(apiServer.GetHandler()) | ||
t.Cleanup(server.Close) | ||
|
||
repo, stop := reg(t) | ||
defer stop() | ||
td := t.TempDir() | ||
|
||
imgName := path.Join(repo, "cosign-attach-timestamp-e2e") | ||
|
||
_, _, cleanup := mkimage(t, imgName) | ||
defer cleanup() | ||
|
||
b := bytes.Buffer{} | ||
must(generate.GenerateCmd(context.Background(), options.RegistryOptions{}, imgName, nil, &b), t) | ||
|
||
rootCert, rootKey, _ := GenerateRootCa() | ||
subCert, subKey, _ := GenerateSubordinateCa(rootCert, rootKey) | ||
leafCert, privKey, _ := GenerateLeafCert("[email protected]", "oidc-issuer", subCert, subKey) | ||
pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) | ||
pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw}) | ||
pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}) | ||
|
||
payloadref := mkfile(b.String(), td, t) | ||
|
||
h := sha256.Sum256(b.Bytes()) | ||
signature, _ := privKey.Sign(rand.Reader, h[:], crypto.SHA256) | ||
b64signature := base64.StdEncoding.EncodeToString([]byte(signature)) | ||
sigRef := mkfile(b64signature, td, t) | ||
pemleafRef := mkfile(string(pemLeaf), td, t) | ||
pemrootRef := mkfile(string(pemRoot), td, t) | ||
|
||
certchainRef := mkfile(string(append(pemSub[:], pemRoot[:]...)), td, t) | ||
|
||
t.Setenv("SIGSTORE_ROOT_FILE", pemrootRef) | ||
// reset the roots to use the root pointed by the environment variable SIGSTORE_ROOT_FILE | ||
if err := fulcioroots.ReInit(); err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
tsclient, err := tsaclient.GetTimestampClient(server.URL) | ||
if err != nil { | ||
t.Error(err) | ||
} | ||
|
||
chain, err := tsclient.Timestamp.GetTimestampCertChain(nil) | ||
if err != nil { | ||
t.Fatalf("unexpected error getting timestamp chain: %v", err) | ||
} | ||
|
||
file, err := os.CreateTemp(os.TempDir(), "tempfile") | ||
if err != nil { | ||
t.Fatalf("error creating temp file: %v", err) | ||
} | ||
defer os.Remove(file.Name()) | ||
_, err = file.WriteString(chain.Payload) | ||
if err != nil { | ||
t.Fatalf("error writing chain payload to temp file: %v", err) | ||
} | ||
|
||
tsBytes, err := tsa.GetTimestampedSignature(signature, client.NewTSAClient(server.URL+"/api/v1/timestamp")) | ||
if err != nil { | ||
t.Fatalf("unexpected error creating timestamp: %v", err) | ||
} | ||
rfc3161TSRef := mkfile(string(tsBytes), td, t) | ||
|
||
// Upload it! | ||
err = attach.SignatureCmd(ctx, options.RegistryOptions{}, sigRef, payloadref, pemleafRef, certchainRef, rfc3161TSRef, "", imgName) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
must(verifyKeylessTSA(imgName, file.Name(), true, true), t) | ||
} | ||
|
||
func TestAttachWithRekorBundle(t *testing.T) { | ||
ctx := context.Background() | ||
|
||
repo, stop := reg(t) | ||
defer stop() | ||
td := t.TempDir() | ||
|
||
imgName := path.Join(repo, "cosign-attach-timestamp-e2e") | ||
|
||
_, _, cleanup := mkimage(t, imgName) | ||
defer cleanup() | ||
|
||
b := bytes.Buffer{} | ||
must(generate.GenerateCmd(context.Background(), options.RegistryOptions{}, imgName, nil, &b), t) | ||
|
||
rootCert, rootKey, _ := GenerateRootCa() | ||
subCert, subKey, _ := GenerateSubordinateCa(rootCert, rootKey) | ||
leafCert, privKey, _ := GenerateLeafCert("[email protected]", "oidc-issuer", subCert, subKey) | ||
pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) | ||
pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw}) | ||
pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}) | ||
|
||
payloadref := mkfile(b.String(), td, t) | ||
|
||
h := sha256.Sum256(b.Bytes()) | ||
signature, _ := privKey.Sign(rand.Reader, h[:], crypto.SHA256) | ||
b64signature := base64.StdEncoding.EncodeToString([]byte(signature)) | ||
sigRef := mkfile(b64signature, td, t) | ||
pemleafRef := mkfile(string(pemLeaf), td, t) | ||
pemrootRef := mkfile(string(pemRoot), td, t) | ||
|
||
t.Setenv("SIGSTORE_ROOT_FILE", pemrootRef) | ||
|
||
certchainRef := mkfile(string(append(pemSub[:], pemRoot[:]...)), td, t) | ||
|
||
localPayload := cosign.LocalSignedPayload{ | ||
Base64Signature: b64signature, | ||
Cert: string(pemLeaf), | ||
Bundle: &bundle.RekorBundle{ | ||
SignedEntryTimestamp: strfmt.Base64("MEUCIEDcarEwRYkrxE9ne+kzEVvUhnWaauYzxhUyXOLy1hwAAiEA4VdVCvNRs+D/5o33C2KBy+q2YX3lP4Y7nqRFU+K3hi0="), | ||
Payload: bundle.RekorPayload{ | ||
Body: "REMOVED", | ||
IntegratedTime: 1631646761, | ||
LogIndex: 693591, | ||
LogID: "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d", | ||
}, | ||
}, | ||
} | ||
|
||
jsonBundle, err := json.Marshal(localPayload) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
bundlePath := filepath.Join(td, "bundle.json") | ||
if err := os.WriteFile(bundlePath, jsonBundle, 0644); err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
// Upload it! | ||
err = attach.SignatureCmd(ctx, options.RegistryOptions{}, sigRef, payloadref, pemleafRef, certchainRef, "", bundlePath, imgName) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
} | ||
|
||
func TestRekorBundle(t *testing.T) { | ||
td := t.TempDir() | ||
err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) | ||
|
@@ -1832,102 +1686,6 @@ func TestGenerate(t *testing.T) { | |
equals(ss.Optional["foo"], "bar", t) | ||
} | ||
|
||
func TestUploadDownload(t *testing.T) { | ||
repo, stop := reg(t) | ||
defer stop() | ||
td := t.TempDir() | ||
ctx := context.Background() | ||
|
||
testCases := map[string]struct { | ||
signature string | ||
signatureType attach.SignatureArgType | ||
expectedErr bool | ||
}{ | ||
"stdin containing signature": { | ||
signature: "testsignatureraw", | ||
signatureType: attach.StdinSignature, | ||
expectedErr: false, | ||
}, | ||
"file containing signature": { | ||
signature: "testsignaturefile", | ||
signatureType: attach.FileSignature, | ||
expectedErr: false, | ||
}, | ||
"raw signature as argument": { | ||
signature: "testsignatureraw", | ||
signatureType: attach.RawSignature, | ||
expectedErr: true, | ||
}, | ||
"empty signature as argument": { | ||
signature: "", | ||
signatureType: attach.RawSignature, | ||
expectedErr: true, | ||
}, | ||
} | ||
|
||
imgName := path.Join(repo, "cosign-e2e") | ||
for testName, testCase := range testCases { | ||
t.Run(testName, func(t *testing.T) { | ||
ref, _, cleanup := mkimage(t, imgName) | ||
payload := "testpayload" | ||
payloadPath := mkfile(payload, td, t) | ||
signature := base64.StdEncoding.EncodeToString([]byte(testCase.signature)) | ||
restoreStdin := func() {} | ||
|
||
var sigRef string | ||
if testCase.signatureType == attach.FileSignature { | ||
sigRef = mkfile(signature, td, t) | ||
} else if testCase.signatureType == attach.StdinSignature { | ||
sigRef = "-" | ||
restoreStdin = mockStdin(signature, td, t) | ||
} else { | ||
sigRef = signature | ||
} | ||
// Upload it! | ||
err := attach.SignatureCmd(ctx, options.RegistryOptions{}, sigRef, payloadPath, "", "", "", "", imgName) | ||
if testCase.expectedErr { | ||
mustErr(err, t) | ||
} else { | ||
must(err, t) | ||
} | ||
restoreStdin() | ||
|
||
// Now download it! | ||
se, err := ociremote.SignedEntity(ref, ociremote.WithRemoteOptions(registryClientOpts(ctx)...)) | ||
must(err, t) | ||
sigs, err := se.Signatures() | ||
must(err, t) | ||
signatures, err := sigs.Get() | ||
must(err, t) | ||
|
||
if testCase.expectedErr { | ||
if len(signatures) != 0 { | ||
t.Fatalf("unexpected signatures %d, wanted 0", len(signatures)) | ||
} | ||
} else { | ||
if len(signatures) != 1 { | ||
t.Fatalf("unexpected signatures %d, wanted 1", len(signatures)) | ||
} | ||
|
||
if b64sig, err := signatures[0].Base64Signature(); err != nil { | ||
t.Fatalf("Base64Signature() = %v", err) | ||
} else if diff := cmp.Diff(b64sig, signature); diff != "" { | ||
t.Error(diff) | ||
} | ||
|
||
if p, err := signatures[0].Payload(); err != nil { | ||
t.Fatalf("Payload() = %v", err) | ||
} else if diff := cmp.Diff(p, []byte(payload)); diff != "" { | ||
t.Error(diff) | ||
} | ||
} | ||
|
||
// Now delete it! | ||
cleanup() | ||
}) | ||
} | ||
} | ||
|
||
func TestSaveLoad(t *testing.T) { | ||
td := t.TempDir() | ||
err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) | ||
|