From 294e3020c5fe70374050ed78ba64ed450ee6bc05 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 19 Dec 2024 15:04:58 +0000 Subject: [PATCH 1/5] fix e2e test Signed-off-by: Austin Abro --- src/cmd/package.go | 3 ++- src/internal/packager2/pull.go | 9 +++++---- src/internal/packager2/pull_test.go | 2 +- src/test/e2e/11_oci_pull_inspect_test.go | 5 ++++- src/test/nightly/ecr_publish_test.go | 6 +----- 5 files changed, 13 insertions(+), 12 deletions(-) diff --git a/src/cmd/package.go b/src/cmd/package.go index 3d7728a4d0..c659deb9ad 100644 --- a/src/cmd/package.go +++ b/src/cmd/package.go @@ -615,6 +615,7 @@ func NewPackagePullCommand(v *viper.Viper) *cobra.Command { cmd.Flags().StringVar(&pkgConfig.PkgOpts.Shasum, "shasum", "", lang.CmdPackagePullFlagShasum) cmd.Flags().StringVarP(&pkgConfig.PullOpts.OutputDirectory, "output-directory", "o", v.GetString(common.VPkgPullOutputDir), lang.CmdPackagePullFlagOutputDirectory) + cmd.Flags().BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) return cmd } @@ -629,7 +630,7 @@ func (o *PackagePullOptions) Run(cmd *cobra.Command, args []string) error { } outputDir = wd } - err := packager2.Pull(cmd.Context(), args[0], outputDir, pkgConfig.PkgOpts.Shasum, filters.Empty(), pkgConfig.PkgOpts.PublicKeyPath) + err := packager2.Pull(cmd.Context(), args[0], outputDir, pkgConfig.PkgOpts.Shasum, filters.Empty(), pkgConfig.PkgOpts.PublicKeyPath, pkgConfig.PkgOpts.SkipSignatureValidation) if err != nil { return err } diff --git a/src/internal/packager2/pull.go b/src/internal/packager2/pull.go index a8426857fc..31a57fa8d9 100644 --- a/src/internal/packager2/pull.go +++ b/src/internal/packager2/pull.go 
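Review bot: The new `--skip-signature-validation` flag in NewPackagePullCommand is registered with no handling for the case where a public key is also supplied. Run forwards both `pkgConfig.PkgOpts.PublicKeyPath` and `pkgConfig.PkgOpts.SkipSignatureValidation` to `packager2.Pull`, so which one wins is decided further down and is not visible here. A user who passes a key presumably expects verification to run, so I would reject the combination at the command layer before the Pull call, e.g. `if pkgConfig.PkgOpts.PublicKeyPath != "" && pkgConfig.PkgOpts.SkipSignatureValidation { return errors.New("--skip-signature-validation cannot be combined with a public key") }`. Both function bodies start and end outside their hunks, so an existing check elsewhere cannot be ruled out.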
@@ -29,7 +29,7 @@ import ( ) // Pull fetches the Zarf package from the given sources. -func Pull(ctx context.Context, src, dir, shasum string, filter filters.ComponentFilterStrategy, publicKeyPath string) error { +func Pull(ctx context.Context, src, dir, shasum string, filter filters.ComponentFilterStrategy, publicKeyPath string, skipSignatureValidation bool) error { u, err := url.Parse(src) if err != nil { return err @@ -48,9 +48,10 @@ func Pull(ctx context.Context, src, dir, shasum string, filter filters.Component defer os.Remove(tmpDir) tmpPath := filepath.Join(tmpDir, "data.tar.zst") + isPartial := false switch u.Scheme { case "oci": - _, err := pullOCI(ctx, src, tmpPath, shasum, filter) + isPartial, err = pullOCI(ctx, src, tmpPath, shasum, filter) if err != nil { return err } @@ -66,8 +67,8 @@ func Pull(ctx context.Context, src, dir, shasum string, filter filters.Component // This loadFromTar is done so that validatePackageIntegrtiy and validatePackageSignature are called layoutOpt := layout.PackageLayoutOptions{ PublicKeyPath: publicKeyPath, - SkipSignatureValidation: false, - IsPartial: false, + SkipSignatureValidation: skipSignatureValidation, + IsPartial: isPartial, } _, err = layout.LoadFromTar(ctx, tmpPath, layoutOpt) if err != nil { diff --git a/src/internal/packager2/pull_test.go b/src/internal/packager2/pull_test.go index da649d71e5..e0497871b1 100644 --- a/src/internal/packager2/pull_test.go +++ b/src/internal/packager2/pull_test.go @@ -39,7 +39,7 @@ func TestPull(t *testing.T) { dir := t.TempDir() shasum := "bef73d652f004d214d5cf9e00195293f7ae8390b8ff6ed45e39c2c9eb622b873" - err := Pull(ctx, srv.URL, dir, shasum, filters.Empty(), "") + err := Pull(ctx, srv.URL, dir, shasum, filters.Empty(), "", false) require.NoError(t, err) packageData, err := os.ReadFile(packagePath) diff --git a/src/test/e2e/11_oci_pull_inspect_test.go b/src/test/e2e/11_oci_pull_inspect_test.go index f3525c8109..2ad374d238 100644 --- a/src/test/e2e/11_oci_pull_inspect_test.go 
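Review bot: Pull now takes a bare trailing bool for a security-relevant switch, and the updated call in pull_test.go reads `Pull(ctx, srv.URL, dir, shasum, filters.Empty(), "", false)`, where nothing tells the reader that `false` means "verify the signature". The doc comment still only says that Pull fetches the package; I would add a line such as `// If skipSignatureValidation is true the package signature is not checked; set it only on explicit user request.` A small options struct holding publicKeyPath and skipSignatureValidation would make call sites self-describing, though that is more than this fix needs.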
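Review bot: The comment above `layoutOpt` still says LoadFromTar is called so that both the integrity and the signature validation run, which no longer holds when `skipSignatureValidation` is true. I would reword it to `// LoadFromTar runs the package integrity check, and the signature check unless skipSignatureValidation is set`. This is also the point where verification is switched off, so a warning-level log line when the flag is true would leave a trace of an unverified pull; whether layout.LoadFromTar already emits one is not visible in this hunk. Pull's body continues outside the hunk.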
+++ b/src/test/e2e/11_oci_pull_inspect_test.go @@ -52,7 +52,10 @@ func (suite *PullInspectTestSuite) Test_0_Pull() { stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http") suite.Error(err, stdOut, stdErr) - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http", publicKeyFlag) + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http", publicKeyFlag, "-o", outputPath) + suite.NoError(err, stdOut, stdErr) + + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http", "--skip-signature-validation", "-o", outputPath) suite.NoError(err, stdOut, stdErr) stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", simplePackageRef, "--plain-http") diff --git a/src/test/nightly/ecr_publish_test.go b/src/test/nightly/ecr_publish_test.go index 7ada0c5eda..d32295f700 100644 --- a/src/test/nightly/ecr_publish_test.go +++ b/src/test/nightly/ecr_publish_test.go @@ -63,16 +63,12 @@ func TestECRPublishing(t *testing.T) { require.NoError(t, err, stdOut, stdErr) // Validate that we can pull the package down from ECR - stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL) + stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL, keyFlag, fmt.Sprintf("-o=%s", tmpDir)) require.NoError(t, err, stdOut, stdErr) - defer e2e.CleanFiles(t, testPackageFileName) - // Ensure we get a warning when trying to inspect the package without providing the public key - // and the insecure flag stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", testPackageFileName, "--skip-signature-validation") require.NoError(t, err, stdOut, stdErr) - // Validate that we get no warnings when inspecting the package while providing the public key stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", testPackageFileName, keyFlag) require.NoError(t, err, stdOut, stdErr) } 
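Review bot: The added `--skip-signature-validation` pull in Test_0_Pull is checked only with `suite.NoError`, and it writes to the same `outputPath` as the keyed pull just before it, so a file left by the first pull would hide a skip pull that wrote nothing. I would pull into a separate directory, or remove the file between the two calls, and assert the result with `suite.FileExists(<pulled package path>)`. A negative case that supplies a non-matching public key and asserts `suite.Error` would also pin that the keyed path still enforces verification; the hunk only shows the no-key failure. Test_0_Pull starts and ends outside the hunk.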
From 69ed8608e45da74dfa77af4fda86ed130fd16bc2 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 19 Dec 2024 15:19:44 +0000 Subject: [PATCH 2/5] pull make docs and schema Signed-off-by: Austin Abro --- site/src/content/docs/commands/zarf_package_pull.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/site/src/content/docs/commands/zarf_package_pull.md b/site/src/content/docs/commands/zarf_package_pull.md index 44830762b5..eda39e7ec7 100644 --- a/site/src/content/docs/commands/zarf_package_pull.md +++ b/site/src/content/docs/commands/zarf_package_pull.md @@ -31,9 +31,10 @@ $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a sk ### Options ``` - -h, --help help for pull - -o, --output-directory string Specify the output directory for the pulled Zarf package - --shasum string Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum ' + -h, --help help for pull + -o, --output-directory string Specify the output directory for the pulled Zarf package + --shasum string Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum ' + --skip-signature-validation Skip validating the signature of the Zarf package ``` ### Options inherited from parent commands From 41162886ee76a8935d92aad45104c7ac2095ef26 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 19 Dec 2024 15:43:03 +0000 Subject: [PATCH 3/5] path to inspect Signed-off-by: Austin Abro --- .github/workflows/nightly-ecr.yml | 10 +++++----- src/test/nightly/ecr_publish_test.go | 6 ++++-- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/nightly-ecr.yml b/.github/workflows/nightly-ecr.yml index aafbda5b7d..0575413117 100644 --- a/.github/workflows/nightly-ecr.yml +++ b/.github/workflows/nightly-ecr.yml 
@@ -49,8 +49,8 @@ jobs: if: always() uses: ./.github/actions/save-logs - - name: Send trigger to Slack on workflow failure - if: failure() - uses: ./.github/actions/slack - with: - slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} + # - name: Send trigger to Slack on workflow failure + # if: failure() + # uses: ./.github/actions/slack + # with: + # slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/src/test/nightly/ecr_publish_test.go b/src/test/nightly/ecr_publish_test.go index d32295f700..3350c5d9c5 100644 --- a/src/test/nightly/ecr_publish_test.go +++ b/src/test/nightly/ecr_publish_test.go @@ -66,9 +66,11 @@ func TestECRPublishing(t *testing.T) { stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL, keyFlag, fmt.Sprintf("-o=%s", tmpDir)) require.NoError(t, err, stdOut, stdErr) - stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", testPackageFileName, "--skip-signature-validation") + pulledPath := filepath.Join(tmpDir, testPackageFileName) + + stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", pulledPath, "--skip-signature-validation") require.NoError(t, err, stdOut, stdErr) - stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", testPackageFileName, keyFlag) + stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", pulledPath, keyFlag) require.NoError(t, err, stdOut, stdErr) } From fbd0afdd1a2bc796a088099e5b89f3617a62e492 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 19 Dec 2024 15:48:48 +0000 Subject: [PATCH 4/5] path to inspect Signed-off-by: Austin Abro --- src/test/nightly/ecr_publish_test.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/test/nightly/ecr_publish_test.go b/src/test/nightly/ecr_publish_test.go index 3350c5d9c5..8c35dde0e4 100644 --- a/src/test/nightly/ecr_publish_test.go +++ b/src/test/nightly/ecr_publish_test.go 
@@ -63,14 +63,15 @@ func TestECRPublishing(t *testing.T) { require.NoError(t, err, stdOut, stdErr) // Validate that we can pull the package down from ECR - stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL, keyFlag, fmt.Sprintf("-o=%s", tmpDir)) + pullTempDir := t.TempDir() + stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL, keyFlag, fmt.Sprintf("-o=%s", pullTempDir)) require.NoError(t, err, stdOut, stdErr) - pulledPath := filepath.Join(tmpDir, testPackageFileName) + pulledPackagePath := filepath.Join(pullTempDir, testPackageFileName) - stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", pulledPath, "--skip-signature-validation") + stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", pulledPackagePath, "--skip-signature-validation") require.NoError(t, err, stdOut, stdErr) - stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", pulledPath, keyFlag) + stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", pulledPackagePath, keyFlag) require.NoError(t, err, stdOut, stdErr) } From 49c3e08a69a613b6ed9da11758a89e7f51671b4d Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 19 Dec 2024 15:52:59 +0000 Subject: [PATCH 5/5] re-add workflow Signed-off-by: Austin Abro --- .github/workflows/nightly-ecr.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/nightly-ecr.yml b/.github/workflows/nightly-ecr.yml index 0575413117..aafbda5b7d 100644 --- a/.github/workflows/nightly-ecr.yml +++ b/.github/workflows/nightly-ecr.yml @@ -49,8 +49,8 @@ jobs: if: always() uses: ./.github/actions/save-logs - # - name: Send trigger to Slack on workflow failure - # if: failure() - # uses: ./.github/actions/slack - # with: - # slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} + - name: Send trigger to Slack on workflow failure + if: failure() + uses: ./.github/actions/slack + with: + slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}