2025-02-21 06:33:53 +05:30
|
|
|
package cosign
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
|
|
"github.com/go-logr/logr"
|
|
|
|
|
"github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
|
2025-02-23 14:25:32 +05:30
|
|
|
"github.com/kyverno/kyverno/pkg/imageverification/imagedataloader"
|
2025-02-21 06:33:53 +05:30
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
|
)
|
|
|
|
|
|
2025-02-21 14:50:06 +05:30
|
|
|
func Test_ImageSignatureVerificationKeyless(t *testing.T) {
|
2025-02-21 06:33:53 +05:30
|
|
|
image := "ghcr.io/jimbugwadia/pause2"
|
|
|
|
|
idf, err := imagedataloader.New(nil)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
img, err := idf.FetchImageData(context.TODO(), image)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
attestor := &v1alpha1.Attestor{
|
|
|
|
|
Name: "test",
|
|
|
|
|
Cosign: &v1alpha1.Cosign{
|
|
|
|
|
Keyless: &v1alpha1.Keyless{
|
|
|
|
|
Identities: []v1alpha1.Identity{
|
|
|
|
|
{
|
|
|
|
|
Issuer: "https://github.com/login/oauth",
|
|
|
|
|
Subject: "jim@nirmata.com",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
CTLog: &v1alpha1.CTLog{
|
|
|
|
|
URL: "https://rekor.sigstore.dev",
|
|
|
|
|
InsecureIgnoreSCT: true,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2025-02-26 06:26:17 +05:30
|
|
|
v := Verifier{log: logr.Discard()}
|
2025-02-21 06:33:53 +05:30
|
|
|
err = v.VerifyImageSignature(context.TODO(), img, attestor)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_ImageSignatureVerificationFail(t *testing.T) {
|
|
|
|
|
image := "ghcr.io/jimbugwadia/pause2"
|
|
|
|
|
idf, err := imagedataloader.New(nil)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
img, err := idf.FetchImageData(context.TODO(), image)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
attestor := &v1alpha1.Attestor{
|
|
|
|
|
Name: "test",
|
|
|
|
|
Cosign: &v1alpha1.Cosign{
|
|
|
|
|
Keyless: &v1alpha1.Keyless{
|
|
|
|
|
Identities: []v1alpha1.Identity{
|
|
|
|
|
{
|
|
|
|
|
Issuer: "https://github.com/login/oauth",
|
|
|
|
|
Subject: "jim@invalid.com",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
CTLog: &v1alpha1.CTLog{
|
|
|
|
|
URL: "https://rekor.sigstore.dev",
|
|
|
|
|
InsecureIgnoreSCT: true,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2025-02-26 06:26:17 +05:30
|
|
|
v := Verifier{log: logr.Discard()}
|
2025-02-21 06:33:53 +05:30
|
|
|
err = v.VerifyImageSignature(context.TODO(), img, attestor)
|
|
|
|
|
assert.ErrorContains(t, err, "no matching signatures: none of the expected identities matched what was in the certificate")
|
|
|
|
|
}
|
2025-02-21 14:50:06 +05:30
|
|
|
|
|
|
|
|
func Test_ImageSignatureVerificationKeyed(t *testing.T) {
|
|
|
|
|
image := "ghcr.io/kyverno/test-verify-image:signed"
|
|
|
|
|
idf, err := imagedataloader.New(nil)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
img, err := idf.FetchImageData(context.TODO(), image)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
attestor := &v1alpha1.Attestor{
|
|
|
|
|
Name: "test",
|
|
|
|
|
Cosign: &v1alpha1.Cosign{
|
|
|
|
|
Key: &v1alpha1.Key{
|
|
|
|
|
Data: `-----BEGIN PUBLIC KEY-----
|
|
|
|
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
|
|
|
|
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
|
|
|
|
-----END PUBLIC KEY-----`,
|
|
|
|
|
},
|
|
|
|
|
CTLog: &v1alpha1.CTLog{
|
|
|
|
|
URL: "https://rekor.sigstore.dev",
|
|
|
|
|
InsecureIgnoreTlog: true,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2025-02-26 06:26:17 +05:30
|
|
|
v := Verifier{log: logr.Discard()}
|
2025-02-21 14:50:06 +05:30
|
|
|
err = v.VerifyImageSignature(context.TODO(), img, attestor)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_ImageSignatureVerificationKeyedFail(t *testing.T) {
|
|
|
|
|
image := "ghcr.io/kyverno/test-verify-image:signed"
|
|
|
|
|
idf, err := imagedataloader.New(nil)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
img, err := idf.FetchImageData(context.TODO(), image)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
attestor := &v1alpha1.Attestor{
|
|
|
|
|
Name: "test",
|
|
|
|
|
Cosign: &v1alpha1.Cosign{
|
|
|
|
|
Key: &v1alpha1.Key{
|
|
|
|
|
Data: `-----BEGIN PUBLIC KEY-----
|
|
|
|
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoKYkkX32oSx61B4iwKXa6llAF2dB
|
|
|
|
|
IoL3R/9n1SJ7s00Nfkk3z4/Ar6q8el/guUmXi8akEJMxvHnvphorVUz8vQ==
|
|
|
|
|
-----END PUBLIC KEY-----`,
|
|
|
|
|
},
|
|
|
|
|
CTLog: &v1alpha1.CTLog{
|
|
|
|
|
URL: "https://rekor.sigstore.dev",
|
|
|
|
|
InsecureIgnoreTlog: true,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2025-02-26 06:26:17 +05:30
|
|
|
v := Verifier{log: logr.Discard()}
|
2025-02-21 14:50:06 +05:30
|
|
|
err = v.VerifyImageSignature(context.TODO(), img, attestor)
|
|
|
|
|
assert.ErrorContains(t, err, "failed to verify cosign signatures")
|
|
|
|
|
}
|
