kyverno/pkg/cosign/cosign_test.go

package cosign

import (
	"testing"

	"github.com/sigstore/cosign/pkg/oci"

	"github.com/go-logr/logr"
	"github.com/sigstore/cosign/pkg/cosign"
	"gotest.tools/assert"
)

const cosignPayload = `{
  "critical": {
 	   "identity": {
 	     "docker-reference": "registry-v2.nirmata.io/pause"
 	    },
   	"image": {
 	     "docker-manifest-digest": "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108"
 	    },
 	    "type": "cosign container image signature"
    },
    "optional": {
		"foo": "bar",
		"bar": "baz"
	}
}`

const tektonPayload = `{
  "Critical": {
    "Identity": {
      "docker-reference": "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"
    },
    "Image": {
      "Docker-manifest-digest": "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816"
    },
    "Type": "Tekton container signature"
  },
  "Optional": {
	  "Issuer": "https://github.com/login/oauth",
	  "Subject": "https://github.com/mycompany/demo/.github/workflows/ci.yml@refs/heads/main"
  }
}`

func TestCosignPayload(t *testing.T) {
	var log logr.Logger = logr.Discard()
	image := "registry-v2.nirmata.io/pause"
	signedPayloads := cosign.SignedPayload{Payload: []byte(cosignPayload)}
	p, err := extractPayload([]oci.Signature{&sig{cosignPayload: signedPayloads}})
	assert.NilError(t, err)
	a := map[string]string{"foo": "bar"}
	err = checkAnnotations(p, a)
	assert.NilError(t, err)
	d, err := extractDigest(image, p, log)
	assert.NilError(t, err)
	assert.Equal(t, d, "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108")

	image2 := "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"
	signedPayloads2 := cosign.SignedPayload{Payload: []byte(tektonPayload)}
	signatures2 := []oci.Signature{&sig{cosignPayload: signedPayloads2}}
	p2, err := extractPayload(signatures2)
	assert.NilError(t, err)

	d2, err := extractDigest(image2, p2, log)
	assert.NilError(t, err)
	assert.Equal(t, d2, "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816")
}

func TestCosignKeyless(t *testing.T) {
	var log logr.Logger = logr.Discard()
	opts := Options{
		ImageRef: "ghcr.io/jimbugwadia/pause2",
		Issuer:   "https://github.com/",
		Subject:  "jim",
		Log:      log,
	}

	_, err := VerifySignature(opts)
	assert.Error(t, err, "subject mismatch: expected jim@nirmata.com, got jim")

	opts.Subject = "jim@nirmata.com"
	_, err = VerifySignature(opts)
	assert.Error(t, err, "issuer mismatch: expected https://github.com/login/oauth, got https://github.com/")

	opts.Issuer = "https://github.com/login/oauth"
	_, err = VerifySignature(opts)
	assert.NilError(t, err)

}
handle Cosign payload variations Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2021-10-28 22:48:35 +00:00			`package cosign`

			`import (`
merge main and fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2021-10-29 16:18:47 +00:00			`"testing"`

feat: support other key methods (#2607) * feat: support other key methods Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com> Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com> * feat: support fetch attestations from repository Signed-off-by: Furkan <furkan.turkal@trendyol.com> Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com> Signed-off-by: Furkan <furkan.turkal@trendyol.com> * fix: parameter type Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> * fix error check Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com> Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-11-03 07:45:35 +00:00			`"github.com/sigstore/cosign/pkg/oci"`

handle Cosign payload variations Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2021-10-28 22:48:35 +00:00			`"github.com/go-logr/logr"`
			`"github.com/sigstore/cosign/pkg/cosign"`
			`"gotest.tools/assert"`
			`)`

			const cosignPayload = `{
			`"critical": {`
			`"identity": {`
			`"docker-reference": "registry-v2.nirmata.io/pause"`
			`},`
			`"image": {`
			`"docker-manifest-digest": "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108"`
			`},`
			`"type": "cosign container image signature"`
			`},`
adding support for Cosign key-value annotations (#2824) * adding annotation check Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * adding tests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * updating manifests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * changing map val type to string form interface{} Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * passing args to opts Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-12-16 06:19:44 +00:00			`"optional": {`
			`"foo": "bar",`
			`"bar": "baz"`
			`}`
handle Cosign payload variations Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2021-10-28 22:48:35 +00:00			}`

			const tektonPayload = `{
			`"Critical": {`
			`"Identity": {`
			`"docker-reference": "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"`
			`},`
			`"Image": {`
			`"Docker-manifest-digest": "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816"`
			`},`
			`"Type": "Tekton container signature"`
			`},`
added issuer check (#2804) * added issuer check Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * switch to using SimpleContainerImage Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * added subject check and required test cases Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * small nits Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * correcting tests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-12-10 19:46:22 +00:00			`"Optional": {`
			`"Issuer": "https://github.com/login/oauth",`
			`"Subject": "https://github.com/mycompany/demo/.github/workflows/ci.yml@refs/heads/main"`
			`}`
handle Cosign payload variations Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2021-10-28 22:48:35 +00:00			}`

			`func TestCosignPayload(t *testing.T) {`
bumps k8s libraries for k8s v1.23 upgrade for kyverno (#3043) * bumps k8s libraries for k8s v1.23 upgrade for kyverno Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes kustomize version Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * updates golang to v1.17 to test fails Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * updates logr package to 1.2.2 Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * Fixed tests for `pkg/cosign` and `pkg/webhooks/generation` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * fix go-logr deps version issue Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com> * fix kube-openapi commit hash Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com> Co-authored-by: shuting <shutting06@gmail.com> Co-authored-by: Abhinav Sinha <abhinav@nirmata.com> Co-authored-by: prateekpandey14 <prateekpandey14@gmail.com> 2022-01-22 12:26:53 +00:00			`var log logr.Logger = logr.Discard()`
handle Cosign payload variations Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2021-10-28 22:48:35 +00:00			`image := "registry-v2.nirmata.io/pause"`
feat: support other key methods (#2607) * feat: support other key methods Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com> Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com> * feat: support fetch attestations from repository Signed-off-by: Furkan <furkan.turkal@trendyol.com> Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com> Signed-off-by: Furkan <furkan.turkal@trendyol.com> * fix: parameter type Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> * fix error check Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com> Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-11-03 07:45:35 +00:00			`signedPayloads := cosign.SignedPayload{Payload: []byte(cosignPayload)}`
update cosign to 1.5.0 and fix issuer and subject for keyless (#3089) * update cosign to 1.5.0 and add checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix subject and issuer checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 05:13:23 +00:00			`p, err := extractPayload([]oci.Signature{&sig{cosignPayload: signedPayloads}})`
added issuer check (#2804) * added issuer check Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * switch to using SimpleContainerImage Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * added subject check and required test cases Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * small nits Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * correcting tests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-12-10 19:46:22 +00:00			`assert.NilError(t, err)`
adding support for Cosign key-value annotations (#2824) * adding annotation check Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * adding tests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * updating manifests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * changing map val type to string form interface{} Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * passing args to opts Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-12-16 06:19:44 +00:00			`a := map[string]string{"foo": "bar"}`
update cosign to 1.5.0 and fix issuer and subject for keyless (#3089) * update cosign to 1.5.0 and add checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix subject and issuer checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 05:13:23 +00:00			`err = checkAnnotations(p, a)`
adding support for Cosign key-value annotations (#2824) * adding annotation check Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * adding tests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * updating manifests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * changing map val type to string form interface{} Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * passing args to opts Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-12-16 06:19:44 +00:00			`assert.NilError(t, err)`
added issuer check (#2804) * added issuer check Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * switch to using SimpleContainerImage Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * added subject check and required test cases Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * small nits Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * correcting tests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-12-10 19:46:22 +00:00			`d, err := extractDigest(image, p, log)`
handle Cosign payload variations Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2021-10-28 22:48:35 +00:00			`assert.NilError(t, err)`
			`assert.Equal(t, d, "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108")`

			`image2 := "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"`
feat: support other key methods (#2607) * feat: support other key methods Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com> Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com> * feat: support fetch attestations from repository Signed-off-by: Furkan <furkan.turkal@trendyol.com> Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com> Signed-off-by: Furkan <furkan.turkal@trendyol.com> * fix: parameter type Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> * fix error check Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com> Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-11-03 07:45:35 +00:00			`signedPayloads2 := cosign.SignedPayload{Payload: []byte(tektonPayload)}`
update cosign to 1.5.0 and fix issuer and subject for keyless (#3089) * update cosign to 1.5.0 and add checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix subject and issuer checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 05:13:23 +00:00			`signatures2 := []oci.Signature{&sig{cosignPayload: signedPayloads2}}`
			`p2, err := extractPayload(signatures2)`
added issuer check (#2804) * added issuer check Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * switch to using SimpleContainerImage Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * added subject check and required test cases Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * small nits Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * correcting tests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-12-10 19:46:22 +00:00			`assert.NilError(t, err)`
update cosign to 1.5.0 and fix issuer and subject for keyless (#3089) * update cosign to 1.5.0 and add checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix subject and issuer checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 05:13:23 +00:00
added issuer check (#2804) * added issuer check Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * switch to using SimpleContainerImage Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * added subject check and required test cases Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * small nits Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> * correcting tests Signed-off-by: Namanl2001 <namanlakhwani@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2021-12-10 19:46:22 +00:00			`d2, err := extractDigest(image2, p2, log)`
handle Cosign payload variations Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2021-10-28 22:48:35 +00:00			`assert.NilError(t, err)`
			`assert.Equal(t, d2, "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816")`
			`}`
fixing and adding tests (#3112) Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> 2022-01-28 06:50:29 +00:00
			`func TestCosignKeyless(t *testing.T) {`
			`var log logr.Logger = logr.Discard()`
			`opts := Options{`
			`ImageRef: "ghcr.io/jimbugwadia/pause2",`
			`Issuer: "https://github.com/",`
			`Subject: "jim",`
			`Log: log,`
			`}`

			`_, err := VerifySignature(opts)`
			`assert.Error(t, err, "subject mismatch: expected jim@nirmata.com, got jim")`

			`opts.Subject = "jim@nirmata.com"`
			`_, err = VerifySignature(opts)`
			`assert.Error(t, err, "issuer mismatch: expected https://github.com/login/oauth, got https://github.com/")`

			`opts.Issuer = "https://github.com/login/oauth"`
			`_, err = VerifySignature(opts)`
			`assert.NilError(t, err)`

			`}`