kyverno/pkg/cosign/sigstore_test.go

package cosign

import (
	"context"
	"testing"

	"github.com/google/go-containerregistry/pkg/name"
	"github.com/google/go-containerregistry/pkg/v1/remote"
	"github.com/kyverno/kyverno/pkg/images"
	"github.com/kyverno/kyverno/pkg/registryclient"
	"gotest.tools/assert"
)

func TestSigstoreBundleSignatureVerification(t *testing.T) {
	opts := images.Options{
		SigstoreBundle: true,
		ImageRef:       "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",
		Issuer:         "https://token.actions.githubusercontent.com",
		Subject:        "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",
	}

	rc, err := registryclient.New()
	assert.NilError(t, err)
	opts.Client = rc

	verifier := &cosignVerifier{}
	_, err = verifier.VerifySignature(context.TODO(), opts)
	assert.NilError(t, err)

	opts.Subject = "invalid"
	_, err = verifier.VerifySignature(context.TODO(), opts)
	assert.ErrorContains(t, err, "sigstore bundle verification failed: no matching signatures found")
}

func TestSigstoreBundleSignatureResponse(t *testing.T) {
	opts := images.Options{
		SigstoreBundle: true,
		ImageRef:       "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",
		Issuer:         "https://token.actions.githubusercontent.com",
		Subject:        "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",
	}

	rc, err := registryclient.New()
	assert.NilError(t, err)
	opts.Client = rc

	verifier := &cosignVerifier{}
	response, err := verifier.VerifySignature(context.TODO(), opts)
	assert.NilError(t, err)

	ref, err := name.ParseReference(opts.ImageRef)
	assert.NilError(t, err)

	desc, err := remote.Head(ref)
	assert.NilError(t, err)
	assert.Equal(t, desc.Digest.String(), response.Digest)
	assert.Equal(t, len(response.Statements), 0)
}

func TestSigstoreBundleAttestation(t *testing.T) {
	opts := images.Options{
		SigstoreBundle: true,
		ImageRef:       "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",
		Issuer:         "https://token.actions.githubusercontent.com",
		Subject:        "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",
		Type:           "https://slsa.dev/provenance/v1",
	}

	rc, err := registryclient.New()
	assert.NilError(t, err)
	opts.Client = rc

	verifier := &cosignVerifier{}
	response, err := verifier.FetchAttestations(context.TODO(), opts)
	assert.NilError(t, err)

	ref, err := name.ParseReference(opts.ImageRef)
	assert.NilError(t, err)

	desc, err := remote.Head(ref)
	assert.NilError(t, err)

	assert.Equal(t, desc.Digest.String(), response.Digest)
	assert.Assert(t, len(response.Statements) > 0)

	buildType, ok := response.Statements[0]["predicate"].(map[string]interface{})["buildDefinition"].(map[string]interface{})["buildType"].(string)
	assert.Assert(t, ok)
	assert.Equal(t, buildType, "https://actions.github.io/buildtypes/workflow/v1")
}
feat: add support for sigstore bundle verification (#10567) * feat: add support for sigstore bundle verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: missed change Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: another linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: add size check in layer Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-08-16 17:06:48 +05:30			`package cosign`

			`import (`
			`"context"`
			`"testing"`

			`"github.com/google/go-containerregistry/pkg/name"`
			`"github.com/google/go-containerregistry/pkg/v1/remote"`
			`"github.com/kyverno/kyverno/pkg/images"`
			`"github.com/kyverno/kyverno/pkg/registryclient"`
			`"gotest.tools/assert"`
			`)`

			`func TestSigstoreBundleSignatureVerification(t *testing.T) {`
			`opts := images.Options{`
			`SigstoreBundle: true,`
			`ImageRef: "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",`
			`Issuer: "https://token.actions.githubusercontent.com",`
			`Subject: "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",`
			`}`

			`rc, err := registryclient.New()`
			`assert.NilError(t, err)`
			`opts.Client = rc`

			`verifier := &cosignVerifier{}`
			`_, err = verifier.VerifySignature(context.TODO(), opts)`
			`assert.NilError(t, err)`

			`opts.Subject = "invalid"`
			`_, err = verifier.VerifySignature(context.TODO(), opts)`
			`assert.ErrorContains(t, err, "sigstore bundle verification failed: no matching signatures found")`
			`}`

			`func TestSigstoreBundleSignatureResponse(t *testing.T) {`
			`opts := images.Options{`
			`SigstoreBundle: true,`
			`ImageRef: "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",`
			`Issuer: "https://token.actions.githubusercontent.com",`
			`Subject: "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",`
			`}`

			`rc, err := registryclient.New()`
			`assert.NilError(t, err)`
			`opts.Client = rc`

			`verifier := &cosignVerifier{}`
			`response, err := verifier.VerifySignature(context.TODO(), opts)`
			`assert.NilError(t, err)`

			`ref, err := name.ParseReference(opts.ImageRef)`
			`assert.NilError(t, err)`

			`desc, err := remote.Head(ref)`
			`assert.NilError(t, err)`
			`assert.Equal(t, desc.Digest.String(), response.Digest)`
			`assert.Equal(t, len(response.Statements), 0)`
			`}`

			`func TestSigstoreBundleAttestation(t *testing.T) {`
			`opts := images.Options{`
			`SigstoreBundle: true,`
			`ImageRef: "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",`
			`Issuer: "https://token.actions.githubusercontent.com",`
			`Subject: "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",`
			`Type: "https://slsa.dev/provenance/v1",`
			`}`

			`rc, err := registryclient.New()`
			`assert.NilError(t, err)`
			`opts.Client = rc`

			`verifier := &cosignVerifier{}`
			`response, err := verifier.FetchAttestations(context.TODO(), opts)`
			`assert.NilError(t, err)`

			`ref, err := name.ParseReference(opts.ImageRef)`
			`assert.NilError(t, err)`

			`desc, err := remote.Head(ref)`
			`assert.NilError(t, err)`

			`assert.Equal(t, desc.Digest.String(), response.Digest)`
			`assert.Assert(t, len(response.Statements) > 0)`

			`buildType, ok := response.Statements[0]["predicate"].(map[string]interface{})["buildDefinition"].(map[string]interface{})["buildType"].(string)`
			`assert.Assert(t, ok)`
			`assert.Equal(t, buildType, "https://actions.github.io/buildtypes/workflow/v1")`
			`}`