package cosign
import (
"context"
"testing"
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/kyverno/kyverno/pkg/images"
"github.com/kyverno/kyverno/pkg/registryclient"
"gotest.tools/assert"
)
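// TestSigstoreBundleSignatureVerification checks that a sigstore-bundle
// signature verifies for the expected OIDC issuer/subject pair and that a
// mismatched subject is rejected rather than silently accepted.
//
// The test pulls the image reference from a live registry, so it is skipped
// under `go test -short` where network access is not expected.
func TestSigstoreBundleSignatureVerification(t *testing.T) {
	if testing.Short() {
		t.Skip("requires network access to a live registry")
	}
	opts := images.Options{
		SigstoreBundle: true,
		ImageRef:       "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",
		Issuer:         "https://token.actions.githubusercontent.com",
		Subject:        "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",
	}
	rc, err := registryclient.New()
	assert.NilError(t, err)
	opts.Client = rc

	verifier := &cosignVerifier{}

	// Positive case: issuer and subject match the bundle's certificate identity.
	_, err = verifier.VerifySignature(context.TODO(), opts)
	assert.NilError(t, err)

	// Negative case: a wrong subject must fail closed; the error text is part
	// of the contract callers may match on, so it is asserted verbatim.
	opts.Subject = "invalid"
	_, err = verifier.VerifySignature(context.TODO(), opts)
	assert.ErrorContains(t, err, "sigstore bundle verification failed: no matching signatures found")
}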
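// TestSigstoreBundleSignatureResponse checks the shape of a successful
// VerifySignature response: the returned digest must equal the digest the
// registry reports for the same reference, and a plain signature verification
// must not surface any attestation statements.
//
// The test resolves the reference against a live registry, so it is skipped
// under `go test -short`.
func TestSigstoreBundleSignatureResponse(t *testing.T) {
	if testing.Short() {
		t.Skip("requires network access to a live registry")
	}
	opts := images.Options{
		SigstoreBundle: true,
		ImageRef:       "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",
		Issuer:         "https://token.actions.githubusercontent.com",
		Subject:        "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",
	}
	rc, err := registryclient.New()
	assert.NilError(t, err)
	opts.Client = rc

	verifier := &cosignVerifier{}
	response, err := verifier.VerifySignature(context.TODO(), opts)
	assert.NilError(t, err)

	// Resolve the tag independently so the digest in the response is compared
	// against what the registry serves, not against a value derived from the
	// verifier itself.
	ref, err := name.ParseReference(opts.ImageRef, rc.NameOptions()...)
	assert.NilError(t, err)
	desc, err := remote.Head(ref)
	assert.NilError(t, err)

	assert.Equal(t, desc.Digest.String(), response.Digest)
	assert.Equal(t, len(response.Statements), 0)
}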
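// TestSigstoreBundleAttestation checks that FetchAttestations returns the
// registry's digest for the reference together with at least one statement of
// the requested predicate type, and that the first statement carries the
// expected SLSA build type.
//
// Each step of the predicate walk is type-checked separately so that an
// unexpected document shape fails the test with a message instead of
// panicking on a failed type assertion.
//
// The test resolves the reference against a live registry, so it is skipped
// under `go test -short`.
func TestSigstoreBundleAttestation(t *testing.T) {
	if testing.Short() {
		t.Skip("requires network access to a live registry")
	}
	opts := images.Options{
		SigstoreBundle: true,
		ImageRef:       "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",
		Issuer:         "https://token.actions.githubusercontent.com",
		Subject:        "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",
		Type:           "https://slsa.dev/provenance/v1",
	}
	rc, err := registryclient.New()
	assert.NilError(t, err)
	opts.Client = rc

	verifier := &cosignVerifier{}
	response, err := verifier.FetchAttestations(context.TODO(), opts)
	assert.NilError(t, err)

	// Compare against the digest the registry serves for the same reference.
	ref, err := name.ParseReference(opts.ImageRef, rc.NameOptions()...)
	assert.NilError(t, err)
	desc, err := remote.Head(ref)
	assert.NilError(t, err)
	assert.Equal(t, desc.Digest.String(), response.Digest)

	assert.Assert(t, len(response.Statements) > 0, "expected at least one attestation statement")

	// Walk predicate.buildDefinition.buildType one level at a time; a chained
	// assertion would panic (not fail) if any level had a different shape.
	predicate, ok := response.Statements[0]["predicate"].(map[string]interface{})
	assert.Assert(t, ok, "statement predicate is not an object")
	buildDefinition, ok := predicate["buildDefinition"].(map[string]interface{})
	assert.Assert(t, ok, "predicate.buildDefinition is not an object")
	buildType, ok := buildDefinition["buildType"].(string)
	assert.Assert(t, ok, "buildDefinition.buildType is not a string")
	assert.Equal(t, buildType, "https://actions.github.io/buildtypes/workflow/v1")
}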