2024-08-16 17:06:48 +05:30
|
|
|
package cosign
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/google/go-containerregistry/pkg/name"
|
|
|
|
"github.com/google/go-containerregistry/pkg/v1/remote"
|
|
|
|
"github.com/kyverno/kyverno/pkg/images"
|
|
|
|
"github.com/kyverno/kyverno/pkg/registryclient"
|
|
|
|
"gotest.tools/assert"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestSigstoreBundleSignatureVerification(t *testing.T) {
|
|
|
|
opts := images.Options{
|
|
|
|
SigstoreBundle: true,
|
|
|
|
ImageRef: "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",
|
|
|
|
Issuer: "https://token.actions.githubusercontent.com",
|
|
|
|
Subject: "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",
|
|
|
|
}
|
|
|
|
|
|
|
|
rc, err := registryclient.New()
|
|
|
|
assert.NilError(t, err)
|
|
|
|
opts.Client = rc
|
|
|
|
|
|
|
|
verifier := &cosignVerifier{}
|
|
|
|
_, err = verifier.VerifySignature(context.TODO(), opts)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
opts.Subject = "invalid"
|
|
|
|
_, err = verifier.VerifySignature(context.TODO(), opts)
|
|
|
|
assert.ErrorContains(t, err, "sigstore bundle verification failed: no matching signatures found")
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSigstoreBundleSignatureResponse(t *testing.T) {
|
|
|
|
opts := images.Options{
|
|
|
|
SigstoreBundle: true,
|
|
|
|
ImageRef: "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",
|
|
|
|
Issuer: "https://token.actions.githubusercontent.com",
|
|
|
|
Subject: "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",
|
|
|
|
}
|
|
|
|
|
|
|
|
rc, err := registryclient.New()
|
|
|
|
assert.NilError(t, err)
|
|
|
|
opts.Client = rc
|
|
|
|
|
|
|
|
verifier := &cosignVerifier{}
|
|
|
|
response, err := verifier.VerifySignature(context.TODO(), opts)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
2024-10-07 20:59:12 +05:30
|
|
|
nameOpts := rc.NameOptions()
|
|
|
|
ref, err := name.ParseReference(opts.ImageRef, nameOpts...)
|
2024-08-16 17:06:48 +05:30
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
desc, err := remote.Head(ref)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
assert.Equal(t, desc.Digest.String(), response.Digest)
|
|
|
|
assert.Equal(t, len(response.Statements), 0)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSigstoreBundleAttestation(t *testing.T) {
|
|
|
|
opts := images.Options{
|
|
|
|
SigstoreBundle: true,
|
|
|
|
ImageRef: "ghcr.io/vishal-chdhry/artifact-attestation-example:artifact-attestation",
|
|
|
|
Issuer: "https://token.actions.githubusercontent.com",
|
|
|
|
Subject: "https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main",
|
|
|
|
Type: "https://slsa.dev/provenance/v1",
|
|
|
|
}
|
|
|
|
|
|
|
|
rc, err := registryclient.New()
|
|
|
|
assert.NilError(t, err)
|
|
|
|
opts.Client = rc
|
|
|
|
|
|
|
|
verifier := &cosignVerifier{}
|
|
|
|
response, err := verifier.FetchAttestations(context.TODO(), opts)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
2024-10-07 20:59:12 +05:30
|
|
|
nameOpts := rc.NameOptions()
|
|
|
|
ref, err := name.ParseReference(opts.ImageRef, nameOpts...)
|
2024-08-16 17:06:48 +05:30
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
desc, err := remote.Head(ref)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
assert.Equal(t, desc.Digest.String(), response.Digest)
|
|
|
|
assert.Assert(t, len(response.Statements) > 0)
|
|
|
|
|
|
|
|
buildType, ok := response.Statements[0]["predicate"].(map[string]interface{})["buildDefinition"].(map[string]interface{})["buildType"].(string)
|
|
|
|
assert.Assert(t, ok)
|
|
|
|
assert.Equal(t, buildType, "https://actions.github.io/buildtypes/workflow/v1")
|
|
|
|
}
|