fix: expect base64 string in raw tuf root (#11117) (#11128)

* fix: expect base64 string in raw tuf root * fix: add tests * fix: rename kyverno yaml file --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-12-15 17:51:20 +00:00 · 2024-09-12 13:31:35 +00:00 · 2024-09-12 13:31:35 +00:00 · 458b84e366
commit 458b84e366
parent a7fb4bbf4c
11 changed files with 115 additions and 1 deletions
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@ -563,6 +563,26 @@ jobs:
          token: ${{ secrets.GITHUB_TOKEN }}
          chainsaw-tests: ${{ matrix.tests }}

+  sigstore-custom-tuf:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: read
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+        tests: ${{ fromJSON(needs.define-matrix.outputs.tests).sigstore-custom-tuf }}
+    needs: [ prepare-images, define-matrix ]
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: ./.github/actions/run-tests
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+          kind-config: ./scripts/config/kind/vap-v1beta1.yaml
+          kyverno-configs: standard,sigstore-custom-tuf
+          token: ${{ secrets.GITHUB_TOKEN }}
+          chainsaw-tests: ${{ matrix.tests }}
+
  custom-sigstore:
    runs-on: ubuntu-latest
    permissions:
--- a/cmd/internal/tuf.go
+++ b/cmd/internal/tuf.go
@ -2,6 +2,7 @@ package internal

 import (
 	"context"
+	"encoding/base64"
 	"fmt"

 	"github.com/go-logr/logr"
@ -24,7 +25,11 @@ func setupSigstoreTUF(ctx context.Context, logger logr.Logger) {
 			checkError(logger, err, fmt.Sprintf("Failed to read alternate TUF root file %s : %v", tufRoot, err))
 		}
 	} else if tufRootRaw != "" {
-		tufRootBytes = []byte(tufRootRaw)
+		root, err := base64.StdEncoding.DecodeString(tufRootRaw)
+		if err != nil {
+			checkError(logger, err, fmt.Sprintf("Failed to base64 decode TUF root  %s : %v", tufRootRaw, err))
+		}
+		tufRootBytes = root
 	}

 	logger.Info("Initializing TUF root")
--- a/pkg/cosign/sigstore.go
+++ b/pkg/cosign/sigstore.go
@ -83,6 +83,8 @@ func verifyBundles(bundles []*Bundle, desc *v1.Descriptor, trustedRoot *root.Tru
 		result, err := verifier.Verify(bundle.ProtoBundle, policy)
 		if err == nil {
 			verificationResults = append(verificationResults, &VerificationResult{Bundle: bundle, Result: result, Desc: desc})
+		} else {
+			logger.V(4).Info("failed to verify sigstore bundle", "err", err.Error(), "bundle", bundle)
 		}
 	}

--- a/scripts/config/sigstore-custom-tuf/kyverno.yaml
+++ b/scripts/config/sigstore-custom-tuf/kyverno.yaml
--- a/test/conformance/chainsaw/e2e-matrix.json
+++ b/test/conformance/chainsaw/e2e-matrix.json
@ -106,6 +106,9 @@
  "reports": [
    "^reports$"
  ],
+  "sigstore-custom-tuf": [
+    "^sigstore-custom-tuf$"
+  ],
  "ttl": [
    "^ttl$"
  ],
--- a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/README.md
+++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/README.md
@ -0,0 +1,4 @@
+## Description
+
+This test verifies sigstore bundle attached to an image.
+
--- a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/chainsaw-test.yaml
@ -0,0 +1,20 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: sigstore-image-verification
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod.yaml
+    - assert:
+        file: pod-assert.yaml
+
--- a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod-assert.yaml
+++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod-assert.yaml
@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  namespace: default
+
--- a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod.yaml
+++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  namespace: default
+spec:
+  containers:
+  - image: ghcr.io/nirmata/github-signing-demo:latest
+    name: test-container
+
--- a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy-assert.yaml
+++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy-assert.yaml
@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sigstore-image-verification
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+
--- a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy.yaml
+++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy.yaml
@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+  name: sigstore-image-verification
+spec:
+  background: false
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    name: sigstore-image-verification
+    verifyImages:
+    - imageReferences:
+      - "*"
+      type: SigstoreBundle
+      attestors:
+      - entries:
+        - keyless:
+            issuer: https://token.actions.githubusercontent.com
+            subject: https://github.com/nirmata/github-signing-demo/.github/workflows/build-attested-image.yaml@refs/heads/main
+            rekor:
+                url: https://rekor.sigstore.dev
+                ignoreTlog: true