mirror of
https://github.com/kyverno/kyverno.git
synced 2025-01-20 18:52:16 +00:00
373f942ea9
* fix: Allow images to be pulled from insecure registry when allowInsecureRegistry flag is set to true (#10934) Signed-off-by: Pradeep Lakshmi Narasimha <pradeep.vaishnav4@gmail.com> * Update pkg/registryclient/client.go Signed-off-by: Vishal Choudhary <vishal.chdhry.work@gmail.com> --------- Signed-off-by: Pradeep Lakshmi Narasimha <pradeep.vaishnav4@gmail.com> Signed-off-by: Vishal Choudhary <vishal.chdhry.work@gmail.com> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Vishal Choudhary <vishal.chdhry.work@gmail.com>
72 lines
2.6 KiB
Go
72 lines
2.6 KiB
Go
package notary
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/google/go-containerregistry/pkg/name"
|
|
"github.com/google/go-containerregistry/pkg/v1/remote"
|
|
"github.com/kyverno/kyverno/pkg/images"
|
|
"github.com/kyverno/kyverno/pkg/registryclient"
|
|
"gotest.tools/assert"
|
|
)
|
|
|
|
var (
|
|
cert = `-----BEGIN CERTIFICATE-----
|
|
MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
|
|
BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
|
|
Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
|
|
MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
|
|
dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
|
|
DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
|
|
b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
|
|
hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
|
|
Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
|
|
Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
|
|
ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
|
|
A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
|
|
CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
|
|
kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
|
|
Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
|
|
ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
|
|
5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
|
|
uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
|
|
-----END CERTIFICATE-----`
|
|
)
|
|
|
|
func TestExtractStatements(t *testing.T) {
|
|
imageRef := "ghcr.io/kyverno/test-verify-image:signed"
|
|
ref, err := name.ParseReference(imageRef)
|
|
assert.NilError(t, err)
|
|
repoDesc, err := remote.Head(ref)
|
|
assert.NilError(t, err)
|
|
referrers, err := remote.Referrers(ref.Context().Digest(repoDesc.Digest.String()))
|
|
assert.NilError(t, err)
|
|
referrersDescs, err := referrers.IndexManifest()
|
|
assert.NilError(t, err)
|
|
|
|
for _, referrer := range referrersDescs.Manifests {
|
|
if referrer.ArtifactType == "application/vnd.cncf.notary.signature" {
|
|
statements, err := extractStatements(context.Background(), ref, referrer, nil, nil)
|
|
assert.NilError(t, err)
|
|
assert.Assert(t, len(statements) == 1)
|
|
assert.Assert(t, statements[0]["type"] == referrer.ArtifactType)
|
|
assert.Assert(t, statements[0]["mediaType"] == string(referrer.MediaType))
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestNotaryImageVerification(t *testing.T) {
|
|
opts := images.Options{
|
|
ImageRef: "ghcr.io/kyverno/test-verify-image:signed",
|
|
Cert: cert,
|
|
}
|
|
|
|
rc, err := registryclient.New()
|
|
assert.NilError(t, err)
|
|
opts.Client = rc
|
|
|
|
verifier := ¬aryVerifier{}
|
|
_, err = verifier.VerifySignature(context.TODO(), opts)
|
|
assert.NilError(t, err)
|
|
}
|