summaryrefslogtreecommitdiff
path: root/test/e2e/push_test.go
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2022-08-01 13:35:43 +0200
committerGitHub <noreply@github.com>2022-08-01 13:35:43 +0200
commit82137dc64e27a797126ad2d5fcc86af2a621993a (patch)
treec5a2cb426b0de94e1fa1b18e54329d963b6188db /test/e2e/push_test.go
parent271a9f45a462c652d4f025f583fc3bd204d95656 (diff)
parentd462da676cf0e97420d42ea64d72f69cab675922 (diff)
downloadpodman-82137dc64e27a797126ad2d5fcc86af2a621993a.tar.gz
podman-82137dc64e27a797126ad2d5fcc86af2a621993a.tar.bz2
podman-82137dc64e27a797126ad2d5fcc86af2a621993a.zip
Merge pull request #15108 from mtrmac/sigstore-sign
Sigstore sign
Diffstat (limited to 'test/e2e/push_test.go')
-rw-r--r--test/e2e/push_test.go50
1 files changed, 45 insertions, 5 deletions
diff --git a/test/e2e/push_test.go b/test/e2e/push_test.go
index f2a103f6b..898d21d00 100644
--- a/test/e2e/push_test.go
+++ b/test/e2e/push_test.go
@@ -4,6 +4,7 @@ import (
"fmt"
"io/ioutil"
"os"
+ "os/exec"
"path/filepath"
"strings"
@@ -136,6 +137,45 @@ var _ = Describe("Podman push", func() {
Expect(fi.Name()).To(Equal("digestfile.txt"))
Expect(push2).Should(Exit(0))
}
+
+ if !IsRemote() { // Remote does not support signing
+ By("pushing and pulling with sigstore signatures")
+ // Ideally, this should set SystemContext.RegistriesDirPath, but Podman currently doesn’t
+ // expose that as an option. So, for now, modify /etc/directly, and skip testing sigstore if
+ // we don’t have permission to do so.
+ systemRegistriesDAddition := "/etc/containers/registries.d/podman-test-only-temporary-addition.yaml"
+ cmd := exec.Command("cp", "testdata/sigstore-registries.d-fragment.yaml", systemRegistriesDAddition)
+ output, err := cmd.CombinedOutput()
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Skipping sigstore tests because /etc/containers/registries.d isn’t writable: %s", string(output))
+ } else {
+ defer func() {
+ err := os.Remove(systemRegistriesDAddition)
+ Expect(err).ToNot(HaveOccurred())
+ }()
+
+ // Verify that the policy rejects unsigned images
+ push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/sigstore-signed"})
+ push.WaitWithDefaultTimeout()
+ Expect(push).Should(Exit(0))
+ Expect(len(push.ErrorToString())).To(Equal(0))
+
+ pull := podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", "sign/policy.json", "localhost:5000/sigstore-signed"})
+ pull.WaitWithDefaultTimeout()
+ Expect(pull).To(ExitWithError())
+ Expect(pull.ErrorToString()).To(ContainSubstring("A signature was required, but no signature exists"))
+
+ // Sign an image, and verify it is accepted.
+ push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", "--sign-by-sigstore-private-key", "testdata/sigstore-key.key", "--sign-passphrase-file", "testdata/sigstore-key.key.pass", ALPINE, "localhost:5000/sigstore-signed"})
+ push.WaitWithDefaultTimeout()
+ Expect(push).Should(Exit(0))
+ Expect(len(push.ErrorToString())).To(Equal(0))
+
+ pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", "sign/policy.json", "localhost:5000/sigstore-signed"})
+ pull.WaitWithDefaultTimeout()
+ Expect(pull).Should(Exit(0))
+ }
+ }
})
It("podman push to local registry with authorization", func() {
@@ -167,20 +207,20 @@ var _ = Describe("Podman push", func() {
}
lock := GetPortLock("5000")
defer lock.Unlock()
- session := podmanTest.Podman([]string{"run", "--entrypoint", "htpasswd", REGISTRY_IMAGE, "-Bbn", "podmantest", "test"})
- session.WaitWithDefaultTimeout()
- Expect(session).Should(Exit(0))
+ htpasswd := SystemExec("htpasswd", []string{"-Bbn", "podmantest", "test"})
+ htpasswd.WaitWithDefaultTimeout()
+ Expect(htpasswd).Should(Exit(0))
f, err := os.Create(filepath.Join(authPath, "htpasswd"))
Expect(err).ToNot(HaveOccurred())
defer f.Close()
- _, err = f.WriteString(session.OutputToString())
+ _, err = f.WriteString(htpasswd.OutputToString())
Expect(err).ToNot(HaveOccurred())
err = f.Sync()
Expect(err).ToNot(HaveOccurred())
- session = podmanTest.Podman([]string{"run", "-d", "-p", "5000:5000", "--name", "registry", "-v",
+ session := podmanTest.Podman([]string{"run", "-d", "-p", "5000:5000", "--name", "registry", "-v",
strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
"-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",