diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2022-08-01 13:35:43 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-01 13:35:43 +0200 |
commit | 82137dc64e27a797126ad2d5fcc86af2a621993a (patch) | |
tree | c5a2cb426b0de94e1fa1b18e54329d963b6188db /test/e2e | |
parent | 271a9f45a462c652d4f025f583fc3bd204d95656 (diff) | |
parent | d462da676cf0e97420d42ea64d72f69cab675922 (diff) | |
download | podman-82137dc64e27a797126ad2d5fcc86af2a621993a.tar.gz podman-82137dc64e27a797126ad2d5fcc86af2a621993a.tar.bz2 podman-82137dc64e27a797126ad2d5fcc86af2a621993a.zip |
Merge pull request #15108 from mtrmac/sigstore-sign
Sigstore sign
Diffstat (limited to 'test/e2e')
-rw-r--r-- | test/e2e/config_amd64.go | 2 | ||||
-rw-r--r-- | test/e2e/config_arm64.go | 2 | ||||
-rw-r--r-- | test/e2e/login_logout_test.go | 14 | ||||
-rw-r--r-- | test/e2e/push_test.go | 50 | ||||
-rw-r--r-- | test/e2e/sign/policy.json | 6 | ||||
-rw-r--r-- | test/e2e/testdata/sigstore-key.key | 11 | ||||
-rw-r--r-- | test/e2e/testdata/sigstore-key.key.pass | 1 | ||||
-rw-r--r-- | test/e2e/testdata/sigstore-key.pub | 4 | ||||
-rw-r--r-- | test/e2e/testdata/sigstore-registries.d-fragment.yaml | 3 |
9 files changed, 79 insertions, 14 deletions
diff --git a/test/e2e/config_amd64.go b/test/e2e/config_amd64.go index f32542df8..ba7940d57 100644 --- a/test/e2e/config_amd64.go +++ b/test/e2e/config_amd64.go @@ -8,7 +8,7 @@ var ( CACHE_IMAGES = []string{ALPINE, BB, fedoraMinimal, NGINX_IMAGE, REDIS_IMAGE, REGISTRY_IMAGE, INFRA_IMAGE, LABELS_IMAGE, HEALTHCHECK_IMAGE, UBI_INIT, UBI_MINIMAL, fedoraToolbox} //nolint:revive,stylecheck NGINX_IMAGE = "quay.io/libpod/alpine_nginx:latest" //nolint:revive,stylecheck BB_GLIBC = "docker.io/library/busybox:glibc" //nolint:revive,stylecheck - REGISTRY_IMAGE = "quay.io/libpod/registry:2.6" //nolint:revive,stylecheck + REGISTRY_IMAGE = "quay.io/libpod/registry:2.8" //nolint:revive,stylecheck LABELS_IMAGE = "quay.io/libpod/alpine_labels:latest" //nolint:revive,stylecheck UBI_MINIMAL = "registry.access.redhat.com/ubi8-minimal" //nolint:revive,stylecheck UBI_INIT = "registry.access.redhat.com/ubi8-init" //nolint:revive,stylecheck diff --git a/test/e2e/config_arm64.go b/test/e2e/config_arm64.go index c1e0afc47..32ed2f90d 100644 --- a/test/e2e/config_arm64.go +++ b/test/e2e/config_arm64.go @@ -8,7 +8,7 @@ var ( CACHE_IMAGES = []string{ALPINE, BB, fedoraMinimal, NGINX_IMAGE, REDIS_IMAGE, REGISTRY_IMAGE, INFRA_IMAGE, LABELS_IMAGE, HEALTHCHECK_IMAGE, UBI_INIT, UBI_MINIMAL, fedoraToolbox} //nolint:revive,stylecheck NGINX_IMAGE = "quay.io/lsm5/alpine_nginx-aarch64:latest" //nolint:revive,stylecheck BB_GLIBC = "docker.io/library/busybox:glibc" //nolint:revive,stylecheck - REGISTRY_IMAGE = "quay.io/libpod/registry:2.6" //nolint:revive,stylecheck + REGISTRY_IMAGE = "quay.io/libpod/registry:2.8" //nolint:revive,stylecheck LABELS_IMAGE = "quay.io/libpod/alpine_labels:latest" //nolint:revive,stylecheck UBI_MINIMAL = "registry.access.redhat.com/ubi8-minimal" //nolint:revive,stylecheck UBI_INIT = "registry.access.redhat.com/ubi8-init" //nolint:revive,stylecheck diff --git a/test/e2e/login_logout_test.go b/test/e2e/login_logout_test.go index 3ae130c6d..60c53e27e 100644 --- a/test/e2e/login_logout_test.go +++ b/test/e2e/login_logout_test.go @@ -52,15 +52,15 @@ var _ = Describe("Podman login and logout", func() { } } - session := podmanTest.Podman([]string{"run", "--entrypoint", "htpasswd", "registry:2.6", "-Bbn", "podmantest", "test"}) - session.WaitWithDefaultTimeout() - Expect(session).Should(Exit(0)) + htpasswd := SystemExec("htpasswd", []string{"-Bbn", "podmantest", "test"}) + htpasswd.WaitWithDefaultTimeout() + Expect(htpasswd).Should(Exit(0)) f, err := os.Create(filepath.Join(authPath, "htpasswd")) Expect(err).ToNot(HaveOccurred()) defer f.Close() - _, err = f.WriteString(session.OutputToString()) + _, err = f.WriteString(htpasswd.OutputToString()) Expect(err).ToNot(HaveOccurred()) err = f.Sync() Expect(err).ToNot(HaveOccurred()) @@ -80,12 +80,12 @@ var _ = Describe("Podman login and logout", func() { setup := SystemExec("cp", []string{filepath.Join(certPath, "domain.crt"), filepath.Join(certDirPath, "ca.crt")}) setup.WaitWithDefaultTimeout() - session = podmanTest.Podman([]string{"run", "-d", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"), + session := podmanTest.Podman([]string{"run", "-d", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"), "-e", strings.Join([]string{"REGISTRY_HTTP_ADDR=0.0.0.0", strconv.Itoa(port)}, ":"), "--name", "registry", "-v", strings.Join([]string{authPath, "/auth:Z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd", "-v", strings.Join([]string{certPath, "/certs:Z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt", - "-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"}) + "-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", REGISTRY_IMAGE}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) @@ -249,7 +249,7 @@ var _ = Describe("Podman login and logout", func() { strings.Join([]string{authPath, "/auth:z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd", "-v", strings.Join([]string{certPath, "/certs:z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt", - "-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"}) + "-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", REGISTRY_IMAGE}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) diff --git a/test/e2e/push_test.go b/test/e2e/push_test.go index f2a103f6b..898d21d00 100644 --- a/test/e2e/push_test.go +++ b/test/e2e/push_test.go @@ -4,6 +4,7 @@ import ( "fmt" "io/ioutil" "os" + "os/exec" "path/filepath" "strings" @@ -136,6 +137,45 @@ var _ = Describe("Podman push", func() { Expect(fi.Name()).To(Equal("digestfile.txt")) Expect(push2).Should(Exit(0)) } + + if !IsRemote() { // Remote does not support signing + By("pushing and pulling with sigstore signatures") + // Ideally, this should set SystemContext.RegistriesDirPath, but Podman currently doesn’t + // expose that as an option. So, for now, modify /etc/directly, and skip testing sigstore if + // we don’t have permission to do so. + systemRegistriesDAddition := "/etc/containers/registries.d/podman-test-only-temporary-addition.yaml" + cmd := exec.Command("cp", "testdata/sigstore-registries.d-fragment.yaml", systemRegistriesDAddition) + output, err := cmd.CombinedOutput() + if err != nil { + fmt.Fprintf(os.Stderr, "Skipping sigstore tests because /etc/containers/registries.d isn’t writable: %s", string(output)) + } else { + defer func() { + err := os.Remove(systemRegistriesDAddition) + Expect(err).ToNot(HaveOccurred()) + }() + + // Verify that the policy rejects unsigned images + push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/sigstore-signed"}) + push.WaitWithDefaultTimeout() + Expect(push).Should(Exit(0)) + Expect(len(push.ErrorToString())).To(Equal(0)) + + pull := podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", "sign/policy.json", "localhost:5000/sigstore-signed"}) + pull.WaitWithDefaultTimeout() + Expect(pull).To(ExitWithError()) + Expect(pull.ErrorToString()).To(ContainSubstring("A signature was required, but no signature exists")) + + // Sign an image, and verify it is accepted. + push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", "--sign-by-sigstore-private-key", "testdata/sigstore-key.key", "--sign-passphrase-file", "testdata/sigstore-key.key.pass", ALPINE, "localhost:5000/sigstore-signed"}) + push.WaitWithDefaultTimeout() + Expect(push).Should(Exit(0)) + Expect(len(push.ErrorToString())).To(Equal(0)) + + pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", "sign/policy.json", "localhost:5000/sigstore-signed"}) + pull.WaitWithDefaultTimeout() + Expect(pull).Should(Exit(0)) + } + } }) It("podman push to local registry with authorization", func() { @@ -167,20 +207,20 @@ var _ = Describe("Podman push", func() { } lock := GetPortLock("5000") defer lock.Unlock() - session := podmanTest.Podman([]string{"run", "--entrypoint", "htpasswd", REGISTRY_IMAGE, "-Bbn", "podmantest", "test"}) - session.WaitWithDefaultTimeout() - Expect(session).Should(Exit(0)) + htpasswd := SystemExec("htpasswd", []string{"-Bbn", "podmantest", "test"}) + htpasswd.WaitWithDefaultTimeout() + Expect(htpasswd).Should(Exit(0)) f, err := os.Create(filepath.Join(authPath, "htpasswd")) Expect(err).ToNot(HaveOccurred()) defer f.Close() - _, err = f.WriteString(session.OutputToString()) + _, err = f.WriteString(htpasswd.OutputToString()) Expect(err).ToNot(HaveOccurred()) err = f.Sync() Expect(err).ToNot(HaveOccurred()) - session = podmanTest.Podman([]string{"run", "-d", "-p", "5000:5000", "--name", "registry", "-v", + session := podmanTest.Podman([]string{"run", "-d", "-p", "5000:5000", "--name", "registry", "-v", strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd", "-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt", diff --git a/test/e2e/sign/policy.json b/test/e2e/sign/policy.json index ab01137bf..812c14989 100644 --- a/test/e2e/sign/policy.json +++ b/test/e2e/sign/policy.json @@ -12,6 +12,12 @@ "keyType": "GPGKeys", "keyPath": "/tmp/key.gpg" } + ], + "localhost:5000/sigstore-signed": [ + { + "type": "sigstoreSigned", + "keyPath": "testdata/sigstore-key.pub" + } ] } } diff --git a/test/e2e/testdata/sigstore-key.key b/test/e2e/testdata/sigstore-key.key new file mode 100644 index 000000000..c4eed76a8 --- /dev/null +++ b/test/e2e/testdata/sigstore-key.key @@ -0,0 +1,11 @@ +-----BEGIN ENCRYPTED COSIGN PRIVATE KEY----- +eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6 +OCwicCI6MX0sInNhbHQiOiI2ckxVcEl1M1pTallrY3dua1pNVktuTHNDUjRENTJv +Y3J5Wmh2anZ4L1VrPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94 +Iiwibm9uY2UiOiJMTVpkeTNBL285NS9SektUZGR3RURhODJTVThVcDdlKyJ9LCJj +aXBoZXJ0ZXh0IjoiNkkzUlRCc1IwRXpHZWs0SE5LazlVdlpyMEp6Y1Bxemw0ZkEr +SitJdHlCc0RBSkcyNmhESnFLUDFuQkJTUE5XdHpJRzJUVzQ5Z2hObEJmQy9qYVNk +eFo2QmhXYk9ldlY0MDB4WjVNZ1oyVHdGSnJxaE9HK0JMdmNvanVkc2tOUFpJTlpE +LytFZVBIYTRlRVJPTWhnSWlTRC9BYTd3eitlc2trVjkrN216Y3N2RVRiTTJTZGd6 +L3daMUtqV3FlOUc2MWlXSTJPSm1rRlhxQWc9PSJ9 +-----END ENCRYPTED COSIGN PRIVATE KEY----- diff --git a/test/e2e/testdata/sigstore-key.key.pass b/test/e2e/testdata/sigstore-key.key.pass new file mode 100644 index 000000000..beb5c7687 --- /dev/null +++ b/test/e2e/testdata/sigstore-key.key.pass @@ -0,0 +1 @@ +sigstore pass diff --git a/test/e2e/testdata/sigstore-key.pub b/test/e2e/testdata/sigstore-key.pub new file mode 100644 index 000000000..1f470f72b --- /dev/null +++ b/test/e2e/testdata/sigstore-key.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEX/AWbBiFPuAU5+ys+Ce8YFPhTr1a +nM7A8h6NrQi6w8w8/4dJCzlGH4SN+P93nopATs6jDXs4Lpc2/tiA1SBmzA== +-----END PUBLIC KEY----- diff --git a/test/e2e/testdata/sigstore-registries.d-fragment.yaml b/test/e2e/testdata/sigstore-registries.d-fragment.yaml new file mode 100644 index 000000000..d79f4c935 --- /dev/null +++ b/test/e2e/testdata/sigstore-registries.d-fragment.yaml @@ -0,0 +1,3 @@ +docker: + localhost:5000/sigstore-signed: + use-sigstore-attachments: true |