Skip to content

Commit

Permalink
added test to check for v001 blocking
Browse files Browse the repository at this point in the history
Signed-off-by: pxp928 <[email protected]>
  • Loading branch information
pxp928 committed Aug 29, 2022
1 parent 77a7cde commit 2fa4649
Show file tree
Hide file tree
Showing 14 changed files with 130 additions and 17 deletions.
5 changes: 5 additions & 0 deletions cmd/rekor-cli/app/pflags_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -762,6 +762,11 @@ func TestParseTypeFlag(t *testing.T) {
{
caseDesc: "explicit intoto v0.0.1",
typeStr: "intoto:0.0.1",
expectSuccess: false,
},
{
caseDesc: "explicit intoto v0.0.2",
typeStr: "intoto:0.0.2",
expectSuccess: true,
},
{
Expand Down
9 changes: 3 additions & 6 deletions pkg/generated/restapi/embedded_spec.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion pkg/types/alpine/v0.0.1/entry.go
Original file line number Diff line number Diff line change
Expand Up @@ -332,7 +332,7 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types
}
publicKeyBytes = append(publicKeyBytes, keyBytes)
} else if len(publicKeyBytes) != 1 {
return nil, errors.New("only one public key byte must be provided")
return nil, errors.New("only one public key must be provided")
}

re.AlpineModel.PublicKey.Content = (*strfmt.Base64)(&publicKeyBytes[0])
Expand Down
2 changes: 1 addition & 1 deletion pkg/types/cose/v0.0.1/entry.go
Original file line number Diff line number Diff line change
Expand Up @@ -326,7 +326,7 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A
}
publicKeyBytes = append(publicKeyBytes, keyBytes)
} else if len(publicKeyBytes) != 1 {
return nil, errors.New("only one public key byte must be provided")
return nil, errors.New("only one public key must be provided")
}

kb := strfmt.Base64(publicKeyBytes[0])
Expand Down
2 changes: 1 addition & 1 deletion pkg/types/hashedrekord/v0.0.1/entry.go
Original file line number Diff line number Diff line change
Expand Up @@ -227,7 +227,7 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types
}
publicKeyBytes = append(publicKeyBytes, keyBytes)
} else if len(publicKeyBytes) != 1 {
return nil, errors.New("only one public key byte must be provided")
return nil, errors.New("only one public key must be provided")
}

re.HashedRekordObj.Signature.PublicKey.Content = strfmt.Base64(publicKeyBytes[0])
Expand Down
2 changes: 1 addition & 1 deletion pkg/types/helm/v0.0.1/entry.go
Original file line number Diff line number Diff line change
Expand Up @@ -327,7 +327,7 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types
}
publicKeyBytes = append(publicKeyBytes, keyBytes)
} else if len(publicKeyBytes) != 1 {
return nil, errors.New("only one public key byte must be provided")
return nil, errors.New("only one public key must be provided")
}

re.HelmObj.PublicKey.Content = (*strfmt.Base64)(&publicKeyBytes[0])
Expand Down
6 changes: 6 additions & 0 deletions pkg/types/intoto/intoto.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (

"github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/rekor/pkg/types"
"golang.org/x/exp/slices"
)

const (
Expand Down Expand Up @@ -79,3 +80,8 @@ func (it BaseIntotoType) DefaultVersion() string {
func (it BaseIntotoType) SupportedVersions() []string {
return []string{"0.0.2"}
}

// IsSupportedVersion returns true if the version can be inserted into the log, and false if not
func (it *BaseIntotoType) IsSupportedVersion(proposedVersion string) bool {
return slices.Contains(it.SupportedVersions(), proposedVersion)
}
2 changes: 1 addition & 1 deletion pkg/types/intoto/v0.0.1/entry.go
Original file line number Diff line number Diff line change
Expand Up @@ -302,7 +302,7 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A
}
publicKeyBytes = append(publicKeyBytes, keyBytes)
} else if len(publicKeyBytes) != 1 {
return nil, errors.New("only one public key byte must be provided")
return nil, errors.New("only one public key must be provided")
}

kb := strfmt.Base64(publicKeyBytes[0])
Expand Down
3 changes: 1 addition & 2 deletions pkg/types/intoto/v0.0.2/intoto_v0_0_2_schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,7 @@
}
}
},
"required": ["payloadType", "signatures"],
"writeOnly": true
"required": ["payloadType", "signatures"]
},
"hash": {
"description": "Specifies the hash algorithm and value encompassing the entire signed envelope",
Expand Down
2 changes: 1 addition & 1 deletion pkg/types/rekord/v0.0.1/entry.go
Original file line number Diff line number Diff line change
Expand Up @@ -401,7 +401,7 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types
}
publicKeyBytes = append(publicKeyBytes, keyBytes)
} else if len(publicKeyBytes) != 1 {
return nil, errors.New("only one public key byte must be provided")
return nil, errors.New("only one public key must be provided")
}

re.RekordObj.Signature.PublicKey.Content = (*strfmt.Base64)(&publicKeyBytes[0])
Expand Down
2 changes: 1 addition & 1 deletion pkg/types/rpm/v0.0.1/entry.go
Original file line number Diff line number Diff line change
Expand Up @@ -352,7 +352,7 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types
}
publicKeyBytes = append(publicKeyBytes, keyBytes)
} else if len(publicKeyBytes) != 1 {
return nil, errors.New("only one public key byte must be provided")
return nil, errors.New("only one public key must be provided")
}

re.RPMModel.PublicKey.Content = (*strfmt.Base64)(&publicKeyBytes[0])
Expand Down
2 changes: 1 addition & 1 deletion pkg/types/tuf/v0.0.1/entry.go
Original file line number Diff line number Diff line change
Expand Up @@ -344,7 +344,7 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types
rootBytes = append(rootBytes, keyBytes)

} else if len(rootBytes) != 1 {
return nil, errors.New("only one root key byte must be provided")
return nil, errors.New("only one root key must be provided")
}

root := &data.Signed{}
Expand Down
2 changes: 1 addition & 1 deletion tests/e2e-test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ set -e
testdir=$(dirname "$0")

echo "starting services"
docker-compose up -d --build
docker-compose up -d

echo "building CLI and server"
go build -o rekor-cli ./cmd/rekor-cli
Expand Down
106 changes: 106 additions & 0 deletions tests/e2e_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,16 +33,19 @@ import (
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"os/exec"
"path/filepath"
"reflect"
"runtime"
"strconv"
"strings"
"testing"
"time"

"golang.org/x/sync/errgroup"
"sigs.k8s.io/release-utils/version"

"github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
"github.com/go-openapi/strfmt"
Expand All @@ -57,6 +60,7 @@ import (
"github.com/sigstore/rekor/pkg/sharding"
"github.com/sigstore/rekor/pkg/signer"
"github.com/sigstore/rekor/pkg/types"
_ "github.com/sigstore/rekor/pkg/types/intoto/v0.0.1"
rekord "github.com/sigstore/rekor/pkg/types/rekord/v0.0.1"
"github.com/sigstore/rekor/pkg/util"
"github.com/sigstore/sigstore/pkg/cryptoutils"
Expand Down Expand Up @@ -523,6 +527,10 @@ func TestIntoto(t *testing.T) {
write(t, string(eb), attestationPath)
write(t, ecdsaPub, pubKeyPath)

// ensure that we can't upload a intoto v0.0.1 entry
v001out := runCliErr(t, "upload", "--artifact", attestationPath, "--type", "intoto:0.0.1", "--public-key", pubKeyPath)
outputContains(t, v001out, "type intoto does not support version 0.0.1")

// If we do it twice, it should already exist
out := runCli(t, "upload", "--artifact", attestationPath, "--type", "intoto", "--public-key", pubKeyPath)
outputContains(t, out, "Created entry at")
Expand Down Expand Up @@ -653,6 +661,10 @@ func TestIntotoMultiSig(t *testing.T) {
write(t, ecdsaPub, ecdsapubKeyPath)
write(t, pubKey, rsapubKeyPath)

// ensure that we can't upload a intoto v0.0.1 entry
v001out := runCliErr(t, "upload", "--artifact", attestationPath, "--type", "intoto:0.0.1", "--public-key", ecdsapubKeyPath, "--public-key", rsapubKeyPath)
outputContains(t, v001out, "type intoto does not support version 0.0.1")

// If we do it twice, it should already exist
out := runCli(t, "upload", "--artifact", attestationPath, "--type", "intoto", "--public-key", ecdsapubKeyPath, "--public-key", rsapubKeyPath)
outputContains(t, out, "Created entry at")
Expand Down Expand Up @@ -697,6 +709,100 @@ func TestIntotoMultiSig(t *testing.T) {

}

func TestIntotoBlockV001(t *testing.T) {
td := t.TempDir()
attestationPath := filepath.Join(td, "attestation.json")
pubKeyPath := filepath.Join(td, "pub.pem")

// Get some random data so it's unique each run
d := randomData(t, 10)
id := base64.StdEncoding.EncodeToString(d)

it := in_toto.ProvenanceStatement{
StatementHeader: in_toto.StatementHeader{
Type: in_toto.StatementInTotoV01,
PredicateType: slsa.PredicateSLSAProvenance,
Subject: []in_toto.Subject{
{
Name: "foobar",
Digest: slsa.DigestSet{
"foo": "bar",
},
},
},
},
Predicate: slsa.ProvenancePredicate{
Builder: slsa.ProvenanceBuilder{
ID: "foo" + id,
},
},
}

b, err := json.Marshal(it)
if err != nil {
t.Fatal(err)
}

pb, _ := pem.Decode([]byte(ecdsaPriv))
priv, err := x509.ParsePKCS8PrivateKey(pb.Bytes)
if err != nil {
t.Fatal(err)
}

s, err := signature.LoadECDSASigner(priv.(*ecdsa.PrivateKey), crypto.SHA256)
if err != nil {
t.Fatal(err)
}

signer, err := dsse.NewEnvelopeSigner(&verifier{
s: s,
})
if err != nil {
t.Fatal(err)
}

env, err := signer.SignPayload(in_toto.PayloadType, b)
if err != nil {
t.Fatal(err)
}

eb, err := json.Marshal(env)
if err != nil {
t.Fatal(err)
}

uaString := fmt.Sprintf("rekor-cli/%s (%s; %s)", version.GetVersionInfo().GitVersion, runtime.GOOS, runtime.GOARCH)

write(t, string(eb), attestationPath)
write(t, ecdsaPub, pubKeyPath)

rekorClient, err := client.GetRekorClient("http://localhost:3000", client.WithUserAgent(uaString))
if err != nil {
t.Fatal(err)
}
var entry models.ProposedEntry
params := entries.NewCreateLogEntryParams()
params.SetTimeout(time.Duration(30) * time.Second)

props := &types.ArtifactProperties{}

props.ArtifactPath = &url.URL{Path: attestationPath}

collectedKeys := []*url.URL{{Path: pubKeyPath}}
props.PublicKeyPaths = collectedKeys

entry, err = types.NewProposedEntry(context.Background(), "intoto", "0.0.1", *props)
if err != nil {
t.Fatal(err)
}
params.SetProposedEntry(entry)

_, err = rekorClient.Entries.CreateLogEntry(params)
if err == nil {
t.Fatal("insertion of v0.0.1 entry should fail")
}
}

func TestTimestampArtifact(t *testing.T) {
var out string
out = runCli(t, "upload", "--type", "rfc3161", "--artifact", "test.tsr")
Expand Down

0 comments on commit 2fa4649

Please sign in to comment.