1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
|
// Policy evaluation for prCosignSigned.
package signature
import (
"context"
"encoding/base64"
"os"
"testing"
"github.com/containers/image/v5/internal/signature"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestPRrSigstoreSignedIsSignatureAuthorAccepted(t *testing.T) {
// Currently, this fails even with a correctly signed image.
prm := NewPRMMatchRepository() // We prefer to test with a Cosign-created signature for interoperability, and that doesn’t work with matchExact.
testImage := dirImageMock(t, "fixtures/dir-img-cosign-valid", "192.168.64.2:5000/cosign-signed-single-sample")
testImageSigBlob, err := os.ReadFile("fixtures/dir-img-cosign-valid/signature-1")
require.NoError(t, err)
// Successful validation, with KeyData and KeyPath
pr, err := newPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
sar, parsedSig, err := pr.isSignatureAuthorAccepted(context.Background(), testImage, testImageSigBlob)
assertSARRejected(t, sar, parsedSig, err)
}
// sigstoreSignatureFromFile returns a signature.Sigstore loaded from path.
func sigstoreSignatureFromFile(t *testing.T, path string) signature.Sigstore {
blob, err := os.ReadFile(path)
require.NoError(t, err)
genericSig, err := signature.FromBlob(blob)
require.NoError(t, err)
sig, ok := genericSig.(signature.Sigstore)
require.True(t, ok)
return sig
}
func TestPRrSigstoreSignedIsSignatureAccepted(t *testing.T) {
assertAccepted := func(sar signatureAcceptanceResult, err error) {
assert.Equal(t, sarAccepted, sar)
assert.NoError(t, err)
}
assertRejected := func(sar signatureAcceptanceResult, err error) {
assert.Equal(t, sarRejected, sar)
assert.Error(t, err)
}
prm := NewPRMMatchRepository() // We prefer to test with a Cosign-created signature to ensure interoperability, and that doesn’t work with matchExact. matchExact is tested later.
testImage := dirImageMock(t, "fixtures/dir-img-cosign-valid", "192.168.64.2:5000/cosign-signed-single-sample")
testImageSig := sigstoreSignatureFromFile(t, "fixtures/dir-img-cosign-valid/signature-1")
// Successful validation, with KeyData and KeyPath
pr, err := newPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
sar, err := pr.isSignatureAccepted(context.Background(), testImage, testImageSig)
assertAccepted(sar, err)
keyData, err := os.ReadFile("fixtures/cosign.pub")
require.NoError(t, err)
pr, err = newPRSigstoreSignedKeyData(keyData, prm)
require.NoError(t, err)
sar, err = pr.isSignatureAccepted(context.Background(), testImage, testImageSig)
assertAccepted(sar, err)
// Both KeyPath and KeyData set. Do not use newPRSigstoreSigned*, because it would reject this.
pr = &prSigstoreSigned{
KeyPath: "/foo/bar",
KeyData: []byte("abc"),
SignedIdentity: prm,
}
// Pass nil and empty data to, kind of, test that the return value does not depend on the image.
sar, err = pr.isSignatureAccepted(context.Background(), nil, testImageSig)
assertRejected(sar, err)
// Invalid KeyPath
pr, err = newPRSigstoreSignedKeyPath("/this/does/not/exist", prm)
require.NoError(t, err)
// Pass nil and empty data to, kind of, test that the return value does not depend on the image.
sar, err = pr.isSignatureAccepted(context.Background(), nil, testImageSig)
assertRejected(sar, err)
// KeyData doesn’t contain a public key.
pr, err = newPRSigstoreSignedKeyData([]byte{}, prm)
require.NoError(t, err)
// Pass nil and empty data to, kind of, test that the return value does not depend on the image.
sar, err = pr.isSignatureAccepted(context.Background(), nil, testImageSig)
assertRejected(sar, err)
// Signature has no cryptographic signature
pr, err = newPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
// Pass a nil pointer to, kind of, test that the return value does not depend on the image.
sar, err = pr.isSignatureAccepted(context.Background(), nil,
signature.SigstoreFromComponents(testImageSig.UntrustedMIMEType(), testImageSig.UntrustedPayload(), nil))
assertRejected(sar, err)
// A signature which does not verify
pr, err = newPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
// Pass a nil pointer to, kind of, test that the return value does not depend on the image.
sar, err = pr.isSignatureAccepted(context.Background(), nil,
signature.SigstoreFromComponents(testImageSig.UntrustedMIMEType(), testImageSig.UntrustedPayload(), map[string]string{
signature.SigstoreSignatureAnnotationKey: base64.StdEncoding.EncodeToString([]byte("invalid signature")),
}))
assertRejected(sar, err)
// A valid signature using an unknown key.
pr, err = newPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
// Pass a nil pointer to, kind of, test that the return value does not depend on the image.
sar, err = pr.isSignatureAccepted(context.Background(), nil, sigstoreSignatureFromFile(t, "fixtures/unknown-cosign-key.signature"))
assertRejected(sar, err)
// A valid signature with a rejected identity.
nonmatchingPRM, err := NewPRMExactReference("this/doesnt:match")
require.NoError(t, err)
pr, err = newPRSigstoreSignedKeyPath("fixtures/cosign.pub", nonmatchingPRM)
require.NoError(t, err)
sar, err = pr.isSignatureAccepted(context.Background(), testImage, testImageSig)
assertRejected(sar, err)
// Error reading image manifest
image := dirImageMock(t, "fixtures/dir-img-cosign-no-manifest", "192.168.64.2:5000/cosign-signed-single-sample")
pr, err = newPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
sar, err = pr.isSignatureAccepted(context.Background(), image, sigstoreSignatureFromFile(t, "fixtures/dir-img-cosign-no-manifest/signature-1"))
assertRejected(sar, err)
// Error computing manifest digest
image = dirImageMock(t, "fixtures/dir-img-cosign-manifest-digest-error", "192.168.64.2:5000/cosign-signed-single-sample")
pr, err = newPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
sar, err = pr.isSignatureAccepted(context.Background(), image, sigstoreSignatureFromFile(t, "fixtures/dir-img-cosign-manifest-digest-error/signature-1"))
assertRejected(sar, err)
// A valid signature with a non-matching manifest
image = dirImageMock(t, "fixtures/dir-img-cosign-modified-manifest", "192.168.64.2:5000/cosign-signed-single-sample")
pr, err = newPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
sar, err = pr.isSignatureAccepted(context.Background(), image, sigstoreSignatureFromFile(t, "fixtures/dir-img-cosign-modified-manifest/signature-1"))
assertRejected(sar, err)
// Minimally check that the prmMatchExact also works as expected:
// - Signatures with a matching tag work
image = dirImageMock(t, "fixtures/dir-img-cosign-valid-with-tag", "192.168.64.2:5000/skopeo-signed:tag")
pr, err = newPRSigstoreSignedKeyPath("fixtures/cosign.pub", NewPRMMatchExact())
require.NoError(t, err)
sar, err = pr.isSignatureAccepted(context.Background(), image, sigstoreSignatureFromFile(t, "fixtures/dir-img-cosign-valid-with-tag/signature-1"))
assertAccepted(sar, err)
// - Signatures with a non-matching tag are rejected
image = dirImageMock(t, "fixtures/dir-img-cosign-valid-with-tag", "192.168.64.2:5000/skopeo-signed:othertag")
pr, err = newPRSigstoreSignedKeyPath("fixtures/cosign.pub", NewPRMMatchExact())
require.NoError(t, err)
sar, err = pr.isSignatureAccepted(context.Background(), image, sigstoreSignatureFromFile(t, "fixtures/dir-img-cosign-valid-with-tag/signature-1"))
assertRejected(sar, err)
// - Cosign-created signatures are rejected
pr, err = newPRSigstoreSignedKeyPath("fixtures/cosign.pub", NewPRMMatchExact())
require.NoError(t, err)
sar, err = pr.isSignatureAccepted(context.Background(), testImage, testImageSig)
assertRejected(sar, err)
}
func TestPRSigstoreSignedIsRunningImageAllowed(t *testing.T) {
prm := NewPRMMatchRepository() // We prefer to test with a Cosign-created signature to ensure interoperability, and that doesn’t work with matchExact. matchExact is tested later.
// A simple success case: single valid signature.
image := dirImageMock(t, "fixtures/dir-img-cosign-valid", "192.168.64.2:5000/cosign-signed-single-sample")
pr, err := NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
allowed, err := pr.isRunningImageAllowed(context.Background(), image)
assertRunningAllowed(t, allowed, err)
// Error reading signatures
invalidSigDir := createInvalidSigDir(t)
image = dirImageMock(t, invalidSigDir, "192.168.64.2:5000/cosign-signed-single-sample")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningRejected(t, allowed, err)
// No signatures
image = dirImageMock(t, "fixtures/dir-img-unsigned", "testing/manifest:latest")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningRejected(t, allowed, err)
// Only non-sigstore signatures
image = dirImageMock(t, "fixtures/dir-img-valid", "testing/manifest:latest")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningRejected(t, allowed, err)
// Only non-signature sigstore attachments
image = dirImageMock(t, "fixtures/dir-img-cosign-other-attachment", "testing/manifest:latest")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningRejected(t, allowed, err)
// 1 invalid signature: use dir-img-valid, but a non-matching Docker reference
image = dirImageMock(t, "fixtures/dir-img-cosign-valid", "testing/manifest:notlatest")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningRejectedPolicyRequirement(t, allowed, err)
// 2 valid signatures
image = dirImageMock(t, "fixtures/dir-img-cosign-valid-2", "192.168.64.2:5000/cosign-signed-single-sample")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningAllowed(t, allowed, err)
// One invalid, one valid signature (in this order)
image = dirImageMock(t, "fixtures/dir-img-cosign-mixed", "192.168.64.2:5000/cosign-signed-single-sample")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningAllowed(t, allowed, err)
// 2 invalid signajtures: use dir-img-cosign-valid-2, but a non-matching Docker reference
image = dirImageMock(t, "fixtures/dir-img-cosign-valid-2", "this/doesnt:match")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", prm)
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningRejectedPolicyRequirement(t, allowed, err)
// Minimally check that the prmMatchExact also works as expected:
// - Signatures with a matching tag work
image = dirImageMock(t, "fixtures/dir-img-cosign-valid-with-tag", "192.168.64.2:5000/skopeo-signed:tag")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", NewPRMMatchExact())
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningAllowed(t, allowed, err)
// - Signatures with a non-matching tag are rejected
image = dirImageMock(t, "fixtures/dir-img-cosign-valid-with-tag", "192.168.64.2:5000/skopeo-signed:othertag")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", NewPRMMatchExact())
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningRejectedPolicyRequirement(t, allowed, err)
// - Cosign-created signatures are rejected
image = dirImageMock(t, "fixtures/dir-img-cosign-valid", "192.168.64.2:5000/cosign-signed-single-sample")
pr, err = NewPRSigstoreSignedKeyPath("fixtures/cosign.pub", NewPRMMatchExact())
require.NoError(t, err)
allowed, err = pr.isRunningImageAllowed(context.Background(), image)
assertRunningRejectedPolicyRequirement(t, allowed, err)
}
|
