Skip to content
This repository has been archived by the owner on Nov 7, 2024. It is now read-only.

Add test to ensure policy verification occurs when pulling image #500

Merged
merged 1 commit into from
Jul 18, 2023
Merged

Add test to ensure policy verification occurs when pulling image #500

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions ci/priv-integration.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ image=quay.io/fedora/fedora-coreos:testing-devel
imgref=ostree-unverified-registry:${image}
stateroot=testos

# This image was generated manually; TODO auto-generate in quay.io/coreos-assembler or better start sigstore signing our production images
FIXTURE_SIGSTORE_SIGNED_FCOS_IMAGE=quay.io/rh_ee_rsaini/coreos

cd $(mktemp -d -p /var/tmp)

set -x
Expand Down Expand Up @@ -103,4 +106,67 @@ img_commit2=$(ostree --repo=${repo} rev-parse ostree/container/image/${imgref})
test "${img_commit}" = "${img_commit2}"
echo "ok deploy derived container identical revs"

# Verify policy

mkdir -p /etc/pki/containers
#Ensure Wrong Public Key fails
cat > /etc/pki/containers/fcos.pub << EOF
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPw/TzXY5FQ00LT2orloOuAbqoOKv
relAN0my/O8tziGvc16PtEhF6A7Eun0/9//AMRZ8BwLn2cORZiQsGd5adA==
-----END PUBLIC KEY-----
EOF

cat > /etc/containers/registries.d/default.yaml << EOF
docker:
${FIXTURE_SIGSTORE_SIGNED_FCOS_IMAGE}:
use-sigstore-attachments: true
EOF

cat > /etc/containers/policy.json << EOF
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"quay.io/fedora/fedora-coreos": [
{
"type": "insecureAcceptAnything"
}
],
"${FIXTURE_SIGSTORE_SIGNED_FCOS_IMAGE}": [
{
"type": "sigstoreSigned",
"keyPath": "/etc/pki/containers/fcos.pub",
RishabhSaini marked this conversation as resolved.
Show resolved Hide resolved
"signedIdentity": {
"type": "matchRepository"
}
}
]

}
}
}
EOF

if ostree container image pull ${repo} ostree-image-signed:docker://${FIXTURE_SIGSTORE_SIGNED_FCOS_IMAGE} 2> error; then
echo "unexpectedly pulled image" 1>&2
exit 1
else
grep -q "invalid signature" error
fi

#Ensure Correct Public Key succeeds
cat > /etc/pki/containers/fcos.pub << EOF
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEREpVb8t/Rp/78fawILAodC6EXGCG
rWNjJoPo7J99cBu5Ui4oCKD+hAHagop7GTi/G3UBP/dtduy2BVdICuBETQ==
-----END PUBLIC KEY-----
EOF
ostree container image pull ${repo} ostree-image-signed:docker://${FIXTURE_SIGSTORE_SIGNED_FCOS_IMAGE}
ostree container image history --repo ${repo} docker://${FIXTURE_SIGSTORE_SIGNED_FCOS_IMAGE}

echo ok privileged integration