diff --git a/test/e2e_test.go b/test/e2e_test.go index d7801e651db..c12754e8b86 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -38,7 +38,6 @@ import ( "testing" "time" - "github.com/go-openapi/strfmt" "github.com/google/go-cmp/cmp" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" @@ -1056,151 +1055,6 @@ func TestVerifyWithCARoots(t *testing.T) { } } -func TestAttachWithRFC3161Timestamp(t *testing.T) { - ctx := context.Background() - // TSA server needed to create timestamp - viper.Set("timestamp-signer", "memory") - viper.Set("timestamp-signer-hash", "sha256") - apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second) - server := httptest.NewServer(apiServer.GetHandler()) - t.Cleanup(server.Close) - - repo, stop := reg(t) - defer stop() - td := t.TempDir() - - imgName := path.Join(repo, "cosign-attach-timestamp-e2e") - - _, _, cleanup := mkimage(t, imgName) - defer cleanup() - - b := bytes.Buffer{} - must(generate.GenerateCmd(context.Background(), options.RegistryOptions{}, imgName, nil, &b), t) - - rootCert, rootKey, _ := GenerateRootCa() - subCert, subKey, _ := GenerateSubordinateCa(rootCert, rootKey) - leafCert, privKey, _ := GenerateLeafCert("subject@mail.com", "oidc-issuer", subCert, subKey) - pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) - pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw}) - pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}) - - payloadref := mkfile(b.String(), td, t) - - h := sha256.Sum256(b.Bytes()) - signature, _ := privKey.Sign(rand.Reader, h[:], crypto.SHA256) - b64signature := base64.StdEncoding.EncodeToString([]byte(signature)) - sigRef := mkfile(b64signature, td, t) - pemleafRef := mkfile(string(pemLeaf), td, t) - pemrootRef := mkfile(string(pemRoot), td, t) - - certchainRef := mkfile(string(append(pemSub[:], pemRoot[:]...)), td, t) - - t.Setenv("SIGSTORE_ROOT_FILE", pemrootRef) - // reset the roots to use the root pointed by the environment variable SIGSTORE_ROOT_FILE - if err := fulcioroots.ReInit(); err != nil { - t.Fatal(err) - } - - tsclient, err := tsaclient.GetTimestampClient(server.URL) - if err != nil { - t.Error(err) - } - - chain, err := tsclient.Timestamp.GetTimestampCertChain(nil) - if err != nil { - t.Fatalf("unexpected error getting timestamp chain: %v", err) - } - - file, err := os.CreateTemp(os.TempDir(), "tempfile") - if err != nil { - t.Fatalf("error creating temp file: %v", err) - } - defer os.Remove(file.Name()) - _, err = file.WriteString(chain.Payload) - if err != nil { - t.Fatalf("error writing chain payload to temp file: %v", err) - } - - tsBytes, err := tsa.GetTimestampedSignature(signature, client.NewTSAClient(server.URL+"/api/v1/timestamp")) - if err != nil { - t.Fatalf("unexpected error creating timestamp: %v", err) - } - rfc3161TSRef := mkfile(string(tsBytes), td, t) - - // Upload it! - err = attach.SignatureCmd(ctx, options.RegistryOptions{}, sigRef, payloadref, pemleafRef, certchainRef, rfc3161TSRef, "", imgName) - if err != nil { - t.Fatal(err) - } - - must(verifyKeylessTSA(imgName, file.Name(), true, true), t) -} - -func TestAttachWithRekorBundle(t *testing.T) { - ctx := context.Background() - - repo, stop := reg(t) - defer stop() - td := t.TempDir() - - imgName := path.Join(repo, "cosign-attach-timestamp-e2e") - - _, _, cleanup := mkimage(t, imgName) - defer cleanup() - - b := bytes.Buffer{} - must(generate.GenerateCmd(context.Background(), options.RegistryOptions{}, imgName, nil, &b), t) - - rootCert, rootKey, _ := GenerateRootCa() - subCert, subKey, _ := GenerateSubordinateCa(rootCert, rootKey) - leafCert, privKey, _ := GenerateLeafCert("subject@mail.com", "oidc-issuer", subCert, subKey) - pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw}) - pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw}) - pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}) - - payloadref := mkfile(b.String(), td, t) - - h := sha256.Sum256(b.Bytes()) - signature, _ := privKey.Sign(rand.Reader, h[:], crypto.SHA256) - b64signature := base64.StdEncoding.EncodeToString([]byte(signature)) - sigRef := mkfile(b64signature, td, t) - pemleafRef := mkfile(string(pemLeaf), td, t) - pemrootRef := mkfile(string(pemRoot), td, t) - - t.Setenv("SIGSTORE_ROOT_FILE", pemrootRef) - - certchainRef := mkfile(string(append(pemSub[:], pemRoot[:]...)), td, t) - - localPayload := cosign.LocalSignedPayload{ - Base64Signature: b64signature, - Cert: string(pemLeaf), - Bundle: &bundle.RekorBundle{ - SignedEntryTimestamp: strfmt.Base64("MEUCIEDcarEwRYkrxE9ne+kzEVvUhnWaauYzxhUyXOLy1hwAAiEA4VdVCvNRs+D/5o33C2KBy+q2YX3lP4Y7nqRFU+K3hi0="), - Payload: bundle.RekorPayload{ - Body: "REMOVED", - IntegratedTime: 1631646761, - LogIndex: 693591, - LogID: "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d", - }, - }, - } - - jsonBundle, err := json.Marshal(localPayload) - if err != nil { - t.Fatal(err) - } - bundlePath := filepath.Join(td, "bundle.json") - if err := os.WriteFile(bundlePath, jsonBundle, 0644); err != nil { - t.Fatal(err) - } - - // Upload it! - err = attach.SignatureCmd(ctx, options.RegistryOptions{}, sigRef, payloadref, pemleafRef, certchainRef, "", bundlePath, imgName) - if err != nil { - t.Fatal(err) - } -} - func TestRekorBundle(t *testing.T) { td := t.TempDir() err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) @@ -1832,102 +1686,6 @@ func TestGenerate(t *testing.T) { equals(ss.Optional["foo"], "bar", t) } -func TestUploadDownload(t *testing.T) { - repo, stop := reg(t) - defer stop() - td := t.TempDir() - ctx := context.Background() - - testCases := map[string]struct { - signature string - signatureType attach.SignatureArgType - expectedErr bool - }{ - "stdin containing signature": { - signature: "testsignatureraw", - signatureType: attach.StdinSignature, - expectedErr: false, - }, - "file containing signature": { - signature: "testsignaturefile", - signatureType: attach.FileSignature, - expectedErr: false, - }, - "raw signature as argument": { - signature: "testsignatureraw", - signatureType: attach.RawSignature, - expectedErr: true, - }, - "empty signature as argument": { - signature: "", - signatureType: attach.RawSignature, - expectedErr: true, - }, - } - - imgName := path.Join(repo, "cosign-e2e") - for testName, testCase := range testCases { - t.Run(testName, func(t *testing.T) { - ref, _, cleanup := mkimage(t, imgName) - payload := "testpayload" - payloadPath := mkfile(payload, td, t) - signature := base64.StdEncoding.EncodeToString([]byte(testCase.signature)) - restoreStdin := func() {} - - var sigRef string - if testCase.signatureType == attach.FileSignature { - sigRef = mkfile(signature, td, t) - } else if testCase.signatureType == attach.StdinSignature { - sigRef = "-" - restoreStdin = mockStdin(signature, td, t) - } else { - sigRef = signature - } - // Upload it! - err := attach.SignatureCmd(ctx, options.RegistryOptions{}, sigRef, payloadPath, "", "", "", "", imgName) - if testCase.expectedErr { - mustErr(err, t) - } else { - must(err, t) - } - restoreStdin() - - // Now download it! - se, err := ociremote.SignedEntity(ref, ociremote.WithRemoteOptions(registryClientOpts(ctx)...)) - must(err, t) - sigs, err := se.Signatures() - must(err, t) - signatures, err := sigs.Get() - must(err, t) - - if testCase.expectedErr { - if len(signatures) != 0 { - t.Fatalf("unexpected signatures %d, wanted 0", len(signatures)) - } - } else { - if len(signatures) != 1 { - t.Fatalf("unexpected signatures %d, wanted 1", len(signatures)) - } - - if b64sig, err := signatures[0].Base64Signature(); err != nil { - t.Fatalf("Base64Signature() = %v", err) - } else if diff := cmp.Diff(b64sig, signature); diff != "" { - t.Error(diff) - } - - if p, err := signatures[0].Payload(); err != nil { - t.Fatalf("Payload() = %v", err) - } else if diff := cmp.Diff(p, []byte(payload)); diff != "" { - t.Error(diff) - } - } - - // Now delete it! - cleanup() - }) - } -} - func TestSaveLoad(t *testing.T) { td := t.TempDir() err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)