sigs.k8s.io/release-sdk@v0.11.1-0.20240417074027-8061fb5e4952/test/e2e/sign_test.go

sigs.k8s.io/release-sdk@v0.11.1-0.20240417074027-8061fb5e4952/test/e2e/sign_test.go (about)

     1  //go:build e2e
     2  // +build e2e
     3  
     4  /*
     5  Copyright 2022 The Kubernetes Authors.
     6  
     7  Licensed under the Apache License, Version 2.0 (the "License");
     8  you may not use this file except in compliance with the License.
     9  You may obtain a copy of the License at
    10  
    11      http://www.apache.org/licenses/LICENSE-2.0
    12  
    13  Unless required by applicable law or agreed to in writing, software
    14  distributed under the License is distributed on an "AS IS" BASIS,
    15  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16  See the License for the specific language governing permissions and
    17  limitations under the License.
    18  */
    19  
    20  package e2e
    21  
    22  import (
    23  	"fmt"
    24  	"io"
    25  	"net/http"
    26  	"strings"
    27  	"testing"
    28  
    29  	"github.com/stretchr/testify/assert"
    30  	"github.com/stretchr/testify/require"
    31  
    32  	"sigs.k8s.io/release-sdk/sign"
    33  )
    34  
    35  const (
    36  	ociManifestType   = "application/vnd.oci.image.manifest.v1+json"
    37  	registry          = "localhost:5000"
    38  	imageName         = "test"
    39  	registryWithImage = registry + "/" + imageName
    40  	imageRef          = registryWithImage + ":latest"
    41  )
    42  
    43  func TestSignImageSuccess(t *testing.T) {
    44  	// Test the prerequisites
    45  	opts := sign.Default()
    46  	opts.IgnoreTlog = true
    47  	opts.CertIdentityRegexp = "https://github.com/kubernetes-sigs/release-sdk/.github/workflows/e2e.yml@.*"
    48  	opts.CertOidcIssuer = "https://token.actions.githubusercontent.com"
    49  
    50  	signer := sign.New(opts)
    51  	signed, err := signer.IsImageSigned(imageRef)
    52  	require.Nil(t, err)
    53  	require.False(t, signed)
    54  
    55  	// Sign the image
    56  	res, err := signer.SignImage(imageRef)
    57  
    58  	// Verify the results
    59  	assert.Nil(t, err)
    60  	assert.Nil(t, res.File())
    61  	image := res.Image()
    62  	assert.NotNil(t, image)
    63  	assert.Equal(t, imageRef, image.Reference())
    64  	assert.Regexp(t, `sha256:[[:xdigit:]]{64}`, image.Digest())
    65  	assert.Regexp(t, registryWithImage+`:sha256-[[:xdigit:]]{64}\.sig`, image.Signature())
    66  
    67  	url := fmt.Sprintf(
    68  		"http://%s/v2/%s/manifests/%s",
    69  		registry,
    70  		imageName,
    71  		strings.Replace(image.Signature(), registryWithImage+":", "", 1),
    72  	)
    73  	fmt.Printf(": %s\n", url)
    74  
    75  	client := &http.Client{}
    76  	req, err := http.NewRequest("GET", url, nil)
    77  	require.Nil(t, err)
    78  	req.Header.Set("Accept", ociManifestType)
    79  
    80  	resp, err := client.Do(req)
    81  	require.Nil(t, err)
    82  	defer resp.Body.Close()
    83  
    84  	body, err := io.ReadAll(resp.Body)
    85  	require.Nil(t, err)
    86  
    87  	response := string(body)
    88  	assert.Contains(t, response, "-----BEGIN CERTIFICATE-----")
    89  	assert.Contains(t, response, "-----END CERTIFICATE-----")
    90  	assert.Contains(t, response, fmt.Sprintf(`"mediaType":"%s"`, ociManifestType))
    91  
    92  	signed, err = signer.IsImageSigned(imageRef)
    93  	require.Nil(t, err)
    94  	assert.True(t, signed)
    95  
    96  	obj, err := signer.VerifyImage(imageRef)
    97  	require.Nil(t, err)
    98  	assert.Equal(t, res, obj)
    99  }
   100  
   101  func TestSignImageFailureWrongImageRef(t *testing.T) {
   102  	// Test the prerequisites
   103  	signer := sign.New(nil)
   104  	_, err := signer.SignImage(registry + "/not-existing:latest")
   105  	assert.ErrorContains(t, err, "entity not found in registry")
   106  }