mirror of
https://github.com/project-zot/zot.git
synced 2026-06-17 12:58:02 +08:00
Add wildcard mandatory signatures unit and blackbox tests
This commit is contained in:
copilot-swe-agent[bot]
committed by
GitHub
GitHub
parent
648408a676
commit
c8ddde1794
@@ -82,6 +82,36 @@ func TestMandatorySignaturesFunction(t *testing.T) {
|
||||
So(pass, ShouldBeFalse)
|
||||
})
|
||||
|
||||
Convey("mandatory signatures check is skipped for non-matching repositories", t, func() {
|
||||
enable := true
|
||||
lintConfig := &extconf.LintConfig{
|
||||
BaseConfig: extconf.BaseConfig{Enable: &enable},
|
||||
MandatorySignatures: []string{"another-repo"},
|
||||
}
|
||||
|
||||
dir := t.TempDir()
|
||||
testStoreCtlr := ociutils.GetDefaultStoreController(dir, log.NewTestLogger())
|
||||
err := WriteImageToFileSystem(CreateRandomImage(), "zot-test", "0.0.1", testStoreCtlr)
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
indexContent, err := os.ReadFile(path.Join(dir, "zot-test", "index.json"))
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
var index ispec.Index
|
||||
err = json.Unmarshal(indexContent, &index)
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
linter := lint.NewLinter(lintConfig, log.NewTestLogger())
|
||||
linter.SetSignatureVerifier(mockImageTrustStore{trusted: true}, true)
|
||||
|
||||
imgStore := local.NewImageStore(dir, false, false,
|
||||
log.NewTestLogger(), monitoring.NewMetricsServer(false, log.NewTestLogger()), linter, nil, nil, nil)
|
||||
|
||||
pass, err := linter.CheckMandatorySignatures("zot-test", index.Manifests[0].Digest, imgStore)
|
||||
So(err, ShouldBeNil)
|
||||
So(pass, ShouldBeTrue)
|
||||
})
|
||||
|
||||
for _, wildcard := range []string{"*", "**"} {
|
||||
wildcard := wildcard
|
||||
|
||||
|
||||
+1
-1
@@ -18,7 +18,7 @@ ${SCRIPTPATH}/setup_images.sh
|
||||
tests=("pushpull" "pushpull_authn" "delete_images" "referrers" "sbom" "metadata" "anonymous_policy"
|
||||
"annotations" "detect_manifest_collision" "cve" "sync" "sync_docker" "sync_replica_cluster"
|
||||
"scrub" "garbage_collect" "metrics" "metrics_minimal" "multiarch_index" "docker_compat" "redis_local" "redis_session_store"
|
||||
"events_nats" "events_http" "events_nats_lint_failure" "events_http_lint_failure" "events_sink_failure" "events_config_decoding"
|
||||
"events_nats" "events_http" "events_nats_lint_failure" "events_http_lint_failure" "events_sink_failure" "events_config_decoding" "lint_mandatory_signatures_wildcard"
|
||||
"fips140" "fips140_authn" "openid_claim_mapping" "upgrade" "upgrade_minimal" "dynamic_tls" "quota")
|
||||
|
||||
for test in ${tests[*]}; do
|
||||
|
||||
@@ -0,0 +1,84 @@
|
||||
# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
|
||||
# Makefile target installs & checks all necessary tooling
|
||||
# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
|
||||
|
||||
load helpers_zot
|
||||
load ../port_helper
|
||||
|
||||
function verify_prerequisites() {
|
||||
if [ ! $(command -v oras) ]; then
|
||||
echo "you need to install oras as a prerequisite to running the tests" >&3
|
||||
return 1
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
function setup_file() {
|
||||
if ! $(verify_prerequisites); then
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
function teardown() {
|
||||
zot_stop_all
|
||||
}
|
||||
|
||||
function run_mandatory_signatures_wildcard_test() {
|
||||
local wildcard="$1"
|
||||
local suffix="$2"
|
||||
local test_dir="${BATS_FILE_TMPDIR}/${suffix}"
|
||||
local zot_root_dir="${test_dir}/zot"
|
||||
local zot_config_file="${test_dir}/zot_config.json"
|
||||
local zot_log_file="${test_dir}/zot.log"
|
||||
|
||||
mkdir -p "${zot_root_dir}"
|
||||
|
||||
local zot_port
|
||||
zot_port=$(get_free_port_for_service "zot")
|
||||
|
||||
cat > "${zot_config_file}"<<EOF
|
||||
{
|
||||
"distSpecVersion": "1.1.1",
|
||||
"storage": {
|
||||
"rootDirectory": "${zot_root_dir}"
|
||||
},
|
||||
"http": {
|
||||
"address": "0.0.0.0",
|
||||
"port": "${zot_port}"
|
||||
},
|
||||
"log": {
|
||||
"level": "debug",
|
||||
"output": "${zot_log_file}"
|
||||
},
|
||||
"extensions": {
|
||||
"lint": {
|
||||
"enable": true,
|
||||
"mandatorySignatures": ["${wildcard}"]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
zot_serve "${ZOT_PATH}" "${zot_config_file}"
|
||||
wait_zot_reachable "${zot_port}"
|
||||
|
||||
echo '{}' > "${test_dir}/config.json"
|
||||
echo "this is a test artifact" > "${test_dir}/artifact.txt"
|
||||
|
||||
run oras push --plain-http 127.0.0.1:${zot_port}/wildcard-${suffix}:v0 \
|
||||
--config "${test_dir}/config.json:application/vnd.oci.image.config.v1+json" \
|
||||
"${test_dir}/artifact.txt:text/plain" -d -v
|
||||
|
||||
[ "$status" -ne 0 ]
|
||||
run grep -q "requires a configured trust store" "${zot_log_file}"
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "mandatory signatures wildcard '*' applies to all repositories" {
|
||||
run_mandatory_signatures_wildcard_test "*" "star"
|
||||
}
|
||||
|
||||
@test "mandatory signatures wildcard '**' applies to all repositories" {
|
||||
run_mandatory_signatures_wildcard_test "**" "double-star"
|
||||
}
|
||||
@@ -461,6 +461,12 @@
|
||||
"end": 11529
|
||||
}
|
||||
},
|
||||
"blackbox/lint_mandatory_signatures_wildcard.bats": {
|
||||
"zot": {
|
||||
"begin": 11540,
|
||||
"end": 11549
|
||||
}
|
||||
},
|
||||
"blackbox/quota.bats": {
|
||||
"zot": {
|
||||
"begin": 11530,
|
||||
|
||||
Reference in New Issue
Block a user