From c8ddde17945f67031eedea6e30ef1f230d0bf2bf Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 29 May 2026 16:50:03 +0000
Subject: [PATCH] Add wildcard mandatory signatures unit and blackbox tests
---
 pkg/extensions/lint/lint_signatures_test.go | 30 +++++++
 test/blackbox/ci.sh | 2 +-
 .../lint_mandatory_signatures_wildcard.bats | 84 ++++++++++++++++++
 test/ports.json | 6 ++
 zot | Bin 99111262 -> 99111262 bytes
 5 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 test/blackbox/lint_mandatory_signatures_wildcard.bats
diff --git a/pkg/extensions/lint/lint_signatures_test.go b/pkg/extensions/lint/lint_signatures_test.go
index be3460b8..608330ef 100644
--- a/pkg/extensions/lint/lint_signatures_test.go
+++ b/pkg/extensions/lint/lint_signatures_test.go
@@ -82,6 +82,36 @@ func TestMandatorySignaturesFunction(t *testing.T) {
 So(pass, ShouldBeFalse)
 })
+ Convey("mandatory signatures check is skipped for non-matching repositories", t, func() {
+ enable := true
+ lintConfig := &extconf.LintConfig{
+ BaseConfig: extconf.BaseConfig{Enable: &enable},
+ MandatorySignatures: []string{"another-repo"},
+ }
+
+ dir := t.TempDir()
+ testStoreCtlr := ociutils.GetDefaultStoreController(dir, log.NewTestLogger())
+ err := WriteImageToFileSystem(CreateRandomImage(), "zot-test", "0.0.1", testStoreCtlr)
+ So(err, ShouldBeNil)
+
+ indexContent, err := os.ReadFile(path.Join(dir, "zot-test", "index.json"))
+ So(err, ShouldBeNil)
+
+ var index ispec.Index
+ err = json.Unmarshal(indexContent, &index)
+ So(err, ShouldBeNil)
+
+ linter := lint.NewLinter(lintConfig, log.NewTestLogger())
+ linter.SetSignatureVerifier(mockImageTrustStore{trusted: true}, true)
+
+ imgStore := local.NewImageStore(dir, false, false,
+ log.NewTestLogger(), monitoring.NewMetricsServer(false, log.NewTestLogger()), linter, nil, nil, nil)
+
+ pass, err := linter.CheckMandatorySignatures("zot-test", index.Manifests[0].Digest, imgStore)
+ So(err, ShouldBeNil)
+ So(pass, ShouldBeTrue)
+ })
+
 for _, wildcard := range []string{"*", "**"} {
 wildcard := wildcard
diff --git a/test/blackbox/ci.sh b/test/blackbox/ci.sh
index 84be6ff6..51f144eb 100755
--- a/test/blackbox/ci.sh
+++ b/test/blackbox/ci.sh
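Review bot: The new non-matching-repository case installs `mockImageTrustStore{trusted: true}`, so `So(pass, ShouldBeTrue)` may also hold if the repository filter regressed and the signature check ran after all; the test cannot tell a skipped check from a successful one. Installing a verifier that rejects, `linter.SetSignatureVerifier(mockImageTrustStore{trusted: false}, true)`, would make the assertion fail closed, assuming the `trusted` field drives the mock's verdict (the mock is defined outside this hunk). The only pattern exercised is the unrelated name `another-repo`; a near-miss pattern, such as a prefix of `zot-test`, would be a stronger check on a list that decides where signatures are enforced. `TestMandatorySignaturesFunction` starts and ends outside the hunk.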
@@ -18,7 +18,7 @@ ${SCRIPTPATH}/setup_images.sh tests=("pushpull" "pushpull_authn" "delete_images" "referrers" "sbom" "metadata" "anonymous_policy" "annotations" "detect_manifest_collision" "cve" "sync" "sync_docker" "sync_replica_cluster" "scrub" "garbage_collect" "metrics" "metrics_minimal" "multiarch_index" "docker_compat" "redis_local" "redis_session_store" - "events_nats" "events_http" "events_nats_lint_failure" "events_http_lint_failure" "events_sink_failure" "events_config_decoding" + "events_nats" "events_http" "events_nats_lint_failure" "events_http_lint_failure" "events_sink_failure" "events_config_decoding" "lint_mandatory_signatures_wildcard" "fips140" "fips140_authn" "openid_claim_mapping" "upgrade" "upgrade_minimal" "dynamic_tls" "quota") for test in ${tests[*]}; do diff --git a/test/blackbox/lint_mandatory_signatures_wildcard.bats b/test/blackbox/lint_mandatory_signatures_wildcard.bats new file mode 100644 index 00000000..edede9dc --- /dev/null +++ b/test/blackbox/lint_mandatory_signatures_wildcard.bats 
@@ -0,0 +1,84 @@ +# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci" +# Makefile target installs & checks all necessary tooling +# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites() + +load helpers_zot +load ../port_helper + +function verify_prerequisites() { + if [ ! $(command -v oras) ]; then + echo "you need to install oras as a prerequisite to running the tests" >&3 + return 1 + fi + + return 0 +} + +function setup_file() { + if ! $(verify_prerequisites); then + exit 1 + fi +} + +function teardown() { + zot_stop_all +} + +function run_mandatory_signatures_wildcard_test() { + local wildcard="$1" + local suffix="$2" + local test_dir="${BATS_FILE_TMPDIR}/${suffix}" + local zot_root_dir="${test_dir}/zot" + local zot_config_file="${test_dir}/zot_config.json" + local zot_log_file="${test_dir}/zot.log" + + mkdir -p "${zot_root_dir}" + + local zot_port + zot_port=$(get_free_port_for_service "zot") + + cat > "${zot_config_file}"< "${test_dir}/config.json" + echo "this is a test artifact" > "${test_dir}/artifact.txt" + + run oras push --plain-http 127.0.0.1:${zot_port}/wildcard-${suffix}:v0 \ + --config "${test_dir}/config.json:application/vnd.oci.image.config.v1+json" \ + "${test_dir}/artifact.txt:text/plain" -d -v + + [ "$status" -ne 0 ] + run grep -q "requires a configured trust store" "${zot_log_file}" + [ "$status" -eq 0 ] +} + +@test "mandatory signatures wildcard '*' applies to all repositories" { + run_mandatory_signatures_wildcard_test "*" "star" +} + +@test "mandatory signatures wildcard '**' applies to all repositories" { + run_mandatory_signatures_wildcard_test "**" "double-star" +} diff --git a/test/ports.json b/test/ports.json index 8f171b17..80bf4cbf 100644 --- a/test/ports.json +++ b/test/ports.json 
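Review bot: Both `@test` cases push only to a single-segment repository, `wildcard-${suffix}`, so the claim in the test names that `*` and `**` apply to all repositories is not exercised for nested names, which is where the two patterns could differ and where an unsigned push might escape the policy. A second push in `run_mandatory_signatures_wildcard_test` to a nested name (for example `nested/wildcard-${suffix}:v0`, a constructed name) with the same two assertions would cover that. In `setup_file`, `if ! $(verify_prerequisites); then` executes the function's stdout as a command and only works because the message is written to fd 3; `if ! verify_prerequisites; then` is the direct form.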
@@ -461,6 +461,12 @@
 "end": 11529
 }
 },
+ "blackbox/lint_mandatory_signatures_wildcard.bats": {
+ "zot": {
+ "begin": 11540,
+ "end": 11549
+ }
+ },
 "blackbox/quota.bats": {
 "zot": {
 "begin": 11530,
diff --git a/zot b/zot index 571a85cf43efb0d38099105edcc121e53d8407c3..6293f90480850b6558329644ffe32252b46f21c0 100755 GIT binary patch delta 9724 zcmcK9cRZDEz{l}(9p_jPQbdIIl5Co!p`CVVP*GGWX)mQoQYqSZdugkrb)!9{;dC0B z+I#Pw@AshJ@AZ3L&!3Oi>+`7kbGyDHjmsGYy-l85LWXBoZ4y;Dx*OB1TP42|gT<>3VaiDuqmtDJqS)*Bn`(GRP8@MdgqcvPR{R4YEZQkR7tmcwtuY)>o4Q^TL&_;;t#$ zS~{m^TrqT*B7{e3kg-D*rCCC%uZcrt<@5N|z8J;H)GT8Mf0K#v+;Cgbwu1Ax4AW8$ zY9XRiElnJ%h<2$y9BQQY!JyQeo0@Ix;E=k`#KFlVbI#vQ2U2rQ96A{W<4jw3=iakx znmQmyWO-x zV8qAW2lYk$PzVY|{m}q45QU*|Gzbkw5hxN3K||3n6orPP5ojceMx#&+8jZ%Fv1l9` zk0zjrXcC%?rl6@P7EMFbQ5>3qW};bWHkyOxqIi^m=AlG1A0?p$XdzmJlF?$c1f`%< zv=l8v%h3w760Jh3k%ZQuwP+n$k2au%nQJ-w_YN((iEg3W=ng7CchNm`A3Z=1(IZrd9-}Ad zDSC#UqZjBUdWBx2H|Q;Thu)(P=p*`sKBF(_EBc1MqaWxe`h|X@KMB8gh$KXmM31P5 zn&=Y)Vn~dLF)2k%h$$&e%!oO$AZ3UpDND)`D`HK`6B}YnDiAwjPbv}z;z*oGB~qDG zAyr8=Qk~QwHAyW}o75rBq%LtG^@uBRBksh5coHw-O?-$isZSb^hNKZ`Oqvis;!m2A z0Md*!CoM=z5=dH+)}#$-OWKk4qyyToQxnNNi-QnV#sJRhKwcS$ape=OeB-YWHN`m%8CgzNkd4K@O5ka)=xz zN61lfjL0O5WRo0noSYyh$tiN0oFQk)IdYy{AQ#Ccl1na=JaUCxCD(-fd&hP0^p(=; zyYzHLzHk-mW!shcB36j$(u!62Vue!wtL(EnU(6NC;LnoThJ4{C>8;5Z-Nger7-ND^ zdVQ2uVrf&U*1CMrLmZOhFvbg|*?ZmkRFNWY#=c+!yYJ6-Do*6|R1}`b2~xZ|k<&`? 
z=|qmd;#Xjzvm{mAo-Y!Og0LhoQEmKE-iPB!^TklvwSh+9BVKlIs1d!D!dYI>Sa;*H z{K`)w1}L#6C_p2w28e@l)!7>H%Rt0Sm6J5$uGl8)EzpR5LbR3#EYyf5N~N(<-jJ*j zer*hPAK0Nt@Z2lCD9{L7Jx#`rR42>wmU4x=8Zk_1?6Gf$;zKjD;hqhoMfWx0nX!L* z@rgir<^zrRCX5^JDL&I&p7Tf}wyBKcw-=vTC^vkj5xHf=9@*rlMudn`9hVkQbzdqq z!knwT<(EbrGZNjB1{vHC@*o4PxNV}BIemMoYr}GuhJlHJj)95gj>w^9wZcT`%DS1Y&R9cN(lq%$DMRol1 z1YoRh^5;1A#ofg3e)d15xj3~{43H{a(TX^6SK6c-gQZ$md90CkVytDlA)8xnV2kP6 zY^mE#oRiG1;bNkJ)EZ-DVJ$`J#t+gW-IyyKz*w#HnykM&S7oJ1!Pr_=HoLABZIq4N zj$v-@slWvFSKj*axRuBXjJtw!8k~DsbgrHFraLFH|C!QaN-EH3g_Tl$O4@}R<0}n3 zT5_>kB^UeGj*5SG*sDvGT=+-Pg^&Mp;jhx<8@O1hlp`e<>n#bbR#@6~hjcv7la*<&$&9j~Yx z)DF7A)KTt=$+E(s@}ZK8KI5(bJXd$5Ik&W;xr3ZpvTA0@s((ERAOrYel5eWb>B4QyZlFFSR1x z#NwY*rFEyQrTMS4;;^av=D%y}Z7#ZuGz|CL+~nM*zcZ($V>mU^q}@NKTI)_(OP$_m zg`dgujeIn^Kf#_zt8r?VsS8dOKbSfjbr-fxig~LQa?IPCLNi{^)p?ulJ6#Hmyd~W9 zjEWECtvH<2P0u@jYpUxiD@(aS_AN2aNojO2Y5#*;0^BBdNCCM^?veZC0eMIskwWsA zJRwiXGxD6gATP-)@|wIMZ^=9Io_ru5$tUued?8=SH}akQAV0}3@|*k-3Hu)?aYGO# z(IYCNCi=vH7!o65OiB?GVoFLAGh$9GNEu>D%93)#idd8K#D>_C3dD}slZwQFI1(pP ziBu+4NL5meR3|k^O;U^0CUuB2sY_f)J>p8-h&%Bhp2UlI6CdJB>XQbfA!$S!lP1KE z_>-n2fHWh`Nej}F1d>*yHEBcIl6Is$=|DP?Akv9+CS6EZ(v5T{JxEW|iv*M2qz~y! 
z`jHS4O8S!lWFQG6;bagQOd?1m8A67VVI+zSCnLy65=};t7&4lSA!ErnGM-Ez6Uihp znM@&5Ni3O0rYq(B58{+VUR!(kxO+N#dH8tL^9l9x_VNjhWUDVh7a`h4aIFYuW-*W_b_*9irGwMMYV@deRof3EpC@99}_(~%=nvI zfa|RCj?s$gP0jtSZoJ2jKluWtug%o`zm>Fd$xLN4Y4?FBWxe?+GnMmGW}(?=4w{SN zQ39HW6488=gchKMXc0O~^vfHtB{XfxV^ zwxVq)4Q)p|&`z`q?M8dhUX+gZq5bFp%0LHECOU);qa)}jI)-GFg|bl&I*v}DljsyW zjn1I6=o~taE})C(63RuFQ69R2uA*z`I?6{HbOUM8O>_(0Mt4vFx{L0i`{)6Bh#sLr z^cX!sPth~<9KAp<(JS;Cy+Lo$JM?N zNQv~23aODkGC+pN2pOYN$OM_9(#Q;%BMVdpS)#J29I`^zs64Vkwx|NKL-wd5azKvA z2~|RsQ594bRYTQL4OA1=LbXvH5#zpth(TYL7agjwlFqLY+|;)D?9@-BAzJ6ZJyDs5k0^ z`l5a)1cjphXaE|B!caIGga)Gs6p4nQp=cP2Lc`GrG!jLlQ78tDMq|)eG!BhN6VOC7 z2~9>*&{PzQrlIL54$VL_(JV9@%|UZfJW4?GP$HU-lF$OQ5G_K$9AroYZN+UC5jx10a zWQoe6a>xofG*{Y7ER8Za1t{!2hs;OK!MasH7LmBe__oCP8|9a6={BdkK+%Y_2 z#Hfg<@ZpYs6xYh0G^z5e+J&sThfD*v_tSsdtIA26EuR}^r59Ec-vB9%yGQbi?;eN|N%6NE)lX5DHkP@U8uHAyW} zo75rBq%LtG^@uBRBksh5coHw-O?-$isZSb^hNKZ`Oqvis;!m2A0Md*!CoM=z5=dH+ z)}#$-OWKk4qyyToQxnNNi-QnV#sJRhKwcS$ape=OeB-YWHN`m%8CgzNkd4K@O5ka)=xzN61lfjL0O5WRo0n zoSYyh$tiN0oFQk)IdYy{AQ#Ccl1na=JaUCxCD+Jxl20_`2GNq6!XQk&Ev&P4YpU3jY=aV2iVop=yW;zhiP5Ah}S zNdwZ5G$M^j6XK_q@#9bZCq{a@-d}BQ^k{@aAruCREGZAi);5m#tA{`A9gBYAD?S#_ z`^jR1zq*4;8oUMDq!4ImlU4j`XkNTHYi!ZQE=$ueZ!NOqWf(I&rNITdP0-M0PVpwg z;!SU!6>VA|O~bskMaX|X10iMeyp*Nez2-l&PS1-!|D^kvm+u!eReMV|B`?#W_&x?E zsdbO?pyWCwKt1;F3)|Afq7|2Q^A?H_DI4?FHYKmb#oHC{bn}Lof5&;ef*MT?P`ijs z$+u{fBQQD$yxu3p#|EfDGt!*2AT3ECX+>I-Hl!_SN7|DPq$3F;ok(ZWg>)s|NO#hM z^d!AVFzHSDkiMiJ2_d1RKN&y|Ko$Mp~$pMl<4w6iAh#V$I$Wd~P$RvwolN@rKoFFI3DRP>eA!o@s za-Liu7s(}(OD>ZM19VuFZ@64t>E>_V&q*ewR* z7+4sH-R*LwebUF-YVb9NjU7C7SMu3PJpi*{>-aYU6SN(KHz?DH2_lm^Mc zTcjpuUK`lO`>IMCr>r}rUrdP)RQXuE&FiV+*0*^!`mwwu4%@1%<9Dmd8yh_-Tr-N# zR{0of@(Zst@fKZ?-kL;wUe{|_{kmo zhPZU=?=_)oSYWU4juXNscW>1z#CyzWmp0*J2Mr48F?>{yj>Csc3UF&auKQ>O?_U-f zpw{iXDyD4e+;@GGb+P&R2i!-F?Ch|@)+xeecv!Hvr%P0U`Md&ift1JqsgN3#K!(T& z86y)^5}6`1R0{EIX=H)QAWKvhl|xp@8kI*jr~;~pY>{1BfqA7nUrl!|3|0C^-B1Kr zI;W;xGqRs9M4iMy6MHA6VN7B@Q~N5)N70G>Fp6V|87B5kO~*v@z+FW^Mdye#vy%2| 
zA%-Sen%X;wmWjR`91{CtQ2v;om}z2fpSaG{-qCc={J)2GCSEbM?_|^&GXWmXUFOv^ zvquid5miQ2kQ1tks-fzr2C9i_q1vbpaz=HL3vxwn$Q^kgPvnKXkq`1k^-z7(05wF7 zP-D~tX;4$t3^hkBP)pPbwMKr(AGJYkQ2=U(+M^DrBML;FP-n#F)fII^-BAzJ6ZJy9 zQ6JP7^+Wy902G9R(LfY}2BAvq!y`7>JVpAm$(pD;zrzw2k|6c#GCjKUs8|MCk;qL(ug!BO^AjxCCx~4 z(t@-ktw?L)NBl_}(v}2}cBDP&Ksu5@(us5?T}W5bjdUkHNKev>^d@~sU(%2CCj&?j z2_^$c2pL2|$zU>sgpr|S7#U7RkZ>}RM37NrG#Nw2l5u1_nLs9zNn|paLZ*^wWICBa zBFRiLi$syxWDc22=8^ei0f{CtWFd(qi%1+G{eW;U=Qw3afHNq!7W<%GEhyrSj<)*>_EjSRj-QK1=2sa)d@QNXZf1MV8zfV~kK* zeUw&VYcr|Vx*X9%tdOHHMhoSecl!N_V!XT==Xx93-p=2tIGNQ`@#JJypyJiZEPutP zlUYp_zx-mIXGoQ{=ZIKiH*E2XRlg{Z_v3o%A`u|FHP8zD87g};)QUbzVJ0tbtbedu zex=chflBNNY_1j8n~N=S)p=U+%TP>~s>Er z)7Egy!5xYiuWeF6u2xhqNK4z1=xABqQm%MkD@G_yoc8Zfd}v`l(yO+#^r2Sdo4D;O zn(&q9JkpA9!ldq=q8TrFex6orQ<+TOUNkdPZkVqXSIUSbvguE)7$8b&l8TmECrOR4 z<|c3Xr4`4Gg?HRw!&^cgY^W1=O%0M~ZBKM-SkBVOFV@e&FSgt&IjF2om zsoQPLN#-|jGvOh%!B|C@OX2#lKw7FF&qxO`Rx6d1@%QBNj8v&Nj#ib;Z|X!_Wusch zv9{o}UyS+|AANc1FEae1u3=7#xr>E!?Zh|zoXGrVDIH5vu2v_kl|ZB-W3}*vow|TKzdUUxeiYvL#6LH_B~819o0VL2wD@KXC85&^OIz3f`;eXF ziY*m{iPRS3B!`S6#fQUr8$PXneTd+rk{hBYMS74Q1j7on&0lDix_|J@~ucV+$a zHTaY+1>V((7WQur72j+%5B%qOERptO*AQz5tl`_jQ9qQctRL*Eq)XBG#&VVh+|!Al z=H=6H{!B*UcdA(#X;`jK)HHo?5VKKN@k@)@JvjwaRt9Fr_oXWQqV6mFDtaB+C&{mM z!dkxlP$%jsP5k$!7XCPPlNz!33=?>+d@0Zz`}W({wG}u8hS^#8|2q1 zyp*@%a%wjN>zu8LZmX><Ih>{o( z6;YEC#E=*fV`4%|5>sMEN)dBXnpluB#FCUH<%kurCgq6@sX!_cTVh8l5qsi597$zT zg*cI_q#CJCYLJ?w7O73@5NA@CxDZ$3M%;-9@g!cvoA?l4QjgRp4M;=Mh%_cmh=w#J z%}8_7g0v*9NNeIp{7D(vS2f z14s}FCId+b8AL+KU^0Y+k)dQ58BRu!a59oakWpkb8AHaBab!H1Kqit&WHOmTrjlu7 zI+;Nt$xJd!DIa(gr5yI!!qwf~)7c{=ILON<)Z5eD+eh}vo~^9fxW>QdJluWVy?ujx z>(%oK_4Rf22z4Li?Hdy0?iLzUPkOV{R#mBzt9yNS&t4|M^$~rtXN5Az`6m zgF+gG1`Qu0$>wvER`M-)b&j-q`5dKYQNkSMqJ+6<9-5C9plB3>7NS_R2*shrXbD=1 z;?Xj+93`Mcl!TJe3bYcfLaWglB%u_v7Og|;(FU{;Z9<#T7PJ*@L#b#x+JSbWU1&Gj zgZ83*Xg@lD4x%)42&JRL=m6l1N0C*LXS}%dV-#!XXrV~M=wwTdWl}4 z*XRv;i{7F4=mYwQKB3R(3;K$_q3`Gi`iXv_-{_ArI>BI3f${^1UA#db^d{I4AA2mP?Q6tnCH9;EG6g5N5Q47=(wL-0t 
zAM!_SP+Js$+M)KS1L}wZQ76VKs`|})Eo6deNjKu9}Pf3C>RYyA!rZ^ zMT5~06o!VPVQ4rSfx^*96oE#e(P#`Bi^iexXabsuCZWk_3Yv$BP)THp%up$0j!Gj7R0dh1vZx%gLe{7}vOyJ8 zI}<9ZZm)3|r*v2oVXLaCTsU3IxH?-o;Q#Y=&cQ|q}dpx`l5N0-^OV`aCOOH>MB6iv09ixclh3_pTNlS3;V^RFR zPznCpz(0}>^Y+3)`o>ZDHczUs+g25h|BhII(O#rTTQRyA;H@Vq`_c%dWBdc5I=;tN z6)7Bx-?(~S^aj?0w4wTY7LRA8wR`c_m5py5PrlisnBPjRUoRdrq-_1VCUU8M{p*t` z{d)1Jk;Fcn7m<<;#>5KAMIT3@vD3d{rU|vuzgdM(`aCvNvMGKqD|Dd#K8oT|6DRiD zs(>A-MC^$JaU_*V72>3l#r~?Qw8_FWF1>Cw6{t>XkeZ|xsZHt-XHu8A5Lex8`D6i!CNX3oi6x6j z99c}3kfkJ^EF;TF0!buEB$=!rE6FOdnyeubNg->=I^kfY=nIZkAfK{81eIYCa6Q{*%`L(Y+GPy#ol5BE~TqifkO_D>j#FfU5G64nDxxMO zh#@f|#>9k_B&NiSlp^M&G_fFMh$SgY$`LDKP0AA+Qh`(?w#1H9BKE|AIFibw3UMM; zNi|ZP)F3rUEmE7*AmADai;z2x#7x5-O#Fx|~^+^NLkTfEVNfV+`%lPY0 z{b#JrgQAx*hr++x6?qW~g-{qOQl#wlP1V-YAy`^`lpgX*F1?|tTBE|tSKt<0TI?=5 zT)OCRh7`nkX)!bsDRMH#G%qnx3e4s9$fE5=Mcdy`I^djskzg{Agpffb zlnf?ANSIoVjvT6PRZ^J6WycIvgJEPi89~CyND@ItklLaK2#E^v~mMkK1WHDJnmXdg~j4US!B#|VMWU_*+ zB&*13vW7?`g{&p($a=DYY$Th=X0nBBCEG|U*-mzlon#l;P4Q+jT|EB z