Add wildcard mandatory signatures unit and blackbox tests

pkg/extensions/lint/lint_signatures_test.go

@@ -82,6 +82,36 @@ func TestMandatorySignaturesFunction(t *testing.T) {
 		So(pass, ShouldBeFalse)
 	})
 
+	Convey("mandatory signatures check is skipped for non-matching repositories", t, func() {
+		enable := true
+		lintConfig := &extconf.LintConfig{
+			BaseConfig:          extconf.BaseConfig{Enable: &enable},
+			MandatorySignatures: []string{"another-repo"},
+		}
+
+		dir := t.TempDir()
+		testStoreCtlr := ociutils.GetDefaultStoreController(dir, log.NewTestLogger())
+		err := WriteImageToFileSystem(CreateRandomImage(), "zot-test", "0.0.1", testStoreCtlr)
+		So(err, ShouldBeNil)
+
+		indexContent, err := os.ReadFile(path.Join(dir, "zot-test", "index.json"))
+		So(err, ShouldBeNil)
+
+		var index ispec.Index
+		err = json.Unmarshal(indexContent, &index)
+		So(err, ShouldBeNil)
+
+		linter := lint.NewLinter(lintConfig, log.NewTestLogger())
+		linter.SetSignatureVerifier(mockImageTrustStore{trusted: true}, true)
+
+		imgStore := local.NewImageStore(dir, false, false,
+			log.NewTestLogger(), monitoring.NewMetricsServer(false, log.NewTestLogger()), linter, nil, nil, nil)
+
+		pass, err := linter.CheckMandatorySignatures("zot-test", index.Manifests[0].Digest, imgStore)
+		So(err, ShouldBeNil)
+		So(pass, ShouldBeTrue)
+	})
+
 	for _, wildcard := range []string{"*", "**"} {
 		wildcard := wildcard
 

test/blackbox/ci.sh

@@ -18,7 +18,7 @@ ${SCRIPTPATH}/setup_images.sh
 tests=("pushpull" "pushpull_authn" "delete_images" "referrers" "sbom" "metadata" "anonymous_policy"
       "annotations" "detect_manifest_collision" "cve" "sync" "sync_docker" "sync_replica_cluster"
       "scrub" "garbage_collect" "metrics" "metrics_minimal" "multiarch_index" "docker_compat" "redis_local" "redis_session_store"
-      "events_nats" "events_http" "events_nats_lint_failure" "events_http_lint_failure" "events_sink_failure" "events_config_decoding"
+      "events_nats" "events_http" "events_nats_lint_failure" "events_http_lint_failure" "events_sink_failure" "events_config_decoding" "lint_mandatory_signatures_wildcard"
       "fips140" "fips140_authn" "openid_claim_mapping" "upgrade" "upgrade_minimal" "dynamic_tls" "quota")
 
 for test in ${tests[*]}; do

test/blackbox/lint_mandatory_signatures_wildcard.bats

@@ -0,0 +1,84 @@
+# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
+#       Makefile target installs & checks all necessary tooling
+#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
+
+load helpers_zot
+load ../port_helper
+
+function verify_prerequisites() {
+    if [ ! $(command -v oras) ]; then
+        echo "you need to install oras as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    return 0
+}
+
+function setup_file() {
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+}
+
+function teardown() {
+    zot_stop_all
+}
+
+function run_mandatory_signatures_wildcard_test() {
+    local wildcard="$1"
+    local suffix="$2"
+    local test_dir="${BATS_FILE_TMPDIR}/${suffix}"
+    local zot_root_dir="${test_dir}/zot"
+    local zot_config_file="${test_dir}/zot_config.json"
+    local zot_log_file="${test_dir}/zot.log"
+
+    mkdir -p "${zot_root_dir}"
+
+    local zot_port
+    zot_port=$(get_free_port_for_service "zot")
+
+    cat > "${zot_config_file}"<<EOF
+{
+    "distSpecVersion": "1.1.1",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "${zot_port}"
+    },
+    "log": {
+        "level": "debug",
+        "output": "${zot_log_file}"
+    },
+    "extensions": {
+        "lint": {
+            "enable": true,
+            "mandatorySignatures": ["${wildcard}"]
+        }
+    }
+}
+EOF
+
+    zot_serve "${ZOT_PATH}" "${zot_config_file}"
+    wait_zot_reachable "${zot_port}"
+
+    echo '{}' > "${test_dir}/config.json"
+    echo "this is a test artifact" > "${test_dir}/artifact.txt"
+
+    run oras push --plain-http 127.0.0.1:${zot_port}/wildcard-${suffix}:v0 \
+        --config "${test_dir}/config.json:application/vnd.oci.image.config.v1+json" \
+        "${test_dir}/artifact.txt:text/plain" -d -v
+
+    [ "$status" -ne 0 ]
+    run grep -q "requires a configured trust store" "${zot_log_file}"
+    [ "$status" -eq 0 ]
+}
+
+@test "mandatory signatures wildcard '*' applies to all repositories" {
+    run_mandatory_signatures_wildcard_test "*" "star"
+}
+
+@test "mandatory signatures wildcard '**' applies to all repositories" {
+    run_mandatory_signatures_wildcard_test "**" "double-star"
+}

test/ports.json

@@ -461,6 +461,12 @@
       "end": 11529
     }
   },
+  "blackbox/lint_mandatory_signatures_wildcard.bats": {
+    "zot": {
+      "begin": 11540,
+      "end": 11549
+    }
+  },
   "blackbox/quota.bats": {
     "zot": {
       "begin": 11530,