
Commit d83e6c2

Merge pull request #3333 from robnester-rh/EC-1824
test(EC-1824): add acceptance tests for multi-arch volatile exceptions
2 parents a10b6af + 9817ee4 commit d83e6c2

2 files changed

Lines changed: 326 additions & 0 deletions


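--- a/features/__snapshots__/validate_image.snap
+++ b/features/__snapshots__/validate_image.snap
@@ -5916,3 +5916,228 @@ time="${TIMESTAMP}" level=warning msg="Attestation signature check skipped, fetc
 time="${TIMESTAMP}" level=warning msg="Both --skip-image-sig-check and --skip-att-sig-check are active, all cryptographic verification is disabled"
 
 ---
+
+[TestFeatures/volatile config exclude matches multi-arch expanded component name:stdout - 1]
+{
+"success": true,
+"components": [
+{
+"name": "multi-arch-test-sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2-arm64",
+"containerImage": "${REGISTRY}/acceptance/multi-arch-volatile@sha256:${REGISTRY_acceptance/multi-arch-volatile:latest_DIGEST}",
+"source": {},
+"successes": [
+{
+"msg": "Pass",
+"metadata": {
+"code": "builtin.attestation.signature_check"
+}
+},
+{
+"msg": "Pass",
+"metadata": {
+"code": "builtin.attestation.syntax_check"
+}
+},
+{
+"msg": "Pass",
+"metadata": {
+"code": "builtin.image.signature_check"
+}
+},
+{
+"msg": "Pass",
+"metadata": {
+"code": "filtering.always_pass"
+}
+},
+{
+"msg": "Pass",
+"metadata": {
+"code": "filtering.always_pass_with_collection"
+}
+}
+],
+"success": true,
+"signatures": [
+{
+"keyid": "",
+"sig": "${IMAGE_SIGNATURE_acceptance/multi-arch-volatile}"
+}
+],
+"attestations": [
+{
+"type": "https://in-toto.io/Statement/v0.1",
+"predicateType": "https://slsa.dev/provenance/v0.2",
+"predicateBuildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
+"signatures": [
+{
+"keyid": "",
+"sig": "${ATTESTATION_SIGNATURE_acceptance/multi-arch-volatile}"
+}
+]
+}
+]
+}
+],
+"key": "${known_PUBLIC_KEY_JSON}",
+"policy": {
+"sources": [
+{
+"policy": [
+"git::${GITHOST}/git/happy-day-policy.git?ref=${LATEST_COMMIT}"
+],
+"config": {
+"include": [
+"@stamps",
+"filtering.always_pass",
+"filtering.always_fail"
+]
+},
+"volatileConfig": {
+"exclude": [
+{
+"value": "filtering.always_fail",
+"componentNames": [
+"multi-arch-test"
+]
+},
+{
+"value": "filtering.always_fail_with_collection",
+"componentNames": [
+"multi-arch-test"
+]
+}
+]
+}
+}
+],
+"publicKey": "${known_PUBLIC_KEY}"
+},
+"ec-version": "${EC_VERSION}",
+"effective-time": "${TIMESTAMP}"
+}
+---
+
+[TestFeatures/volatile config exclude matches multi-arch expanded component name:stderr - 1]
+
+---
+
+[TestFeatures/volatile config exclude does not match different multi-arch component:stdout - 1]
+{
+"success": false,
+"components": [
+{
+"name": "other-component-sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2-amd64",
+"containerImage": "${REGISTRY}/acceptance/multi-arch-volatile-neg@sha256:${REGISTRY_acceptance/multi-arch-volatile-neg:latest_DIGEST}",
+"source": {},
+"violations": [
+{
+"msg": "always fail",
+"metadata": {
+"code": "filtering.always_fail"
+}
+},
+{
+"msg": "always fail with collection",
+"metadata": {
+"code": "filtering.always_fail_with_collection"
+}
+}
+],
+"successes": [
+{
+"msg": "Pass",
+"metadata": {
+"code": "builtin.attestation.signature_check"
+}
+},
+{
+"msg": "Pass",
+"metadata": {
+"code": "builtin.attestation.syntax_check"
+}
+},
+{
+"msg": "Pass",
+"metadata": {
+"code": "builtin.image.signature_check"
+}
+},
+{
+"msg": "Pass",
+"metadata": {
+"code": "filtering.always_pass"
+}
+},
+{
+"msg": "Pass",
+"metadata": {
+"code": "filtering.always_pass_with_collection"
+}
+}
+],
+"success": false,
+"signatures": [
+{
+"keyid": "",
+"sig": "${IMAGE_SIGNATURE_acceptance/multi-arch-volatile-neg}"
+}
+],
+"attestations": [
+{
+"type": "https://in-toto.io/Statement/v0.1",
+"predicateType": "https://slsa.dev/provenance/v0.2",
+"predicateBuildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
+"signatures": [
+{
+"keyid": "",
+"sig": "${ATTESTATION_SIGNATURE_acceptance/multi-arch-volatile-neg}"
+}
+]
+}
+]
+}
+],
+"key": "${known_PUBLIC_KEY_JSON}",
+"policy": {
+"sources": [
+{
+"policy": [
+"git::${GITHOST}/git/happy-day-policy.git?ref=${LATEST_COMMIT}"
+],
+"config": {
+"include": [
+"@stamps",
+"filtering.always_pass",
+"filtering.always_fail"
+]
+},
+"volatileConfig": {
+"exclude": [
+{
+"value": "filtering.always_fail",
+"componentNames": [
+"multi-arch-test"
+]
+},
+{
+"value": "filtering.always_fail_with_collection",
+"componentNames": [
+"multi-arch-test"
+]
+}
+]
+}
+}
+],
+"publicKey": "${known_PUBLIC_KEY}"
+},
+"ec-version": "${EC_VERSION}",
+"effective-time": "${TIMESTAMP}"
+}
+---
+
+[TestFeatures/volatile config exclude does not match different multi-arch component:stderr - 1]
+Error: success criteria not met
+
+---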

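--- a/features/validate_image.feature
+++ b/features/validate_image.feature
@@ -1115,6 +1115,107 @@ Feature: evaluate enterprise contract
 Then the exit status should be 0
 Then the output should match the snapshot
 
+# EC-1824: verify volatile config componentNames excludes work with
+# multi-arch expanded component names (e.g., "foo-sha256:<digest>-arm64").
+
+Scenario: volatile config exclude matches multi-arch expanded component name
+Given a key pair named "known"
+Given an image named "acceptance/multi-arch-volatile"
+Given a valid image signature of "acceptance/multi-arch-volatile" image signed by the "known" key
+Given a valid attestation of "acceptance/multi-arch-volatile" signed by the "known" key
+Given a git repository named "happy-day-policy" with
+| filtering.rego | examples/filtering.rego |
+Given a file named "${TMPDIR}/multi-arch-images.json" containing
+"""
+{
+"components": [
+{
+"containerImage": "${REGISTRY}/acceptance/multi-arch-volatile",
+"name": "multi-arch-test-sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2-arm64"
+}
+]
+}
+"""
+Given policy configuration named "ec-policy" with specification
+"""
+{
+"sources": [
+{
+"volatileConfig": {
+"exclude": [
+{
+"value": "filtering.always_fail",
+"componentNames": ["multi-arch-test"]
+},
+{
+"value": "filtering.always_fail_with_collection",
+"componentNames": ["multi-arch-test"]
+}
+]
+},
+"config": {
+"include": ["@stamps", "filtering.always_pass", "filtering.always_fail"]
+},
+"policy": [
+"git::https://${GITHOST}/git/happy-day-policy.git"
+]
+}
+]
+}
+"""
+When ec command is run with "validate image --images ${TMPDIR}/multi-arch-images.json --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --ignore-rekor --show-successes --output json"
+Then the exit status should be 0
+Then the output should match the snapshot
+
+Scenario: volatile config exclude does not match different multi-arch component
+Given a key pair named "known"
+Given an image named "acceptance/multi-arch-volatile-neg"
+Given a valid image signature of "acceptance/multi-arch-volatile-neg" image signed by the "known" key
+Given a valid attestation of "acceptance/multi-arch-volatile-neg" signed by the "known" key
+Given a git repository named "happy-day-policy" with
+| filtering.rego | examples/filtering.rego |
+Given a file named "${TMPDIR}/multi-arch-images-neg.json" containing
+"""
+{
+"components": [
+{
+"containerImage": "${REGISTRY}/acceptance/multi-arch-volatile-neg",
+"name": "other-component-sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2-amd64"
+}
+]
+}
+"""
+Given policy configuration named "ec-policy" with specification
+"""
+{
+"sources": [
+{
+"volatileConfig": {
+"exclude": [
+{
+"value": "filtering.always_fail",
+"componentNames": ["multi-arch-test"]
+},
+{
+"value": "filtering.always_fail_with_collection",
+"componentNames": ["multi-arch-test"]
+}
+]
+},
+"config": {
+"include": ["@stamps", "filtering.always_pass", "filtering.always_fail"]
+},
+"policy": [
+"git::https://${GITHOST}/git/happy-day-policy.git"
+]
+}
+]
+}
+"""
+When ec command is run with "validate image --images ${TMPDIR}/multi-arch-images-neg.json --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --ignore-rekor --show-successes --output json"
+Then the exit status should be 1
+Then the output should match the snapshot
+
 Scenario: Unsupported policies
 Given a key pair named "known"
 Given an image named "acceptance/image"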
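Review bot: The negative scenario starting at new line 1170 only shows that an unrelated name, `other-component-sha256:…-amd64`, is not excluded, so the pair of scenarios cannot distinguish "matches the original component name" from a plain prefix match on `multi-arch-test`. If the implementation does match by prefix — I cannot tell from these files — an exclusion granted for `multi-arch-test` would also suppress `filtering.always_fail` and `filtering.always_fail_with_collection` for any component whose name merely starts with that string, silently widening the scope of a policy exception that is meant to be per-component. A third scenario mirroring the negative one, with the image component `"name": "multi-arch-test-extra-sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2-arm64"` and `Then the exit status should be 1`, would pin the intended boundary of the match. Both scenarios also reuse the names "ec-policy" and "happy-day-policy"; if the step definitions do not scope those per scenario, the second scenario may be running against the first's definitions, which is worth confirming.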
