Update tests for OR behaviour wrt authorities.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
mattmoor · Jun 11, 2022 · c5c22f0 · c5c22f0
1 parent 4346dd0
commit c5c22f0
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 33 deletions.
diff --git a/test/e2e_test_cluster_image_policy_with_attestations.sh b/test/e2e_test_cluster_image_policy_with_attestations.sh
@@ -102,7 +102,7 @@ export NS=demo-attestations
 echo '::endgroup::'
 
 echo '::group:: Create CIP that requires keyless signature and custom attestation with policy'
-kubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-attestations.yaml
+kubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless.yaml
 # allow things to propagate
 sleep 5
 echo '::endgroup::'
@@ -117,6 +117,12 @@ echo '::group:: Sign demoimage with keyless'
 COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --force --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN}
 echo '::endgroup::'
 
+echo '::group:: Create CIP that requires keyless signature and custom attestation with policy'
+kubectl apply -f ./test/testdata/policy-controller/e2e/cip-keyless-with-attestations.yaml
+# allow things to propagate
+sleep 5
+echo '::endgroup::'
+
 # This image has been signed, but does not have an attestation, so should fail.
 echo '::group:: test job rejection'
 expected_error='no matching attestations'
@@ -142,6 +148,7 @@ if ! kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_SUCCESS_
 else
   echo Created the job with keyless signature and an attestation
 fi
+kubectl delete -n ${NS} job demo
 echo '::endgroup::'
 
 echo '::group:: Generate New Signing Key that we use for key-ful signing'
@@ -150,8 +157,8 @@ echo '::endgroup::'
 
 # Ok, so now we have satisfied the keyless requirements, one signature, one
 # custom attestation. Let's now do it for 'keyful' one.
-echo '::group:: Create CIP that requires a keyful signature and an attestation'
-yq '. | .spec.authorities[0].key.data |= load_str("cosign.pub") | .spec.authorities[1].key.data |= load_str("cosign.pub")' ./test/testdata/policy-controller/e2e/cip-key-with-attestations.yaml | kubectl apply -f -
+echo '::group:: Create CIP that requires a keyful signature'
+yq '. | .spec.authorities[0].key.data |= load_str("cosign.pub")' ./test/testdata/policy-controller/e2e/cip-key.yaml | kubectl apply -f -
 # allow things to propagate
 sleep 5
 echo '::endgroup::'
@@ -172,6 +179,15 @@ echo '::group:: Verify demoimage with cosign key'
 COSIGN_EXPERIMENTAL=1 cosign verify --key cosign.pub --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage}
 echo '::endgroup::'
 
+# Ok, so now we have satisfied the keyless requirements, one signature, one
+# custom attestation, and one 'keyful' one. But it will now be missing a
+# keyful attestation, so let's add that requirement.
+echo '::group:: Create CIP that requires a keyful attestation'
+yq '. | .spec.authorities[0].key.data |= load_str("cosign.pub")' ./test/testdata/policy-controller/e2e/cip-key-with-attestations.yaml | kubectl apply -f -
+# allow things to propagate
+sleep 5
+echo '::endgroup::'
+
 # This image has been signed with key, but does not have a key attestation
 # so should fail
 echo '::group:: test job rejection'

diff --git a/test/testdata/policy-controller/e2e/cip-key-with-attestations.yaml b/test/testdata/policy-controller/e2e/cip-key-with-attestations.yaml
@@ -37,12 +37,3 @@ spec:
         data: |
           predicateType: "cosign.sigstore.dev/attestation/v1"
           predicate: Data: "foobar key e2e test"
-  - name: verify signature
-    key:
-      data: |
-        -----BEGIN PUBLIC KEY-----
-        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZxAfzrQG1EbWyCI8LiSB7YgSFXoI
-        FNGTyQGKHFc6/H8TQumT9VLS78pUwtv3w7EfKoyFZoP32KrO7nzUy2q6Cw==
-        -----END PUBLIC KEY-----
-    ctlog:
-      url: http://rekor.rekor-system.svc
diff --git a/test/testdata/policy-controller/e2e/cip-keyless-with-attestations.yaml b/test/testdata/policy-controller/e2e/cip-keyless-with-attestations.yaml
@@ -20,7 +20,7 @@ spec:
   images:
   - glob: registry.local:5000/policy-controller/demo*
   authorities:
-  - name: verifycustomattestation
+  - name: attestation
     keyless:
       url: http://fulcio.fulcio-system.svc
     ctlog:
@@ -33,23 +33,3 @@ spec:
         data: |
           predicateType: "cosign.sigstore.dev/attestation/v1"
           predicate: Data: "foobar e2e test"
-  - name: verifysignature
-    keyless:
-      url: http://fulcio.fulcio-system.svc
-    ctlog:
-      url: http://rekor.rekor-system.svc
-  policy:
-    type: cue
-    data: |
-      package sigstore
-      import "list"
-      authorityMatches: {
-        verifysignature: {
-          signatures: list.MaxItems(1) & list.MinItems(1)
-        },
-        if (len(authorityMatches.verifycustomattestation.attestations) < 1) {
-          keylessattMinAttestations: 1
-          keylessattMinAttestations: "Error"
-        },
-      }
-