From ad92b385278ef66712601515fcb584ec3602ec12 Mon Sep 17 00:00:00 2001
From: enrico-kaack-comp
Date: Mon, 2 May 2022 11:02:41 +0200
Subject: [PATCH 01/15] Add tests
---
 .../signature/signature_suite_test.go | 54 +++
 .../signature/signature_test.go | 443 ++++++++++++++++++
 2 files changed, 497 insertions(+)
 create mode 100644 pkg/commands/componentarchive/signature/signature_suite_test.go
 create mode 100644 pkg/commands/componentarchive/signature/signature_test.go
diff --git a/pkg/commands/componentarchive/signature/signature_suite_test.go b/pkg/commands/componentarchive/signature/signature_suite_test.go
new file mode 100644
index 00000000..b3d4a295
--- /dev/null
+++ b/pkg/commands/componentarchive/signature/signature_suite_test.go
@@ -0,0 +1,54 @@
+package signature_test
+
+import (
+ "context"
+ "path/filepath"
+ "testing"
+
+ "github.com/go-logr/logr"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+
+ "github.com/gardener/component-cli/ociclient"
+ "github.com/gardener/component-cli/ociclient/cache"
+ "github.com/gardener/component-cli/ociclient/credentials"
+ "github.com/gardener/component-cli/ociclient/test/envtest"
+ "github.com/gardener/component-cli/pkg/logger"
+)
+
+func TestConfig(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "signature Test Suite")
+}
+
+var (
+ testenv *envtest.Environment
+ client ociclient.ExtendedClient
+ ociCache cache.Cache
+ keyring *credentials.GeneralOciKeyring
+)
+
+var _ = BeforeSuite(func() {
+ testenv = envtest.New(envtest.Options{
+ RegistryBinaryPath: filepath.Join("../../../../", envtest.DefaultRegistryBinaryPath),
+ Stdout: GinkgoWriter,
+ Stderr: GinkgoWriter,
+ })
+ Expect(testenv.Start(context.Background())).To(Succeed())
+
+ keyring = credentials.New()
+ Expect(keyring.AddAuthConfig(testenv.Addr, credentials.AuthConfig{
+ Username: testenv.BasicAuth.Username,
+ Password: testenv.BasicAuth.Password,
+ })).To(Succeed())
+ ociCache = cache.NewInMemoryCache()
+ var err error
+ client, err = ociclient.NewClient(logr.Discard(), ociclient.WithKeyring(keyring), ociclient.WithCache(ociCache))
+ Expect(err).ToNot(HaveOccurred())
+
+ logger.SetLogger(logr.Discard())
+}, 60)
+
+var _ = AfterSuite(func() {
+ Expect(testenv.Close()).To(Succeed())
+})
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
new file mode 100644
index 00000000..ea83243c
--- /dev/null
+++ b/pkg/commands/componentarchive/signature/signature_test.go
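Review bot: The suite entry point is named `TestConfig` while the suite it registers is "signature Test Suite", which reads as a leftover from another package and makes `go test -run` selection misleading; `func TestSignature(t *testing.T) {` would match the suite it runs. The registry binary path `filepath.Join("../../../../", envtest.DefaultRegistryBinaryPath)` ties the suite to being run from this package directory, so a one-line comment stating that assumption would save the next reader a failing run from the repository root. `logger.SetLogger(logr.Discard())` in BeforeSuite hides every diagnostic when the registry start or credential setup fails; if a GinkgoWriter-backed logr sink is available in the project, routing the logger there (as Stdout/Stderr already are) would surface that output only on failure.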
@@ -0,0 +1,443 @@ +package signature_test + +import ( + "context" + "fmt" + + cdv2 "github.com/gardener/component-spec/bindings-go/apis/v2" + v2 "github.com/gardener/component-spec/bindings-go/apis/v2" + cdv2Sign "github.com/gardener/component-spec/bindings-go/apis/v2/signatures" + "github.com/gardener/component-spec/bindings-go/ctf" + + cdoci "github.com/gardener/component-spec/bindings-go/oci" + "github.com/mandelsoft/vfs/pkg/memoryfs" + . "github.com/onsi/gomega" + ocispecv1 "github.com/opencontainers/image-spec/specs-go/v1" + + "github.com/gardener/component-cli/pkg/commands/componentarchive/signature/verify" + "github.com/gardener/component-cli/pkg/signatures" + "github.com/gardener/component-cli/pkg/testutils" + . "github.com/onsi/ginkgo" +) + +func getParentCd() cdv2.ComponentDescriptor { + refResParent := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0/test-resource-parent:v0.0.1") + uploadTestResource(refResParent, "data-parent") + parentResAccess, err := cdv2.NewUnstructured(cdv2.NewOCIRegistryAccess(refResParent)) + Expect(err).ToNot(HaveOccurred()) + return cdv2.ComponentDescriptor{ + ComponentSpec: cdv2.ComponentSpec{ + ObjectMeta: cdv2.ObjectMeta{ + Name: "github.com/component-cli/test-component-parent", + Version: "v0.1.0", + }, + Provider: cdv2.InternalProvider, + ComponentReferences: []v2.ComponentReference{ + { + Name: "test-component-child", + ComponentName: "github.com/component-cli/test-component-child", + Version: "v0.1.0", + ExtraIdentity: v2.Identity{ + "refkey": "refName", + }, + }, + }, + Resources: []cdv2.Resource{ + { + IdentityObjectMeta: cdv2.IdentityObjectMeta{ + Name: "resource1", + Version: "v0.0.1", + ExtraIdentity: cdv2.Identity{ + "key": "value", + }, + Type: "ociImage", + }, + Access: &parentResAccess, + }, + }, + }, + } +} + +func getChildCd() cdv2.ComponentDescriptor { + refResChild := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0/test-resource-child:v0.0.1") + uploadTestResource(refResChild, "data-child") + childResAccess, err := 
cdv2.NewUnstructured(cdv2.NewOCIRegistryAccess(refResChild)) + Expect(err).ToNot(HaveOccurred()) + return cdv2.ComponentDescriptor{ + ComponentSpec: cdv2.ComponentSpec{ + ObjectMeta: cdv2.ObjectMeta{ + Name: "github.com/component-cli/test-component-child", + Version: "v0.1.0", + }, + Provider: cdv2.InternalProvider, + Resources: []cdv2.Resource{ + { + IdentityObjectMeta: cdv2.IdentityObjectMeta{ + Name: "resource2", + Version: "v0.0.1", + ExtraIdentity: cdv2.Identity{ + "key": "value2", + }, + Type: "ociImage", + }, + Access: &childResAccess, + }, + }, + }, + } +} + +func uploadTestResource(ref string, layerData string) { + ctx := context.Background() + defer ctx.Done() + + configData := []byte("config-data") + layersData := [][]byte{ + []byte("layer-1-data"), + []byte(layerData), + } + + testutils.UploadTestImage(ctx, client, ref, ocispecv1.MediaTypeImageManifest, configData, layersData) +} + +func uploadTestCd(cd cdv2.ComponentDescriptor, ref string) { + ctx := context.TODO() + fs := memoryfs.New() + + ociRepo := cdv2.NewOCIRegistryRepository(ref, "") + repoCtx, err := cdv2.NewUnstructured( + ociRepo, + ) + Expect(err).ToNot(HaveOccurred()) + + err = cdv2.InjectRepositoryContext(&cd, &repoCtx) + Expect(err).ToNot(HaveOccurred()) + + manifest, err := cdoci.NewManifestBuilder(ociCache, ctf.NewComponentArchive(&cd, fs)).Build(ctx) + Expect(err).ToNot(HaveOccurred()) + + ociRef, err := cdoci.OCIRef(*ociRepo, cd.Name, cd.Version) + Expect(err).ToNot(HaveOccurred()) + + Expect(client.PushManifest(ctx, ociRef, manifest)).To(Succeed()) + + cdresolver := cdoci.NewResolver(client) + _, err = cdresolver.Resolve(ctx, ociRepo, cd.Name, cd.Version) + Expect(err).ToNot(HaveOccurred()) + +} + +var _ = Describe("signature", func() { + Context("add digest", func() { + It("should sign a cd with referenced cd and resource each", func() { + parentCd := getParentCd() + childCd := getChildCd() + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + 
uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), map[string]bool{}) + Expect(err).ToNot(HaveOccurred()) + Expect(len(digestedCds)).To(Equal(2)) + + digestedChildCd := digestedCds[0] + digestedParentCd := digestedCds[1] + + Expect(digestedChildCd.Resources[0].Digest).ToNot(BeNil()) + Expect(digestedChildCd.Resources[0].Digest).ToNot(Equal(cdv2.NewExcludeFromSignatureDigest())) + + Expect(digestedParentCd.Resources[0].Digest).ToNot(BeNil()) + Expect(digestedParentCd.Resources[0].Digest).ToNot(Equal(cdv2.NewExcludeFromSignatureDigest())) + + Expect(digestedParentCd.ComponentReferences[0].Digest).ToNot(BeNil()) + Expect(digestedParentCd.ComponentReferences[0].Digest).ToNot(Equal(cdv2.NewExcludeFromSignatureDigest())) + }) + + It("should fail signing if existing cd reference digest mismatch", func() { + parentCd := getParentCd() + childCd := getChildCd() + + //add a wrong digest + parentCd.ComponentReferences[0].Digest = &cdv2.DigestSpec{ + HashAlgorithm: "FAKE", + NormalisationAlgorithm: "FAKE", + Value: "FAKE", + } + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), map[string]bool{}) + Expect(err).To(HaveOccurred()) + Expect(digestedCds).To(BeNil()) + }) + It("should fail signing if existing parent cd resource digest mismatch", func() { + parentCd := getParentCd() + childCd := getChildCd() + + //add a wrong digest + parentCd.Resources[0].Digest = &cdv2.DigestSpec{ + HashAlgorithm: "FAKE", + NormalisationAlgorithm: "FAKE", + Value: "FAKE", + } + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add 
digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), map[string]bool{}) + Expect(err).To(HaveOccurred()) + Expect(digestedCds).To(BeNil()) + }) + It("should fail signing if existing child cd resource digest mismatch", func() { + parentCd := getParentCd() + childCd := getChildCd() + + //add a wrong digest + childCd.Resources[0].Digest = &cdv2.DigestSpec{ + HashAlgorithm: "FAKE", + NormalisationAlgorithm: "FAKE", + Value: "FAKE", + } + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), map[string]bool{}) + Expect(err).To(HaveOccurred()) + Expect(digestedCds).To(BeNil()) + }) + It("should add a exclude-from-signature digest to skip-access-types", func() { + parentCd := getParentCd() + childCd := getChildCd() + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), map[string]bool{"ociRegistry": true}) + Expect(err).ToNot(HaveOccurred()) + Expect(len(digestedCds)).To(Equal(2)) + + digestedChildCd := digestedCds[0] + digestedParentCd := digestedCds[1] + + Expect(digestedChildCd.Resources[0].Digest).ToNot(BeNil()) + Expect(digestedChildCd.Resources[0].Digest).To(Equal(cdv2.NewExcludeFromSignatureDigest())) + + Expect(digestedParentCd.Resources[0].Digest).ToNot(BeNil()) + Expect(digestedParentCd.Resources[0].Digest).To(Equal(cdv2.NewExcludeFromSignatureDigest())) + + Expect(digestedParentCd.ComponentReferences[0].Digest).ToNot(BeNil()) + 
Expect(digestedParentCd.ComponentReferences[0].Digest).ToNot(Equal(cdv2.NewExcludeFromSignatureDigest())) + }) + + }) + + Context("verify", func() { + It("should verify a cd with referenced cd and resource each", func() { + parentCd := getParentCd() + childCd := getChildCd() + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), map[string]bool{}) + Expect(err).ToNot(HaveOccurred()) + Expect(len(digestedCds)).To(Equal(2)) + + digestedParentCd := digestedCds[1] + + repoCtx := cdv2.NewOCIRegistryRepository(ref, "") + err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO()) + Expect(err).ToNot(HaveOccurred()) + }) + It("should succeed with resource in different location", func() { + parentCd := getParentCd() + childCd := getChildCd() + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), map[string]bool{}) + Expect(err).ToNot(HaveOccurred()) + Expect(len(digestedCds)).To(Equal(2)) + + digestedParentCd := digestedCds[1] + + //change location of resource of child + refResChild := fmt.Sprintf("%s/%s", testenv.Addr, "different-location/test-resource-child:v0.0.1") + uploadTestResource(refResChild, "data-child") + childResAccess, err := cdv2.NewUnstructured(cdv2.NewOCIRegistryAccess(refResChild)) + Expect(err).ToNot(HaveOccurred()) + childCd.Resources[0].Access = &childResAccess + uploadTestCd(childCd, ref) + + //change location of resource of parent + refResParent := fmt.Sprintf("%s/%s", testenv.Addr, "different-location/test-resource-parent:v0.0.1") + 
uploadTestResource(refResParent, "data-parent") + parentResAccess, err := cdv2.NewUnstructured(cdv2.NewOCIRegistryAccess(refResParent)) + Expect(err).ToNot(HaveOccurred()) + parentCd.Resources[0].Access = &parentResAccess + uploadTestCd(parentCd, ref) + + repoCtx := cdv2.NewOCIRegistryRepository(ref, "") + err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO()) + Expect(err).ToNot(HaveOccurred()) + }) + It("should fail verify with manipulated resource in child", func() { + parentCd := getParentCd() + childCd := getChildCd() + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), map[string]bool{}) + Expect(err).ToNot(HaveOccurred()) + Expect(len(digestedCds)).To(Equal(2)) + + digestedParentCd := digestedCds[1] + + //change access imageReference of child to wrong resource (=resource of parent) --> content=digest is different + refWrongResource := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0/test-resource-parent:v0.0.1") + wrongResourceAccess, err := cdv2.NewUnstructured(cdv2.NewOCIRegistryAccess(refWrongResource)) + Expect(err).ToNot(HaveOccurred()) + childCd.Resources[0].Access = &wrongResourceAccess + uploadTestCd(childCd, ref) + + repoCtx := cdv2.NewOCIRegistryRepository(ref, "") + err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO()) + Expect(err).To(HaveOccurred()) + }) + It("should fail verify with manipulated resource in parent", func() { + parentCd := getParentCd() + childCd := getChildCd() + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, 
context.TODO(), map[string]bool{}) + Expect(err).ToNot(HaveOccurred()) + Expect(len(digestedCds)).To(Equal(2)) + + digestedParentCd := digestedCds[1] + + //change access imageReference of parent to wrong resource (= resource of child) --> content=digest is different + refWrongResource := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0/test-resource-child:v0.0.1") + wrongResourceAccess, err := cdv2.NewUnstructured(cdv2.NewOCIRegistryAccess(refWrongResource)) + Expect(err).ToNot(HaveOccurred()) + digestedParentCd.Resources[0].Access = &wrongResourceAccess + + repoCtx := cdv2.NewOCIRegistryRepository(ref, "") + err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO()) + Expect(err).To(HaveOccurred()) + }) + It("should fail verify with component reference digest manipulation", func() { + parentCd := getParentCd() + childCd := getChildCd() + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), map[string]bool{}) + Expect(err).ToNot(HaveOccurred()) + Expect(len(digestedCds)).To(Equal(2)) + + digestedParentCd := digestedCds[1] + + //manipulate digest of component descriptor + digestedParentCd.ComponentReferences[0].Digest.Value = "faked" + + repoCtx := cdv2.NewOCIRegistryRepository(ref, "") + err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO()) + Expect(err).To(HaveOccurred()) + }) + It("should fail verify with access type manipulation", func() { + parentCd := getParentCd() + childCd := getChildCd() + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), 
map[string]bool{}) + Expect(err).ToNot(HaveOccurred()) + Expect(len(digestedCds)).To(Equal(2)) + + digestedParentCd := digestedCds[1] + + //set resource access nil -> content will not be digested + digestedParentCd.Resources[0].Access = nil + + repoCtx := cdv2.NewOCIRegistryRepository(ref, "") + err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO()) + Expect(err).To(HaveOccurred()) + + //set resource access none -> content will not be digested + digestedParentCd.Resources[0].Access = cdv2.NewEmptyUnstructured("None") + + err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO()) + Expect(err).To(HaveOccurred()) + }) + It("should fail verify with exclude-from-signature manipulation", func() { + parentCd := getParentCd() + childCd := getChildCd() + + ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0") + uploadTestCd(parentCd, ref) + uploadTestCd(childCd, ref) + + //add digests + digestedCds, err := signatures.RecursivelyAddDigestsToCd(&parentCd, *cdv2.NewOCIRegistryRepository(ref, ""), client, map[string]ctf.BlobResolver{}, context.TODO(), map[string]bool{}) + Expect(err).ToNot(HaveOccurred()) + Expect(len(digestedCds)).To(Equal(2)) + + digestedParentCd := digestedCds[1].DeepCopy() + + //calculate hash + hasher, err := cdv2Sign.HasherForName("sha256") + Expect(err).ToNot(HaveOccurred()) + + hashedDigestOriginal, err := cdv2Sign.HashForComponentDescriptor(*digestedParentCd, *hasher) + Expect(err).ToNot(HaveOccurred()) + + //set parent resource to exclude from digest + digestedParentCd.Resources[0].Digest = cdv2.NewExcludeFromSignatureDigest() + + //check that cd digest is not the same + hashedDigestExcludeFromSignature, err := cdv2Sign.HashForComponentDescriptor(*digestedParentCd, *hasher) + Expect(err).ToNot(HaveOccurred()) + + Expect(hashedDigestOriginal).ToNot(Equal(hashedDigestExcludeFromSignature)) + + //set child resource to exlcude from digest (without manipulating parent) + childCd.Resources[0].Digest = 
cdv2.NewExcludeFromSignatureDigest()
+ uploadTestCd(childCd, ref)
+
+ repoCtx := cdv2.NewOCIRegistryRepository(ref, "")
+ err = verify.CheckCdDigests(digestedCds[1], *repoCtx, client, context.TODO())
+ Expect(err).To(HaveOccurred())
+ })
+ })
+})
From 4e359515d80f6a2ca1be3b32e8693e32531c3a10 Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:12:13 +0200
Subject: [PATCH 02/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index ea83243c..6c5f947d 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -130,7 +130,7 @@ func uploadTestCd(cd cdv2.ComponentDescriptor, ref string) {
 var _ = Describe("signature", func() {
 Context("add digest", func() {
- It("should sign a cd with referenced cd and resource each", func() {
+ It("should add digests to a cd and referenced cd", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From ed3e6c491732a3b00129eb91d1a621736b78183c Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:13:09 +0200
Subject: [PATCH 03/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index 6c5f947d..9a176cd4 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
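Review bot: In `uploadTestResource`, `defer ctx.Done()` is a no-op: `Done()` only returns the cancellation channel, so nothing is released at return and the line suggests cleanup that never happens; either drop it or use `ctx, cancel := context.WithCancel(context.Background())` followed by `defer cancel()`. The negative cases in both the "add digest" and "verify" contexts assert only `Expect(err).To(HaveOccurred())`, so an unrelated failure (registry unreachable, unresolvable component reference) turns them green and a regression in the digest comparison itself would go unnoticed; pin the expected failure with `Expect(err).To(MatchError(ContainSubstring(...)))` using the mismatch wording the signatures/verify packages emit, or `errors.Is` against a sentinel if they expose one. The positional assumption `digestedChildCd := digestedCds[0]` / `digestedParentCd := digestedCds[1]` is relied on throughout without explanation; a comment such as `// RecursivelyAddDigestsToCd returns referenced cds first and the root cd last (confirm against the implementation)` at the first use would make the ordering contract explicit.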
@@ -156,7 +156,7 @@ var _ = Describe("signature", func() {
 Expect(digestedParentCd.ComponentReferences[0].Digest).ToNot(Equal(cdv2.NewExcludeFromSignatureDigest()))
 })
- It("should fail signing if existing cd reference digest mismatch", func() {
+ It("should fail to add digests if preexisting digest in component ref mismatches calculated digest", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From ba5ee991f719c2e900e3c36eecec29b5ebb57df2 Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:13:51 +0200
Subject: [PATCH 04/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index 9a176cd4..5410afbe 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -176,7 +176,7 @@ var _ = Describe("signature", func() {
 Expect(err).To(HaveOccurred())
 Expect(digestedCds).To(BeNil())
 })
- It("should fail signing if existing parent cd resource digest mismatch", func() {
+ It("should fail to add digests if preexisting digest in parent cd resource mismatches calculated digest", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From 13482c365767f8326a41c4d4f32b94345f874298 Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:14:21 +0200
Subject: [PATCH 05/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index 5410afbe..30496cda 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -196,7 +196,7 @@ var _ = Describe("signature", func() {
 Expect(err).To(HaveOccurred())
 Expect(digestedCds).To(BeNil())
 })
- It("should fail signing if existing child cd resource digest mismatch", func() {
+ It("should fail to add digests if preexisting digest in child cd resource mismatches calculated digest", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From aab60031f16e8e09b18b72d1e4f37bd4a85605c3 Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:14:45 +0200
Subject: [PATCH 06/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index 30496cda..add23f56 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -216,7 +216,7 @@ var _ = Describe("signature", func() {
 Expect(err).To(HaveOccurred())
 Expect(digestedCds).To(BeNil())
 })
- It("should add a exclude-from-signature digest to skip-access-types", func() {
+ It("should add a exclude-from-signature digest for resources that are excluded from calculation via skip-access-types", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From e491a8f52a75e09a3ad428d1bcb0a2dca7f2ba17 Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:14:58 +0200
Subject: [PATCH 07/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index add23f56..3765a304 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -245,7 +245,7 @@ var _ = Describe("signature", func() {
 })
 Context("verify", func() {
- It("should verify a cd with referenced cd and resource each", func() {
+ It("should verify a digested cd", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From 326c5e1fb367d3e8c05db8bf6ef88c648803472e Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:15:26 +0200
Subject: [PATCH 08/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index 3765a304..150cb043 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -264,7 +264,7 @@ var _ = Describe("signature", func() {
 err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO())
 Expect(err).ToNot(HaveOccurred())
 })
- It("should succeed with resource in different location", func() {
+ It("should verify a digested cd if resource location changes but equal resource content", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From a503d9d693b89e047538ddc5a093216e4f24828c Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:15:49 +0200
Subject: [PATCH 09/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index 150cb043..fae6e7c8 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -299,7 +299,7 @@ var _ = Describe("signature", func() {
 err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO())
 Expect(err).ToNot(HaveOccurred())
 })
- It("should fail verify with manipulated resource in child", func() {
+ It("should fail to verify a digested cd with manipulated resource in child", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From bfeec10a1878d68285c7bea8e73ef723c1e25946 Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:16:04 +0200
Subject: [PATCH 10/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index fae6e7c8..142f1631 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -325,7 +325,7 @@ var _ = Describe("signature", func() {
 err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO())
 Expect(err).To(HaveOccurred())
 })
- It("should fail verify with manipulated resource in parent", func() {
+ It("should fail to verify a digested cd with manipulated resource in parent", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From 4474fd913c0006cc96697908d5fe95f0bc84f486 Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:16:27 +0200
Subject: [PATCH 11/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index 142f1631..a0dccf48 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -350,7 +350,7 @@ var _ = Describe("signature", func() {
 err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO())
 Expect(err).To(HaveOccurred())
 })
- It("should fail verify with component reference digest manipulation", func() {
+ It("should fail to verify a digested cd with component reference digest manipulation", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From 468e024d980613fe4b84b2b816e7ca6bc239a9ea Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:19:18 +0200
Subject: [PATCH 12/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index a0dccf48..1aa19c28 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -372,7 +372,7 @@ var _ = Describe("signature", func() {
 err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO())
 Expect(err).To(HaveOccurred())
 })
- It("should fail verify with access type manipulation", func() {
+ It("should fail to verify a digested cd if a resource is excluded from calculation afterwards via access type none", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From 3227b481a3ab16fca8a3bfbe4ad3db27c2e3fc70 Mon Sep 17 00:00:00 2001
From: Enrico Kaack
Date: Thu, 19 May 2022 16:19:43 +0200
Subject: [PATCH 13/15] Update pkg/commands/componentarchive/signature/signature_test.go
Co-authored-by: Johannes Schicktanz
---
 pkg/commands/componentarchive/signature/signature_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index 1aa19c28..1ab808a5 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -400,7 +400,7 @@ var _ = Describe("signature", func() {
 err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO())
 Expect(err).To(HaveOccurred())
 })
- It("should fail verify with exclude-from-signature manipulation", func() {
+ It("should fail to verify a digested cd if a resource is excluded from calculation afterwards via exclude from signature digest", func() {
 parentCd := getParentCd()
 childCd := getChildCd()
From 2ffb5b2c3e9b01ac3dad455c41477cd6d6ac2901 Mon Sep 17 00:00:00 2001
From: enrico-kaack-comp
Date: Thu, 19 May 2022 16:43:58 +0200
Subject: [PATCH 14/15] use a real-looking fake digest
---
 .../componentarchive/signature/signature_test.go | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index 1ab808a5..cc00586d 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -2,10 +2,11 @@ package signature_test
 import (
 "context"
+ "crypto/sha256"
+ "encoding/hex"
 "fmt"
 cdv2 "github.com/gardener/component-spec/bindings-go/apis/v2"
- v2 "github.com/gardener/component-spec/bindings-go/apis/v2"
 cdv2Sign "github.com/gardener/component-spec/bindings-go/apis/v2/signatures"
 "github.com/gardener/component-spec/bindings-go/ctf"
@@ -32,12 +33,12 @@ func getParentCd() cdv2.ComponentDescriptor {
 Version: "v0.1.0",
 },
 Provider: cdv2.InternalProvider,
- ComponentReferences: []v2.ComponentReference{
+ ComponentReferences: []cdv2.ComponentReference{
 {
 Name: "test-component-child",
 ComponentName: "github.com/component-cli/test-component-child",
 Version: "v0.1.0",
- ExtraIdentity: v2.Identity{
+ ExtraIdentity: cdv2.Identity{
 "refkey": "refName",
 },
 },
@@ -129,6 +130,9 @@ func uploadTestCd(cd cdv2.ComponentDescriptor, ref string) {
 }
 var _ = Describe("signature", func() {
+ fakeSha256 := sha256.Sum256([]byte("fake"))
+ fakedDigest := hex.EncodeToString(fakeSha256[:])
+
 Context("add digest", func() {
 It("should add digests to a cd and referenced cd", func() {
 parentCd := getParentCd()
@@ -164,7 +168,7 @@ var _ = Describe("signature", func() {
 parentCd.ComponentReferences[0].Digest = &cdv2.DigestSpec{
 HashAlgorithm: "FAKE",
 NormalisationAlgorithm: "FAKE",
- Value: "FAKE",
+ Value: fakedDigest,
 }
 ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0")
@@ -184,7 +188,7 @@ var _ = Describe("signature", func() {
 parentCd.Resources[0].Digest = &cdv2.DigestSpec{
 HashAlgorithm: "FAKE",
 NormalisationAlgorithm: "FAKE",
- Value: "FAKE",
+ Value: fakedDigest,
 }
 ref := fmt.Sprintf("%s/%s", testenv.Addr, "cd/0")
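Review bot: The two "preexisting digest mismatches calculated digest" cases in the `@@ -164` and `@@ -184` hunks now carry a well-formed sha256 hex value but still set `HashAlgorithm: "FAKE"` and `NormalisationAlgorithm: "FAKE"`, so if the digesting code validates the algorithm names before comparing values (plausible, given `cdv2Sign.HasherForName` is a lookup by name elsewhere in this file), these tests pass on an unknown-algorithm error rather than on the digest-mismatch path their titles promise. Use the identifiers the digest step itself writes — `HashAlgorithm: "sha256"` matches the hasher name already used in this file, and the normalisation algorithm can be read back from a digested descriptor instead of being hard-coded — so that only `Value: fakedDigest` is wrong. The `@@ -366` hunk on the following line is fine in this respect because it overwrites only `Value` on a digest the library produced. Because these cases assert only `HaveOccurred()`, the difference is invisible today; asserting on the mismatch error would make it observable.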
@@ -366,7 +370,7 @@ var _ = Describe("signature", func() {
 digestedParentCd := digestedCds[1]
 //manipulate digest of component descriptor
- digestedParentCd.ComponentReferences[0].Digest.Value = "faked"
+ digestedParentCd.ComponentReferences[0].Digest.Value = fakedDigest
 repoCtx := cdv2.NewOCIRegistryRepository(ref, "")
 err = verify.CheckCdDigests(digestedParentCd, *repoCtx, client, context.TODO())
From 8b16668053facd055672a67819826d3e591c52d2 Mon Sep 17 00:00:00 2001
From: enrico-kaack-comp
Date: Tue, 24 May 2022 16:26:51 +0200
Subject: [PATCH 15/15] formating
---
 pkg/commands/componentarchive/signature/signature_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/commands/componentarchive/signature/signature_test.go b/pkg/commands/componentarchive/signature/signature_test.go
index cc00586d..e3037346 100644
--- a/pkg/commands/componentarchive/signature/signature_test.go
+++ b/pkg/commands/componentarchive/signature/signature_test.go
@@ -15,10 +15,11 @@ import (
 . "github.com/onsi/gomega"
 ocispecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+ . "github.com/onsi/ginkgo"
+
 "github.com/gardener/component-cli/pkg/commands/componentarchive/signature/verify"
 "github.com/gardener/component-cli/pkg/signatures"
 "github.com/gardener/component-cli/pkg/testutils"
- . "github.com/onsi/ginkgo"
 )
 func getParentCd() cdv2.ComponentDescriptor {