vsa.feature
Feature: VSA generation and storage
  The ec command line should generate and store Verification Summary Attestation (VSA)

  Background:
    Given a stub cluster running
    Given stub rekord running
    Given stub registry running
    Given stub git daemon running
    Given stub tuf running

  Scenario: VSA generation with local storage backend
    Given a key pair named "vsa-test"
    Given an image named "acceptance/vsa-test-image"
    Given a valid image signature of "acceptance/vsa-test-image" image signed by the "vsa-test" key
    Given a valid attestation of "acceptance/vsa-test-image" signed by the "vsa-test" key
    Given a git repository named "vsa-policy" with
      | main.rego | examples/happy_day.rego |
    Given policy configuration named "vsa-ec-policy" with specification
      """
      {
        "sources": [
          {
            "policy": [
              "git::https://${GITHOST}/git/vsa-policy.git"
            ]
          }
        ]
      }
      """
    When ec command is run with "validate image --image ${REGISTRY}/acceptance/vsa-test-image --policy acceptance/vsa-ec-policy --public-key ${vsa-test_PUBLIC_KEY} --rekor-url ${REKOR} --vsa --vsa-signing-key ${vsa-test_PRIVATE_KEY} --vsa-upload local@${TMPDIR}/vsa-output --vsa-expiration 0 --output json"
    Then the exit status should be 0
    Then the output should match the snapshot
    And VSA envelope files should exist in "${TMPDIR}/vsa-output"

  Scenario: VSA generation with Rekor storage backend
    Given a key pair named "vsa-rekor"
    Given an image named "acceptance/vsa-rekor-image"
    Given a valid image signature of "acceptance/vsa-rekor-image" image signed by the "vsa-rekor" key
    Given a valid attestation of "acceptance/vsa-rekor-image" signed by the "vsa-rekor" key
    Given a git repository named "vsa-rekor-policy" with
      | main.rego | examples/happy_day.rego |
    Given policy configuration named "vsa-rekor-ec-policy" with specification
      """
      {
        "sources": [
          {
            "policy": [
              "git::https://${GITHOST}/git/vsa-rekor-policy.git"
            ]
          }
        ]
      }
      """
    Given VSA upload to Rekor should be expected
    When ec command is run with "validate image --image ${REGISTRY}/acceptance/vsa-rekor-image --policy acceptance/vsa-rekor-ec-policy --public-key ${vsa-rekor_PUBLIC_KEY} --rekor-url ${REKOR} --vsa --vsa-signing-key ${vsa-rekor_PRIVATE_KEY} --vsa-upload rekor@${REKOR} --vsa-expiration 0 --output json"
    Then the exit status should be 0
    Then the output should match the snapshot
    And VSA should be uploaded to Rekor successfully

  Scenario: VSA generation with multiple storage backends
    Given a key pair named "vsa-multi"
    Given an image named "acceptance/vsa-multi-image"
    Given a valid image signature of "acceptance/vsa-multi-image" image signed by the "vsa-multi" key
    Given a valid attestation of "acceptance/vsa-multi-image" signed by the "vsa-multi" key
    Given a git repository named "vsa-multi-policy" with
      | main.rego | examples/happy_day.rego |
    Given policy configuration named "vsa-multi-ec-policy" with specification
      """
      {
        "sources": [
          {
            "policy": [
              "git::https://${GITHOST}/git/vsa-multi-policy.git"
            ]
          }
        ]
      }
      """
    Given VSA upload to Rekor should be expected
    When ec command is run with "validate image --image ${REGISTRY}/acceptance/vsa-multi-image --policy acceptance/vsa-multi-ec-policy --public-key ${vsa-multi_PUBLIC_KEY} --rekor-url ${REKOR} --vsa --vsa-signing-key ${vsa-multi_PRIVATE_KEY} --vsa-upload local@${TMPDIR}/vsa-multi-output --vsa-upload rekor@${REKOR} --vsa-expiration 0 --output json"
    Then the exit status should be 0
    Then the output should match the snapshot
    And VSA envelope files should exist in "${TMPDIR}/vsa-multi-output"
    And VSA should be uploaded to Rekor successfully

  Scenario: VSA generation with invalid storage backend configuration
    Given a key pair named "vsa-invalid"
    Given an image named "acceptance/vsa-invalid-image"
    Given a valid image signature of "acceptance/vsa-invalid-image" image signed by the "vsa-invalid" key
    Given a valid attestation of "acceptance/vsa-invalid-image" signed by the "vsa-invalid" key
    Given a git repository named "vsa-invalid-policy" with
      | main.rego | examples/happy_day.rego |
    Given policy configuration named "vsa-invalid-ec-policy" with specification
      """
      {
        "sources": [
          {
            "policy": [
              "git::https://${GITHOST}/git/vsa-invalid-policy.git"
            ]
          }
        ]
      }
      """
    When ec command is run with "validate image --image ${REGISTRY}/acceptance/vsa-invalid-image --policy acceptance/vsa-invalid-ec-policy --public-key ${vsa-invalid_PUBLIC_KEY} --rekor-url ${REKOR} --vsa --vsa-signing-key ${vsa-invalid_PRIVATE_KEY} --vsa-upload invalid-backend@somewhere --vsa-expiration 0 --output json"
    Then the exit status should be 0
    Then the output should match the snapshot

  Scenario: VSA expiration flag functionality
    Given a key pair named "vsa-expiration"
    Given an image named "acceptance/vsa-expiration-image"
    Given a valid image signature of "acceptance/vsa-expiration-image" image signed by the "vsa-expiration" key
    Given a valid attestation of "acceptance/vsa-expiration-image" signed by the "vsa-expiration" key
    Given VSA index search should return no results
    Given a git repository named "vsa-expiration-policy" with
      | main.rego | examples/happy_day.rego |
    Given policy configuration named "vsa-expiration-ec-policy" with specification
      """
      {
        "sources": [
          {
            "policy": [
              "git::https://${GITHOST}/git/vsa-expiration-policy.git"
            ]
          }
        ]
      }
      """
    When ec command is run with "validate image --image ${REGISTRY}/acceptance/vsa-expiration-image@sha256:${REGISTRY_acceptance/vsa-expiration-image:latest_DIGEST} --policy acceptance/vsa-expiration-ec-policy --public-key ${vsa-expiration_PUBLIC_KEY} --rekor-url ${REKOR} --vsa-expiration 1h --vsa-upload rekor@${REKOR} --output json"
    Then the exit status should be 0
    Then the output should match the snapshot

  Scenario: VSA expiration with existing valid VSA
    Given a key pair named "vsa-existing"
    Given an image named "acceptance/vsa-existing-image"
    Given a valid image signature of "acceptance/vsa-existing-image" image signed by the "vsa-existing" key
    Given a valid attestation of "acceptance/vsa-existing-image" signed by the "vsa-existing" key
    Given VSA index search should return valid VSA
    Given a git repository named "vsa-existing-policy" with
      | main.rego | examples/happy_day.rego |
    Given policy configuration named "vsa-existing-ec-policy" with specification
      """
      {
        "sources": [
          {
            "policy": [
              "git::https://${GITHOST}/git/vsa-existing-policy.git"
            ]
          }
        ]
      }
      """
    Given VSA upload to Rekor should be expected
    # First, generate a VSA and upload it to Rekor
    Given VSA upload to Rekor should be expected
    When ec command is run with "validate image --image ${REGISTRY}/acceptance/vsa-existing-image@sha256:${REGISTRY_acceptance/vsa-existing-image:latest_DIGEST} --policy acceptance/vsa-existing-ec-policy --public-key ${vsa-existing_PUBLIC_KEY} --rekor-url ${REKOR} --vsa --vsa-signing-key ${vsa-existing_PRIVATE_KEY} --vsa-upload rekor@${REKOR} --vsa-expiration 0 --output json"
    Then the exit status should be 0
    And VSA should be uploaded to Rekor successfully
    # Then test expiration checking with that existing VSA
    When ec command is run with "validate image --image ${REGISTRY}/acceptance/vsa-existing-image@sha256:${REGISTRY_acceptance/vsa-existing-image:latest_DIGEST} --policy acceptance/vsa-existing-ec-policy --public-key ${vsa-existing_PUBLIC_KEY} --rekor-url ${REKOR} --vsa-expiration 24h --output json"
    Then the exit status should be 0
    Then the output should match the snapshot

  Scenario: VSA generation without upload backends shows warning
    Given a key pair named "vsa-no-upload"
    Given an image named "acceptance/vsa-no-upload-image"
    Given a valid image signature of "acceptance/vsa-no-upload-image" image signed by the "vsa-no-upload" key
    Given a valid attestation of "acceptance/vsa-no-upload-image" signed by the "vsa-no-upload" key
    Given a git repository named "vsa-no-upload-policy" with
      | main.rego | examples/happy_day.rego |
    Given policy configuration named "vsa-no-upload-ec-policy" with specification
      """
      {
        "sources": [
          {
            "policy": [
              "git::https://${GITHOST}/git/vsa-no-upload-policy.git"
            ]
          }
        ]
      }
      """
    When ec command is run with "validate image --image ${REGISTRY}/acceptance/vsa-no-upload-image --policy acceptance/vsa-no-upload-ec-policy --public-key ${vsa-no-upload_PUBLIC_KEY} --rekor-url ${REKOR} --vsa --vsa-signing-key ${vsa-no-upload_PRIVATE_KEY} --vsa-expiration 0 --output json"
    Then the exit status should be 0
    Then the output should match the snapshot
    And the log output should contain "[VSA] VSA files generated but not uploaded (no --vsa-upload backends specified)"

  Scenario: VSA upload failure handling
    Given a key pair named "vsa-upload-fail"
    Given an image named "acceptance/vsa-upload-fail-image"
    Given a valid image signature of "acceptance/vsa-upload-fail-image" image signed by the "vsa-upload-fail" key
    Given a valid attestation of "acceptance/vsa-upload-fail-image" signed by the "vsa-upload-fail" key
    Given a git repository named "vsa-upload-fail-policy" with
      | main.rego | examples/happy_day.rego |
    Given policy configuration named "vsa-upload-fail-ec-policy" with specification
      """
      {
        "sources": [
          {
            "policy": [
              "git::https://${GITHOST}/git/vsa-upload-fail-policy.git"
            ]
          }
        ]
      }
      """
    Given Rekor upload should fail
    When ec command is run with "validate image --image ${REGISTRY}/acceptance/vsa-upload-fail-image --policy acceptance/vsa-upload-fail-ec-policy --public-key ${vsa-upload-fail_PUBLIC_KEY} --rekor-url ${REKOR} --vsa --vsa-signing-key ${vsa-upload-fail_PRIVATE_KEY} --vsa-upload rekor@${REKOR} --vsa-expiration 0 --output json"
    Then the exit status should be 0
    And the log output should contain "[VSA] Failed to upload in-toto 0.0.2 entry"