From b19c2db9bc38ab28c6086e0375324a151a5a9a46 Mon Sep 17 00:00:00 2001
From: greg pereira
Date: Sat, 16 Dec 2023 14:15:07 -0800
Subject: [PATCH] swap clientserver to correct image + linting
---
 automated-testing.sh | 108 ++++--
 .../templates/clientserver-deployment.yaml | 1 -
 .../templates/segment-backup-job.yaml | 3 +-
 charts/trusted-artifact-signer/values.yaml | 6 +-
 tas-easy-install.sh | 1 +
 testing/Dockerfile.test | 2 +
 testing/automated-testing.sh | 321 ++++++++++++++++++
 testing/cosign-blob.txt | 1 +
 testing/jdoe-client-secret.txt | 3 +
 9 files changed, 421 insertions(+), 25 deletions(-)
 create mode 100644 testing/Dockerfile.test
 create mode 100755 testing/automated-testing.sh
 create mode 100644 testing/cosign-blob.txt
 create mode 100644 testing/jdoe-client-secret.txt
diff --git a/automated-testing.sh b/automated-testing.sh
index 713572b0..83d0af6a 100755
--- a/automated-testing.sh
+++ b/automated-testing.sh
@@ -28,48 +28,118 @@ fi source ./tas-env-variables.sh ## Binary testing -### Deps: jq, yq, +### Deps: jq, yq, podman, oc +echo "{}" > /tmp/tas-report.json clientserver_namespace=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.clientserver.namespace) +clientserver_name=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.clientserver.name) OS_FAMILY=$(uname | tr '[:upper:]' '[:lower:]') ARCH=$(uname -m) #### Cosign binary="cosign" cosign_download_link="" + +# Generate cosign entry in report +jq -c '.cosign = {}' -i /tmp/tas-report.json + +# find correct download link if [[ $OS_FAMILY == "linux" && $ARCH == "amd64" ]]; then cosign_download_link="https://$clientserver_namespace.$BASE_HOSTNAME/clients/$OS_FAMILY/$binary.gz" else - cosign_download_options=($(oc get -n $clientserver_namespace consoleclidownloads.console.openshift.io cosign -o json | jq ".spec.links[].href")) + cosign_download_options=($(oc get -n $clientserver_namespace consoleclidownloads.console.openshift.io cosign -o json | jq ".spec.links[].href" | cut -d "\"" -f 2 )) for cosign_download_option in "${cosign_download_options[@]}"; do - if [[ $cosign_download_option == "https://$clientserver_namespace.$BASE_HOSTNAME/clients/$OS_FAMILY/$binary-$ARCH.gz" ]]; then + if [[ $cosign_download_option == "https://$clientserver_name-$clientserver_namespace.$BASE_HOSTNAME/clients/$OS_FAMILY/$binary-$ARCH.gz" ]]; then cosign_download_link=$cosign_download_option fi done fi +# check cosign download link if [[ -z $cosign_download_link ]]; then echo "error getting cosign download link" - exit 1 #THIS IS A TEMPORARY PLACEHOLDER + jq --arg OS "$OS_FAMILY" --arg ARCH "$ARCH" '.cosign.download = {"status": "failure", "os": $OS, "arch": $ARCH, "link": ""}' -i /tmp/tas-report.json +else + echo "download matching OS: $OS_FAMILY and ARCH: $ARCH found: + $cosign_download_link + continuing... 
" + jq --arg OS "$OS_FAMILY" --arg ARCH "$ARCH" --arg LINK "$cosign_download_link" '.cosign.download = {"os": $OS, "arch": $ARCH, "link": $LINK}' -i /tmp/tas-report.json fi -cosign_download=$(curl -sL $cosign_download_link -o /tmp/cosign-$OS_FAMIL-$ARCH.gz) -not_found_html_string=" -404 Not Found -" -if [[ $(cat $cosign_download | grep "$not_found_html_string") ]] +dir=$(pwd) + +# idempotency + +if [ -d "/tmp/cosign" ]; then + rm -rf /tmp/cosign +fi +mkdir /tmp/cosign && cd /tmp/cosign -# 2 options for testing cosign, could test by downloading the binary from console-cli-downloads, or we could use the cosign pod with kubectl exec -# 1. download the binary from cluster +cosign_download=$(curl -sL $cosign_download_link -o /tmp/cosign/cosign-$OS_FAMILY-$ARCH.gz) +cosign_download_status=$(echo $?) +cosign_download_404=$(cat /tmp/cosign/cosign-$OS_FAMILY-$ARCH.gz | grep "404 Not Found") +gzip -d /tmp/cosign/cosign-$OS_FAMILY-$ARCH.gz --force +cosign_unizp_status=$(echo $?) +# checking download status of cosign +if [[ $cosign_download_status == 0 && -z $cosign_download_404 && $cosign_unizp_status == 0 ]]; then + jq '.cosign.download.status = "success"' -i /tmp/tas-report.json +else + jq '.cosign.download.status = "failure"' -i /tmp/tas-report.json +fi + +chmod +x /tmp/cosign/cosign-$OS_FAMILY-$ARCH + +podman pull registry.access.redhat.com/ubi9/s2i-base@sha256:d3838e6e26baa335556eb04f0af128602ddf7b57161d168b21ed6cf997281ddb +/tmp/cosign/cosign-$OS_FAMILY-$ARCH initialize --mirror=$TUF_URL --root=$TUF_URL/root.json +cosign_initialize_status=$(echo $?) 
+if [[ $cosign_initialize_status == 0 ]]; then + jq '.cosign.initialize.status = "success"' -i /tmp/tas-report.json +else + jq '.cosign.initialize.status = "failure"' -i /tmp/tas-report.json + +fi + +### Cosign keyless flow (no upload) +/tmp/cosign/cosign-$OS_FAMILY-$ARCH sign registry.access.redhat.com/ubi9/s2i-base@sha256:d3838e6e26baa335556eb04f0af128602ddf7b57161d168b21ed6cf997281ddb \ + --yes \ + --rekor-url=$REKOR_URL \ + --fulcio-url=$FULCIO_URL \ + --oidc-issuer=$OIDC_ISSUER_URL \ + --upload=false + # --output-file=/tmp/test-output # THIS DOES NOT WORK + # --timestamp-server-url= \ # THIS HAS YET TO BE INCLUDED IN THE CHARTS +cosign_keyless_signing_status=$(echo $?) + +if [[ $cosign_keyless_signing_status == 0 ]]; then + jq --arg STATUS_CODE "$cosign_keyless_signing_status" '.cosign.sign.keyless = {"result": "success", "status_code": "$STATUS_CODE"}' -i /tmp/tas-report.json +else + # ADD FAILURE CASE +fi + +### Cosign generate-key-pair + +export COSIGN_PASSWORD="tmp_cosign_password" +/tmp/cosign/cosign-$OS_FAMILY-$ARCH generate-key-pair --output-key-prefix tas-cosign +cosign_generate_key_statues=$(echo $?) +if [[ $cosign_generate_key_statues == 0 ]]; then + jq --arg STATUS_CODE "$cosign_generate_key_statues" '.cosign.keyed = {"generate-key-pair": {"result": "success", "status_code": "$STATUS_CODE"}}' -i /tmp/tas-report.json +else + # ADD FAILURE CASE +fi -# for binary in "${!binaries[@]}"; do -# oc get consoleclidownloads.console.openshift.io cosign -n openshift-console -o json | jq ".spec.links[].href" +## Cosign keyed flow +export COSIGN_PASSWORD="tmp_cosign_password" +tmp/cosign/cosign-$OS_FAMILY-$ARCH sign registry.access.redhat.com/ubi9/s2i-base@sha256:d3838e6e26baa335556eb04f0af128602ddf7b57161d168b21ed6cf997281ddb \ + --key=/tmp/cosign/tas-cosign.key \ + --rekor-url=$REKOR_URL \ + --upload=false +cosign_keyed_signing_status=$(echo $?) 
-# cosign_options=$(oc get consoleclidownloads.console.openshift.io cosign -n openshift-console -o json | jq ".spec.links")
-# 2. kubectl exec (in progress)
- # cosign_pod=$(oc get pods -n cosign | tail -n 1 | awk '{print $1}')1
- # kubectl exec -n cosign $cosign_pod
- # oc rsh $cosign_pod
-# cosign --help
\ No newline at end of file
+## COSIGN VERIFY --> this needs some where where we can push attestations
+export COSIGN_PASSWORD="tmp_cosign_password"
+tmp/cosign/cosign-$OS_FAMILY-$ARCH verify registry.access.redhat.com/ubi9/s2i-base@sha256:d3838e6e26baa335556eb04f0af128602ddf7b57161d168b21ed6cf997281ddb \
+ --key=/tmp/cosign/tas-cosign.key \
+ --rekor-url=$REKOR_URL
+cosign_keyed_signing_status=$(echo $?)
diff --git a/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml
index c36c7dd4..db702daa 100644
--- a/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml
+++ b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml
@@ -22,7 +22,6 @@ spec:
 containers:
 - name: tas-clients
 image: "{{ template "image" .Values.configs.clientserver.image }}"
- #image: quay.io/sallyom/tas-clients:httpd
 imagePullPolicy: IfNotPresent
 ports:
 - containerPort: 8080
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job.yaml
index 096d6514..4e9f83ea 100644
--- a/charts/trusted-artifact-signer/templates/segment-backup-job.yaml
+++ b/charts/trusted-artifact-signer/templates/segment-backup-job.yaml
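Review bot: The `else` branches added after the keyless-sign and generate-key-pair checks contain only `# ADD FAILURE CASE`, and bash rejects an `else` whose body is empty (a comment is not a command), so this file no longer parses and exits before the first report entry is written; a `:` placeholder keeps it valid, e.g. `else` / `  : # TODO record failure in /tmp/tas-report.json` / `fi`. The keyed sign and verify steps call `tmp/cosign/cosign-$OS_FAMILY-$ARCH` without the leading `/`; after the earlier `cd /tmp/cosign` that resolves to `/tmp/cosign/tmp/cosign/...`, which does not exist, so both steps fail regardless of service state (`dir=$(pwd)` is saved but never used to return). The success-path jq filters quote the bound variable (`"status_code": "$STATUS_CODE"`), which stores the literal text rather than the exit code; use `$STATUS_CODE` unquoted. The top-level script flow this hunk edits starts before line 28.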
@@ -19,8 +19,7 @@ spec:
 serviceAccountName: segment-backup-job
 containers:
 - name: {{ .Values.configs.segment_backup_job.name }}
- # image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
- image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
+ image: "{{ template "image" .Values.configs.segment_backup_job.image }}"
 command: ["/bin/bash", "/opt/app-root/src/script.sh"]
 env:
 - name: RUN_TYPE
diff --git a/charts/trusted-artifact-signer/values.yaml b/charts/trusted-artifact-signer/values.yaml
index be384fed..a69a545f 100644
--- a/charts/trusted-artifact-signer/values.yaml
+++ b/charts/trusted-artifact-signer/values.yaml
@@ -27,9 +27,9 @@ configs:
 namespace_create: true
 namespace: trusted-artifact-signer-clientserver
 image:
- registry: registry.redhat.io
- repository: rhtas-tech-preview/client-server-rhel9
- version: sha256:07b1c06290706873ee55e39bad5804ea1d7574b01909adf97d67495ad919f9a1
+ registry: quay.io
+ repository: redhat-user-workloads/rhtas-tenant/access-1-0-gamma/client-server-1-0-gamma
+ version: sha256:d8540b72f67c3947287d30913a9277770a43eb37eff2dd3efcb8e24759a106ac
 pullPolicy: IfNotPresent
 ctlog:
 namespace: ctlog-system
diff --git a/tas-easy-install.sh b/tas-easy-install.sh
index 222d9773..73d30c0b 100755
--- a/tas-easy-install.sh
+++ b/tas-easy-install.sh
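Review bot: `values.yaml` now defaults the clientserver image to `quay.io/redhat-user-workloads/rhtas-tenant/access-1-0-gamma/client-server-1-0-gamma`, a tenant build repository rather than the `registry.redhat.io` release path it replaces, and nothing in the file says so. The digest pin is good, but a chart consumer reading `registry: quay.io` cannot tell this is a pre-release build; a one-line comment above `image:` such as `# pre-release build from the rhtas tenant pipeline; use the registry.redhat.io digest for supported installs` records the intent. The segment-backup-job template in the previous hunk switches to the same `template "image"` helper, so it now renders whatever that helper produces — presumably `registry/repository@version` like the removed line, worth confirming since `version` holds a digest rather than a tag.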
@@ -144,6 +144,7 @@ oc -n rekor-system create secret generic rekor-private-key --from-file=private=.
 #OPENSHIFT_APPS_SUBDOMAIN=$common_name envsubst < examples/values-sigstore-openshift.yaml | helm install --debug trusted-artifact-signer trusted-artifact-signer/trusted-artifact-signer -n trusted-artifact-signer --create-namespace --values -
 OPENSHIFT_APPS_SUBDOMAIN=$common_name envsubst < examples/values-sigstore-openshift.yaml | helm upgrade -i trusted-artifact-signer --debug charts/trusted-artifact-signer -n trusted-artifact-signer --create-namespace --values -
+oc set env -n fulcio-system deployment/fulcio-server SSL_CERT_DIR=/var/run/fulcio
 # Create the script to initialize the environment variables for the service endpoints
 generate_env_script
diff --git a/testing/Dockerfile.test b/testing/Dockerfile.test
new file mode 100644
index 00000000..1475ecc2
--- /dev/null
+++ b/testing/Dockerfile.test
@@ -0,0 +1,2 @@
+FROM scratch
+ADD test-file.txt /
\ No newline at end of file
diff --git a/testing/automated-testing.sh b/testing/automated-testing.sh
new file mode 100755
index 00000000..e245522d
--- /dev/null
+++ b/testing/automated-testing.sh
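Review bot: `oc set env -n fulcio-system deployment/fulcio-server SSL_CERT_DIR=/var/run/fulcio` mutates a Deployment that the `helm upgrade` on the line above manages, so the next chart upgrade drops the variable again, and its exit status is not checked. Declaring the env var in the chart's fulcio-server deployment template (or through values) keeps it under Helm's control; if it must stay imperative, add `|| { echo "failed to set SSL_CERT_DIR on fulcio-server" >&2; exit 1; }`. Since `SSL_CERT_DIR` replaces the default CA search path rather than extending it, `/var/run/fulcio` must hold every CA fulcio needs to reach its peers — presumably the cluster CA mounted there; a comment on the line stating that purpose would help the next reader.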
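Review bot: `ADD test-file.txt /` references a file this commit does not create — the diffstat adds only `cosign-blob.txt` and `jdoe-client-secret.txt` under testing/ — so `podman build $git_root/testing -f Dockerfile.test` in the new test script fails unless `test-file.txt` happens to exist untracked on the developer's machine. Either commit the file or point at one that is, and use `COPY` since no URL fetch or archive extraction is wanted: `COPY cosign-blob.txt /`.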
@@ -0,0 +1,321 @@ +#!/bin/bash + +## Enablement, script meant for linux and OSX + +# 0. Helper functions + +log_step() { + local step_number="$1" + local line_length=40 + + # Calculate the number of spaces needed for centering + local spaces_before=$(( (line_length - ${#step_number}) / 2 )) + local spaces_after=$(( line_length - ${#step_number} - spaces_before )) + + # Print the line of # characters above the centered step number + printf "%*s\n" "$line_length" | tr ' ' '#' + + # Print the centered step number + printf "%*s%s%*s\n" "$spaces_before" "" "$step_number" "$spaces_after" "" + + # Print the line of # characters below the centered step number + printf "%*s\n" "$line_length" | tr ' ' '#' +} + +log_y_sub_step() { + sub_step_number="$1" + sub_step_name="$2" + echo "====> $sub_step_number $sub_step_name" +} + +log_z_sub_step() { + sub_step_number="$1" + sub_step_name="$2" + echo "=========> $sub_step_number $sub_step_name" +} + +wipe_file_if_exists(){ + file_path="$1" + if [[ -e $file_path ]]; then + rm -f $file_path + fi +} + +git_root=$(git rev-parse --show-toplevel) + +# 1. SETUP SECTION +# ------------------------------------------------------------------------------------------------ +## Self-signed cert check, fix in place for mac, thank you @sabre1041, need one for linux +### Deps: oc, curl + +log_step "1. Setup" +log_y_sub_step "1.1" "Self-signed cert check and remediation" + +oc_console_route=$(oc get route console -n openshift-console | grep "console-openshift-console" | awk '{print $2}') +https_curl_response=$(curl -X GET https://$oc_console_route &> /dev/null) +https_curl_status=$(echo $?) + +if [[ $https_curl_status == "60" ]]; then + echo "self-signed cert for cluster" + if [[ $(uname) == "Darwin" ]]; then + $git_root/scripts/configure-local-env.sh + echo "certificate should be imported to OSX keychain, trying again" + https_curl_response=$(curl -X GET https://$oc_console_route &> /dev/null) + https_curl_status=$(echo $?) 
+ if [[ $https_curl_status != "0" ]]; then + echo "Error: \`curl -X GET https://$oc_console_route produced status code $https_curl_status \`" + exit 1 + fi + else + echo "currently no option scripted for linux, please add the certificate for your cluster to your trusted store and continue" + exit 1 + fi +fi + +log_y_sub_step "1.2" "source env vars" +source $git_root/tas-env-variables.sh &> /dev/null + + +# 2. BINARY DOWNLOADS AND TESTING +# ---------------------------------------------------------------------------------------------------------- +## Binary testing +### Deps: jq, yq, podman, oc, openssl (just for generating unique sha), file, git + +log_step "2. Binaries" + +if [[ -d "/tmp/tas" ]]; then + rm -rf /tmp/tas +fi + +mkdir /tmp/tas + + +REPORT_FILE_ABS_PATH=/tmp/tas/tas-report.json +REPORT_TMP_FILE_ABS_PATH=/tmp/tas/tmp-tas-report.json + +# idempotency +if [ -e "/tmp/tas/tas-report.json" ]; then + rm -f /tmp/tas/tas-report.json +fi + +if [ -e "/tmp/tas/tmp-tas-report.json" ]; then + rm -f /tmp/tas/tmp-tas-report.json +fi + +random_string=$(LC_ALL=C openssl rand -base64 12 | tr -dc 'a-zA-Z0-9' | head -c 10) +run_sha=$(echo -n "$random_string" | sha256sum | awk '{print $1}') + +jq -n '{"run_sha": $ARGS.named["run_sha"], "cosign": {}, "gitsign": {}, "rekor-server": {}, "rekor-cli": {}}' \ + --arg run_sha "$run_sha" > $REPORT_FILE_ABS_PATH + + +jq_update_file() { + if [[ $? != 0 ]]; then + echo "jq could not parse file" + exit $? 
+ fi + mv $REPORT_TMP_FILE_ABS_PATH $REPORT_FILE_ABS_PATH +} + + + +clientserver_namespace=$(cat $git_root/charts/trusted-artifact-signer/values.yaml | yq .configs.clientserver.namespace) +clientserver_name=$(cat $git_root/charts/trusted-artifact-signer/values.yaml | yq .configs.clientserver.name) +OS_FAMILY=$(uname | tr '[:upper:]' '[:lower:]') +ARCH=$(uname -m) + +#### Cosign +log_y_sub_step "2.1" "cosign-cli" + +binary="cosign" +cosign_download_link="" + +# find correct download link +if [[ $OS_FAMILY == "linux" && $ARCH == "amd64" ]]; then + cosign_download_link="https://$clientserver_name-$clientserver_namespace.$BASE_HOSTNAME/clients/$OS_FAMILY/$binary.gz" +else + cosign_download_options=($(oc get -n $clientserver_namespace consoleclidownloads.console.openshift.io cosign -o json | jq ".spec.links[].href" | cut -d "\"" -f 2 )) + for cosign_download_option in "${cosign_download_options[@]}"; do + if [[ $cosign_download_option == "https://$clientserver_name-$clientserver_namespace.$BASE_HOSTNAME/clients/$OS_FAMILY/$binary-$ARCH.gz" ]]; then + cosign_download_link=$cosign_download_option + fi + done +fi + +# check cosign download link +if [[ -z $cosign_download_link ]]; then + echo "error getting cosign download link" + jq --arg OS "$OS_FAMILY" --arg ARCH "$ARCH" '.cosign.download = {"status": "failure", "os": $OS, "arch": $ARCH}' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH + jq_update_file +else + # # IF I ADD LOGLEVELS PUT THIS BACK IN +# echo "download matching OS: $OS_FAMILY and ARCH: $ARCH found: +# $cosign_download_link +# continuing... 
" + jq --arg OS "$OS_FAMILY" --arg ARCH "$ARCH" --arg LINK "$cosign_download_link" '.cosign.download = {"os": $OS, "arch": $ARCH, "link": $LINK}' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH + jq_update_file +fi + +# idempotency +if [ -d "/tmp/tas/cosign" ]; then + rm -rf /tmp/tas/cosign +fi + +mkdir /tmp/tas/cosign + +# Cosign Download +cosign_download=$(curl -sL $cosign_download_link -o /tmp/tas/cosign/cosign-$OS_FAMILY-$ARCH.gz) +cosign_download_status=$(echo $?) +cosign_download_is_html=$(file /tmp/tas/cosign/cosign-$OS_FAMILY-$ARCH.gz | grep "HTML document text") +gzip -d /tmp/tas/cosign/cosign-$OS_FAMILY-$ARCH.gz --force +cosign_unizp_status=$(echo $?) + +# checking download status of cosign +if [[ $cosign_download_status == 0 && -z $cosign_download_is_html && $cosign_unizp_status == 0 ]]; then + jq '.cosign.download.result = "success"' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH + jq_update_file +else + # add Additional Identifiers to figure what the error was + jq '.cosign.download.result = "failure"' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH + jq_update_file +fi + +if [[ $(cat $REPORT_FILE_ABS_PATH | jq '.cosign.download.result' | cut -d "\"" -f 2 ) == "success" ]]; then + log_y_sub_step "2.2" "setup for cosign unit tests" + + echo "making binary executable ..." + chmod +x /tmp/tas/cosign/cosign-$OS_FAMILY-$ARCH + + echo "Building base image ..." + podman build $git_root/testing -f Dockerfile.test -t localhost/tas-infra-test &> /dev/null + + log_y_sub_step "2.3" "cosign unit tests" + log_z_sub_step "2.3.1" "cosign initialize" + + wipe_file_if_exists "/tmp/tas/cosign/tmp-stdout.log" && wipe_file_if_exists "/tmp/tas/cosign/tmp-stderr.log" + /tmp/tas/cosign/cosign-$OS_FAMILY-$ARCH initialize --mirror=$TUF_URL --root=$TUF_URL/root.json 2>/tmp/tas/cosign/tmp-stderr.log 1>/tmp/tas/cosign/tmp-stdout.log + cosign_initialize_status=$(echo $?) 
+ if [[ $cosign_initialize_status == 0 ]]; then + stdout=$(cat /tmp/tas/cosign/tmp-stdout.log) + jq '.cosign.initialize = {"result": "success"}' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH + jq_update_file + else + stderr=$(cat /tmp/tas/cosign/tmp-stderr.log) + jq --arg STDERR "$stderr" '.cosign.initialize = {"result": "failure", "stderr": $STDERR}' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH + jq_update_file + fi + + log_z_sub_step "2.3.2" "cosign sign keyless" + + cosign_keyless_signing_image_tag="ttl.sh/tas-cosign-keyless-sign-$run_sha:1h" + podman tag localhost/tas-infra-test $cosign_keyless_signing_image_tag + podman push $cosign_keyless_signing_image_tag &> /dev/null + + ### Cosign keyless flow (no upload) + wipe_file_if_exists "/tmp/tas/cosign/keyless-sign.log" + /tmp/tas/cosign/cosign-$OS_FAMILY-$ARCH sign $cosign_keyless_signing_image_tag \ + --fulcio-url=$FULCIO_URL \ + --oidc-issuer=$OIDC_ISSUER_URL \ + --rekor-url=$REKOR_URL \ + --upload=true \ + --yes &> /tmp/tas/cosign/keyless-sign.log + cosign_keyless_signing_status=$(echo $?) 
+ + ################ DEV NOTES ################## + + # COSIGN SIGN OPTIONS THAT DID NOT WORK: + # --oidc-client-secret-file=jdoe-client-secret.txt \ #THIS DOES NOT WORK + # --output-file=/tmp/test-output # THIS DOES NOT WORK + # COSIGN SIGN OPTIONS TO IMPLEMENT LATER: + # --timestamp-server-url= \ # THIS HAS YET TO BE INCLUDED IN THE CHARTS + # Issue: + # I tried redirecting above cosign sign command output like so: `2>/tmp/tas/cosign/tmp-stderr.log 1>/tmp/tas/cosign/tmp-stdout.log`, however everything ended up on stderr, even when it succeeded + + ############### END DEV NOTES ############### + + if [[ $cosign_keyless_signing_status == 0 ]]; then + tlog_index=$(cat /tmp/tas/cosign/keyless-sign.log | grep "tlog entry created with index: ") + tlog_index=${tlog_index:31:(( ${#tlog_index} - 31))} + jq --arg IMAGE "$cosign_keyless_signing_image_tag" --arg TLOG_INDEX "$tlog_index" '.cosign.sign.keyless = {"result": "success", "image": $IMAGE, "tlog_index": $TLOG_INDEX}' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH + jq_update_file + else + jq --arg STATUS_CODE "$cosign_keyless_signing_status" '.cosign.sign.keyless = {"result": "failure", "status_code": $STATUS_CODE}' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH + jq_update_file + fi + + log_z_sub_step "2.3.3" "cosign generate key pair" + + ### Cosign generate-key-pair + + wipe_file_if_exists "/tmp/tas/cosign/generate-key-pair.log" + cd /tmp/tas/cosign + export COSIGN_PASSWORD="tmp_cosign_password" + /tmp/tas/cosign/cosign-$OS_FAMILY-$ARCH generate-key-pair --output-key-prefix tas-cosign &> /tmp/tas/cosign/generate-key-pair.log + cosign_generate_key_statues=$(echo $?) 
+ cd $git_root/testing + generate_key_pair_check_string="Private key written to tas-cosign.key +Public key written to tas-cosign.pub" + if [[ $cosign_generate_key_statues == 0 && "$(cat /tmp/tas/cosign/generate-key-pair.log)" == $generate_key_pair_check_string ]]; then + jq --arg STATUS_CODE "$cosign_generate_key_statues" '.cosign.generate_key_pair = {"result": "success"}' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH + jq_update_file + else + jq --arg LOG "$(cat /tmp/tas/cosign/generate-key-pair.log)" --arg STATUS_CODE "$cosign_generate_key_statues" '.cosign.generate_key_pair = {"result": "failure", "status_code": "$STATUS_CODE", "log": $LOG}' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH + jq_update_file + fi + + log_z_sub_step "2.3.4" "cosign sign keyed" + + # ## Cosign keyed flow + cosign_keyed_signing_image_tag="ttl.sh/tas-cosign-keyed-sign-$run_sha:1h" + # cosign_keyed_signing_image_tag="$quay_repo:cosign-keyed-sign-$run_sha" + podman tag localhost/tas-infra-test $cosign_keyed_signing_image_tag + podman push $cosign_keyed_signing_image_tag &> /dev/null + + wipe_file_if_exists "/tmp/tas/cosign/keyed-sign.log" + export COSIGN_PASSWORD="tmp_cosign_password" + /tmp/tas/cosign/cosign-$OS_FAMILY-$ARCH sign $cosign_keyed_signing_image_tag \ + --key=/tmp/tas/cosign/tas-cosign.key \ + --rekor-url=$REKOR_URL \ + --upload=true \ + --yes &> /tmp/tas/cosign/keyed-sign.log + cosign_keyed_signing_status=$(echo $?) 
+
+ if [[ $cosign_keyed_signing_status == 0 ]]; then
+ tlog_index=$(cat /tmp/tas/cosign/keyed-sign.log | grep "tlog entry created with index: ")
+ tlog_index=${tlog_index:31:(( ${#tlog_index} - 31))}
+ jq --arg IMAGE "$cosign_keyed_signing_image_tag" --arg TLOG_INDEX "$tlog_index" '.cosign.sign.keyed = {"result": "success", "image": $IMAGE, "tlog_index": $TLOG_INDEX}' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH
+ jq_update_file
+ else
+ jq --arg IMAGE "$cosign_keyed_signing_image_tag" --arg STATUS_CODE "$cosign_keyed_signing_status" '.cosign.sign.keyed = {"result": "failure", "image": $IMAGE, "status_code": $STATUS_CODE}' $REPORT_FILE_ABS_PATH > $REPORT_TMP_FILE_ABS_PATH
+ jq_update_file
+ fi
+
+ ## COSIGN SIGN BLOB (keyless)
+
+ ## COSIGN PUBLIC KEY
+
+ ## COSIGN DOCKERFILE
+
+ ## COSIGN ATTEST
+
+ ## COSIGN ATTEST BLOB
+
+ ## COSIGN VERIFY
+
+ ## COSIGN VERIFY BLOB
+
+ ## COSIGN COPY
+
+ ## COSIGN Clean
+
+
+
+ # ## COSIGN VERIFY --> this needs some where where we can push attestations
+ # export COSIGN_PASSWORD="tmp_cosign_password"
+ # tmp/cosign/cosign-$OS_FAMILY-$ARCH verify registry.access.redhat.com/ubi9/s2i-base@sha256:d3838e6e26baa335556eb04f0af128602ddf7b57161d168b21ed6cf997281ddb \
+ # --key=/tmp/tas/cosign/tas-cosign.key \
+ # --rekor-url=$REKOR_URL
+ # cosign_keyed_signing_status=$(echo $?)
+fi
+
+
diff --git a/testing/cosign-blob.txt b/testing/cosign-blob.txt
new file mode 100644
index 00000000..b5f90786
--- /dev/null
+++ b/testing/cosign-blob.txt
@@ -0,0 +1 @@
+supersecret
diff --git a/testing/jdoe-client-secret.txt b/testing/jdoe-client-secret.txt
new file mode 100644
index 00000000..82ccccf6
--- /dev/null
+++ b/testing/jdoe-client-secret.txt
@@ -0,0 +1,3 @@
+username=jdoe
+password=secure
+
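Review bot: In `jq_update_file` the `exit $?` executes after the `echo`, so `$?` is the echo's status and a jq parse failure exits 0 instead of failing the run; capture the status first, `local rc=$?` / `if [[ $rc != 0 ]]; then echo "jq could not parse file" >&2; exit "$rc"; fi`. Reading the caller's `$?` at function entry is also fragile — any command inserted between the `jq ... > $REPORT_TMP_FILE_ABS_PATH` redirect and the `jq_update_file` call changes what is tested — so passing it explicitly (`jq_update_file $?`, with `local rc=${1:?}` in the function) makes the contract visible. The generate-key-pair failure filter writes the literal text `"$STATUS_CODE"` instead of the `--arg` value; the keyless failure branch a few lines earlier has it right (`"status_code": $STATUS_CODE`). Both sign steps `podman push` the test image to the public `ttl.sh` registry and the signature layer pushed there carries the Fulcio certificate, so the OIDC identity used for the keyless run is publicly retrievable for that hour; a comment at `cosign_keyless_signing_image_tag=` saying the registry is public and the tag expires would keep that from surprising anyone running this with a non-throwaway identity.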
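Review bot: `testing/cosign-blob.txt` (`supersecret`) and `testing/jdoe-client-secret.txt` (`username=jdoe`, `password=secure`) are committed as credential-shaped fixtures that nothing in the new script reads — the DEV NOTES in testing/automated-testing.sh say the `--oidc-client-secret-file=jdoe-client-secret.txt` option did not work — so they will trip secret scanners in CI while serving no test. Dropping them until the flow that needs them exists, or giving them an `.example` suffix and a README line stating they are dummy values, avoids the false positive; if cosign-blob.txt is the intended sign-blob input, a neutral payload like `tas-test-blob` works just as well.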