zot/pkg/extensions/extension_image_trust_disabled_test.go

//go:build !imagetrust

package extensions_test

import (
	"os"
	"testing"

	. "github.com/smartystreets/goconvey/convey"

	"zotregistry.dev/zot/pkg/api"
	"zotregistry.dev/zot/pkg/api/config"
	extconf "zotregistry.dev/zot/pkg/extensions/config"
	test "zotregistry.dev/zot/pkg/test/common"
)

func TestImageTrustExtension(t *testing.T) {
	Convey("periodic signature verification is skipped when binary doesn't include imagetrust", t, func() {
		conf := config.New()
		port := test.GetFreePort()

		globalDir := t.TempDir()
		defaultValue := true

		logFile, err := os.CreateTemp(globalDir, "zot-log*.txt")
		So(err, ShouldBeNil)
		defer os.Remove(logFile.Name())

		conf.HTTP.Port = port
		conf.Storage.RootDirectory = globalDir
		conf.Storage.Commit = true
		conf.Extensions = &extconf.ExtensionConfig{}
		conf.Extensions.Trust = &extconf.ImageTrustConfig{}
		conf.Extensions.Trust.Enable = &defaultValue
		conf.Extensions.Trust.Cosign = defaultValue
		conf.Extensions.Trust.Notation = defaultValue
		conf.Log.Level = "warn"
		conf.Log.Output = logFile.Name()

		ctlr := api.NewController(conf)
		ctlrManager := test.NewControllerManager(ctlr)

		ctlrManager.StartAndWait(port)
		defer ctlrManager.StopServer()

		data, err := os.ReadFile(logFile.Name())
		So(err, ShouldBeNil)

		So(string(data), ShouldContainSubstring,
			"skipping adding to the scheduler a generator for updating signatures validity because "+
				"given binary doesn't include this feature, please build a binary that does so")
	})
}
refactor(extensions)!: refactor the extensions URLs and errors (#1636) BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-08-02 13:58:34 -05:00			`//go:build !imagetrust`
feat: upload certificates and public keys for verifying signatures (#1485) In order to verify signatures, users could upload their certificates and public keys using these routes: -> for public keys: /v2/_zot/ext/mgmt?resource=signatures&tool=cosign -> for certificates: /v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under $rootdir/_notation/truststore/x509/$truststoreType/$truststoreName. Also, for notation case, the "truststores" field of $rootir/_notation/trustpolicy.json file will be updated with a new entry "$truststoreType:$truststoreName". Also based on the uploaded files, the information about the signatures validity will be updated periodically. Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com> 2023-07-06 06:57:59 -05:00
			`package extensions_test`

			`import (`
			`"os"`
			`"testing"`

			`. "github.com/smartystreets/goconvey/convey"`

refactor: rename go module from zotregistry.io/zot to zotregistry.dev/zot (#2187) Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2024-01-31 23:34:07 -05:00			`"zotregistry.dev/zot/pkg/api"`
			`"zotregistry.dev/zot/pkg/api/config"`
			`extconf "zotregistry.dev/zot/pkg/extensions/config"`
			`test "zotregistry.dev/zot/pkg/test/common"`
feat: upload certificates and public keys for verifying signatures (#1485) In order to verify signatures, users could upload their certificates and public keys using these routes: -> for public keys: /v2/_zot/ext/mgmt?resource=signatures&tool=cosign -> for certificates: /v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under $rootdir/_notation/truststore/x509/$truststoreType/$truststoreName. Also, for notation case, the "truststores" field of $rootir/_notation/trustpolicy.json file will be updated with a new entry "$truststoreType:$truststoreName". Also based on the uploaded files, the information about the signatures validity will be updated periodically. Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com> 2023-07-06 06:57:59 -05:00			`)`

refactor(extensions)!: refactor the extensions URLs and errors (#1636) BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-08-02 13:58:34 -05:00			`func TestImageTrustExtension(t *testing.T) {`
			`Convey("periodic signature verification is skipped when binary doesn't include imagetrust", t, func() {`
feat: upload certificates and public keys for verifying signatures (#1485) In order to verify signatures, users could upload their certificates and public keys using these routes: -> for public keys: /v2/_zot/ext/mgmt?resource=signatures&tool=cosign -> for certificates: /v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under $rootdir/_notation/truststore/x509/$truststoreType/$truststoreName. Also, for notation case, the "truststores" field of $rootir/_notation/trustpolicy.json file will be updated with a new entry "$truststoreType:$truststoreName". Also based on the uploaded files, the information about the signatures validity will be updated periodically. Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com> 2023-07-06 06:57:59 -05:00			`conf := config.New()`
			`port := test.GetFreePort()`

			`globalDir := t.TempDir()`
			`defaultValue := true`

			`logFile, err := os.CreateTemp(globalDir, "zot-log*.txt")`
			`So(err, ShouldBeNil)`
			`defer os.Remove(logFile.Name())`

			`conf.HTTP.Port = port`
			`conf.Storage.RootDirectory = globalDir`
			`conf.Storage.Commit = true`
			`conf.Extensions = &extconf.ExtensionConfig{}`
refactor(extensions)!: refactor the extensions URLs and errors (#1636) BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-08-02 13:58:34 -05:00			`conf.Extensions.Trust = &extconf.ImageTrustConfig{}`
			`conf.Extensions.Trust.Enable = &defaultValue`
			`conf.Extensions.Trust.Cosign = defaultValue`
			`conf.Extensions.Trust.Notation = defaultValue`
feat: upload certificates and public keys for verifying signatures (#1485) In order to verify signatures, users could upload their certificates and public keys using these routes: -> for public keys: /v2/_zot/ext/mgmt?resource=signatures&tool=cosign -> for certificates: /v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under $rootdir/_notation/truststore/x509/$truststoreType/$truststoreName. Also, for notation case, the "truststores" field of $rootir/_notation/trustpolicy.json file will be updated with a new entry "$truststoreType:$truststoreName". Also based on the uploaded files, the information about the signatures validity will be updated periodically. Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com> 2023-07-06 06:57:59 -05:00			`conf.Log.Level = "warn"`
			`conf.Log.Output = logFile.Name()`

			`ctlr := api.NewController(conf)`
			`ctlrManager := test.NewControllerManager(ctlr)`

			`ctlrManager.StartAndWait(port)`
			`defer ctlrManager.StopServer()`

			`data, err := os.ReadFile(logFile.Name())`
			`So(err, ShouldBeNil)`

			`So(string(data), ShouldContainSubstring,`
			`"skipping adding to the scheduler a generator for updating signatures validity because "+`
			`"given binary doesn't include this feature, please build a binary that does so")`
			`})`
			`}`