Merge pull request #1610 from lcarva/EC-334

Add acceptance tests to cover param for v-e-c Task

Author: lcarva

acceptance/kubernetes/kind/kubernetes.go

@@ -244,20 +244,20 @@ func (k *kindCluster) CreateNamespace(ctx context.Context) (context.Context, err
 	return ctx, applyConfiguration(ctx, k, yaml)
 }
 
-// stringParam generates a Tekton Parameter optionally expanding the
-// `${NAMESPACE}` and `${POLICY_NAME}` variables
-func stringParam(name, value string, t *testState) pipeline.Param {
-	v := os.Expand(value, func(variable string) string {
-		switch variable {
-		case "NAMESPACE":
-			return t.namespace
-		case "POLICY_NAME":
-			return t.policy
-		case "REGISTRY":
-			return t.registry
-		}
+// stringParam generates a Tekton Parameter optionally expanding certain variables
+func stringParam(ctx context.Context, name, value string, t *testState) pipeline.Param {
+	vars := map[string]string{
+		"NAMESPACE":   t.namespace,
+		"POLICY_NAME": t.policy,
+		"REGISTRY":    t.registry,
+	}
+	publicKeys := crypto.PublicKeysFrom(ctx)
+	for name, key := range publicKeys {
+		vars[fmt.Sprintf("%s_PUBLIC_KEY", name)] = key
+	}
 
-		return ""
+	v := os.Expand(value, func(variable string) string {
+		return vars[variable]
 	})
 
 	return pipeline.Param{
@@ -281,7 +281,7 @@ func (k *kindCluster) RunTask(ctx context.Context, version, name, workspace stri
 
 	tknParams := make([]pipeline.Param, 0, len(params))
 	for n, v := range params {
-		tknParams = append(tknParams, stringParam(n, v, t))
+		tknParams = append(tknParams, stringParam(ctx, n, v, t))
 	}
 
 	timeout, err := time.ParseDuration("10m")
@@ -309,9 +309,9 @@ func (k *kindCluster) RunTask(ctx context.Context, version, name, workspace stri
 				ResolverRef: pipeline.ResolverRef{
 					Resolver: "bundles",
 					Params: []pipeline.Param{
-						stringParam("bundle", fmt.Sprintf("registry.image-registry.svc.cluster.local:%d/ec-task-bundle:%s", k.registryPort, version), t),
-						stringParam("name", name, t),
-						stringParam("kind", "task", t),
+						stringParam(ctx, "bundle", fmt.Sprintf("registry.image-registry.svc.cluster.local:%d/ec-task-bundle:%s", k.registryPort, version), t),
+						stringParam(ctx, "name", name, t),
+						stringParam(ctx, "kind", "task", t),
 					},
 				},
 			},
@@ -400,10 +400,16 @@ func (k *kindCluster) TaskInfo(ctx context.Context) (*types.TaskInfo, error) {
 			return nil, err
 		}
 
+		envVars, err := k.envVars(ctx, t.namespace, tr.Status.PodName, s.Container)
+		if err != nil {
+			return nil, err
+		}
+
 		info.Steps = append(info.Steps, types.Step{
-			Name:   s.Name,
-			Status: s.Terminated.Reason,
-			Logs:   logs,
+			Name:    s.Name,
+			Status:  s.Terminated.Reason,
+			Logs:    logs,
+			EnvVars: envVars,
 		})
 	}
 
@@ -437,3 +443,22 @@ func (k *kindCluster) logs(ctx context.Context, namespace, pod, container string
 
 	return string(bytes), nil
 }
+
+func (k *kindCluster) envVars(ctx context.Context, namespace, podName, containerName string) (map[string]string, error) {
+	pod, err := k.client.CoreV1().Pods(namespace).Get(ctx, podName, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	for _, container := range pod.Spec.Containers {
+		if container.Name != containerName {
+			continue
+		}
+		envVars := make(map[string]string)
+		for _, env := range container.Env {
+			envVars[env.Name] = env.Value
+		}
+		return envVars, nil
+	}
+	return nil, fmt.Errorf("could not find %q container in %q pod", containerName, podName)
+}

acceptance/kubernetes/kubernetes.go

@@ -381,6 +381,59 @@ func taskResultsShouldMatchTheSnapshot(ctx context.Context) error {
 	return snaps.MatchSnapshot(ctx, "results", string(j), nil)
 }
 
+func taskLogsShouldContain(ctx context.Context, stepName, needle string) error {
+	c := testenv.FetchState[ClusterState](ctx)
+
+	if err := mustBeUp(ctx, *c); err != nil {
+		return err
+	}
+
+	info, err := c.cluster.TaskInfo(ctx)
+	if err != nil {
+		return err
+	}
+
+	var found bool
+	for _, step := range info.Steps {
+		if step.Name == stepName {
+			if strings.Contains(step.Logs, needle) {
+				found = true
+			}
+		}
+	}
+
+	if !found {
+		return fmt.Errorf("not able to find %q in the %q step logs", needle, stepName)
+	}
+
+	return nil
+}
+
+func stepEnvVarShouldBe(ctx context.Context, stepName, envName, want string) error {
+	c := testenv.FetchState[ClusterState](ctx)
+
+	if err := mustBeUp(ctx, *c); err != nil {
+		return err
+	}
+
+	info, err := c.cluster.TaskInfo(ctx)
+	if err != nil {
+		return err
+	}
+
+	for _, step := range info.Steps {
+		if step.Name != stepName {
+			continue
+		}
+		got := step.EnvVars[envName]
+		if got != want {
+			return fmt.Errorf("unexpected value for the %q env var in the %q step: got %q, want %q", envName, step.Name, got, want)
+		}
+		return nil
+	}
+	return fmt.Errorf("step %q not found when looking for the %q env var", stepName, envName)
+}
+
 // AddStepsTo adds cluster-related steps to the context
 func AddStepsTo(sc *godog.ScenarioContext) {
 	sc.Step(`^a stub cluster running$`, startAndSetupState(stub.Start))
@@ -395,6 +448,8 @@ func AddStepsTo(sc *godog.ScenarioContext) {
 	sc.Step(`^an Snapshot named "([^"]*)" with specification$`, createNamedSnapshot)
 	sc.Step(`^an Snapshot named "([^"]*)" with (\d+) components signed with "([^"]*)" key`, createNamedSnapshotWithManyComponents)
 	sc.Step(`^the task logs for step "([^"]*)" should match the snapshot$`, taskLogsShouldMatchTheSnapshot)
+	sc.Step(`^the task logs for step "([^"]*)" should contain "([^"]*)"$`, taskLogsShouldContain)
+	sc.Step(`^the task env var for step "([^"]*)" named "([^"]*)" should be set to "([^"]*)"$`, stepEnvVarShouldBe)
 	sc.Step(`^the task results should match the snapshot$`, taskResultsShouldMatchTheSnapshot)
 	sc.Step(`^policy configuration named "([^"]*)" with (\d+) policy sources from "([^"]*)"$`, createNamedPolicyWithManySources)
 	// stop usage of the cluster once a test is done, godog will call this

acceptance/kubernetes/types/types.go

@@ -44,7 +44,8 @@ type TaskInfo struct {
 }
 
 type Step struct {
-	Name   string
-	Status string
-	Logs   string
+	Name    string
+	Status  string
+	Logs    string
+	EnvVars map[string]string
 }

features/__snapshots__/task_validate_image.snap

@@ -1261,3 +1261,95 @@ true
   "effective-time": "${TIMESTAMP}"
 }
 ---
+
+[PUBLIC_KEY param overwrites key from policy:report - 1]
+components:
+- attestations:
+  - predicateBuildType: https://tekton.dev/attestations/chains/pipelinerun@v2
+    predicateType: https://slsa.dev/provenance/v0.2
+    signatures:
+    - keyid: ""
+      sig: ${ATTESTATION_SIGNATURE_acceptance/public-key-param}
+    type: https://in-toto.io/Statement/v0.1
+  containerImage: ${REGISTRY}/acceptance/public-key-param@sha256:${REGISTRY_acceptance/public-key-param:latest_DIGEST}
+  name: ""
+  signatures:
+  - keyid: ""
+    sig: ${IMAGE_SIGNATURE_acceptance/public-key-param}
+  source: {}
+  success: true
+  successes:
+  - metadata:
+      code: builtin.attestation.signature_check
+      description: The attestation signature matches available signing materials.
+      title: Attestation signature check passed
+    msg: Pass
+  - metadata:
+      code: builtin.attestation.syntax_check
+      description: The attestation has correct syntax.
+      title: Attestation syntax check passed
+    msg: Pass
+  - metadata:
+      code: builtin.image.signature_check
+      description: The image signature matches available signing materials.
+      title: Image signature check passed
+    msg: Pass
+ec-version: ${EC_VERSION}
+effective-time: "${TIMESTAMP}"
+key: |
+${__known_PUBLIC_KEY}
+policy:
+  publicKey: |
+${____known_PUBLIC_KEY}
+success: true
+
+---
+
+[PUBLIC_KEY param overwrites key from policy:results - 1]
+{
+  "TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":3,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
+}
+---
+
+[Titles and descriptions can be excluded:report - 1]
+components:
+- attestations:
+  - predicateBuildType: https://tekton.dev/attestations/chains/pipelinerun@v2
+    predicateType: https://slsa.dev/provenance/v0.2
+    signatures:
+    - keyid: ""
+      sig: ${ATTESTATION_SIGNATURE_acceptance/info}
+    type: https://in-toto.io/Statement/v0.1
+  containerImage: ${REGISTRY}/acceptance/info@sha256:${REGISTRY_acceptance/info:latest_DIGEST}
+  name: ""
+  signatures:
+  - keyid: ""
+    sig: ${IMAGE_SIGNATURE_acceptance/info}
+  source: {}
+  success: true
+  successes:
+  - metadata:
+      code: builtin.attestation.signature_check
+    msg: Pass
+  - metadata:
+      code: builtin.attestation.syntax_check
+    msg: Pass
+  - metadata:
+      code: builtin.image.signature_check
+    msg: Pass
+ec-version: ${EC_VERSION}
+effective-time: "${TIMESTAMP}"
+key: |
+${__known_PUBLIC_KEY}
+policy:
+  publicKey: |
+${____known_PUBLIC_KEY}
+success: true
+
+---
+
+[Titles and descriptions can be excluded:results - 1]
+{
+  "TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":3,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
+}
+---

features/task_validate_image.feature

@@ -4,6 +4,7 @@ Feature: Verify Enterprise Contract Tekton Tasks
   Background:
     Given a cluster running
     Given stub tuf running
+    Given stub git daemon running
 
   Scenario: Golden container image
     Given a working namespace
@@ -259,3 +260,78 @@ Feature: Verify Enterprise Contract Tekton Tasks
      And the task logs for step "assert" should match the snapshot
      And the task logs for step "report-json" should match the snapshot
      And the task results should match the snapshot
+
+  Scenario: Titles and descriptions can be excluded
+    Given a working namespace
+      And a key pair named "known"
+      And an image named "acceptance/info"
+      And a valid image signature of "acceptance/info" image signed by the "known" key
+      And a valid attestation of "acceptance/info" signed by the "known" key
+      And a cluster policy with content:
+      ```
+      {"publicKey": ${known_PUBLIC_KEY}}
+      ```
+    When version 0.1 of the task named "verify-enterprise-contract" is run with parameters:
+      | IMAGES               | {"components": [{"containerImage": "${REGISTRY}/acceptance/info"}]} |
+      | POLICY_CONFIGURATION | ${NAMESPACE}/${POLICY_NAME}                                         |
+      | IGNORE_REKOR         | true                                                                |
+      | INFO                 | false                                                               |
+    Then the task should succeed
+      And the task logs for step "report" should match the snapshot
+      And the task results should match the snapshot
+
+  Scenario: Effective-time is honored
+    Given a working namespace
+      And a key pair named "known"
+      And an image named "acceptance/effective-time"
+      And a valid image signature of "acceptance/effective-time" image signed by the "known" key
+      And a valid attestation of "acceptance/effective-time" signed by the "known" key
+      And a cluster policy with content:
+      ```
+      {"publicKey": ${known_PUBLIC_KEY}}
+      ```
+    When version 0.1 of the task named "verify-enterprise-contract" is run with parameters:
+      | IMAGES               | {"components": [{"containerImage": "${REGISTRY}/acceptance/effective-time"}]} |
+      | POLICY_CONFIGURATION | ${NAMESPACE}/${POLICY_NAME}                                                   |
+      | IGNORE_REKOR         | true                                                                          |
+      | EFFECTIVE_TIME       | 2020-01-01T00:00:00Z                                                          |
+    Then the task should succeed
+      And the task logs for step "validate" should contain "Using provided effective time 2020-01-01T00:00:00Z"
+
+  Scenario: SSL_CERT_DIR environment variable is customized
+    Given a working namespace
+    And a key pair named "known"
+    And an image named "acceptance/ssl-cert-dir"
+    And a valid image signature of "acceptance/ssl-cert-dir" image signed by the "known" key
+    And a valid attestation of "acceptance/ssl-cert-dir" signed by the "known" key
+    And a cluster policy with content:
+    ```
+    {"publicKey": ${known_PUBLIC_KEY}}
+    ```
+    When version 0.1 of the task named "verify-enterprise-contract" is run with parameters:
+      | IMAGES               | {"components": [{"containerImage": "${REGISTRY}/acceptance/ssl-cert-dir"}]} |
+      | POLICY_CONFIGURATION | ${NAMESPACE}/${POLICY_NAME}                                                 |
+      | IGNORE_REKOR         | true                                                                        |
+      | SSL_CERT_DIR         | /spam/certs                                                                 |
+    Then the task should succeed
+      And the task env var for step "validate" named "SSL_CERT_DIR" should be set to "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/spam/certs"
+
+  Scenario: PUBLIC_KEY param overwrites key from policy
+    Given a working namespace
+    And a key pair named "known"
+    And an image named "acceptance/public-key-param"
+    And a valid image signature of "acceptance/public-key-param" image signed by the "known" key
+    And a valid attestation of "acceptance/public-key-param" signed by the "known" key
+    And a valid attestation of "acceptance/public-key-param" signed by the "known" key
+    And a cluster policy with content:
+    ```
+    {"publicKey": "ignored"}
+    ```
+    When version 0.1 of the task named "verify-enterprise-contract" is run with parameters:
+      | IMAGES               | {"components": [{"containerImage": "${REGISTRY}/acceptance/public-key-param"}]} |
+      | POLICY_CONFIGURATION | ${NAMESPACE}/${POLICY_NAME}                                                     |
+      | PUBLIC_KEY           | ${known_PUBLIC_KEY}                                                             |
+      | IGNORE_REKOR         | true                                                                            |
+    Then the task should succeed
+      And the task logs for step "report" should match the snapshot
+      And the task results should match the snapshot