Merge pull request #114 from kubewarden/fix-broken-e2e-tests

fix broken e2e tests

README.md

@@ -23,11 +23,11 @@ kind: ClusterAdmissionPolicy
 metadata:
   name: verify-image-signatures
 spec:
-  module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.1.7
+  module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.9
   rules:
     - apiGroups: [""]
       apiVersions: ["v1"]
-      resources: [ "pods" ]
+      resources: ["pods"]
       operations: ["CREATE", "UPDATE"]
     - apiGroups: [""]
       apiVersions: ["v1"]

e2e.bats

@@ -178,6 +178,10 @@
 }
 
 @test "Certificate verification with Rekor enabled" {
+  # This is a test that verifies an image that was signed with the
+  # key associated with a certificate. The signature was then registered
+  # inside of Rekor's transparency log.
+  #
   # Need to run the command inside of `bash -c` because of a bats
   # limitation: https://bats-core.readthedocs.io/en/stable/gotchas.html?highlight=pipe#my-piped-command-does-not-work-under-run
 
@@ -207,3 +211,34 @@
   [ $(expr "$output" : '.*Certificate not trusted: Certificate is not trusted by the provided cert chain.*') -ne 0 ]
 }
 
+@test "Keyless verification" {
+  # Need to run the command inside of `bash -c` because of a bats
+  # limitation: https://bats-core.readthedocs.io/en/stable/gotchas.html?highlight=pipe#my-piped-command-does-not-work-under-run
+
+  run bash -c 'kwctl run \
+    --request-path test_data/pod_creation_signed_with_keyless_mode.json \
+    --settings-path test_data/settings-keyless-signing.yaml \
+    annotated-policy.wasm | jq -r ".patch | @base64d"'
+
+  # this prints the output when one the checks below fails
+  echo "output = ${output}"
+
+  [ "$status" -eq 0 ]
+  [ $(expr "$output" : '.*ghcr.io/kubewarden/tests/pod-privileged:v0.2.1@sha256:db48aecd83c2826eba154a84c4fbabe0977f96b3360b4c6098578eae5c2d2882.*') -ne 0 ]
+}
+
+@test "Keyless verification with wrong subject" {
+  run kwctl run \
+    --request-path test_data/pod_creation_signed_with_keyless_mode.json \
+    --settings-path test_data/settings-keyless-signing-wrong-subject.yaml \
+    annotated-policy.wasm
+
+  # this prints the output when one the checks below fails
+  echo "output = ${output}"
+
+  [ "$status" -eq 0 ]
+  [ $(expr "$output" : '.*"allowed":false.*') -ne 0 ]
+  [ $(expr "$output" : '.*is not accepted.*subject: !equal [email protected].*') -ne 0 ]
+  [ $(expr "$output" : '.*subject: !equal [email protected].*') -ne 0 ]
+}
+

test_data/certificate-signing/Makefile

@@ -7,6 +7,19 @@ ca.pem: ca.json
 	@tput sgr0
 	cfssl gencert -initca ca.json | cfssljson -bare ca
 
+.PHONY: sunlight
+sunlight: sunlight.pem
+
+sunlight.pem: sunlight.json ca.pem cfssl.json
+	@tput setaf 1
+	@echo Generate sunlight certificate
+	@tput sgr0
+	cfssl gencert -ca ca.pem \
+		-ca-key ca-key.pem \
+		-config cfssl.json \
+		-profile=sunlight sunlight.json \
+		| cfssljson -bare sunlight
+
 .PHONY: intermediate-ca
 intermediate-ca: intermediate_ca.pem
 
@@ -34,6 +47,19 @@ user-1-sigstore-key.pem: intermediate_ca.pem user-1.json cfssl.json
 		-profile=sigstore user-1.json \
 		| cfssljson -bare user-1-sigstore
 
+.PHONY: user-ctl
+user-ctl: user-ctl-sigstore-key.pem
+
+user-ctl-sigstore-key.pem: intermediate_ca.pem user-1.json cfssl.json
+	@tput setaf 1
+	@echo Generate user certificate with certificate transparency log signed by local instance of sunlight
+	@tput sgr0
+	cfssl gencert -ca intermediate_ca.pem \
+		-ca-key intermediate_ca-key.pem \
+		-config cfssl.json \
+		-profile=sigstore-with-sunlight user-1.json \
+		| cfssljson -bare user-ctl-sigstore
+
 .PHONY: cosign-import
 cosign-import: import-cosign.key
 
@@ -104,6 +130,8 @@ verify: bundle.pem
 clean:
 	rm -f ca.csr ca-key.pem ca.pem
 	rm -f intermediate_ca.csr intermediate_ca-key.pem intermediate_ca.pem
+	rm -f sunlight.csr sunlight-key.pem sunlight.pem
 	rm -f user-1-sigstore.csr user-1-sigstore-key.pem user-1-sigstore.pem
+	rm -f user-ctl-sigstore.csr user-ctl-sigstore-key.pem user-ctl-sigstore.pem
 	rm -f import-cosign.key import-cosign.pub
 	rm -f bundle.pem

test_data/certificate-signing/README.md

@@ -13,9 +13,9 @@ following scenario:
 
 The following binaries must be available on the system:
 
-* `make`
-* `cfssl` and `cfssljson`: both can be be downloaded from [here](https://github.com/cloudflare/cfssl/releases)
-* `cosign`
+- `make`
+- `cfssl` and `cfssljson`: both can be be downloaded from [here](https://github.com/cloudflare/cfssl/releases)
+- `cosign`
 
 ## Creating all the certificates
 
@@ -105,3 +105,69 @@ IMAGE=registry-testing.svc.lan/kubewarden/pod-privileged:v0.1.9 make verify
 ```
 
 You can see the actual `cosign` commands being printed on the standard output.
+
+## Create user certificate using a local Certificate Transparency log
+
+This is really complex and most users will never do that. However, this can be accomplished
+by running a local instance of [sunlight](https://github.com/FiloSottile/sunlight) to create
+a local Certificate Transparency log.
+
+First of all, create the certificate used by sunlight:
+
+```console
+make sunlight
+```
+
+This certificate is going to be signed by the root CA.
+
+Then create the bundle:
+
+```console
+make bundle
+```
+
+Create a directory where all the sunlight data is going to be stored:
+
+```console
+mkdir ~/sunlight-data
+cp bundle.pem ~/sunlight-data/chain.pem
+cp -v sunlight*.pem ~/sunlight-data
+```
+
+Create a configuration file for sunlight undeer `~/sunlight-data/sunlight.yaml`:
+
+```yaml
+listen: ":8080"
+
+checkpoints: checkpoints.db
+
+logs:
+  - name: sunlight.127.0.0.1.sslip.io/2024h1
+    shortname: bergamo2024h1
+    # the day the sunlight process is started
+    inception: 2024-06-26
+    httpprefix: /2024h1
+    roots: ./chain.pem
+    key: ./key.pem
+    cache: bergamo2024h1.db
+    poolsize: 750
+    # change these dates accordingly
+    notafterstart: 2024-06-26T00:00:00Z
+    notafterlimit: 2024-07-01T00:00:00Z
+```
+
+Finally, run sunlight:
+
+```console
+cd ~/sunlight-data
+sqlite3 checkpoints.db "CREATE TABLE checkpoints (logID BLOB PRIMARY KEY, body TEXT)"
+sunlight -testcert
+```
+
+Ensure the root CA is trusted by the system, how to do that depends on the operating system.
+
+Then create the user certificate:
+
+```console
+make user-ctl
+```

test_data/certificate-signing/cfssl.json

@@ -6,23 +6,53 @@
     "profiles": {
       "intermediate_ca": {
         "usages": [
-            "cert sign",
-            "crl sign",
-            "code signing"
+          "client auth",
+          "cert sign",
+          "crl sign",
+          "code signing"
         ],
         "expiry": "8760h",
         "ca_constraint": {
-            "is_ca": true,
-            "max_path_len": 0, 
-            "max_path_len_zero": true
-        }
+          "is_ca": true,
+          "max_path_len": 0,
+          "max_path_len_zero": true
+        },
+        "copy_extensions": true
       },
       "sigstore": {
         "usages": [
+          "client auth",
           "digital signature",
-          "code signing"
+          "code signing",
+          "server auth"
+        ],
+        "expiry": "24h",
+        "copy_extensions": true
+      },
+      "sunlight": {
+        "usages": [
+          "cert sign",
+          "client auth",
+          "code signing",
+          "crl sign",
+          "key encipherment",
+          "server auth",
+          "signing"
         ],
         "expiry": "8760h"
+      },
+      "sigstore-with-sunlight": {
+        "usages": [
+          "client auth",
+          "digital signature",
+          "code signing",
+          "server auth"
+        ],
+        "ct_log_servers": [
+          "https://sunlight.127.0.0.1.sslip.io:8080/2024h1"
+        ],
+        "expiry": "24h",
+        "copy_extensions": true
       }
     }
   }

test_data/certificate-signing/sunlight.json

@@ -0,0 +1,18 @@
+{
+  "CN": "sunlight.127.0.0.1.sslip.io",
+  "key": {
+    "algo": "ecdsa"
+  },
+  "names": [
+    {
+      "C": "DE",
+      "L": "Nuremberg",
+      "O": "Kubewarden",
+      "ST": "Bavaria",
+      "OU": "sunlight"
+    }
+  ],
+  "hosts": [
+    "sunlight.127.0.0.1.sslip.io"
+  ]
+}

test_data/certificate-signing/user-1.json

@@ -4,15 +4,31 @@
     "algo": "ecdsa"
   },
   "names": [
-  {
-    "C": "DE",
-    "L": "Nuremberg",
-    "O": "Kubewarden",
-    "ST": "Bavaria",
-    "OU": "Kubewarden User"
-  }
+    {
+      "C": "DE",
+      "L": "Nuremberg",
+      "O": "Kubewarden",
+      "ST": "Bavaria",
+      "OU": "Kubewarden User"
+    }
   ],
   "hosts": [
     "[email protected]"
+  ],
+  "extensions": [
+    {
+      "id": [
+        1,
+        3,
+        6,
+        1,
+        4,
+        1,
+        57264,
+        1,
+        1
+      ],
+      "value": "a3ctb3duLWluZnJh"
+    }
   ]
 }

test_data/pod_creation_signed_with_keyless_mode.json

@@ -0,0 +1,39 @@
+{
+  "uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
+  "kind": {
+    "group": "",
+    "kind": "Pod",
+    "version": "v1"
+  },
+  "resource": {
+    "group": "",
+    "version": "v1",
+    "resource": "pods"
+  },
+  "object": {
+    "metadata": {
+      "name": "nginx"
+    },
+    "spec": {
+      "containers": [
+        {
+          "image": "ghcr.io/kubewarden/tests/pod-privileged:v0.2.1",
+          "name": "test-verify-image-signatures"
+        }
+      ]
+    }
+  },
+  "operation": "CREATE",
+  "requestKind": {
+    "group": "",
+    "version": "v1",
+    "kind": "Pod"
+  },
+  "userInfo": {
+    "username": "alice",
+    "uid": "alice-uid",
+    "groups": [
+      "system:authenticated"
+    ]
+  }
+}

test_data/settings-keyless-signing-wrong-subject.yaml

@@ -0,0 +1,6 @@
+modifyImagesWithDigest: true
+signatures:
+  - image: "ghcr.io/kubewarden/tests/pod-privileged:v0.2.1"
+    keyless:
+      - issuer: "https://github.com/login/oauth"
+        subject: "[email protected]"

test_data/settings-keyless-signing.yaml

@@ -0,0 +1,6 @@
+modifyImagesWithDigest: true
+signatures:
+  - image: "ghcr.io/kubewarden/tests/pod-privileged:v0.2.1"
+    keyless:
+      - issuer: "https://github.com/login/oauth"
+        subject: "[email protected]"