Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revamping rekor e2e - part 4 of N #1218

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -90,8 +90,8 @@ jobs:

- name: CLI
run: ./tests/e2e-test.sh
- name: PKG-CLI # this will a WIP to move all the CLI tests to the pkg repo
run: ./pkg/e2e-test.sh
- name: Refactor-e2e # this will a WIP to move all the tests to respective packages
run: ./e2e-test.sh
- name: Upload logs if they exist
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
if: failure()
Expand Down
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ logid
!rekor-cli/
rekor-cli
rekor-server
!rekor-server/
/tests/rekor-server
/server
swagger
Expand Down
223 changes: 223 additions & 0 deletions cmd/rekor-server/e2e_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,223 @@
//
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//go:build e2e

package main

import (
"bufio"
"crypto/sha256"
"encoding/hex"
"encoding/json"
"fmt"
"github.com/sigstore/rekor/pkg/sharding"
"io/ioutil"
"net/http"
"os"
"path/filepath"
"regexp"
"strconv"
"strings"
"testing"

"github.com/sigstore/rekor/pkg/util"
)

func TestDuplicates(t *testing.T) {
artifactPath := filepath.Join(t.TempDir(), "artifact")
sigPath := filepath.Join(t.TempDir(), "signature.asc")

util.CreatedPGPSignedArtifact(t, artifactPath, sigPath)

// Write the public key to a file
pubPath := filepath.Join(t.TempDir(), "pubKey.asc")
if err := ioutil.WriteFile(pubPath, []byte(util.PubKey), 0644); err != nil {
t.Fatal(err)
}

// Now upload to rekor!
out := util.RunCli(t, "upload", "--artifact", artifactPath, "--signature", sigPath, "--public-key", pubPath)
util.OutputContains(t, out, "Created entry at")

// Now upload the same one again, we should get a dupe entry.
out = util.RunCli(t, "upload", "--artifact", artifactPath, "--signature", sigPath, "--public-key", pubPath)
util.OutputContains(t, out, "Entry already exists")

// Now do a new one, we should get a new entry
util.CreatedPGPSignedArtifact(t, artifactPath, sigPath)
out = util.RunCli(t, "upload", "--artifact", artifactPath, "--signature", sigPath, "--public-key", pubPath)
util.OutputContains(t, out, "Created entry at")
}

// Smoke test to ensure we're publishing and recording metrics when an API is
// called.
// TODO: use a more robust test approach here e.g. prometheus client-based?
// TODO: cover all endpoints to make sure none are dropped.
func TestMetricsCounts(t *testing.T) {
latencyMetric := "rekor_latency_by_api_count{method=\"GET\",path=\"/api/v1/log\"}"
qpsMetric := "rekor_qps_by_api{code=\"200\",method=\"GET\",path=\"/api/v1/log\"}"

latencyCount, err := getRekorMetricCount(latencyMetric, t)
if err != nil {
t.Fatal(err)
}

qpsCount, err := getRekorMetricCount(qpsMetric, t)
if err != nil {
t.Fatal(err)
}

resp, err := http.Get("http://localhost:3000/api/v1/log")
if err != nil {
t.Fatal(err)
}
resp.Body.Close()

latencyCount2, err := getRekorMetricCount(latencyMetric, t)
if err != nil {
t.Fatal(err)
}

qpsCount2, err := getRekorMetricCount(qpsMetric, t)
if err != nil {
t.Fatal(err)
}

if latencyCount2-latencyCount != 1 {
t.Error("rekor_latency_by_api_count did not increment")
}

if qpsCount2-qpsCount != 1 {
t.Error("rekor_qps_by_api did not increment")
}
}
func getRekorMetricCount(metricLine string, t *testing.T) (int, error) {
t.Helper()
re, err := regexp.Compile(fmt.Sprintf("^%s.*([0-9]+)$", regexp.QuoteMeta(metricLine)))
if err != nil {
return 0, err
}

resp, err := http.Get("http://localhost:2112/metrics")
if err != nil {
return 0, err
}
defer resp.Body.Close()

scanner := bufio.NewScanner(resp.Body)
for scanner.Scan() {
match := re.FindStringSubmatch(scanner.Text())
if len(match) != 2 {
continue
}

result, err := strconv.Atoi(match[1])
if err != nil {
return 0, nil
}
t.Log("Matched metric line: " + scanner.Text())
return result, nil
}
return 0, nil
}
func TestEnvVariableValidation(t *testing.T) {
os.Setenv("REKOR_FORMAT", "bogus")
defer os.Unsetenv("REKOR_FORMAT")

util.RunCliErr(t, "loginfo")
}
func TestGetCLI(t *testing.T) {
// Create something and add it to the log
artifactPath := filepath.Join(t.TempDir(), "artifact")
sigPath := filepath.Join(t.TempDir(), "signature.asc")
t.Cleanup(func() {
os.Remove(artifactPath)
os.Remove(sigPath)
})
util.CreatedPGPSignedArtifact(t, artifactPath, sigPath)

// Write the public key to a file
pubPath := filepath.Join(t.TempDir(), "pubKey.asc")
if err := ioutil.WriteFile(pubPath, []byte(util.PubKey), 0644); err != nil {
t.Error(err)
}
t.Cleanup(func() {
os.Remove(pubPath)
})
out := util.RunCli(t, "upload", "--artifact", artifactPath, "--signature", sigPath, "--public-key", pubPath)
util.OutputContains(t, out, "Created entry at")

uuid, err := sharding.GetUUIDFromIDString(util.GetUUIDFromUploadOutput(t, out))
if err != nil {
t.Error(err)
}

// since we at least have 1 valid entry, check the log at index 0
util.RunCli(t, "get", "--log-index", "0")

out = util.RunCli(t, "get", "--format=json", "--uuid", uuid)

// The output here should be in JSON with this structure:
g := util.GetOut{}
if err := json.Unmarshal([]byte(out), &g); err != nil {
t.Error(err)
}

if g.IntegratedTime == 0 {
t.Errorf("Expected IntegratedTime to be set. Got %s", out)
}
// Get it with the logindex as well
util.RunCli(t, "get", "--format=json", "--log-index", strconv.Itoa(g.LogIndex))

// check index via the file and public key to ensure that the index has updated correctly
out = util.RunCli(t, "search", "--artifact", artifactPath)
util.OutputContains(t, out, uuid)

out = util.RunCli(t, "search", "--public-key", pubPath)
util.OutputContains(t, out, uuid)

artifactBytes, err := ioutil.ReadFile(artifactPath)
if err != nil {
t.Error(err)
}
sha := sha256.Sum256(artifactBytes)

out = util.RunCli(t, "search", "--sha", fmt.Sprintf("sha256:%s", hex.EncodeToString(sha[:])))
util.OutputContains(t, out, uuid)

// Exercise GET with the new EntryID (TreeID + UUID)
tid := getTreeID(t)
entryID, err := sharding.CreateEntryIDFromParts(fmt.Sprintf("%x", tid), uuid)
if err != nil {
t.Error(err)
}
out = util.RunCli(t, "get", "--format=json", "--uuid", entryID.ReturnEntryIDString())
}

func getTreeID(t *testing.T) int64 {
t.Helper()
out := util.RunCli(t, "loginfo")
tidStr := strings.TrimSpace(strings.Split(out, "TreeID: ")[1])
tid, err := strconv.ParseInt(tidStr, 10, 64)
if err != nil {
t.Errorf(err.Error())
}
t.Log("Tree ID:", tid)
return tid
}
func TestSearchNoEntriesRC1(t *testing.T) {
util.RunCliErr(t, "search", "--email", "noone@internetz.com")
}
2 changes: 1 addition & 1 deletion pkg/e2e-test.sh → e2e-test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ REKORTMPDIR="$(mktemp -d -t rekor_test.XXXXXX)"
cp $dir/rekor-cli $REKORTMPDIR/rekor-cli
touch $REKORTMPDIR.rekor.yaml
trap "rm -rf $REKORTMPDIR" EXIT
if ! REKORTMPDIR=$REKORTMPDIR go test -tags=e2e ./pkg/...; then
if ! REKORTMPDIR=$REKORTMPDIR go test -tags=e2e $(go list ./... | grep -v ./tests) ; then
docker-compose logs --no-color > /tmp/docker-compose.log
exit 1
fi
Expand Down
121 changes: 121 additions & 0 deletions pkg/pki/minisign/minisign_e2e_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
//
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//go:build e2e

package minisign

import (
"path/filepath"
"reflect"
"strings"
"testing"

"github.com/sigstore/rekor/pkg/util"
)

func TestMinisign(t *testing.T) {
// Create a keypair
keyPath := filepath.Join(t.TempDir(), "minisign.key")
pubPath := filepath.Join(t.TempDir(), "minisign.pub")

// Set an empty password, we have to hit enter twice to confirm
util.Run(t, "\n\n", "minisign", "-G", "-s", keyPath, "-p", pubPath)

// Create a random artifact and sign it.
artifactPath := filepath.Join(t.TempDir(), "artifact")
sigPath := filepath.Join(t.TempDir(), "signature.asc")
util.CreateArtifact(t, artifactPath)

// Send in one empty password over stdin
out := util.Run(t, "\n", "minisign", "-S", "-s", keyPath, "-m", artifactPath, "-x", sigPath)
t.Log(out)

// Now upload to the log!
out = util.RunCli(t, "upload", "--artifact", artifactPath, "--signature", sigPath,
"--public-key", pubPath, "--pki-format", "minisign")
util.OutputContains(t, out, "Created entry at")

uuidA := util.GetUUIDFromUploadOutput(t, out)

out = util.RunCli(t, "verify", "--artifact", artifactPath, "--signature", sigPath,
"--public-key", pubPath, "--pki-format", "minisign")
util.OutputContains(t, out, "Inclusion Proof")

out = util.RunCli(t, "search", "--public-key", pubPath, "--pki-format", "minisign")
util.OutputContains(t, out, uuidA)

// crease a second artifact and sign it
artifactPath_B := filepath.Join(t.TempDir(), "artifact2")
util.CreateArtifact(t, artifactPath_B)
out = util.Run(t, "\n", "minisign", "-S", "-s", keyPath, "-m", artifactPath_B, "-x", sigPath)
// Now upload to the log!
out = util.RunCli(t, "upload", "--artifact", artifactPath_B, "--signature", sigPath,
"--public-key", pubPath, "--pki-format", "minisign")
util.OutputContains(t, out, "Created entry at")
uuidB := util.GetUUIDFromUploadOutput(t, out)

tests := []struct {
name string
expectedUuidACount int
expectedUuidBCount int
artifact string
operator string
}{
{
name: "artifact A AND signature should return artifact A",
expectedUuidACount: 1,
expectedUuidBCount: 0,
artifact: artifactPath,
operator: "and",
},
{
name: "artifact A OR signature should return artifact A and B",
expectedUuidACount: 1,
expectedUuidBCount: 1,
artifact: artifactPath,
operator: "or",
},
{
name: "artifact B AND signature should return artifact B",
expectedUuidACount: 0,
expectedUuidBCount: 1,
artifact: artifactPath_B,
operator: "and",
},
{
name: "artifact B OR signature should return artifact A and B",
expectedUuidACount: 1,
expectedUuidBCount: 1,
artifact: artifactPath_B,
operator: "or",
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
out = util.RunCli(t, "search", "--public-key", pubPath, "--pki-format", "minisign",
"--operator", test.operator, "--artifact", test.artifact)

expected := map[string]int{uuidA: test.expectedUuidACount, uuidB: test.expectedUuidBCount}
actual := map[string]int{
uuidA: strings.Count(out, uuidA),
uuidB: strings.Count(out, uuidB),
}
if !reflect.DeepEqual(expected, actual) {
t.Errorf("expected to find %v, found %v", expected, actual)
}
})
}
}
Loading