From 324ea5c27ea2d96a7d1fb274ffc32c6a718d9c99 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sat, 18 Jun 2022 17:14:45 -0400 Subject: [PATCH 1/5] ensure fallback logic executes if attestation key is empty Signed-off-by: Bob Callaway --- .github/workflows/main.yml | 22 +++++ pkg/api/entries.go | 40 +++++---- pkg/storage/storage.go | 3 +- tests/intoto_dsse.json | 1 + tests/intoto_dsse.pem | 4 + tests/issue-872-e2e-test.sh | 167 ++++++++++++++++++++++++++++++++++++ 6 files changed, 219 insertions(+), 18 deletions(-) create mode 100644 tests/intoto_dsse.json create mode 100644 tests/intoto_dsse.pem create mode 100755 tests/issue-872-e2e-test.sh diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4efa8b533..26dcc6d49 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -112,3 +112,25 @@ jobs: with: name: Docker Compose logs path: /tmp/docker-compose.log + + issue-872-e2e: + runs-on: ubuntu-20.04 + needs: build + + steps: + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 + - name: Docker Build + run: docker-compose build + - name: Extract version of Go to use + run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV + - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.1.0 + with: + go-version: ${{ env.GOVERSION }} + - name: Test for Attestation begin returned that was previously persisted in tlog + run: ./tests/issue-872-e2e-test.sh + - name: Upload logs if they exist + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3 + if: failure() + with: + name: Docker Compose logs + path: /tmp/*docker-compose.log diff --git a/pkg/api/entries.go b/pkg/api/entries.go index 782d8d3cc..b2132c115 100644 --- a/pkg/api/entries.go +++ b/pkg/api/entries.go 
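Review bot: The new `issue-872-e2e` job in `.github/workflows/main.yml` declares no `permissions:` block. Unless the workflow sets one at top level (outside this hunk), `docker-compose build` and `./tests/issue-872-e2e-test.sh` run with the repository's default `GITHUB_TOKEN` scope. The job only checks out code, runs the test and uploads an artifact, so `permissions:` with `contents: read` under `issue-872-e2e:` should be enough. The step name also reads "begin returned" where "being returned" looks intended.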
@@ -106,27 +106,33 @@ func logEntryFromLeaf(ctx context.Context, signer signature.Signer, tc TrillianC if err != nil { return nil, err } + + var att []byte + var fetchErr error attKey := eimpl.AttestationKey() + // if we're given a key by the type logic, let's try that first if attKey != "" { - att, err := storageClient.FetchAttestation(ctx, attKey) + att, fetchErr = storageClient.FetchAttestation(ctx, attKey) + if fetchErr != nil { + log.Logger.Errorf("error fetching attestation by key, trying by UUID: %s %w", attKey, fetchErr) + } + } + // if looking up by key failed or we weren't able to generate a key, try looking up by uuid + if attKey == "" || fetchErr != nil { + activeTree := fmt.Sprintf("%x", tc.logID) + entryIDstruct, err := sharding.CreateEntryIDFromParts(activeTree, uuid) if err != nil { - log.Logger.Errorf("error fetching attestation by key, trying by UUID: %s %s", attKey, err) - // the original attestation implementation stored this by uuid instead of by digest - activeTree := fmt.Sprintf("%x", tc.logID) - entryIDstruct, err := sharding.CreateEntryIDFromParts(activeTree, uuid) - if err != nil { - err := fmt.Errorf("error creating EntryID from active treeID %v and uuid %v: %w", activeTree, uuid, err) - return nil, err - } - att, err = storageClient.FetchAttestation(ctx, entryIDstruct.UUID) - if err != nil { - log.Logger.Errorf("error fetching attestation by uuid: %s %s", entryIDstruct.UUID, err) - } + err := fmt.Errorf("error creating EntryID from active treeID %v and uuid %v: %w", activeTree, uuid, err) + return nil, err } - if err == nil { - logEntryAnon.Attestation = &models.LogEntryAnonAttestation{ - Data: att, - } + att, fetchErr = storageClient.FetchAttestation(ctx, entryIDstruct.UUID) + if fetchErr != nil { + log.Logger.Errorf("error fetching attestation by uuid: %s %s", entryIDstruct.UUID, err) + } + } + if fetchErr == nil { + logEntryAnon.Attestation = &models.LogEntryAnonAttestation{ + Data: att, } } } 
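Review bot: The added `log.Logger.Errorf("error fetching attestation by key, trying by UUID: %s %w", attKey, fetchErr)` uses `%w`, which only `fmt.Errorf` understands. If the logger formats with `fmt.Sprintf` rules, the line prints a `%!w(...)` artefact instead of the error text, which hurts anyone triaging attestation lookups from logs; use `%v` there. The later PATCH 5/5 hunk starts below this line, so it corrects the UUID log call but leaves this one as is. The fallback also runs for every `fetchErr`, not only "not found", so a storage outage causes two fetch attempts and two error-level log lines per entry. `logEntryFromLeaf` starts and ends outside the hunk.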
diff --git a/pkg/storage/storage.go b/pkg/storage/storage.go index 2e182e495..16803148c 100644 --- a/pkg/storage/storage.go +++ b/pkg/storage/storage.go @@ -18,6 +18,7 @@ package storage import ( "context" "errors" + "fmt" "github.com/sigstore/rekor/pkg/log" @@ -72,7 +73,7 @@ func (b *Blob) FetchAttestation(ctx context.Context, key string) ([]byte, error) return nil, err } if !exists { - return nil, nil + return nil, fmt.Errorf("attestation %v does not exist", key) } data, err := b.bucket.ReadAll(ctx, key) diff --git a/tests/intoto_dsse.json b/tests/intoto_dsse.json new file mode 100644 index 000000000..a8a7e6d47 --- /dev/null +++ b/tests/intoto_dsse.json @@ -0,0 +1 @@ +{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJmb29iYXIiLCJkaWdlc3QiOnsiZm9vIjoiYmFyIn19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJmb29ISzFiZ2Y1WC8xckNxZz09In0sImJ1aWxkVHlwZSI6IiIsImludm9jYXRpb24iOnsiY29uZmlnU291cmNlIjp7fX19fQ==","signatures":[{"keyid":"","sig":"MEQCIAIlnxHC3eU4jmUsqJExxfzqyy8bk+61btgnRiGcRDxgAiBwmdnJ/GX1yCYhYAvwAtkuYN0yFlVPQVAx9R6JpUUBiA=="}]} \ No newline at end of file diff --git a/tests/intoto_dsse.pem b/tests/intoto_dsse.pem new file mode 100644 index 000000000..6892c7831 --- /dev/null +++ b/tests/intoto_dsse.pem @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx+ikqUxXurlxZltajRBV2ju31j32 +baT2ax2dXBcpInWaFESqGF35KISflP1EmMvEnfG+AzHecQ0WQp5QzNId+w== +-----END PUBLIC KEY----- \ No newline at end of file diff --git a/tests/issue-872-e2e-test.sh b/tests/issue-872-e2e-test.sh new file mode 100755 index 000000000..f6c55c576 --- /dev/null +++ b/tests/issue-872-e2e-test.sh 
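Review bot: In `FetchAttestation` (second hunk of `pkg/storage/storage.go`) the not-found case now returns an ad-hoc `fmt.Errorf("attestation %v does not exist", key)`, so callers can only tell a missing attestation from a bucket failure by matching the message string. A package-level sentinel, for example `var ErrAttestationNotFound = errors.New("attestation not found")` returned as `fmt.Errorf("%w: %v", ErrAttestationNotFound, key)`, would let `logEntryFromLeaf` gate its UUID fallback on `errors.Is` and log plain absence at a lower level than a real storage error. Any other caller that relied on the previous `nil, nil` result needs checking; none is visible on this page. The function body continues outside the hunk.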
@@ -0,0 +1,167 @@ +#!/bin/bash +# +# Copyright 2022 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e +testdir=$(dirname "$0") + +echo "* starting services" +docker-compose up -d + +echo "* building CLI" +go build -o rekor-cli ./cmd/rekor-cli + +function waitForRekorServer () { + echo -n "* waiting up to 60 sec for system to start" + count=0 + + until [ $(docker ps -a | grep -c "(healthy)") == 3 ]; + do + if [ $count -eq 6 ]; then + echo "! timeout reached" + exit 1 + else + echo -n "." 
+ sleep 10 + let 'count+=1' + fi + done + + echo +} + +REKORTMPDIR="$(mktemp -d -t rekor_test.XXXXXX)" +touch $REKORTMPDIR.rekor.yaml +trap "rm -rf $REKORTMPDIR" EXIT + +waitForRekorServer + +echo "* stopping rekor to test issue #872" +docker-compose stop rekor-server +V060_COMPOSE_FILE=$REKORTMPDIR/docker-compose-issue872-v060.yaml +cat << EOF > $V060_COMPOSE_FILE +version: '3.4' +services: + rekor-server-issue-872-v060: + # this container image is built on v0.6.0 with the fix for issue #800 + image: gcr.io/projectsigstore/rekor-server@sha256:568aee99574e6d796d70b7b1fd59438bd54b3b9f44cc2c9a086629597c66d324 + command: [ + "serve", + "--trillian_log_server.address=trillian-log-server", + "--trillian_log_server.port=8090", + "--redis_server.address=redis-server", + "--redis_server.port=6379", + "--rekor_server.address=0.0.0.0", + "--rekor_server.signer=memory", + "--enable_attestation_storage", + "--attestation_storage_bucket=file:///var/run/attestations", + # Uncomment this for production logging + # "--log_type=prod", + ] + volumes: + - "/var/run/attestations:/var/run/attestations" + restart: always # keep the server running + ports: + - "0.0.0.0:3000:3000" + - "0.0.0.0:2112:2112" +EOF + +echo "* starting rekor v0.6.0 to test issue #872" +docker-compose -f $V060_COMPOSE_FILE --project-directory=$PWD up -d rekor-server-issue-872-v060 +sleep 5 + +# this rekor-cli image is based on v0.6.0 and has the fix for issue #800 +ISSUE800_CONTAINER=gcr.io/projectsigstore/rekor/ci/rekor/rekor-cli@sha256:34f6ec6324a6f32f118dc14d33e5cc081fb8b49a5026d388f782a3566afa2ca8 +ISSUE800_CONTAINER_ID=$(docker create $ISSUE800_CONTAINER) +ISSUE800_CLI=$REKORTMPDIR/rekor-cli-issue-800 +docker cp "$ISSUE800_CONTAINER_ID:/ko-app/rekor-cli" $ISSUE800_CLI +docker rm $ISSUE800_CONTAINER_ID >/dev/null + +V060_UPLOAD_OUTPUT=$REKORTMPDIR/issue-872-upload-output +echo "* inserting intoto entry into Rekor v0.6.0" +if ! 
$ISSUE800_CLI upload --type intoto --artifact tests/intoto_dsse.json --public-key tests/intoto_dsse.pem --format=json --rekor_server=http://localhost:3000 > $V060_UPLOAD_OUTPUT; then + echo "* failed to insert intoto entry to test issue #872, exiting" + docker-compose logs --no-color > /tmp/docker-compose.log + docker-compose -f $V060_COMPOSE_FILE --project-directory=$PWD logs rekor-server-issue-872-v060 >> /tmp/docker-compose.log + exit 1 +fi +echo "* grabbing TreeID to use when starting older version" +REKOR_TRILLIAN_LOG_SERVER_TLOG_ID=$($ISSUE800_CLI loginfo --rekor_server=http://localhost:3000 --format=json | jq -r .TreeID) +echo "* stopping rekor v0.6.0 to test issue #872" +docker-compose -f $V060_COMPOSE_FILE --project-directory=$PWD logs rekor-server-issue-872-v060 > /tmp/post-insert-docker-compose.log +docker-compose -f $V060_COMPOSE_FILE --project-directory=$PWD stop rekor-server-issue-872-v060 + +COMPOSE_FILE=$REKORTMPDIR/docker-compose-issue872.yaml +cat << EOF > $COMPOSE_FILE +version: '3.4' +services: + rekor-server: + build: + context: . 
+ target: "deploy" + command: [ + "rekor-server", + "serve", + "--trillian_log_server.address=trillian-log-server", + "--trillian_log_server.port=8090", + "--redis_server.address=redis-server", + "--redis_server.port=6379", + "--rekor_server.address=0.0.0.0", + "--rekor_server.signer=memory", + "--enable_attestation_storage", + "--attestation_storage_bucket=file:///var/run/attestations", + "--trillian_log_server.tlog_id=$REKOR_TRILLIAN_LOG_SERVER_TLOG_ID", + # Uncomment this for production logging + # "--log_type=prod", + ] + volumes: + - "/var/run/attestations:/var/run/attestations" + restart: always # keep the server running + ports: + - "3000:3000" + - "2112:2112" + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:3000/ping"] + interval: 10s + timeout: 3s + retries: 3 + start_period: 5s +EOF + +docker network prune -f +echo "* starting rekor under test to ensure attestation inserted in old version is successfully returned" +docker-compose -f $COMPOSE_FILE --project-directory=$PWD up -d +waitForRekorServer + +ISSUE872_UPLOAD_INDEX=$(jq -r .Index $V060_UPLOAD_OUTPUT) +ISSUE872_GET_ENTRY=$REKORTMPDIR/issue-872-get-entry +echo "* fetching previous entry made under v0.6.0" +if ! rekor-cli get --log-index=$ISSUE872_UPLOAD_INDEX --rekor_server=http://localhost:3000 --format=json > $ISSUE872_GET_ENTRY; then + echo "* failed to read back intoto entry while testing issue #872, exiting" + docker-compose logs --no-color > /tmp/docker-compose.log + exit 1 +fi + +#ensure attestation of len() > 0 returned +echo "* checking to ensure attestation is successfully returned" +ATT_LENGTH=$(jq -r '.Attestation | length' $ISSUE872_GET_ENTRY) +if [ $ATT_LENGTH -eq 0 ]; then + echo "* failed to read back attestation while testing issue #872, exiting" + cat $ISSUE872_GET_ENTRY + docker-compose logs --no-color > /tmp/docker-compose.log + exit 1 +else + echo "* tests succeeded!" +fi \ No newline at end of file 
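Review bot: The closing assertion in `tests/issue-872-e2e-test.sh`, `if [ $ATT_LENGTH -eq 0 ]; then`, fails open. If `ATT_LENGTH` is empty or non-numeric, `[` exits with an error status, the `if` treats that as false, and the `else` branch prints "tests succeeded!". Inverting it to `if ! [ "$ATT_LENGTH" -gt 0 ]; then` makes any unexpected value take the failure path; the `V060_ATT_LENGTH` check added in PATCH 5/5 has the same shape. Separately, `touch $REKORTMPDIR.rekor.yaml` creates a file beside the temp directory rather than inside it, so `trap "rm -rf $REKORTMPDIR" EXIT` never removes it; `touch "$REKORTMPDIR/.rekor.yaml"` may be what was meant.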
From 06d0624fcc7a667c1343515df129d6aaef99b7ba Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sat, 18 Jun 2022 17:32:21 -0400 Subject: [PATCH 2/5] add gcloud auth to get containers Signed-off-by: Bob Callaway --- .github/workflows/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 26dcc6d49..75a502707 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -126,6 +126,14 @@ jobs: - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.1.0 with: go-version: ${{ env.GOVERSION }} + - name: Set up Cloud SDK + uses: google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955 # v0.8.0 + with: + workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-rekor' + service_account: 'github-actions-rekor@projectsigstore.iam.gserviceaccount.com' + + - name: creds + run: gcloud auth configure-docker --quiet - name: Test for Attestation begin returned that was previously persisted in tlog run: ./tests/issue-872-e2e-test.sh - name: Upload logs if they exist From ad98ad223a12615bd7544dbfd359afdd1f23ab4d Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sat, 18 Jun 2022 21:46:16 -0400 Subject: [PATCH 3/5] use correct ref, not a creds problem Signed-off-by: Bob Callaway --- .github/workflows/main.yml | 8 -------- tests/issue-872-e2e-test.sh | 2 +- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 75a502707..26dcc6d49 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
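Review bot: The added `google-github-actions/auth` step uses `workload_identity_provider`, which exchanges the job's GitHub OIDC token, and that token is only issued when the job has `id-token: write`. No `permissions:` entry for `issue-872-e2e` is visible in this hunk or in the hunk that created the job. If the step is kept, declare `permissions:` with `contents: read` and `id-token: write` on this job only, so the service-account identity is not exposed to the other jobs. Every later step, including `./tests/issue-872-e2e-test.sh`, then runs with Google credentials configured for docker, so confirm the images really need authenticated pulls before granting them.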
@@ -126,14 +126,6 @@ jobs: - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.1.0 with: go-version: ${{ env.GOVERSION }} - - name: Set up Cloud SDK - uses: google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955 # v0.8.0 - with: - workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-rekor' - service_account: 'github-actions-rekor@projectsigstore.iam.gserviceaccount.com' - - - name: creds - run: gcloud auth configure-docker --quiet - name: Test for Attestation begin returned that was previously persisted in tlog run: ./tests/issue-872-e2e-test.sh - name: Upload logs if they exist diff --git a/tests/issue-872-e2e-test.sh b/tests/issue-872-e2e-test.sh index f6c55c576..1887b4c30 100755 --- a/tests/issue-872-e2e-test.sh +++ b/tests/issue-872-e2e-test.sh @@ -56,7 +56,7 @@ version: '3.4' services: rekor-server-issue-872-v060: # this container image is built on v0.6.0 with the fix for issue #800 - image: gcr.io/projectsigstore/rekor-server@sha256:568aee99574e6d796d70b7b1fd59438bd54b3b9f44cc2c9a086629597c66d324 + image: gcr.io/projectsigstore/rekor/ci/rekor/rekor-server@sha256:568aee99574e6d796d70b7b1fd59438bd54b3b9f44cc2c9a086629597c66d324 command: [ "serve", "--trillian_log_server.address=trillian-log-server", From fe836801fc05b8da5fe12fc3ebf01fac69ad11d8 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sat, 18 Jun 2022 21:58:58 -0400 Subject: [PATCH 4/5] use full path to rekor-cli, not safe to assume path is set Signed-off-by: Bob Callaway --- tests/issue-872-e2e-test.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/issue-872-e2e-test.sh b/tests/issue-872-e2e-test.sh index 1887b4c30..1436b3164 100755 --- a/tests/issue-872-e2e-test.sh +++ b/tests/issue-872-e2e-test.sh 
@@ -22,6 +22,7 @@ docker-compose up -d echo "* building CLI" go build -o rekor-cli ./cmd/rekor-cli +REKOR_CLI=$(pwd)/rekor-cli function waitForRekorServer () { echo -n "* waiting up to 60 sec for system to start" @@ -148,7 +149,7 @@ waitForRekorServer ISSUE872_UPLOAD_INDEX=$(jq -r .Index $V060_UPLOAD_OUTPUT) ISSUE872_GET_ENTRY=$REKORTMPDIR/issue-872-get-entry echo "* fetching previous entry made under v0.6.0" -if ! rekor-cli get --log-index=$ISSUE872_UPLOAD_INDEX --rekor_server=http://localhost:3000 --format=json > $ISSUE872_GET_ENTRY; then +if ! $REKOR_CLI get --log-index=$ISSUE872_UPLOAD_INDEX --rekor_server=http://localhost:3000 --format=json > $ISSUE872_GET_ENTRY; then echo "* failed to read back intoto entry while testing issue #872, exiting" docker-compose logs --no-color > /tmp/docker-compose.log exit 1 From 8212c788deec07be9472d646d3b55bbdd2c3a3a2 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sun, 19 Jun 2022 07:07:43 -0400 Subject: [PATCH 5/5] use external volume and set perms Signed-off-by: Bob Callaway --- pkg/api/entries.go | 5 ++--- tests/issue-872-e2e-test.sh | 43 ++++++++++++++++++++++++++++++++----- 2 files changed, 40 insertions(+), 8 deletions(-) diff --git a/pkg/api/entries.go b/pkg/api/entries.go index b2132c115..e379f7ffd 100644 --- a/pkg/api/entries.go +++ b/pkg/api/entries.go 
@@ -122,12 +122,11 @@ func logEntryFromLeaf(ctx context.Context, signer signature.Signer, tc TrillianC activeTree := fmt.Sprintf("%x", tc.logID) entryIDstruct, err := sharding.CreateEntryIDFromParts(activeTree, uuid) if err != nil { - err := fmt.Errorf("error creating EntryID from active treeID %v and uuid %v: %w", activeTree, uuid, err) - return nil, err + return nil, fmt.Errorf("error creating EntryID from active treeID %v and uuid %v: %w", activeTree, uuid, err) } att, fetchErr = storageClient.FetchAttestation(ctx, entryIDstruct.UUID) if fetchErr != nil { - log.Logger.Errorf("error fetching attestation by uuid: %s %s", entryIDstruct.UUID, err) + log.Logger.Errorf("error fetching attestation by uuid: %s %v", entryIDstruct.UUID, fetchErr) } } if fetchErr == nil { diff --git a/tests/issue-872-e2e-test.sh b/tests/issue-872-e2e-test.sh index 1436b3164..86d751ece 100755 --- a/tests/issue-872-e2e-test.sh +++ b/tests/issue-872-e2e-test.sh @@ -51,6 +51,12 @@ waitForRekorServer echo "* stopping rekor to test issue #872" docker-compose stop rekor-server + +docker volume rm -f issue872_attestations || true +ATT_VOLUME=$(docker volume create --name issue872_attestations) +# set permissions on docker volume to be friendly to non-root since v0.6.0 container is based on distroless +docker run --rm -v $ATT_VOLUME:/att:z busybox /bin/sh -c 'touch /att/.initialized && chown -R 65532:65532 /att && chmod 777 /att' + V060_COMPOSE_FILE=$REKORTMPDIR/docker-compose-issue872-v060.yaml cat << EOF > $V060_COMPOSE_FILE version: '3.4' @@ -58,6 +64,7 @@ services: rekor-server-issue-872-v060: # this container image is built on v0.6.0 with the fix for issue #800 image: gcr.io/projectsigstore/rekor/ci/rekor/rekor-server@sha256:568aee99574e6d796d70b7b1fd59438bd54b3b9f44cc2c9a086629597c66d324 + user: "65532:65532" command: [ "serve", "--trillian_log_server.address=trillian-log-server", 
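Review bot: In the `tests/issue-872-e2e-test.sh` hunk at line 51, the volume-preparation command pulls `busybox` by mutable tag while the two gcr.io images in this script are pinned by `@sha256:` digest, and it ends with `chmod 777 /att`, leaving the attestation store world-writable. After `chown -R 65532:65532 /att` the v0.6.0 server user already owns the directory, so `chmod 700 /att` may be enough. The caveat is the second compose file, whose `rekor-server` sets no `user:` and may run under a different UID; if so, a matching `user:` there is tighter than opening the mode. Pinning the helper as `busybox@sha256:DIGEST_PLACEHOLDER` would match how the other images are referenced.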
@@ -67,16 +74,19 @@ services: "--rekor_server.address=0.0.0.0", "--rekor_server.signer=memory", "--enable_attestation_storage", - "--attestation_storage_bucket=file:///var/run/attestations", + "--attestation_storage_bucket=file:///ko-app/attestations", # Uncomment this for production logging # "--log_type=prod", ] volumes: - - "/var/run/attestations:/var/run/attestations" + - "$ATT_VOLUME:/ko-app/attestations:z" restart: always # keep the server running ports: - "0.0.0.0:3000:3000" - "0.0.0.0:2112:2112" +volumes: + $ATT_VOLUME: + external: true EOF echo "* starting rekor v0.6.0 to test issue #872" 
@@ -95,9 +105,30 @@ echo "* inserting intoto entry into Rekor v0.6.0" if ! $ISSUE800_CLI upload --type intoto --artifact tests/intoto_dsse.json --public-key tests/intoto_dsse.pem --format=json --rekor_server=http://localhost:3000 > $V060_UPLOAD_OUTPUT; then echo "* failed to insert intoto entry to test issue #872, exiting" docker-compose logs --no-color > /tmp/docker-compose.log - docker-compose -f $V060_COMPOSE_FILE --project-directory=$PWD logs rekor-server-issue-872-v060 >> /tmp/docker-compose.log + docker-compose -f $V060_COMPOSE_FILE --project-directory=$PWD logs rekor-server-issue-872-v060 > /tmp/post-insert-docker-compose.log + exit 1 +fi + +ISSUE872_UPLOAD_INDEX=$(jq -r .Index $V060_UPLOAD_OUTPUT) +V060_GET_OUTPUT=$REKORTMPDIR/issue-872-get-output +echo "* read back entry from Rekor v0.6.0" +if ! $ISSUE800_CLI get --log-index=$ISSUE872_UPLOAD_INDEX --format=json --rekor_server=http://localhost:3000 > $V060_GET_OUTPUT; then + echo "* failed to retrieve entry from rekor v0.6.0 to test issue #872, exiting" + docker-compose logs --no-color > /tmp/docker-compose.log + docker-compose -f $V060_COMPOSE_FILE --project-directory=$PWD logs rekor-server-issue-872-v060 > /tmp/post-insert-docker-compose.log exit 1 fi + +echo "* checking to ensure attestation is successfully returned from rekor v0.6.0" +V060_ATT_LENGTH=$(jq -r '.Attestation | length' $V060_GET_OUTPUT) +if [ $V060_ATT_LENGTH -eq 0 ]; then + echo "* failed to read back attestation while testing issue #872 against rekor v0.6.0, exiting" + cat $V060_GET_OUTPUT + docker-compose logs --no-color > /tmp/docker-compose.log + docker-compose -f $V060_COMPOSE_FILE --project-directory=$PWD logs rekor-server-issue-872-v060 > /tmp/post-insert-docker-compose.log + exit 1 +fi + echo "* grabbing TreeID to use when starting older version" REKOR_TRILLIAN_LOG_SERVER_TLOG_ID=$($ISSUE800_CLI loginfo --rekor_server=http://localhost:3000 --format=json | jq -r .TreeID) echo "* stopping rekor v0.6.0 to test issue #872" 
@@ -128,7 +159,7 @@ services: # "--log_type=prod", ] volumes: - - "/var/run/attestations:/var/run/attestations" + - "$ATT_VOLUME:/var/run/attestations:z" restart: always # keep the server running ports: - "3000:3000" @@ -139,6 +170,9 @@ services: timeout: 3s retries: 3 start_period: 5s +volumes: + $ATT_VOLUME: + external: true EOF docker network prune -f @@ -146,7 +180,6 @@ echo "* starting rekor under test to ensure attestation inserted in old version docker-compose -f $COMPOSE_FILE --project-directory=$PWD up -d waitForRekorServer -ISSUE872_UPLOAD_INDEX=$(jq -r .Index $V060_UPLOAD_OUTPUT) ISSUE872_GET_ENTRY=$REKORTMPDIR/issue-872-get-entry echo "* fetching previous entry made under v0.6.0" if ! $REKOR_CLI get --log-index=$ISSUE872_UPLOAD_INDEX --rekor_server=http://localhost:3000 --format=json > $ISSUE872_GET_ENTRY; then