Refactor insecure registry E2E tests (#3701)

* Fix e2e test copypaste error

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Clean up kind-e2e-insecure-registry workflow

- These tests don't use KinD, don't set it up
- Don't install yq, ko, or kustomize
- The scripts build cosign, no need to build it in its own step
- Don't use global environment variables when they're only needed for
  individual steps

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Move insecure OCI 1.0 registry tests to Go suite

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Move insecure OCI 1.1 registry tests to Go suite

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Make registry tests hermetic

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Move insecure registry workflow to e2e tests

Condense the kind-e2e-insecure-registry workflow into the rest of the
E2E tests workflow. The workflow name was misleading because these tests
don't relate to KinD except as an implementation detail of the
scaffolding action. Combining it makes it more discoverable and reduces
clutter inthe GitHub Actions UI.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

---------

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

.github/workflows/e2e-tests.yml

@@ -107,3 +107,109 @@ jobs:
 
       - name: Acceptance Tests
         run: go test -tags=e2e,kms -v ./test/...
+
+  e2e-registry:
+    runs-on: ubuntu-latest
+
+    env:
+      SCAFFOLDING_RELEASE_VERSION: "v0.6.17"
+
+    steps:
+    - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      with:
+        go-version: '1.21'
+        check-latest: true
+
+    - name: Setup mirror
+      uses: chainguard-dev/actions/setup-mirror@main
+      with:
+        mirror: mirror.gcr.io
+
+    - name: Install cluster + sigstore
+      uses: sigstore/scaffolding/actions/setup@main
+      with:
+        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}
+
+    - name: Setup local insecure registry
+      run: |
+        # Create a self-signed SSL cert
+        mkdir -p insecure-certs
+        openssl req \
+          -subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/emailAddress=testing@example.com" \
+          -newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \
+          -x509 -days 365 -out insecure-certs/domain.crt
+        # Run a registry.
+        docker run -d  --restart=always \
+          --name $INSECURE_REGISTRY_NAME \
+          -v "$(pwd)"/insecure-certs:/insecure-certs \
+          -e REGISTRY_HTTP_ADDR=0.0.0.0:$INSECURE_REGISTRY_PORT \
+          -e REGISTRY_HTTP_TLS_CERTIFICATE=/insecure-certs/domain.crt \
+          -e REGISTRY_HTTP_TLS_KEY=/insecure-certs/domain.key \
+          -p $INSECURE_REGISTRY_PORT:$INSECURE_REGISTRY_PORT \
+          registry:2
+        sudo echo "127.0.0.1 $INSECURE_REGISTRY_NAME" | sudo tee -a /etc/hosts
+      env:
+        # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
+        # '*.local' hostnames.
+        INSECURE_REGISTRY_NAME: insecure-registry.notlocal
+        INSECURE_REGISTRY_PORT: 5001
+
+    - name: Run Insecure Registry Tests
+      run: go test -tags=e2e,registry -v ./test/...
+      env:
+        COSIGN_TEST_REPO: insecure-registry.notlocal:5001
+
+    - name: Setup local insecure OCI 1.1 registry
+      run: |
+        # Create a self-signed SSL cert
+        mkdir -p insecure-certs
+        openssl req \
+          -subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/emailAddress=testing@example.com" \
+          -newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \
+          -x509 -days 365 -out insecure-certs/domain.crt
+        cat > config.json << EOF
+        {
+          "distSpecVersion": "1.1.0-dev",
+          "storage": {
+            "rootDirectory": "/tmp/zot"
+          },
+          "http": {
+            "address": "0.0.0.0",
+            "port": "5002",
+            "realm": "zot",
+            "tls": {
+              "cert": "/insecure-certs/domain.crt",
+              "key": "/insecure-certs/domain.key"
+            }
+          },
+          "log": {
+            "level": "debug"
+          }
+        }
+        EOF
+        # Run a registry.
+        docker run -d  --restart=always \
+          --name $INSECURE_OCI_REGISTRY_NAME \
+          -v "$(pwd)"/insecure-certs:/insecure-certs \
+          -v "$(pwd)"/config.json:/etc/zot/config.json \
+          -p $INSECURE_OCI_REGISTRY_PORT:$INSECURE_OCI_REGISTRY_PORT \
+          ghcr.io/project-zot/zot-minimal-linux-amd64:$ZOT_VERSION
+        sudo echo "127.0.0.1 $INSECURE_OCI_REGISTRY_NAME" | sudo tee -a /etc/hosts
+      env:
+        ZOT_VERSION: v2.0.0-rc6
+        # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
+        # '*.local' hostnames.
+        INSECURE_OCI_REGISTRY_NAME: insecure-oci-registry.notlocal
+        INSECURE_OCI_REGISTRY_PORT: 5002
+
+
+    - name: Run Insecure OCI 1.1 Registry Tests
+      run: go test -tags=e2e,registry -v ./test/...
+      env:
+        OCI11: yes
+        COSIGN_TEST_REPO: insecure-oci-registry.notlocal:5002
+
+    - name: Collect diagnostics
+      if: ${{ failure() }}
+      uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main

test/e2e_insecure_registry_test.go

@@ -0,0 +1,125 @@
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build e2e && registry
+
+package test
+
+import (
+	"context"
+	"crypto/tls"
+	"net/http"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/random"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
+	cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
+	"github.com/sigstore/cosign/v2/pkg/cosign/env"
+	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+)
+
+const (
+	oci11Var    = "OCI11"
+	rekorURLVar = "REKOR_URL"
+)
+
+func TestInsecureRegistry(t *testing.T) {
+	if os.Getenv("COSIGN_TEST_REPO") == "" {
+		t.Fatal("COSIGN_TEST_REPO must be set to an insecure registry for this test")
+	}
+	repo, stop := reg(t)
+	defer stop()
+	td := t.TempDir()
+
+	imgName := path.Join(repo, "cosign-registry-e2e")
+	cleanup := makeImageIndexWithInsecureRegistry(t, imgName)
+	defer cleanup()
+
+	_, privKey, pubKey := keypair(t, td)
+
+	useOCI11 := os.Getenv("oci11Var") != ""
+
+	rekorURL := os.Getenv(rekorURLVar)
+	must(downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td), t)
+
+	ko := options.KeyOpts{
+		KeyRef:           privKey,
+		PassFunc:         passFunc,
+		RekorURL:         rekorURL,
+		SkipConfirmation: true,
+	}
+	so := options.SignOptions{
+		Upload:     true,
+		TlogUpload: true,
+	}
+	mustErr(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+	so.Registry = options.RegistryOptions{
+		AllowInsecure: true,
+	}
+	if useOCI11 {
+		so.RegistryExperimental = options.RegistryExperimentalOptions{
+			RegistryReferrersMode: options.RegistryReferrersModeOCI11,
+		}
+	}
+	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+	mustErr(verify(pubKey, imgName, true, nil, "", false), t)
+	cmd := cliverify.VerifyCommand{
+		KeyRef:      pubKey,
+		CheckClaims: true,
+		RegistryOptions: options.RegistryOptions{
+			AllowInsecure: true,
+		},
+	}
+	if useOCI11 {
+		cmd.ExperimentalOCI11 = true
+	}
+	must(cmd.Exec(context.Background(), []string{imgName}), t)
+}
+
+func makeImageIndexWithInsecureRegistry(t *testing.T, n string) func() {
+	ref, err := name.ParseReference(n, name.WeakValidation)
+	if err != nil {
+		t.Fatal(err)
+	}
+	index, err := random.Index(512, 1, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+	regClientOpts := registryClientOpts(context.Background())
+	// Add TLS config to allow us to push the image to the insecure registry
+	insecureTransport := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	}
+	regClientOpts = append(regClientOpts, remote.WithTransport(insecureTransport))
+	if err := remote.WriteIndex(ref, index, regClientOpts...); err != nil {
+		t.Fatal(err)
+	}
+	remoteImage, err := remote.Get(ref, regClientOpts...)
+	if err != nil {
+		t.Fatal(err)
+	}
+	cleanup := func() {
+		_ = remote.Delete(ref, regClientOpts...)
+		ref, _ := ociremote.SignatureTag(ref.Context().Digest(remoteImage.Descriptor.Digest.String()), ociremote.WithRemoteOptions(regClientOpts...))
+		_ = remote.Delete(ref, regClientOpts...)
+	}
+	return cleanup
+}