Merge pull request #461 from vaikas/test-rekor-upload

If TLog.url is specified, use it if trustroot does not have one + test.
sigstore · Dec 21, 2022 · e0d304b · e0d304b
2 parents 77e766f + 70e386b
commit e0d304b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/pkg/webhook/validator.go b/pkg/webhook/validator.go
@@ -1396,6 +1396,10 @@ func rekorClientAndKeysFromAuthority(ctx context.Context, tlog *v1alpha1.TLog) (
 		if err != nil {
 			return nil, nil, fmt.Errorf("fetching keys for trustRootRef: %w", err)
 		}
+		if rekorURL == "" && tlog.URL != nil {
+			// Pull this from the tlog entry in this case.
+			rekorURL = tlog.URL.String()
+		}
 		rekorClient, err := rekor.GetRekorClient(rekorURL)
 		if err != nil {
 			logging.FromContext(ctx).Errorf("failed creating rekor client: %v", err)

diff --git a/test/e2e_test_cluster_image_policy_with_repository.sh b/test/e2e_test_cluster_image_policy_with_repository.sh
@@ -130,9 +130,22 @@ expected_error='no matching attestations'
 assert_error ${expected_error}
 echo '::endgroup::'
 
-# Create attestation and it should pass.
-echo '::group:: Create one keyless attestation and verify it'
+# Create an attestation but do not add it to Rekor and since our attestation
+# specifies Rekor, this should still fail
+echo '::group:: Create one keyless attestation and verify it, but no tlog upload'
 echo -n 'foobar e2e test' > ./predicate-file-custom
+COSIGN_EXPERIMENTAL=1 cosign attest --predicate ./predicate-file-custom --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${demoimage} --no-tlog-upload --identity-token `curl $ISSUER_URL`
+COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type=custom --rekor-url= --allow-insecure-registry ${demoimage}
+echo '::endgroup::'
+
+# This image has an attestation, but was not added to TLog
+echo '::group:: test job rejection'
+expected_error='No leaf found for hash'
+assert_error ${expected_error}
+echo '::endgroup::'
+
+# Create attestation and upload to tlog and it should now pass.
+echo '::group:: Create one keyless attestation and verify it'
 COSIGN_EXPERIMENTAL=1 cosign attest --predicate ./predicate-file-custom --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --force ${demoimage} --identity-token ${OIDC_TOKEN}
 
 COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type=custom --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage}