Fail when verifying with insecure

If implemented we fails when trying to verify with insecure set. This will likely change once cosign add support for insecure registries. Signed-off-by: Soule BA <soule@weave.works>
fluxcd · Sep 29, 2022 · 6c590b6 · 6c590b6
1 parent a866866
commit 6c590b6
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 3 deletions.
diff --git a/controllers/ocirepository_controller.go b/controllers/ocirepository_controller.go
@@ -347,7 +347,7 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, obj *sour
 		return sreconcile.ResultEmpty, e
 	}
 
-	opts := r.makeOptions(ctx, obj, withTransport(transport), withKeychainOrAuth(keychain, auth))
+	opts := makeOptions(ctx, obj, withTransport(transport), withKeychainOrAuth(keychain, auth))
 
 	// Determine which artifact revision to pull
 	url, err := r.getArtifactURL(obj, opts.craneOpts)
@@ -399,6 +399,17 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, obj *sour
 	} else if !obj.GetArtifact().HasRevision(revision) ||
 		conditions.GetObservedGeneration(obj, sourcev1.SourceVerifiedCondition) != obj.Generation ||
 		conditions.IsFalse(obj, sourcev1.SourceVerifiedCondition) {
+
+		// Insecure is not supported for verification
+		if obj.Spec.Insecure {
+			e := serror.NewGeneric(
+				fmt.Errorf("cosign does not support insecure registries"),
+				sourcev1.VerificationError,
+			)
+			conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, e.Err.Error())
+			return sreconcile.ResultEmpty, e
+		}
+
 		err := r.verifySignature(ctx, obj, url, opts.verifyOpts...)
 		if err != nil {
 			provider := obj.Spec.Verify.Provider
@@ -1163,8 +1174,7 @@ func craneOptions(ctx context.Context, insecure bool) []crane.Option {
 	return options
 }
 
-
-func (r *OCIRepositoryReconciler) makeOptions(ctxTimeout context.Context, obj *sourcev1.OCIRepository, opts ...Option) remoteOptions {
+func makeOptions(ctxTimeout context.Context, obj *sourcev1.OCIRepository, opts ...Option) remoteOptions {
 	o := remoteOptions{
 		craneOpts:  craneOptions(ctxTimeout, obj.Spec.Insecure),
 		verifyOpts: []remote.Option{},

diff --git a/controllers/ocirepository_controller_test.go b/controllers/ocirepository_controller_test.go
@@ -1036,6 +1036,7 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignature(t *testing.T) {
 	tests := []struct {
 		name             string
 		reference        *sourcev1.OCIRepositoryRef
+		insecure         bool
 		digest           string
 		want             sreconcile.Result
 		wantErr          bool
@@ -1132,6 +1133,22 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignature(t *testing.T) {
 				*conditions.TrueCondition(sourcev1.SourceVerifiedCondition, "Verified", "verified"),
 			},
 		},
+		{
+			name: "insecure registries are not supported",
+			reference: &sourcev1.OCIRepositoryRef{
+				Tag: "6.1.4",
+			},
+			digest:     img4.digest.Hex,
+			shouldSign: true,
+			insecure:   true,
+			wantErr:    true,
+			want:       sreconcile.ResultEmpty,
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(meta.ReconcilingCondition, "NewRevision", "new revision '<digest>' for '<url>'"),
+				*conditions.TrueCondition(sourcev1.ArtifactOutdatedCondition, "NewRevision", "new revision '<digest>' for '<url>'"),
+				*conditions.FalseCondition(sourcev1.SourceVerifiedCondition, sourcev1.VerificationError, "cosign does not support insecure registries"),
+			},
+		},
 	}
 
 	builder := fakeclient.NewClientBuilder().WithScheme(testEnv.GetScheme())
@@ -1181,6 +1198,10 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignature(t *testing.T) {
 				},
 			}
 
+			if tt.insecure {
+				obj.Spec.Insecure = true
+			}
+
 			if !tt.keyless {
 				obj.Spec.Verify.SecretRef = &meta.LocalObjectReference{Name: "cosign-key"}
 			}