From 1af6118ce187141cafcd4d265038e2b99357c546 Mon Sep 17 00:00:00 2001 From: Ramkumar Chinchani Date: Wed, 20 Sep 2023 20:15:06 +0000 Subject: [PATCH] ci: add a OCI registry test for referrers support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit zot is a strongly OCI conformant registry with referrers support. --- Note the new --registry-referrers-mode flag which must be set to “oci-1-1”. References: [1] https://www.chainguard.dev/unchained/building-towards-oci-v1-1-support-in-cosign [2] https://zotregistry.io Signed-off-by: Ramkumar Chinchani --- .../workflows/kind-e2e-insecure-registry.yaml | 50 +++++++++++++++++++ test/e2e_test_insecure_oci_registry.sh | 50 +++++++++++++++++++ 2 files changed, 100 insertions(+) create mode 100755 test/e2e_test_insecure_oci_registry.sh diff --git a/.github/workflows/kind-e2e-insecure-registry.yaml b/.github/workflows/kind-e2e-insecure-registry.yaml index 63bdeaf39c54..f2c87542a5f3 100644 --- a/.github/workflows/kind-e2e-insecure-registry.yaml +++ b/.github/workflows/kind-e2e-insecure-registry.yaml @@ -41,6 +41,8 @@ jobs: REGISTRY_PORT: 5000 INSECURE_REGISTRY_NAME: insecure-registry.notlocal INSECURE_REGISTRY_PORT: 5001 + INSECURE_OCI_REGISTRY_NAME: insecure-oci-registry.notlocal + INSECURE_OCI_REGISTRY_PORT: 5002 KO_DOCKER_REPO: registry.local:5000/policy-controller steps: 
@@ -100,6 +102,54 @@ jobs: go install github.com/google/go-containerregistry/cmd/crane ./test/e2e_test_insecure_registry.sh + - name: Setup local insecure OCI registry + run: | + # Create a self-signed SSL cert + mkdir -p insecure-certs + openssl req \ + -subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/emailAddress=testing@example.com" \ + -newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \ + -x509 -days 365 -out insecure-certs/domain.crt + cat > config.json << EOF + { + "distSpecVersion": "1.1.0-dev", + "storage": { + "rootDirectory": "/tmp/zot" + }, + "http": { + "address": "0.0.0.0", + "port": "5000", + "realm": "zot", + "tls": { + "cert": "/insecure-certs/domain.crt", + "key": "/insecure-certs/domain.key" + } + }, + "log": { + "level": "debug" + } + } + EOF + # Run a registry. + docker run -d --restart=always \ + --name $INSECURE_OCI_REGISTRY_NAME \ + -v "$(pwd)"/insecure-certs:/insecure-certs \ + -v "$(pwd)"/config.json:/etc/zot/config.json \ + -p $INSECURE_OCI_REGISTRY_PORT:$REGISTRY_PORT \ + ghcr.io/project-zot/zot-minimal-linux-amd64:$ZOT_VERSION + # Connect the registry to the KinD network. + docker network connect "kind" $INSECURE_OCI_REGISTRY_NAME + # Make the $INSECURE_REGISTRY_NAME -> 127.0.0.1, to tell `ko` to publish to + # local registry, even when pushing $INSECURE_REGISTRY_NAME:$INSECURE_REGISTRY_NAME/some/image + sudo echo "127.0.0.1 $INSECURE_OCI_REGISTRY_NAME" | sudo tee -a /etc/hosts + env: + ZOT_VERSION: v2.0.0-rc6 + + - name: Run Insecure OCI Registry Tests + run: | + go install github.com/google/go-containerregistry/cmd/crane + ./test/e2e_test_insecure_oci_registry.sh + - name: Collect diagnostics if: ${{ failure() }} uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main diff --git a/test/e2e_test_insecure_oci_registry.sh b/test/e2e_test_insecure_oci_registry.sh new file mode 100755 index 000000000000..02ec28185854 --- /dev/null 
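Review bot: The comment above the /etc/hosts edit still talks about `$INSECURE_REGISTRY_NAME`, the other registry's variable, while the line it documents writes `$INSECURE_OCI_REGISTRY_NAME`; it should read `# Make $INSECURE_OCI_REGISTRY_NAME -> 127.0.0.1 so pushes to $INSECURE_OCI_REGISTRY_NAME:$INSECURE_OCI_REGISTRY_PORT/some/image reach the local container`. On that same line `sudo echo` adds nothing because only `tee` needs the privilege, so `echo "127.0.0.1 $INSECURE_OCI_REGISTRY_NAME" | sudo tee -a /etc/hosts` is sufficient. The mapping `-p $INSECURE_OCI_REGISTRY_PORT:$REGISTRY_PORT` borrows the Docker registry's variable for the container-side port while the zot config.json hard-codes `"port": "5000"`, so the two can silently diverge if REGISTRY_PORT is ever changed; `-p "$INSECURE_OCI_REGISTRY_PORT:5000"` (or a dedicated variable used in both places) keeps them in step. The zot image is pinned only by tag via `ZOT_VERSION`, so the registry this job trusts can change underneath it, whereas the `kind-diag` action below is already pinned by commit; pinning `ghcr.io/project-zot/zot-minimal-linux-amd64` by `@sha256:` digest would make the run reproducible. The `steps:` list this hunk extends begins outside the hunk.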
+++ b/test/e2e_test_insecure_oci_registry.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+#
+# Copyright 2023 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+go build -o cosign ./cmd/cosign
+tmp=$(mktemp -d)
+cp cosign $tmp/
+
+INSECURE_REGISTRY_NAME=${INSECURE_OCI_REGISTRY_NAME:-insecure-oci-registry.notlocal}
+INSECURE_REGISTRY_PORT=${INSECURE_OCI_REGISTRY_PORT:-5002}
+
+pushd $tmp
+
+pass="$RANDOM"
+export COSIGN_PASSWORD=$pass
+export COSIGN_YES="true"
+export COSIGN_EXPERIMENTAL=1
+
+./cosign generate-key-pair
+signing_key=cosign.key
+verification_key=cosign.pub
+
+img="${INSECURE_REGISTRY_NAME}:${INSECURE_REGISTRY_PORT}/test"
+(crane delete $(./cosign triangulate $img)) || true
+crane cp ghcr.io/distroless/static $img --insecure
+
+# Operations with insecure registries should fail by default, then succeed
+# with `--allow-insecure-registry`
+if (./cosign sign --key ${signing_key} $img); then false; fi
+./cosign sign --allow-insecure-registry --registry-referrers-mode=oci-1-1 --key ${signing_key} $img
+if (./cosign verify --key ${verification_key} $img); then false; fi
+./cosign verify --allow-insecure-registry --experimental-oci11=true --key ${verification_key} $img
+
+echo "SUCCESS"
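Review bot: The directory created by `tmp=$(mktemp -d)` is never removed, so the generated `cosign.key` and the copied binary stay on the runner after the script exits, on success and on failure alike; add `trap 'rm -rf -- "${tmp:?}"' EXIT` directly after the mktemp line. `cp cosign $tmp/` and `pushd $tmp` expand the path unquoted even though the script quotes `$img`'s components with `${...}` elsewhere, so `cp cosign "$tmp/"` and `pushd "$tmp"` would be both safer and consistent. The cleanup `(crane delete $(./cosign triangulate $img)) || true` runs without `--insecure` or `--allow-insecure-registry` against a registry that the workflow fronts with a self-signed certificate, so it is likely to fail on TLS and be swallowed rather than delete anything; either pass the insecure flags there too or drop the line, since the workflow creates the registry fresh.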