sigstore · naveensrinivasan · Jan 1, 2023 · Sep 25, 2023
@@ -20,10 +20,16 @@ package main
 import (
 	"bufio"
 	"bytes"
+	"context"
+	"crypto"
+	"crypto/ecdsa"
 	"crypto/sha256"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
+	"encoding/pem"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -36,6 +42,15 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
+	"github.com/in-toto/in-toto-golang/in_toto"
+	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	"github.com/sigstore/rekor/pkg/generated/models"
+	sigx509 "github.com/sigstore/rekor/pkg/pki/x509"
+	"github.com/sigstore/rekor/pkg/types"
+	"github.com/sigstore/sigstore/pkg/signature"
+
 	"github.com/sigstore/rekor/pkg/sharding"
 
 	"github.com/sigstore/rekor/pkg/util"
@@ -109,6 +124,7 @@ func TestMetricsCounts(t *testing.T) {
 		t.Error("rekor_qps_by_api did not increment")
 	}
 }
+
 func getRekorMetricCount(metricLine string, t *testing.T) (int, error) {
 	t.Helper()
 	re, err := regexp.Compile(fmt.Sprintf("^%s\\s*([0-9]+)$", regexp.QuoteMeta(metricLine)))
@@ -138,12 +154,14 @@ func getRekorMetricCount(metricLine string, t *testing.T) (int, error) {
 	}
 	return 0, nil
 }
+
 func TestEnvVariableValidation(t *testing.T) {
 	os.Setenv("REKOR_FORMAT", "bogus")
 	defer os.Unsetenv("REKOR_FORMAT")
 
 	util.RunCliErr(t, "loginfo")
 }
+
 func TestGetCLI(t *testing.T) {
 	// Create something and add it to the log
 	artifactPath := filepath.Join(t.TempDir(), "artifact")
@@ -211,6 +229,7 @@ func TestGetCLI(t *testing.T) {
 	}
 	out = util.RunCli(t, "get", "--format=json", "--uuid", entryID.ReturnEntryIDString())
 }
+
 func getTreeID(t *testing.T) int64 {
 	t.Helper()
 	out := util.RunCli(t, "loginfo")
@@ -222,9 +241,11 @@ func getTreeID(t *testing.T) int64 {
 	t.Log("Tree ID:", tid)
 	return tid
 }
+
 func TestSearchNoEntriesRC1(t *testing.T) {
 	util.RunCliErr(t, "search", "--email", "[email protected]")
 }
+
 func TestHostnameInSTH(t *testing.T) {
 	// get ID of container
 	rekorContainerID := strings.Trim(util.Run(t, "", "docker", "ps", "-q", "-f", "name=rekor-server"), "\n")
@@ -246,12 +267,14 @@ func TestHostnameInSTH(t *testing.T) {
 		t.Errorf("logInfo contains rekor.sigstore.dev which should not be set by default")
 	}
 }
+
 func rekorServer() string {
 	if s := os.Getenv("REKOR_SERVER"); s != "" {
 		return s
 	}
 	return "http://localhost:3000"
 }
+
 func TestSearchSHA512(t *testing.T) {
 	sha512 := "c7694a1112ea1404a3c5852bdda04c2cc224b3567ef6ceb8204dbf2b382daacfc6837ee2ed9d5b82c90b880a3c7289778dbd5a8c2c08193459bcf7bd44581ed0"
 	var out string
@@ -264,6 +287,7 @@ func TestSearchSHA512(t *testing.T) {
 	out = util.RunCli(t, "search", "--sha", fmt.Sprintf("sha512:%s", sha512))
 	util.OutputContains(t, out, uuid)
 }
+
 func TestVerifyNonExistentUUID(t *testing.T) {
 	// this uuid is extremely likely to not exist
 	out := util.RunCliErr(t, "verify", "--uuid", "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff")
@@ -292,6 +316,7 @@ func TestVerifyNonExistentUUID(t *testing.T) {
 		t.Fatalf("expected empty JSON array as response, got %s instead", string(c))
 	}
 }
+
 func TestSearchQueryLimit(t *testing.T) {
 	tests := []struct {
 		description string
@@ -332,6 +357,7 @@ func TestSearchQueryLimit(t *testing.T) {
 		})
 	}
 }
+
 func getBody(t *testing.T, limit int) []byte {
 	t.Helper()
 	s := fmt.Sprintf("{\"logIndexes\": [%d", limit)
@@ -341,6 +367,7 @@ func getBody(t *testing.T, limit int) []byte {
 	s += "]}"
 	return []byte(s)
 }
+
 func TestSearchQueryMalformedEntry(t *testing.T) {
 	wd, err := os.Getwd()
 	if err != nil {
@@ -362,6 +389,271 @@ func TestSearchQueryMalformedEntry(t *testing.T) {
 	}
 }
 
+func entryID(t *testing.T, uuid string) string {
+	t.Helper()
+	if sharding.ValidateEntryID(uuid) == nil {
+		return uuid
+	}
+	treeID, err := strconv.Atoi(os.Getenv("TREE_ID"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	tid := strconv.FormatInt(int64(treeID), 16)
+	ts, err := sharding.PadToTreeIDLen(tid)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return ts + uuid
+}
+
+func TestHarnessGetAllEntriesUUID(t *testing.T) {
+	if util.RekorCLIIncompatible() {
+		t.Skipf("Skipping getting entries by UUID, old rekor-cli version %s is incompatible with server version %s", os.Getenv("CLI_VERSION"), os.Getenv("SERVER_VERSION"))
+	}
+
+	treeSize := util.ActiveTreeSize(t)
+	if treeSize == 0 {
+		t.Fatal("There are 0 entries in the log, there should be at least 2")
+	}
+	_, entries := util.GetEntries(t)
+
+	for _, e := range entries {
+		outUUID := util.RunCli(t, "get", "--uuid", e.UUID, "--format", "json")
+		outEntryID := util.RunCli(t, "get", "--uuid", entryID(t, e.UUID), "--format", "json")
+
+		if outUUID != outEntryID {
+			t.Fatalf("Getting by uuid %s and entryID %s gave different outputs:\nuuid: %v\nentryID:%v\n", e.UUID, entryID(t, e.UUID), outUUID, outEntryID)
+		}
+
+		if !strings.Contains(outUUID, "IntotoObj") {
+			continue
+		}
+		var intotoObj struct {
+			Attestation string
+		}
+		if err := json.Unmarshal([]byte(outUUID), &intotoObj); err != nil {
+			t.Fatal(err)
+		}
+		if intotoObj.Attestation != e.Attestation {
+			t.Fatalf("attestations don't match, got %v expected %v", intotoObj.Attestation, e.Attestation)
+		}
+	}
+}
+
+// Make sure we can get and verify all entries
+// For attestations, make sure we can see the attestation
+// Older versions of the CLI may not be able to parse the retrieved entry.
+func TestHarnessGetAllEntriesLogIndex(t *testing.T) {
+	if util.RekorCLIIncompatible() {
+		t.Skipf("Skipping getting entries by UUID, old rekor-cli version %s is incompatible with server version %s", os.Getenv("CLI_VERSION"), os.Getenv("SERVER_VERSION"))
+	}
+
+	treeSize := util.ActiveTreeSize(t)
+	if treeSize == 0 {
+		t.Fatal("There are 0 entries in the log, there should be at least 2")
+	}
+	for i := 0; i < treeSize; i++ {
+		out := util.RunCli(t, "get", "--log-index", fmt.Sprintf("%d", i), "--format", "json")
+		if !strings.Contains(out, "IntotoObj") {
+			continue
+		}
+		var intotoObj struct {
+			Attestation string
+		}
+		if err := json.Unmarshal([]byte(out), &intotoObj); err != nil {
+			t.Fatal(err)
+		}
+		util.CompareAttestation(t, i, intotoObj.Attestation)
+		t.Log("IntotoObj matches stored attestation")
+	}
+}
+
+type StoredEntry struct {
+	Attestation string
+	UUID        string
+}
+
+// Make sure we can add an entry
+func TestHarnessAddEntry(t *testing.T) {
+	// Create a random artifact and sign it.
+	artifactPath := filepath.Join(t.TempDir(), "artifact")
+	sigPath := filepath.Join(t.TempDir(), "signature.asc")
+
+	sigx509.CreatedX509SignedArtifact(t, artifactPath, sigPath)
+	dataBytes, _ := ioutil.ReadFile(artifactPath)
+	h := sha256.Sum256(dataBytes)
+	dataSHA := hex.EncodeToString(h[:])
+
+	// Write the public key to a file
+	pubPath := filepath.Join(t.TempDir(), "pubKey.asc")
+	if err := ioutil.WriteFile(pubPath, []byte(sigx509.RSACert), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify should fail initially
+	util.RunCliErr(t, "verify", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
+
+	// It should upload successfully.
+	out := util.RunCli(t, "upload", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
+	util.OutputContains(t, out, "Created entry at")
+	uuid := util.GetUUIDFromUploadOutput(t, out)
+	logIndex := util.GetLogIndexFromUploadOutput(t, out)
+
+	if !util.RekorCLIIncompatible() {
+		// Now we should be able to verify it.
+		out = util.RunCli(t, "verify", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
+		util.OutputContains(t, out, "Inclusion Proof:")
+	}
+
+	saveEntry(t, logIndex, StoredEntry{UUID: uuid})
+}
+
+// Make sure we can add an intoto entry
+func TestHarnessAddIntoto(t *testing.T) {
+	td := t.TempDir()
+	attestationPath := filepath.Join(td, "attestation.json")
+	pubKeyPath := filepath.Join(td, "pub.pem")
+
+	// Get some random data so it's unique each run
+	d := util.RandomData(t, 10)
+	id := base64.StdEncoding.EncodeToString(d)
+
+	it := in_toto.ProvenanceStatement{
+		StatementHeader: in_toto.StatementHeader{
+			Type:          in_toto.StatementInTotoV01,
+			PredicateType: slsa.PredicateSLSAProvenance,
+			Subject: []in_toto.Subject{
+				{
+					Name: "foobar",
+					Digest: slsa.DigestSet{
+						"foo": "bar",
+					},
+				},
+			},
+		},
+		Predicate: slsa.ProvenancePredicate{
+			Builder: slsa.ProvenanceBuilder{
+				ID: "foo" + id,
+			},
+		},
+	}
+
+	b, err := json.Marshal(it)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pb, _ := pem.Decode([]byte(sigx509.ECDSAPriv))
+	priv, err := x509.ParsePKCS8PrivateKey(pb.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	s, err := signature.LoadECDSASigner(priv.(*ecdsa.PrivateKey), crypto.SHA256)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	signer, err := dsse.NewEnvelopeSigner(&sigx509.Verifier{
+		S: s,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	env, err := signer.SignPayload(context.Background(), "application/vnd.in-toto+json", b)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	eb, err := json.Marshal(env)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	util.Write(t, string(eb), attestationPath)
+	util.Write(t, sigx509.ECDSAPub, pubKeyPath)
+
+	// If we do it twice, it should already exist
+	out := util.RunCliStdout(t, "upload", "--artifact", attestationPath, "--type", "intoto", "--public-key", pubKeyPath)
+	util.OutputContains(t, out, "Created entry at")
+	uuid := util.GetUUIDFromUploadOutput(t, out)
+	logIndex := util.GetLogIndexFromUploadOutput(t, out)
+
+	out = util.RunCli(t, "get", "--log-index", fmt.Sprintf("%d", logIndex), "--format=json")
+	g := util.GetOut{}
+	if err := json.Unmarshal([]byte(out), &g); err != nil {
+		t.Fatal(err)
+	}
+	// The attestation should be stored at /var/run/attestations/sha256:digest
+
+	got := in_toto.ProvenanceStatement{}
+	if err := json.Unmarshal([]byte(g.Attestation), &got); err != nil {
+		t.Fatal(err)
+	}
+	if diff := cmp.Diff(it, got); diff != "" {
+		t.Errorf("diff: %s", diff)
+	}
+
+	attHash := sha256.Sum256(b)
+
+	intotoModel := &models.IntotoV002Schema{}
+	if err := types.DecodeEntry(g.Body.(map[string]interface{})["IntotoObj"], intotoModel); err != nil {
+		t.Errorf("could not convert body into intoto type: %v", err)
+	}
+	if intotoModel.Content == nil || intotoModel.Content.PayloadHash == nil {
+		t.Errorf("could not find hash over attestation %v", intotoModel)
+	}
+	recordedPayloadHash, err := hex.DecodeString(*intotoModel.Content.PayloadHash.Value)
+	if err != nil {
+		t.Errorf("error converting attestation hash to []byte: %v", err)
+	}
+
+	if !bytes.Equal(attHash[:], recordedPayloadHash) {
+		t.Fatal(fmt.Errorf("attestation hash %v doesnt match the payload we sent %v", hex.EncodeToString(attHash[:]),
+			*intotoModel.Content.PayloadHash.Value))
+	}
+
+	out = util.RunCli(t, "upload", "--artifact", attestationPath, "--type", "intoto", "--public-key", pubKeyPath)
+	util.OutputContains(t, out, "Entry already exists")
+	saveEntry(t, logIndex, StoredEntry{Attestation: g.Attestation, UUID: uuid})
+}
+
+func getEntries(t *testing.T) (string, map[int]StoredEntry) {
+	tmpDir := os.Getenv("REKOR_HARNESS_TMPDIR")
+	if tmpDir == "" {
+		t.Skip("Skipping test, REKOR_HARNESS_TMPDIR is not set")
+	}
+	file := filepath.Join(tmpDir, "attestations")
+
+	t.Log("Reading", file)
+	attestations := map[int]StoredEntry{}
+	contents, err := os.ReadFile(file)
+	if errors.Is(err, os.ErrNotExist) || contents == nil {
+		return file, attestations
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := json.Unmarshal(contents, &attestations); err != nil {
+		t.Fatal(err)
+	}
+	return file, attestations
+}
+
+func saveEntry(t *testing.T, logIndex int, entry StoredEntry) {
+	file, attestations := getEntries(t)
+	t.Logf("Storing entry for logIndex %d", logIndex)
+	attestations[logIndex] = entry
+	contents, err := json.Marshal(attestations)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(file, contents, 0777); err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestHTTPMaxRequestBodySize(t *testing.T) {
 	// default value is 32Mb so let's try to propose something bigger
 	pipeR, pipeW := io.Pipe()