diff --git a/Dockerfile b/Dockerfile
index f8409ace..cb1ac5f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,8 @@ FROM docker.io/snyk/snyk:linux@sha256:c7f21c3d71f64d592e427e78d5043375c9b93e304f70fdbbd8ca7306cbb0ba1f as snyk
 FROM quay.io/enterprise-contract/ec-cli:snapshot@sha256:141a7cd25ce0d098b1e40fd75d6f75873f8709c5f96f6340993b269c56e3f387 AS ec-cli
 FROM gcr.io/projectsigstore/cosign:v1.13.6@sha256:366bf5a7e882e9748e2b05f620258f8eab89ef4e3597001279291a88486c4fdf as cosign-bin
+#FROM quay.io/konflux-ci/oras:latest as oras
+FROM quay.io/redhat-user-workloads/ralphjbean-tenant/oras/oras:f281406da00d033e9f99a4d2010a66b69257972e as oras
 FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3-1612
 # Note that the version of OPA used by pr-checks must be updated manually to reflect conftest updates
@@ -50,6 +52,7 @@ COPY --from=ec-cli /usr/bin/ec /usr/local/bin/ec
 COPY --from=cosign-bin /ko-app/cosign /usr/local/bin/cosign
+COPY --from=oras /usr/bin/oras /usr/local/bin/oras
 COPY policies $POLICY_PATH
 COPY test/conftest.sh $POLICY_PATH
diff --git a/test/utils.sh b/test/utils.sh
index f80fec12..ef11b436 100644
--- a/test/utils.sh
+++ b/test/utils.sh
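Review bot: The new `oras` stage in the first Dockerfile hunk is referenced by tag only, while the snyk, ec-cli and cosign stages next to it are all pinned with `@sha256:`. A tag can be re-pointed, so the binary that the second hunk copies to `/usr/local/bin/oras` is neither reproducible nor tamper-evident. The image is also pulled from `quay.io/redhat-user-workloads/ralphjbean-tenant/oras/oras`, which looks like a personal tenant namespace rather than the commented-out `quay.io/konflux-ci/oras`. I would pin the stage as `FROM <oras-image>@sha256:<digest> as oras` and replace the commented `#FROM … :latest` line with a short comment saying when the org-owned image is expected to take over.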
@@ -148,13 +148,60 @@ parse_test_output() {
 then
 echo "Task $TEST_NAME failed because of the following issues:"
 jq '.[].failures // []|map(.metadata.details.name) | unique' "$TEST_RESULT_FILE"
- fi
+ fi
 else
 echo "Unsupported TEST_RESULT_FORMAT $TEST_RESULT_FORMAT"
 exit 1
 fi
 }
+# Push a file to quay registry
+upload_file() {
+ # The artifact to which the file pertains
+ OCI_SUBJECT=$1
+ # The type of the file
+ MEDIA_TYPE=$2
+ # The suffix of the tag to push
+ SUFFIX=$3
+ # The file to upload
+ UPLOAD_FILE=$4
+
+ if [ -z "$OCI_SUBJECT" ]; then
+ echo "Missing parameter OCI_SUBJECT" >&2
+ exit 2
+ fi
+ if [ -z "$MEDIA_TYPE" ]; then
+ echo "Missing parameter MEDIA_TYPE" >&2
+ exit 2
+ fi
+ if [ -z "$SUFFIX" ]; then
+ echo "Missing parameter SUFFIX" >&2
+ exit 2
+ fi
+ if [ -z "$UPLOAD_FILE" ]; then
+ echo "Missing parameter UPLOAD_FILE" >&2
+ exit 2
+ fi
+
+ if [ ! -f "$UPLOAD_FILE" ]; then
+ echo "File ${UPLOAD_FILE} doesn't exist" >&2
+ exit 2
+ fi
+
+ if ! raw_inspect_output=$(skopeo inspect --no-tags docker://"${OCI_SUBJECT}"); then
+ echo "Failed to inspect ${OCI_SUBJECT}" >&2
+ exit 2
+ fi
+ if ! DIGEST=$(echo "${raw_inspect_output}" | jq -r .Digest | sed 's/:/-/'); then
+ echo "Failed to identify digest of ${OCI_SUBJECT}"
+ exit 2
+ fi
+
+ REPO=$(echo "$OCI_SUBJECT" | awk -F ':' '{ print $1 }' | awk -F '@' '{ print $1 }')
+
+ oras push --no-tty "${REPO}:${DIGEST}.${SUFFIX}" "${UPLOAD_FILE}:${MEDIA_TYPE}"
+}
+
 # The function will be used by the tekton tasks of build-definitions
 # It need tekton result path as parameter when generating TEST_OUTPUT task result is needed
 handle_error()
diff --git a/unittests_bash/test_utils.bats b/unittests_bash/test_utils.bats
index e4fcb53b..ea1d5052 100644
--- a/unittests_bash/test_utils.bats
+++ b/unittests_bash/test_utils.bats
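Review bot: The digest check in `upload_file` cannot fail as written, because the `if !` around `DIGEST=$(… | jq -r .Digest | sed 's/:/-/')` sees only the exit status of `sed`. A missing or null `.Digest` therefore becomes the literal string `null` and the file is pushed to `${REPO}:null.${SUFFIX}`; the error message in that branch also lacks the `>&2` its siblings have. The `REPO` line splits on the first `:`, so a reference whose registry carries a port would be cut down to the host name (whether callers pass such references is not visible in this hunk). The fence makes `jq -e` the command whose status is tested and strips the tag only when it follows the last `/`. Separately, none of the function's variables is declared `local`, so `DIGEST`, `REPO` and the four parameters leak into the caller's shell.

```shell
  # … unchanged: parameter checks, file check and skopeo inspect …
  # jq -e exits non-zero when .Digest is null or absent, and jq is now the
  # last command in the pipeline, so the `if !` really tests it.
  if ! DIGEST=$(echo "${raw_inspect_output}" | jq -er '.Digest'); then
    echo "Failed to identify digest of ${OCI_SUBJECT}" >&2
    exit 2
  fi
  DIGEST=$(echo "${DIGEST}" | sed 's/:/-/')

  # Drop an @digest suffix first, then a :tag only when it follows the last
  # '/', so that a registry port (host:port/repo) is kept.
  REPO=${OCI_SUBJECT%%@*}
  case "${REPO##*/}" in
    *:*) REPO=${REPO%:*} ;;
  esac
  # … unchanged: oras push …
```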
@@ -31,6 +31,15 @@ setup() {
 fi
 }
+ oras() {
+ if [[ $1 == "push" && $2 == "--no-tty" && $3 == "valid-image-manifest-url:sha256-826def60fd1aa34f5090c9db60016773d91ecc324304d0ac3b01d.sarif" && $4 == "unittests_bash/data/sarif_successes.json:application/sarif+json" ]]; then
+ echo 'Pushed [registry] valid-image-manifest-url:sha256-826def60fd1aa34f5090c9db60016773d91ecc324304d0ac3b01d.sarif'
+ echo 'Digest: sha256:826def60fd1aa34f5090c9db60016773d91ecc324304d0ac3b01d'
+ else
+ echo 'Unrecognized call to mock oras'
+ return 1
+ fi
+ }
 }
 @test "Result: missing result" {
@@ -113,6 +122,14 @@ setup() {
 test_json_eq "${EXPECTED_JSON}" "${TEST_OUTPUT}"
 }
+@test "ORAS upload: sarif file" {
+ TEST_OUTPUT=$(upload_file valid-image-manifest-url application/sarif+json sarif unittests_bash/data/sarif_successes.json)
+ EXPECTED_OUTPUT='Pushed [registry] valid-image-manifest-url:sha256-826def60fd1aa34f5090c9db60016773d91ecc324304d0ac3b01d.sarif
+Digest: sha256:826def60fd1aa34f5090c9db60016773d91ecc324304d0ac3b01d'
+ /usr/bin/diff -u <(echo "$TEST_OUTPUT") <(echo "$EXPECTED_OUTPUT")
+ [[ "${EXPECTED_OUTPUT}" = "${TEST_OUTPUT}" ]]
+}
+
 @test "Get Image Index Manifests: missing IMAGE_URL" {
 run get_image_manifests
 [ "$status" -eq 2 ]
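Review bot: The new `ORAS upload: sarif file` test in the second hunk covers only the success path, so none of the `exit 2` branches of `upload_file` (empty argument, missing file, failed inspect) is exercised. The neighbouring `Get Image Index Manifests: missing IMAGE_URL` test already uses `run` with a status check, and the same shape fits here: `run upload_file valid-image-manifest-url application/sarif+json sarif /nonexistent` followed by `[ "$status" -eq 2 ]`. The digest used by the `oras` mock in the first hunk is shorter than a real sha256 value, which would mask any later format check on the digest. The test also calls `/usr/bin/diff` by absolute path, where plain `diff` would be more portable; the enclosing `setup()` starts outside the first hunk.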