Add Referrers API testcase (#18775)

Fix #18617

Signed-off-by: Yang Jiao <jiaoya@vmware.com>
This commit is contained in:
Yang Jiao 2023-06-01 16:34:40 +08:00 committed by GitHub
parent a98711c0fc
commit 97c1fdcd8e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 190 additions and 0 deletions

View File

@ -1,10 +1,21 @@
# -*- coding: utf-8 -*-
import base
import os
def generate_key_pair():
config_key_file = "cosign.key"
config_pub_file = "cosign.pub"
if os.path.exists(config_key_file) and os.path.exists(config_pub_file):
os.remove(config_key_file)
os.remove(config_pub_file)
command = ["cosign", "generate-key-pair"]
base.run_command(command)
def sign_artifact(artifact):
command = ["cosign", "sign", "-y", "--allow-insecure-registry", "--key", "cosign.key", artifact]
base.run_command(command)
def push_artifact_sbom(artifact, sbom_path, type="spdx"):
command = ["cosign", "attach", "sbom", "--allow-insecure-registry", "--registry-referrers-mode", "oci-1-1",
"--type", type, "--sbom", sbom_path, artifact]
base.run_command(command)

View File

@ -0,0 +1,12 @@
# -*- coding: utf-8 -*-
import requests
def call(server, project_name, repo_name, digest, artifactType=None, **kwargs):
url=None
auth = (kwargs.get("username"), kwargs.get("password"))
if artifactType:
artifactType = artifactType.replace("+", "%2B")
url="https://{}/v2/{}/{}/referrers/{}?artifactType={}".format(server, project_name, repo_name, digest, artifactType)
else:
url="https://{}/v2/{}/{}/referrers/{}".format(server, project_name, repo_name, digest)
return requests.get(url, auth=auth, verify=False)

View File

@ -0,0 +1,117 @@
# -*- coding: utf-8 -*-
from __future__ import absolute_import
import unittest
from testutils import harbor_server, files_directory, ADMIN_CLIENT, suppress_urllib3_warning
from library import cosign, referrers_api
from library.project import Project
from library.user import User
from library.artifact import Artifact
from library.repository import push_self_build_image_to_project
from library import docker_api
class TestReferrersApi(unittest.TestCase):
@suppress_urllib3_warning
def setUp(self):
self.project= Project()
self.user= User()
self.artifact = Artifact()
self.image = "artifact_test"
self.tag = "dev"
self.sbom_path = files_directory + "sbom_test.json"
self.sbom_artifact_type = "application/vnd.dev.cosign.artifact.sbom.v1+json"
self.signature_artifact_type = "application/vnd.oci.image.config.v1+json"
def testReferrersApi(self):
"""
Test case:
Referrers Api
Test step and expected result:
1. Create a new user(UA);
2. Create a new project(PA) by user(UA);
3. Push a new image(IA) in project(PA) by user(UA);
4. Push image(IA) SBOM to project(PA) by user(UA);
5. Sign image(IA) with cosign;
6. Sign image(IA) SBOM with cosign;
7. Call the referrers api successfully;
8. Call the referrers api and filter artifact_type;
Tear down:
1. Delete project(PA);
2. Delete user(UA).
"""
url = ADMIN_CLIENT["endpoint"]
user_password = "Aa123456"
# 1. Create user(UA)
_, user_name = self.user.create_user(user_password = user_password, **ADMIN_CLIENT)
user_client = dict(endpoint = url, username = user_name, password = user_password, with_accessory = True)
# 2. Create private project(PA) by user(UA)
_, project_name = self.project.create_project(metadata = {"public": "false"}, **user_client)
# 3. Push a new image(IA) in project(PA) by user(UA)
push_self_build_image_to_project(project_name, harbor_server, user_name, user_password, self.image, self.tag)
# 4. Push image(IA) SBOM to project(PA) by user(UA)
docker_api.docker_login_cmd(harbor_server, user_name, user_password, enable_manifest = False)
cosign.push_artifact_sbom("{}/{}/{}:{}".format(harbor_server, project_name, self.image, self.tag), self.sbom_path)
artifact_info = self.artifact.get_reference_info(project_name, self.image, self.tag, **user_client)
artifact_digest = artifact_info.digest
sbom_digest = artifact_info.accessories[0].digest
# 5. Sign image(IA) with cosign
cosign.generate_key_pair()
cosign.sign_artifact("{}/{}/{}:{}".format(harbor_server, project_name, self.image, self.tag))
artifact_info = self.artifact.get_reference_info(project_name, self.image, self.tag, **user_client)
self.assertEqual(len(artifact_info.accessories), 2)
signature_digest = None
for accessory in artifact_info.accessories:
if accessory.digest != sbom_digest:
signature_digest = accessory.digest
break
# 6. Sign image(IA) SBOM cosign
cosign.sign_artifact("{}/{}/{}@{}".format(harbor_server, project_name, self.image, sbom_digest))
# 7. Call the referrers api successfully
res_json = referrers_api.call(harbor_server, project_name, self.image, artifact_digest, **user_client).json()
self.assertEqual(len(res_json["manifests"]), 2)
for manifest in res_json["manifests"]:
self.assertIn(manifest["digest"], [signature_digest, sbom_digest])
self.assertIn(manifest["artifactType"], [self.signature_artifact_type, self.sbom_artifact_type])
self.assertIsNotNone(manifest["mediaType"])
self.assertIsNotNone(manifest["size"])
res_json = referrers_api.call(harbor_server, project_name, self.image, sbom_digest, **user_client).json()
self.assertEqual(len(res_json["manifests"]), 1)
manifest = res_json["manifests"][0]
self.assertIsNotNone(manifest["digest"])
self.assertIsNotNone(manifest["artifactType"], [self.signature_artifact_type, self.sbom_artifact_type])
self.assertIsNotNone(manifest["mediaType"])
self.assertIsNotNone(manifest["size"])
# 8. Call the referrers api and filter artifact_type
res = referrers_api.call(harbor_server, project_name, self.image, artifact_digest, self.sbom_artifact_type, **user_client)
self.assertEqual(res.headers["Oci-Filters-Applied"], "artifactType")
res_json = res.json()
self.assertEqual(len(res_json["manifests"]), 1)
manifest = res_json["manifests"][0]
self.assertEqual(manifest["digest"], sbom_digest)
self.assertIn(manifest["artifactType"], self.sbom_artifact_type)
self.assertIsNotNone(manifest["mediaType"])
self.assertIsNotNone(manifest["size"])
res = referrers_api.call(harbor_server, project_name, self.image, artifact_digest, self.signature_artifact_type, **user_client)
self.assertEqual(res.headers["Oci-Filters-Applied"], "artifactType")
res_json = res.json()
self.assertEqual(len(res_json["manifests"]), 1)
manifest = res_json["manifests"][0]
self.assertEqual(manifest["digest"], signature_digest)
self.assertIn(manifest["artifactType"], self.signature_artifact_type)
self.assertIsNotNone(manifest["mediaType"])
self.assertIsNotNone(manifest["size"])
if __name__ == '__main__':
unittest.main()

View File

@ -0,0 +1,46 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": {
"created": "2023-05-31T07:43:35.672590648Z",
"creators": [
"Tool: trivy",
"Organization: aquasecurity"
]
},
"dataLicense": "CC0-1.0",
"documentDescribes": [
"SPDXRef-ContainerImage-8e8b2798af13ee89"
],
"documentNamespace": "http://aquasecurity.github.io/trivy/container_image/artifact_test:dev-9648faf4-428e-46ad-a9e6-1d3f84c6f297",
"name": "artifact_test:dev",
"packages": [
{
"SPDXID": "SPDXRef-ContainerImage-8e8b2798af13ee89",
"attributionTexts": [
"SchemaVersion: 2",
"ImageID: sha256:9517d37fc3457e070719ed8dead2a9134dd9d5126dd6ef55d15685337c3dc711",
"RepoDigest: 10.202.250.222/test02/test@sha256:0feefb1b81993c1299a7f75a2c86d7cfed4b25859037657377d563d955e8e20f",
"DiffID: sha256:6b245f040973e14e29f371ff2b4059c84ab2de8b7b9a04bc21fd4a7b0a72c446",
"DiffID: sha256:6491a698ac806b35795f23098e169f50b2b6f179900b5625e5677cb1df2651ca",
"RepoTag: artifact_test:dev"
],
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceLocator": "pkg:oci/test@sha256:0feefb1b81993c1299a7f75a2c86d7cfed4b25859037657377d563d955e8e20f?repository_url=10.202.250.222%2Ftest02%2Ftest\u0026arch=amd64",
"referenceType": "purl"
}
],
"filesAnalyzed": false,
"name": "artifact_test:dev"
}
],
"relationships": [
{
"relatedSpdxElement": "SPDXRef-ContainerImage-8e8b2798af13ee89",
"relationshipType": "DESCRIBE",
"spdxElementId": "SPDXRef-DOCUMENT"
}
],
"spdxVersion": "SPDX-2.2"
}

View File

@ -182,3 +182,7 @@ Test Case - Job Service Dashboard
Test Case - Retain Image Last Pull Time
[Tags] retain_image_last_pull_time
Harbor API Test ./tests/apitests/python/test_retain_image_last_pull_time.py
Test Case - Referrers API
[Tags] referrers
Harbor API Test ./tests/apitests/python/test_referrers_api.py