Merge pull request #16247 from YangJiao0817/add-cosign-api-testcase

Add cosign Artifact API test case
This commit is contained in:
Yang Jiao 2022-01-20 16:01:20 +08:00 committed by GitHub
commit 9afe596403
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 133 additions and 3 deletions

View File

@ -16,7 +16,10 @@ class Artifact(base.Base, object):
super(Artifact,self).__init__(api_type = "artifact")
def list_artifacts(self, project_name, repo_name, **kwargs):
return self._get_client(**kwargs).list_artifacts(project_name, repo_name)
params = {}
if "with_accessory" in kwargs:
params["with_accessory"] = kwargs["with_accessory"]
return self._get_client(**kwargs).list_artifacts(project_name, repo_name, **params)
def get_reference_info(self, project_name, repo_name, reference, expect_status_code = 200, ignore_not_found = False,**kwargs):
params = {}
@ -29,6 +32,8 @@ class Artifact(base.Base, object):
params["x_accept_vulnerabilities"] = ",".join(report_mime_types)
if "with_immutable_status" in kwargs:
params["with_immutable_status"] = kwargs["with_immutable_status"]
if "with_accessory" in kwargs:
params["with_accessory"] = kwargs["with_accessory"]
try:
data, status_code, _ = self._get_client(**kwargs).get_artifact_with_http_info(project_name, repo_name, reference, **params)
@ -104,6 +109,9 @@ class Artifact(base.Base, object):
base._assert_status_code(expect_status_code, status_code)
base._assert_status_code(200, status_code)
def list_accessories(self, project_name, repo_name, reference, **kwargs):
return self._get_client(**kwargs).list_accessories(project_name, repo_name, reference)
def check_image_scan_result(self, project_name, repo_name, reference, expected_scan_status = "Success", **kwargs):
timeout_count = 30
scan_status=""

View File

@ -0,0 +1,10 @@
# -*- coding: utf-8 -*-
import base
def generate_key_pair():
command = ["cosign", "generate-key-pair"]
base.run_command(command)
def sign_artifact(artifact):
command = ["cosign", "sign", "--allow-insecure-registry", "--key", "cosign.key", artifact]
base.run_command(command)

View File

@ -0,0 +1,107 @@
# -*- coding: utf-8 -*-
from __future__ import absolute_import
import unittest
from testutils import harbor_server, suppress_urllib3_warning
from library import cosign
from testutils import ADMIN_CLIENT
from testutils import TEARDOWN
from library.project import Project
from library.user import User
from library.repository import Repository
from library.repository import push_self_build_image_to_project
from library import docker_api
from library.artifact import Artifact
class TestCosign(unittest.TestCase):
@suppress_urllib3_warning
def setUp(self):
self.project= Project()
self.user= User()
self.artifact = Artifact()
self.repo = Repository()
self.image = "alpine"
self.tag = "latest"
self.expect_accessory_type = "signature.cosign"
@unittest.skipIf(TEARDOWN == False, "Test data won't be erased.")
def tearDown(self):
#1. Delete repository by user(UA);
self.repo.delete_repository(TestCosign.project_name, self.image, **TestCosign.user_client)
#2. Delete project(PA);
self.project.delete_project(TestCosign.project_id, **TestCosign.user_client)
#3. Delete user(UA).
self.user.delete_user(TestCosign.user_id, **ADMIN_CLIENT)
def testCosignArtifact(self):
"""
Test case:
Cosign Artifact API
Test step and expected result:
1. Create a new user(UA);
2. Create a new project(PA) by user(UA);
3. Push a new image(IA) in project(PA) by user(UA);
4. Verify that the image (IA) is not signed by cosign;
5. Sign image(IA) with cosign;
6. Verify that the image (IA) is signed by cosign;
Tear down:
1. Delete project(PA);
2. Delete user(UA).
"""
url = ADMIN_CLIENT["endpoint"]
user_password = "Aa123456"
# 1. Create user(UA)
TestCosign.user_id, user_name = self.user.create_user(user_password = user_password, **ADMIN_CLIENT)
TestCosign.user_client = dict(endpoint = url, username = user_name, password = user_password, with_accessory = True)
# 2.1. Create private project(PA) by user(UA)
TestCosign.project_id, TestCosign.project_name = self.project.create_project(metadata = {"public": "false"}, **TestCosign.user_client)
# 2.2. Get private project of uesr-001, uesr-001 can see only one private project which is project-001
self.project.projects_should_exist(dict(public=False), expected_count = 1, expected_project_id = TestCosign.project_id, **TestCosign.user_client)
# 3. Push a new image(IA) in project(PA) by user(UA)
TestCosign.repo_name, tag = push_self_build_image_to_project(TestCosign.project_name, harbor_server, user_name, user_password, self.image, self.tag)
# 4.1. Verify list_artifacts API;
artifact_list = self.artifact.list_artifacts(TestCosign.project_name, self.image, **TestCosign.user_client)
first_artifact = artifact_list[0]
artifact_reference = first_artifact.digest
self.assertTrue(len(artifact_list) == 1)
self.assertIsNone(artifact_list[0].accessories)
# 4.2. Verify get_reference_info API;
artifact_info = self.artifact.get_reference_info(TestCosign.project_name, self.image, artifact_reference, **TestCosign.user_client)
self.assertIsNone(artifact_info.accessories)
# 4.3. Verify list_accessories API;
accessory_list = self.artifact.list_accessories(TestCosign.project_name, self.image, artifact_reference, **TestCosign.user_client)
self.assertTrue(len(accessory_list) == 0)
# 5.1. Generate cosign key pair;
cosign.generate_key_pair()
# 5.2. Generate cosign key pair;
docker_api.docker_login_cmd(harbor_server, user_name, user_password, enable_manifest = False)
cosign.sign_artifact("{}/{}/{}:{}".format(harbor_server, TestCosign.project_name, self.image, self.tag))
# 6.1. Verify list_artifacts API;
artifact_list = self.artifact.list_artifacts(TestCosign.project_name, self.image, **TestCosign.user_client)
self.assertTrue(len(artifact_list) == 1)
first_artifact = artifact_list[0]
self.assertTrue(len(first_artifact.accessories) == 1)
first_accessory = first_artifact.accessories[0]
self.assertEqual(first_accessory.type, self.expect_accessory_type)
accessory_reference = first_accessory.digest
# 6.2. Verify get_reference_info API;
artifact_info = self.artifact.get_reference_info(TestCosign.project_name, self.image, artifact_reference, **TestCosign.user_client)
self.assertEqual(artifact_info.accessories[0].type, self.expect_accessory_type)
# 6.3. Verify list_accessories API;
accessory_list = self.artifact.list_accessories(TestCosign.project_name, self.image, artifact_reference, **TestCosign.user_client)
self.assertTrue(len(accessory_list) == 1)
self.assertEqual(accessory_list[0].type, self.expect_accessory_type)
# 6.4. Verify list_accessories API;
accessory_info = self.artifact.get_reference_info(TestCosign.project_name, self.image, accessory_reference, **TestCosign.user_client)
self.assertEqual(accessory_info.digest, accessory_reference)
if __name__ == '__main__':
unittest.main()

View File

@ -8,7 +8,7 @@ sudo gsutil version -l
harbor_logs_bucket="harbor-ci-logs"
DIR="$(cd "$(dirname "$0")" && pwd)"
E2E_IMAGE="goharbor/harbor-e2e-engine:4.1.0-api"
E2E_IMAGE="goharbor/harbor-e2e-engine:4.2.0-api"
# GS util
function uploader {

View File

@ -176,3 +176,7 @@ Test Case - Project Level Policy Content Trust
Test Case - Webhook CRUD
[Tags] webhook
Harbor API Test ./tests/apitests/python/test_webhook_crud.py
Test Case - Cosign Sign Artifact
[Tags] cosign
Harbor API Test ./tests/apitests/python/test_cosign_sign_artifact.py

View File

@ -3,6 +3,7 @@
FROM photon:4.0
ENV LANG C.UTF-8
ENV HELM_EXPERIMENTAL_OCI=1
ENV COSIGN_PASSWORD=Harbor12345
COPY --from=tool_builder /tool/tools.tar.gz /usr/local/bin