fix: e2e tests (#7)

Signed-off-by: Vishal Choudhary <[email protected]>
nirmata · Jul 31, 2024 · 8806d5c · 8806d5c
1 parent c6b1ae0
commit 8806d5c
Show file tree

Hide file tree

Showing 6 changed files with 158 additions and 4 deletions.
diff --git a/cmd/e2e_test.go b/cmd/e2e_test.go
@@ -75,12 +75,26 @@ func Test_Verify(t *testing.T) {
 			fail:         false,
 		},
 		{
-			name:         "external api test",
+			name:         "external api test fail",
 			policyPath:   "./examples/external-api-image-verification/fail-policy.yaml",
 			resourcePath: "./examples/external-api-image-verification/payload.json",
 			outputPath:   "./examples/external-api-image-verification/fail-out.txt",
 			fail:         false,
 		},
+		{
+			name:         "external api test context entry",
+			policyPath:   "./examples/external-api-image-verification/policy-api-call.yaml",
+			resourcePath: "./examples/external-api-image-verification/payload.json",
+			outputPath:   "./examples/external-api-image-verification/api-call-out.txt",
+			fail:         false,
+		},
+		{
+			name:         "external api test context entry error",
+			policyPath:   "./examples/external-api-image-verification/policy-api-call-err.yaml",
+			resourcePath: "./examples/external-api-image-verification/payload.json",
+			outputPath:   "./examples/external-api-image-verification/api-call-err-out.txt",
+			fail:         false,
+		},
 		{
 			name:         "wrong output test",
 			policyPath:   "./examples/notary-image-verification/policy.yaml",

diff --git a/cmd/examples/external-api-image-verification/api-call-err-out.txt b/cmd/examples/external-api-image-verification/api-call-err-out.txt
@@ -0,0 +1,6 @@
+Verification Result:
+Results for policy: test
+Results for rule: external-api
+Verifying image: , result: ERROR
+Error encountered: failed to fetch data for APICall: HTTP 406 Not Acceptable: no images were provided
+
diff --git a/cmd/examples/external-api-image-verification/api-call-out.txt b/cmd/examples/external-api-image-verification/api-call-out.txt
@@ -0,0 +1,4 @@
+Verification Result:
+Results for policy: test
+Results for rule: external-api
+Verifying image: ghcr.io/kyverno/test-verify-image:signed, result: PASS
diff --git a/cmd/examples/external-api-image-verification/policy-api-call-err.yaml b/cmd/examples/external-api-image-verification/policy-api-call-err.yaml
@@ -0,0 +1,64 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ImageVerificationPolicy
+metadata:
+  name: test
+spec:
+  rules:
+    - name: external-api
+      match: 
+        any:
+          - (length(containerDefinitions) > `0`): true
+      context:
+      - name: resp
+        apiCall:
+          method: POST
+          data:
+          - key: imageReferences
+            value: 
+            - "844333597536.dkr.ecr.us-west-2.amazonaws.com*"
+          - key: attestations
+            value: 
+            - imageReference: "*"
+              type: 
+              - name: sbom/example
+                conditions:
+                  all:
+                  - key: \{{creationInfo.licenseListVersion}}
+                    operator: Equals
+                    value: "3.17"
+                    message: invalid license version
+          service:
+            url: http://127.0.0.1:3000/
+      imageExtractors:
+        - name: test
+          path: /containerDefinitions/*/image/
+      verify:
+      - imageReferences: ghcr.io/kyverno/test-verify-image*
+        externalService:
+        - apiCall:
+            method: POST
+            data:
+            - key: images
+              value: "{{images}}"
+            - key: imageReferences
+              value: 
+              - "844333597536.dkr.ecr.us-west-2.amazonaws.com*"
+            - key: attestations
+              value: 
+              - imageReference: "*"
+                type: 
+                - name: sbom/example
+                  conditions:
+                    all:
+                    - key: \{{creationInfo.licenseListVersion}}
+                      operator: Equals
+                      value: "3.17"
+                      message: invalid license version
+            service:
+              url: http://127.0.0.1:3000/
+          conditions:
+          - all:
+            - key: "{{ verified }}"
+              operator: Equals
+              value: true
+              message: aws signer verification failed
diff --git a/cmd/examples/external-api-image-verification/policy-api-call.yaml b/cmd/examples/external-api-image-verification/policy-api-call.yaml
@@ -0,0 +1,66 @@
+apiVersion: nirmata.io/v1alpha1
+kind: ImageVerificationPolicy
+metadata:
+  name: test
+spec:
+  rules:
+    - name: external-api
+      match: 
+        any:
+          - (length(containerDefinitions) > `0`): true
+      context:
+      - name: resp
+        apiCall:
+          method: POST
+          data:
+          - key: images
+            value: "{{images}}"
+          - key: imageReferences
+            value: 
+            - "844333597536.dkr.ecr.us-west-2.amazonaws.com*"
+          - key: attestations
+            value: 
+            - imageReference: "*"
+              type: 
+              - name: sbom/example
+                conditions:
+                  all:
+                  - key: \{{creationInfo.licenseListVersion}}
+                    operator: Equals
+                    value: "3.17"
+                    message: invalid license version
+          service:
+            url: http://127.0.0.1:3000/
+      imageExtractors:
+        - name: test
+          path: /containerDefinitions/*/image/
+      verify:
+      - imageReferences: ghcr.io/kyverno/test-verify-image*
+        externalService:
+        - apiCall:
+            method: POST
+            data:
+            - key: images
+              value: "{{images}}"
+            - key: imageReferences
+              value: 
+              - "844333597536.dkr.ecr.us-west-2.amazonaws.com*"
+            - key: attestations
+              value: 
+              - imageReference: "*"
+                type: 
+                - name: sbom/example
+                  conditions:
+                    all:
+                    - key: \{{creationInfo.licenseListVersion}}
+                      operator: Equals
+                      value: "3.17"
+                      message: invalid license version
+            service:
+              url: http://127.0.0.1:3000/
+          conditions:
+          - all:
+            - key: "{{ verified }}"
+              operator: Equals
+              value: true
+              message: aws signer verification failed
diff --git a/pkg/imageverifier/engine.go b/pkg/imageverifier/engine.go
@@ -121,7 +121,7 @@ func (e *engine) Apply(request Request) Response {
 				continue
 			}
 
-			err = addContextEntriesToJsonContext(jsonContext, e.client, jp, r.Context)
+			images, err := policy.GetImages(request.Resource, r.ImageExtractor)
 			if err != nil {
 				ruleResponse.VerificationResult = VerificationResult{
 					VerificationOutcome: ERROR,
@@ -131,7 +131,7 @@ func (e *engine) Apply(request Request) Response {
 				continue
 			}
 
-			images, err := policy.GetImages(request.Resource, r.ImageExtractor)
+			err = addImagesToJsonContext(jsonContext, images)
 			if err != nil {
 				ruleResponse.VerificationResult = VerificationResult{
 					VerificationOutcome: ERROR,
@@ -141,7 +141,7 @@ func (e *engine) Apply(request Request) Response {
 				continue
 			}
 
-			err = addImagesToJsonContext(jsonContext, images)
+			err = addContextEntriesToJsonContext(jsonContext, e.client, jp, r.Context)
 			if err != nil {
 				ruleResponse.VerificationResult = VerificationResult{
 					VerificationOutcome: ERROR,