Merge branch 'dev' into crl-e2e-update

CONTRIBUTING.md

@@ -39,12 +39,12 @@ This approach ensures that the changes are well-documented and reviewed before i
 
 If you'd like to start contributing to Ratify, you can search for issues tagged as "good first issue" [here](https://github.com/ratify-project/ratify/labels/good%20first%20issue).
 
-We use the `dev` branch as the our default branch. PRs passing the basic set of validation can be merged to the `dev` branch, we then run the full suite of validation including cloud specific tests on `dev` before changes can be merged into `main`. All ratify release are cut from the `main` branch. A sample PR process is outlined below:
-1. Fork this repo and create your dev branch from default `dev` branch.
-2. Create a PR against default branch.
-3. Add new unit test and [e2e test](https://github.com/ratify-project/ratify/tree/dev/test/bats) where approriate.
+We use the `dev` branch as our default branch. PRs passing the basic set of validation can be merged to the `dev` branch, we then run the full suite of validation including cloud-specific tests on `dev` before changes can be merged into `main`. All ratify releases are cut from the `main` branch. A sample PR process is outlined below:
+1. Fork this repo and create your dev branch from the default `dev` branch.
+2. Create a PR against the default branch.
+3. Add new unit test and [e2e test](https://github.com/ratify-project/ratify/tree/dev/test/bats) where appropriate.
 4. Maintainer approval and e2e test validation is required for completing the PR.
-5. On PR complete, the `push` event will trigger an automated PR targeting the `main` branch where we run a full suite validation including cloud specific tests.
+5. On PR complete, the `push` event will trigger an automated PR targeting the `main` branch where we run a full suite validation including cloud-specific tests.
 6. Manual merge is required to complete the PR. (**Please keep individual commits to maintain commit history**)
 
 If the PR contains a regression that could not pass the full validation, please revert the change to unblock others:
@@ -55,7 +55,7 @@ If the PR contains a regression that could not pass the full validation, please
 
 ### Commit
 
-You should follow [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/) to write commit message. As the Ratify Project repositories enforces the [DCO (Developer Certificate of Origin)](https://github.com/apps/dco) on Pull Requests, contributors are required to sign off that they adhere to those requirements by adding a `Signed-off-by` line to the commit messages. Git has even provided a `-s` command line option to append that automatically to your commit messages, please use it when you commit your changes. 
+You should follow [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/) to write commit message. As the Ratify Project repositories enforce the [DCO (Developer Certificate of Origin)](https://github.com/apps/dco) on Pull Requests, contributors are required to sign off that they adhere to those requirements by adding a `Signed-off-by` line to the commit messages. Git has even provided a `-s` command line option to append that automatically to your commit messages, please use it when you commit your changes. 
 
 The Ratify Project repositories require signed commits, please refer to [SSH commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#ssh-commit-signature-verification) on signing commits using SSH as it is easy to set up. You can find other methods to sign commits in the document [commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification). Git has provided a `-S` flag to create a signed commit.
 

charts/ratify/templates/verifier.yaml

@@ -101,10 +101,11 @@ spec:
             {{- end }}
           {{- end}}
           trustedIdentities:
-            {{- range $j, $store := $policy.trustedIdentities }}
-            {{- if eq $store "*" }}
+            {{- $trustedIdentities := $policy.trustedIdentities | default (list "*") }}
+            {{- range $j, $identity := $trustedIdentities }}
+            {{- if eq $identity "*" }}
             - "*"
-            {{- else }} 
+            {{- else }}
             - "x509.subject: {{ . }}"
             {{- end }}
             {{- end }}

httpserver/Dockerfile

@@ -11,7 +11,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM golang:1.23@sha256:70031844b8c225351d0bb63e2c383f80db85d92ba894e3da7e13bcf80efa9a37 as builder
+FROM --platform=$BUILDPLATFORM golang:1.23@sha256:7ea4c9dcb2b97ff8ee80a67db3d44f98c8ffa0d191399197007d8459c1453041 as builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS

test/bats/base-test.bats

@@ -57,6 +57,119 @@ RATIFY_NAMESPACE=gatekeeper-system
     assert_failure
 }
 
+@test "test rendering notation verifier with modified trust policies settings" {
+    teardown() {
+        echo "cleaning up"
+        rm -f notation-file1.crt
+        rm -f notation-file2.crt
+        rm -f notation-file3.crt
+    }
+
+    touch notation-file1.crt
+    echo "fake cert 1" > notation-file1.crt
+    touch notation-file2.crt
+    echo "fake cert 2" > notation-file2.crt
+    touch notation-file2.crt
+    echo "fake cert 3" > notation-file3.crt
+
+    # Happy path:
+    # Capture Helm template output
+    rendered=$(helm template multiple-trust-policies ./charts/ratify \
+        --set featureFlags.RATIFY_CERT_ROTATION=true \
+        --set-file notationCerts[0]="notation-file1.crt" \
+        --set-file notationCerts[1]="notation-file2.crt" \
+        --set-file notationCerts[2]="notation-file3.crt" \
+        --set notation.trustPolicies[0].registryScopes[0]="registry1.azurecr.io/" \
+        --set notation.trustPolicies[0].trustedIdentities[0]="cert identity 1" \
+        --set notation.trustPolicies[0].trustStores[0]=ca:notationCerts[0] \
+        --set notation.trustPolicies[0].trustStores[1]=tsa:notationCerts[1] \
+        --set notation.trustPolicies[0].trustStores[2]=signingAuthority:notationCerts[2] \
+        --set notation.trustPolicies[1].registryScopes[0]="registry2.azurecr.io/" \
+        --set notation.trustPolicies[1].trustStores[0]=ca:notationCerts[1])
+
+    # the expected partial output
+    expected_verifier_notation=$(cat <<EOF
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: Verifier
+metadata:
+  name: verifier-notation
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "5"
+spec:
+  name: notation
+  version: 1.0.0
+  artifactTypes: application/vnd.cncf.notary.signature
+  parameters:
+    verificationCertStores:
+      ca:
+        cert-0:
+          - multiple-trust-policies-ratify-notation-inline-cert-0
+        cert-3:
+          - multiple-trust-policies-ratify-notation-inline-cert-1
+      signingAuthority:
+        cert-2:
+          - multiple-trust-policies-ratify-notation-inline-cert-2
+      tsa:
+        cert-1:
+          - multiple-trust-policies-ratify-notation-inline-cert-1
+    trustPolicyDoc:
+      version: "1.0"
+      trustPolicies:
+        - name: trustPolicy-0  
+          registryScopes:
+            - "registry1.azurecr.io/"
+          signatureVerification:
+            level: strict  
+          trustStores:
+            - ca:cert-0
+            - tsa:cert-1
+            - signingAuthority:cert-2
+          trustedIdentities:
+            - "x509.subject: cert identity 1"
+        - name: trustPolicy-1  
+          registryScopes:
+            - "registry2.azurecr.io/"
+          signatureVerification:
+            level: strict  
+          trustStores:
+            - ca:cert-3
+          trustedIdentities:
+            - "*"
+EOF
+    )
+
+    # Assert that the rendered Helm output contains the expected section
+    [[ "$rendered" == *"$expected_verifier_notation"* ]] || {
+        echo "Rendered output does not contain the expected verifier-notation section."
+        echo "Rendered output:"
+        echo "$rendered"
+        echo "Expected section:"
+        echo "$expected_verifier_notation"
+        return 1
+    }
+
+    # failure path:
+    # Capture Helm template output
+    run helm template multiple-trust-policies ./charts/ratify \
+        --set featureFlags.RATIFY_CERT_ROTATION=true \
+        --set-file notationCerts[0]="notation-file1.crt" \
+        --set notation.trustPolicies[0].registryScopes[0]="registry1.azurecr.io/" \
+        --set notation.trustPolicies[0].trustedIdentities[0]="cert identity 1" \
+        --set notation.trustPolicies[0].trustStores[0]=ca:unknownCert
+
+    assert_failure
+
+    # the expected error message
+    expected_verifier_notation=$(cat <<EOF
+Unknown trust store reference: unknownCert
+EOF
+    )
+
+    # Assert that the rendered Helm output contains the expected error message
+    [[ "$output" == *"$expected_verifier_notation"* ]]
+}
+
 @test "crd version test" {
     run kubectl delete verifiers.config.ratify.deislabs.io/verifier-notation
     assert_success