From 7a9b7681267ac2d6401f1592279cc86988e94071 Mon Sep 17 00:00:00 2001 From: Christian Clauss Date: Mon, 30 Dec 2024 04:12:40 +0100 Subject: [PATCH 1/3] docs: Fix typos in CONTRIBUTING.md (#2005) --- CONTRIBUTING.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 7ac0a452b..7a3812a98 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -39,12 +39,12 @@ This approach ensures that the changes are well-documented and reviewed before i
 If you'd like to start contributing to Ratify, you can search for issues tagged as "good first issue" [here](https://github.com/ratify-project/ratify/labels/good%20first%20issue).
-We use the `dev` branch as the our default branch. PRs passing the basic set of validation can be merged to the `dev` branch, we then run the full suite of validation including cloud specific tests on `dev` before changes can be merged into `main`. All ratify release are cut from the `main` branch. A sample PR process is outlined below:
-1. Fork this repo and create your dev branch from default `dev` branch.
-2. Create a PR against default branch.
-3. Add new unit test and [e2e test](https://github.com/ratify-project/ratify/tree/dev/test/bats) where approriate.
+We use the `dev` branch as our default branch. PRs passing the basic set of validation can be merged to the `dev` branch, we then run the full suite of validation including cloud-specific tests on `dev` before changes can be merged into `main`. All ratify releases are cut from the `main` branch. A sample PR process is outlined below:
+1. Fork this repo and create your dev branch from the default `dev` branch.
+2. Create a PR against the default branch.
+3. Add new unit test and [e2e test](https://github.com/ratify-project/ratify/tree/dev/test/bats) where appropriate.
 4. Maintainer approval and e2e test validation is required for completing the PR.
-5. On PR complete, the `push` event will trigger an automated PR targeting the `main` branch where we run a full suite validation including cloud specific tests.
+5. On PR complete, the `push` event will trigger an automated PR targeting the `main` branch where we run a full suite validation including cloud-specific tests.
 6. Manual merge is required to complete the PR.
 (**Please keep individual commits to maintain commit history**)
 If the PR contains a regression that could not pass the full validation, please revert the change to unblock others:
@@ -55,7 +55,7 @@ If the PR contains a regression that could not pass the full validation, please
 ### Commit
-You should follow [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/) to write commit message. As the Ratify Project repositories enforces the [DCO (Developer Certificate of Origin)](https://github.com/apps/dco) on Pull Requests, contributors are required to sign off that they adhere to those requirements by adding a `Signed-off-by` line to the commit messages. Git has even provided a `-s` command line option to append that automatically to your commit messages, please use it when you commit your changes.
+You should follow [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/) to write commit message. As the Ratify Project repositories enforce the [DCO (Developer Certificate of Origin)](https://github.com/apps/dco) on Pull Requests, contributors are required to sign off that they adhere to those requirements by adding a `Signed-off-by` line to the commit messages. Git has even provided a `-s` command line option to append that automatically to your commit messages, please use it when you commit your changes.
 The Ratify Project repositories require signed commits, please refer to [SSH commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#ssh-commit-signature-verification) on signing commits using SSH as it is easy to set up. You can find other methods to sign commits in the document [commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification). Git has provided a `-S` flag to create a signed commit.
From 781f0b32547fda90ef8011db3fc5c5c613e14800 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Dec 2024 15:28:00 +0800 Subject: [PATCH 2/3] chore: Bump golang from `7003184` to `7ea4c9d` in /httpserver (#2006) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- httpserver/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httpserver/Dockerfile b/httpserver/Dockerfile index 20c448601..b134a0569 100644 --- a/httpserver/Dockerfile +++ b/httpserver/Dockerfile @@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM golang:1.23@sha256:70031844b8c225351d0bb63e2c383f80db85d92ba894e3da7e13bcf80efa9a37 as builder +FROM --platform=$BUILDPLATFORM golang:1.23@sha256:7ea4c9dcb2b97ff8ee80a67db3d44f98c8ffa0d191399197007d8459c1453041 as builder ARG TARGETPLATFORM ARG TARGETOS From 8f8dba230ba8e9a7afba5aed1d6a0f211df8db22 Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Thu, 2 Jan 2025 12:55:02 +1000 Subject: [PATCH 3/3] chore: add notation-trust-policy e2e test (#2002) Signed-off-by: Shahram Kalantari --- charts/ratify/templates/verifier.yaml | 7 +- test/bats/base-test.bats | 113 ++++++++++++++++++++++++++ 2 files changed, 117 insertions(+), 3 deletions(-) diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index bdf953291..cfbafe248 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml 
@@ -101,10 +101,11 @@ spec:
 {{- end }}
 {{- end}}
 trustedIdentities:
- {{- range $j, $store := $policy.trustedIdentities }}
- {{- if eq $store "*" }}
+ {{- $trustedIdentities := $policy.trustedIdentities | default (list "*") }}
+ {{- range $j, $identity := $trustedIdentities }}
+ {{- if eq $identity "*" }}
 - "*"
- {{- else }}
+ {{- else }}
 - "x509.subject: {{ . }}"
 {{- end }}
 {{- end }}
diff --git a/test/bats/base-test.bats b/test/bats/base-test.bats
index 28e708845..424137a7e 100644
--- a/test/bats/base-test.bats
+++ b/test/bats/base-test.bats
@@ -57,6 +57,119 @@ RATIFY_NAMESPACE=gatekeeper-system
 assert_failure
 }
+@test "test rendering notation verifier with modified trust policies settings" {
+ teardown() {
+ echo "cleaning up"
+ rm -f notation-file1.crt
+ rm -f notation-file2.crt
+ rm -f notation-file3.crt
+ }
+
+ touch notation-file1.crt
+ echo "fake cert 1" > notation-file1.crt
+ touch notation-file2.crt
+ echo "fake cert 2" > notation-file2.crt
+ touch notation-file2.crt
+ echo "fake cert 3" > notation-file3.crt
+
+ # Happy path:
+ # Capture Helm template output
+ rendered=$(helm template multiple-trust-policies ./charts/ratify \
+ --set featureFlags.RATIFY_CERT_ROTATION=true \
+ --set-file notationCerts[0]="notation-file1.crt" \
+ --set-file notationCerts[1]="notation-file2.crt" \
+ --set-file notationCerts[2]="notation-file3.crt" \
+ --set notation.trustPolicies[0].registryScopes[0]="registry1.azurecr.io/" \
+ --set notation.trustPolicies[0].trustedIdentities[0]="cert identity 1" \
+ --set notation.trustPolicies[0].trustStores[0]=ca:notationCerts[0] \
+ --set notation.trustPolicies[0].trustStores[1]=tsa:notationCerts[1] \
+ --set notation.trustPolicies[0].trustStores[2]=signingAuthority:notationCerts[2] \
+ --set notation.trustPolicies[1].registryScopes[0]="registry2.azurecr.io/" \
+ --set notation.trustPolicies[1].trustStores[0]=ca:notationCerts[1])
+
+ # the expected partial output
+ expected_verifier_notation=$(cat <
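Review bot: The new `default (list "*")` on the trustedIdentities line silently turns a missing `trustedIdentities` — and, since sprig's `default` treats an empty list as unset, an explicitly empty one — into the wildcard, so a policy that was never given identities ends up trusting any signer whose certificate is in its trust stores. An omitted field is at least as likely to be a mistake as a request for wildcard trust, and the widening leaves no trace at render time; `{{- $trustedIdentities := required "notation.trustPolicies[].trustedIdentities must be set; use \"*\" to trust any identity in the policy's trust stores" $policy.trustedIdentities }}` would fail the render instead (the second trust policy in the new bats test would then need `trustedIdentities[0]="*"` spelled out). If the implicit default is intended, say so in the template, e.g. `{{- /* trustedIdentities omitted or empty: fall back to "*", i.e. accept any identity present in the policy's trust stores */ -}}` above the assignment, and document the same against `notation.trustPolicies` in values.yaml. Separately, the x509.subject line still emits `{{ . }}` while the range now names its element `$identity`; `- "x509.subject: {{ $identity }}"` keeps the rename consistent (and `$j` is still unused). The enclosing range over `$policy` begins outside the hunk.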