| 1 | +#!/usr/bin/env bash |
| 2 | + |
| 3 | +GIT_ROOT=$(git rev-parse --show-toplevel) |
| 4 | +EC=${EC:-"${GIT_ROOT}/dist/ec"} |
| 5 | +LOCAL_DIR=${GIT_ROOT}/hack/builtin-experiments |
| 6 | +DATA_DIR=${LOCAL_DIR}/data/data |
| 7 | +POLICY_DIR=${LOCAL_DIR}/policy/policy |
| 8 | + |
| 9 | +mkdir -p ${DATA_DIR} ${POLICY_DIR} |
| 10 | + |
| 11 | +# This has no attestation currently... |
| 12 | +#IMAGE=${IMAGE:-"quay.io/redhat-appstudio/ec-golden-image:latest"} |
| 13 | + |
| 14 | +# This is the ec build for TAS so it should be good 🐕🥣 |
| 15 | +IMAGE=${IMAGE:-"quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v02/cli-v02:c862b0f77bb10082d1440e0d4b6a4e9645b83382"} |
| 16 | + |
| 17 | +# The image digest must be specified explictly so go look it up |
| 18 | +IMAGE_DIGEST=$(skopeo inspect --no-tags docker://$IMAGE | jq -r .Digest) |
| 19 | +FULL_IMAGE_REF="$IMAGE@$IMAGE_DIGEST" |
| 20 | + |
| 21 | +# Input looks like this |
| 22 | +INPUT_JSON='{ |
| 23 | + "image": { |
| 24 | + "ref": "'$FULL_IMAGE_REF'" |
| 25 | + } |
| 26 | +}' |
| 27 | + |
| 28 | +# A minimal ECP using local files |
| 29 | +# ec looks for specific subdirs under the source's root location |
| 30 | +# so that's why we have policy/policy and data/data |
| 31 | +POLICY_JSON='{ |
| 32 | + "sources": [ |
| 33 | + { |
| 34 | + "policy": [ |
| 35 | + "'$LOCAL_DIR'/policy" |
| 36 | + ], |
| 37 | + "data": [ |
| 38 | + "'$LOCAL_DIR'/data" |
| 39 | + ] |
| 40 | + } |
| 41 | + ] |
| 42 | +}' |
| 43 | + |
| 44 | +# Public key for the signature of the image we're verifying |
| 45 | +PUBLIC_KEY="-----BEGIN PUBLIC KEY----- |
| 46 | +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA |
| 47 | +naYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g== |
| 48 | +-----END PUBLIC KEY-----" |
| 49 | + |
| 50 | +# Hack hack... |
| 51 | +echo '{ |
| 52 | + "sigstore_opts": { |
| 53 | + "ignore_rekor": true, |
| 54 | + "public_key": "'${PUBLIC_KEY//$'\n'/\\n}'" |
| 55 | + } |
| 56 | +}' > ${DATA_DIR}/sigstore_opts.json |
| 57 | + |
| 58 | +# The acceptance test rego is pretty much prod-ready.. :) |
| 59 | +# Tweak one line to make it work with the sigstore_opts data we just created above |
| 60 | +sed \ |
| 61 | + 's/^_sigstore_opts :=.*/_sigstore_opts := object.union(data.config.default_sigstore_opts, data.sigstore_opts)/' \ |
| 62 | + ${GIT_ROOT}/acceptance/examples/sigstore.rego \ |
| 63 | + > ${POLICY_DIR}/sigstore.rego |
| 64 | + |
| 65 | +echo -e "\n* Input:\n" |
| 66 | +echo "$INPUT_JSON" | yq -P |
| 67 | + |
| 68 | +echo -e "\n* EC results:\n" |
| 69 | +$EC validate input \ |
| 70 | + --file <(echo $INPUT_JSON) \ |
| 71 | + --policy "$(echo $POLICY_JSON)" \ |
| 72 | + --show-successes \ |
| 73 | + --info \ |
| 74 | + | yq -P |
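Review bot: The digest lookup on line 18 is unchecked, so when `skopeo inspect` fails (registry unreachable, missing auth, wrong tag) IMAGE_DIGEST is empty, FULL_IMAGE_REF degrades to `…/cli-v02:c862…@` and the script carries on to `ec validate` with a malformed ref and a misleading error, because there is no strict mode either. I would add `set -euo pipefail` directly after the shebang and guard the result with `: "${IMAGE_DIGEST:?could not resolve digest for $IMAGE}"` before FULL_IMAGE_REF is built. The `"ignore_rekor": true` written into sigstore_opts.json turns off transparency-log verification for this run; the "Hack hack..." comment hints at that, but a one-line comment stating why it is acceptable for this experiment would stop the next reader from copying the snippet into a real policy source. The unquoted expansions in `mkdir -p ${DATA_DIR} ${POLICY_DIR}` and `--file <(echo $INPUT_JSON)` should be double-quoted (ShellCheck SC2086), and `printf '%s\n'` is more portable than `echo -e` for the banner lines.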