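#!/bin/bash
#
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Regression test for issue #872: an intoto entry (and its attestation)
# inserted by rekor-server v0.6.0 must still be readable by the rekor-server
# built from this checkout. Run from the repository root; needs docker,
# docker-compose, go and jq on PATH.

# -e: stop at the first failing command; -u: unset variables are errors;
# pipefail: a pipeline fails when any stage fails (matters for the
# `loginfo | jq` pipeline further down, which would otherwise yield an
# empty TreeID without failing).
set -euo pipefail
# shellcheck disable=SC2034 -- not referenced in this script, kept for compatibility
testdir=$(dirname "$0")

echo "* starting services"
docker-compose up -d

echo "* building CLI"
go build -o rekor-cli ./cmd/rekor-cli
# absolute path so the binary is found regardless of later directory changes
REKOR_CLI="$(pwd)/rekor-cli"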
26
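#######################################
# Block until the expected number of containers report "(healthy)" in
# `docker ps -a`, polling every 10 seconds.
# Arguments:
#   $1 - number of healthy containers to wait for (default 3, presumably
#        the services started by docker-compose)
#   $2 - maximum number of 10-second waits before giving up (default 6,
#        i.e. up to 60 seconds)
# Outputs:
#   progress dots to stdout; the timeout message to stderr
# Returns:
#   0 once the expected count is reached; exits the script with 1 on timeout
#######################################
waitForRekorServer() {
  local expected=${1:-3}
  local max_attempts=${2:-6}
  local -r interval=10
  local healthy count=0

  printf '* waiting up to %d sec for system to start' "$((max_attempts * interval))"
  while :; do
    # grep -c exits non-zero when the count is 0 and docker itself may fail;
    # either way treat it as "nothing healthy yet" instead of tripping set -e
    healthy=$(docker ps -a | grep -c '(healthy)') || healthy=0
    if (( healthy == expected )); then
      break
    fi
    if (( count >= max_attempts )); then
      printf '\n! timeout reached\n' >&2
      exit 1
    fi
    printf '.'
    sleep "$interval"
    count=$((count + 1))
  done

  printf '\n'
}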
45
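# Scratch directory for generated compose files and the extracted v0.6.0 CLI.
REKORTMPDIR="$(mktemp -d -t rekor_test.XXXXXX)"
# NOTE: this path is "<tmpdir>.rekor.yaml" *next to* the temp dir, not inside
# it, so it has to be removed separately below. Nothing else in this script
# reads it.
touch "$REKORTMPDIR.rekor.yaml"
# ${VAR:?} aborts the expansion if REKORTMPDIR is ever empty, so the cleanup can
# never degrade into removing the wrong path.
trap 'rm -rf -- "${REKORTMPDIR:?}" "${REKORTMPDIR:?}.rekor.yaml"' EXIT

waitForRekorServer

echo "* stopping rekor to test issue #872"
docker-compose stop rekor-server

# Fresh named volume shared by the v0.6.0 server and the server under test, so
# the attestation written by the old version is what the new version reads.
docker volume rm -f issue872_attestations || true
ATT_VOLUME=$(docker volume create --name issue872_attestations)
# set permissions on docker volume to be friendly to non-root since v0.6.0 container is based on distroless
# (world-writable is acceptable only because this is a throwaway test volume)
docker run --rm -v "$ATT_VOLUME:/att:z" busybox /bin/sh -c 'touch /att/.initialized && chown -R 65532:65532 /att && chmod 777 /att'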
59
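# Compose file for the known-good v0.6.0 rekor-server. The image is pinned by
# digest so a retagged image cannot silently change which build is exercised.
V060_COMPOSE_FILE="$REKORTMPDIR/docker-compose-issue872-v060.yaml"
# unquoted EOF on purpose: $ATT_VOLUME must expand into the YAML
cat << EOF > "$V060_COMPOSE_FILE"
version: '3.4'
services:
  rekor-server-issue-872-v060:
    # this container image is built on v0.6.0 with the fix for issue #800
    image: gcr.io/projectsigstore/rekor/ci/rekor/rekor-server@sha256:568aee99574e6d796d70b7b1fd59438bd54b3b9f44cc2c9a086629597c66d324
    user: "65532:65532"
    command: [
      "serve",
      "--trillian_log_server.address=trillian-log-server",
      "--trillian_log_server.port=8090",
      "--redis_server.address=redis-server",
      "--redis_server.port=6379",
      "--rekor_server.address=0.0.0.0",
      "--rekor_server.signer=memory",
      "--enable_attestation_storage",
      "--attestation_storage_bucket=file:///ko-app/attestations",
      # Uncomment this for production logging
      # "--log_type=prod",
    ]
    volumes:
      - "$ATT_VOLUME:/ko-app/attestations:z"
    restart: always # keep the server running
    # published on every host interface; fine for a throwaway test server only
    ports:
      - "0.0.0.0:3000:3000"
      - "0.0.0.0:2112:2112"
volumes:
  $ATT_VOLUME:
    external: true
EOF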
91
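echo "* starting rekor v0.6.0 to test issue #872"
docker-compose -f "$V060_COMPOSE_FILE" --project-directory="$PWD" up -d rekor-server-issue-872-v060
# the v0.6.0 compose file declares no healthcheck, so just give it a moment
sleep 5

# this rekor-cli image is based on v0.6.0 and has the fix for issue #800
# (pinned by digest so the CLI under test cannot drift with a moving tag)
ISSUE800_CONTAINER=gcr.io/projectsigstore/rekor/ci/rekor/rekor-cli@sha256:34f6ec6324a6f32f118dc14d33e5cc081fb8b49a5026d388f782a3566afa2ca8
# Extract the binary without running the image: create a stopped container,
# copy the file out, and remove the container even when the copy fails.
ISSUE800_CONTAINER_ID=$(docker create "$ISSUE800_CONTAINER")
ISSUE800_CLI="$REKORTMPDIR/rekor-cli-issue-800"
if ! docker cp "$ISSUE800_CONTAINER_ID:/ko-app/rekor-cli" "$ISSUE800_CLI"; then
  docker rm "$ISSUE800_CONTAINER_ID" >/dev/null
  echo "* failed to extract rekor-cli from $ISSUE800_CONTAINER, exiting" >&2
  exit 1
fi
docker rm "$ISSUE800_CONTAINER_ID" >/dev/null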
102
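#######################################
# Dump logs of the base services and of the v0.6.0 server after a failed step.
# Globals: V060_COMPOSE_FILE (read)
# Outputs: /tmp/docker-compose.log, /tmp/post-insert-docker-compose.log
#          (fixed paths outside REKORTMPDIR so they survive the EXIT trap)
#######################################
dump_v060_logs() {
  docker-compose logs --no-color > /tmp/docker-compose.log
  docker-compose -f "$V060_COMPOSE_FILE" --project-directory="$PWD" logs rekor-server-issue-872-v060 > /tmp/post-insert-docker-compose.log
}

V060_UPLOAD_OUTPUT="$REKORTMPDIR/issue-872-upload-output"
echo "* inserting intoto entry into Rekor v0.6.0"
if ! "$ISSUE800_CLI" upload --type intoto --artifact tests/intoto_dsse.json --public-key tests/intoto_dsse.pem --format=json --rekor_server=http://localhost:3000 > "$V060_UPLOAD_OUTPUT"; then
  echo "* failed to insert intoto entry to test issue #872, exiting"
  dump_v060_logs
  exit 1
fi

ISSUE872_UPLOAD_INDEX=$(jq -r .Index "$V060_UPLOAD_OUTPUT")
# jq prints "null" for a missing key; only a numeric log index is usable below
if [[ ! "$ISSUE872_UPLOAD_INDEX" =~ ^[0-9]+$ ]]; then
  echo "* upload output did not contain a numeric log index while testing issue #872, exiting"
  cat "$V060_UPLOAD_OUTPUT"
  dump_v060_logs
  exit 1
fi
V060_GET_OUTPUT="$REKORTMPDIR/issue-872-get-output"
echo "* read back entry from Rekor v0.6.0"
if ! "$ISSUE800_CLI" get --log-index="$ISSUE872_UPLOAD_INDEX" --format=json --rekor_server=http://localhost:3000 > "$V060_GET_OUTPUT"; then
  echo "* failed to retrieve entry from rekor v0.6.0 to test issue #872, exiting"
  dump_v060_logs
  exit 1
fi

echo "* checking to ensure attestation is successfully returned from rekor v0.6.0"
V060_ATT_LENGTH=$(jq -r '.Attestation | length' "$V060_GET_OUTPUT")
# Require a positive integer. With the old `[ ... -eq 0 ]` a non-numeric value
# (e.g. "null") made `[` error out inside `if`, which fell through as a pass.
if [[ ! "$V060_ATT_LENGTH" =~ ^[1-9][0-9]*$ ]]; then
  echo "* failed to read back attestation while testing issue #872 against rekor v0.6.0, exiting"
  cat "$V060_GET_OUTPUT"
  dump_v060_logs
  exit 1
fi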
131
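echo "* grabbing TreeID to use when starting older version"
# The server under test is started with this tlog_id so it serves the same
# Trillian tree the v0.6.0 server wrote the entry to.
REKOR_TRILLIAN_LOG_SERVER_TLOG_ID=$("$ISSUE800_CLI" loginfo --rekor_server=http://localhost:3000 --format=json | jq -r .TreeID)
# jq prints "null" when the key is absent; do not bake that into the compose file
if [[ ! "$REKOR_TRILLIAN_LOG_SERVER_TLOG_ID" =~ ^[0-9]+$ ]]; then
  echo "* failed to determine TreeID from rekor v0.6.0 while testing issue #872, exiting"
  docker-compose -f "$V060_COMPOSE_FILE" --project-directory="$PWD" logs rekor-server-issue-872-v060 > /tmp/post-insert-docker-compose.log
  exit 1
fi
echo "* stopping rekor v0.6.0 to test issue #872"
docker-compose -f "$V060_COMPOSE_FILE" --project-directory="$PWD" logs rekor-server-issue-872-v060 > /tmp/post-insert-docker-compose.log
docker-compose -f "$V060_COMPOSE_FILE" --project-directory="$PWD" stop rekor-server-issue-872-v060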
137
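# Compose file for the rekor-server built from this checkout. It mounts the
# same attestation volume as the v0.6.0 server and is pointed at the same
# Trillian tree via tlog_id. The healthcheck is what waitForRekorServer counts.
COMPOSE_FILE="$REKORTMPDIR/docker-compose-issue872.yaml"
# unquoted EOF on purpose: $ATT_VOLUME and the tlog_id must expand into the YAML
cat << EOF > "$COMPOSE_FILE"
version: '3.4'
services:
  rekor-server:
    build:
      context: .
      target: "deploy"
    command: [
      "rekor-server",
      "serve",
      "--trillian_log_server.address=trillian-log-server",
      "--trillian_log_server.port=8090",
      "--redis_server.address=redis-server",
      "--redis_server.port=6379",
      "--rekor_server.address=0.0.0.0",
      "--rekor_server.signer=memory",
      "--enable_attestation_storage",
      "--attestation_storage_bucket=file:///var/run/attestations",
      "--trillian_log_server.tlog_id=$REKOR_TRILLIAN_LOG_SERVER_TLOG_ID",
      # Uncomment this for production logging
      # "--log_type=prod",
    ]
    volumes:
      - "$ATT_VOLUME:/var/run/attestations:z"
    restart: always # keep the server running
    ports:
      - "3000:3000"
      - "2112:2112"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/ping"]
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 5s
volumes:
  $ATT_VOLUME:
    external: true
EOF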
177
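# NOTE: this removes every unused docker network on the host, not only the ones
# left by the compose projects stopped above — presumably done so the new
# project can recreate its network cleanly.
docker network prune -f
echo "* starting rekor under test to ensure attestation inserted in old version is successfully returned"
docker-compose -f "$COMPOSE_FILE" --project-directory="$PWD" up -d
waitForRekorServer

ISSUE872_GET_ENTRY="$REKORTMPDIR/issue-872-get-entry"
echo "* fetching previous entry made under v0.6.0"
if ! "$REKOR_CLI" get --log-index="$ISSUE872_UPLOAD_INDEX" --rekor_server=http://localhost:3000 --format=json > "$ISSUE872_GET_ENTRY"; then
  echo "* failed to read back intoto entry while testing issue #872, exiting"
  # fixed path outside REKORTMPDIR so the log survives the EXIT trap
  docker-compose logs --no-color > /tmp/docker-compose.log
  exit 1
fi

#ensure attestation of len() > 0 returned
echo "* checking to ensure attestation is successfully returned"
ATT_LENGTH=$(jq -r '.Attestation | length' "$ISSUE872_GET_ENTRY")
# Success requires a positive integer length. The old `[ ... -eq 0 ]` treated
# a non-numeric value (e.g. "null") as a `[` error inside `if`, which then
# fell through to the success branch.
if [[ "$ATT_LENGTH" =~ ^[1-9][0-9]*$ ]]; then
  echo "* tests succeeded!"
else
  echo "* failed to read back attestation while testing issue #872, exiting"
  cat "$ISSUE872_GET_ENTRY"
  docker-compose logs --no-color > /tmp/docker-compose.log
  exit 1
fi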