feat: secure build phase 1 — cosign cell-side image verification (warn default) + Dockerfile validation
Unit Tests / test (push) Successful in 13m28s
Unit Tests / test (push) Successful in 13m28s
- config/cosign/cosign.pub: public verification key committed to repo (safe); cosign private key lives in /home/roof/.pic-secrets/ and is NEVER committed - api/config_manager.py: image_verification config block (modes: off|warn|enforce, default: warn) so existing deployments are unaffected until images are signed - api/service_composer.py: cosign verify before pull/up; enforce aborts the operation, warn logs and proceeds, off skips entirely; also fixes the prior unsafe proceed-on-pull-failure path - api/service_store_manager.py: store-image digest requirement (warn default, reject under enforce) - api/Dockerfile: cosign binary copied from the official cosign image - docker-compose.yml: config/cosign/ bind-mounted into cell-api container - install.sh: ensure/verify bundled cosign pubkey on new cell installs - api/manifest_validator.py: validate_build_context() — Dockerfile lint - tests: full coverage for config modes, composer verify paths, store digest guard, and validate_build_context Verification defaults to warn so nothing breaks in production until images are signed (phase 2). Private key stored outside git at /home/roof/.pic-secrets/. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -517,5 +517,41 @@ class TestEmailManagerApply(unittest.TestCase):
|
||||
self.assertEqual(result['restarted'], [])
|
||||
|
||||
|
||||
class TestImageVerificationConfig(unittest.TestCase):
|
||||
"""image_verification config round-trip and warn-by-default behaviour."""
|
||||
|
||||
def setUp(self):
|
||||
self.temp_dir = tempfile.mkdtemp()
|
||||
self.config_file = os.path.join(self.temp_dir, 'cell_config.json')
|
||||
self.data_dir = os.path.join(self.temp_dir, 'data')
|
||||
os.makedirs(self.data_dir, exist_ok=True)
|
||||
self.cm = ConfigManager(self.config_file, self.data_dir)
|
||||
|
||||
def tearDown(self):
|
||||
shutil.rmtree(self.temp_dir)
|
||||
|
||||
def test_default_mode_is_warn(self):
|
||||
self.assertEqual(self.cm.get_image_verification_mode(), 'warn')
|
||||
self.assertEqual(self.cm.get_image_verification(), {'mode': 'warn'})
|
||||
|
||||
def test_set_and_get_round_trip(self):
|
||||
for mode in ('off', 'warn', 'enforce'):
|
||||
self.cm.set_image_verification_mode(mode)
|
||||
self.assertEqual(self.cm.get_image_verification_mode(), mode)
|
||||
|
||||
def test_set_mode_persists_across_reload(self):
|
||||
self.cm.set_image_verification_mode('enforce')
|
||||
cm2 = ConfigManager(self.config_file, self.data_dir)
|
||||
self.assertEqual(cm2.get_image_verification_mode(), 'enforce')
|
||||
|
||||
def test_invalid_mode_rejected(self):
|
||||
with self.assertRaises(ValueError):
|
||||
self.cm.set_image_verification_mode('paranoid')
|
||||
|
||||
def test_corrupt_section_falls_back_to_warn(self):
|
||||
self.cm.configs['image_verification'] = {'mode': 'bogus'}
|
||||
self.assertEqual(self.cm.get_image_verification_mode(), 'warn')
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
unittest.main()
|
||||
|
||||
Reference in New Issue
Block a user