From bd431806d6a6f6a01afd8f1decfe8d7d7689c377 Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Fri, 29 Apr 2022 22:44:05 -0400
Subject: [PATCH] cosigned: Test unsupported KMS providers

This adds a test case to cover the case where a specified KMS provider isn't supported; in this case, we fire an event describing the error.

Signed-off-by: Jason Hall
---
 go.sum | 2 --
 .../clusterimagepolicy/clusterimagepolicy.go | 16 ++++-----
 .../clusterimagepolicy_test.go | 35 +++++++++++++++++--
 3 files changed, 39 insertions(+), 14 deletions(-)

diff --git a/go.sum b/go.sum
index 2bbb903c9d4..95f53072fdc 100644
--- a/go.sum
+++ b/go.sum
@@ -235,8 +235,6 @@ github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdII
 github.com/OpenPeeDeeP/depguard v1.0.1/go.mod h1:xsIw86fROiiwelg+jB2uM9PiKihMMmUx/1V+TNhjQvM=
 github.com/PaesslerAG/gval v1.0.0 h1:GEKnRwkWDdf9dOmKcNrar9EA1bz1z9DqPIO1+iLzhd8=
 github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
-github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
-github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8=
 github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8=
 github.com/PaesslerAG/jsonpath v0.1.1 h1:c1/AToHQMVsduPAa4Vh6xp2U0evy4t8SWp8imEsylIk=
 github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY=
diff --git a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
index 4fef03bfd3c..ec6420fe02d 100644
--- a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
+++ b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
@@ -155,16 +155,14 @@ func (r *Reconciler) inlinePublicKeys(ctx context.Context, cip *v1alpha1.Cluster
 				return nil, err
 			}
 		}
-		if authority.Key != nil && authority.Key.KMS != "" {
-			if strings.Contains(authority.Key.KMS, "://") {
-				pubKeyString, err := getKMSPublicKey(ctx, authority.Key.KMS)
-				if err != nil {
-					return nil, err
-				}
-
-				authority.Key.Data = pubKeyString
-				authority.Key.KMS = ""
+		if authority.Key != nil && strings.Contains(authority.Key.KMS, "://") {
+			pubKeyString, err := getKMSPublicKey(ctx, authority.Key.KMS)
+			if err != nil {
+				return nil, err
 			}
+
+			authority.Key.Data = pubKeyString
+			authority.Key.KMS = ""
 		}
 	}
 	return ret, nil
diff --git a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go
index 95e7ab97a0b..2c25232a2a5 100644
--- a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go
+++ b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go
@@ -511,8 +511,9 @@ func TestReconcile(t *testing.T) {
 			AssertTrackingSecret(system.Namespace(), keylessSecretName),
 		},
 	}, {
-		Name: "ClusterImagePolicy with glob and KMS key, added the data after querying the fake signer",
-		Key:  cipKMSName,
+		Name:                    "ClusterImagePolicy with glob and KMS key, added the data after querying the fake signer",
+		Key:                     cipKMSName,
+		SkipNamespaceValidation: true, // Cluster scoped
 		Objects: []runtime.Object{
 			NewClusterImagePolicy(cipKMSName,
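Review bot: A non-empty `authority.Key.KMS` that lacks a `://` scheme (a typo such as `gcpkms:/projects/...`) still falls through the rewritten condition silently: the authority is kept with `Data` empty and `KMS` left as the unresolved string, and nothing in this hunk reports it, so a misconfigured policy is accepted rather than failing closed. Unless validation elsewhere already rejects scheme-less references (not visible here), consider adding after the new block `} else if authority.Key != nil && authority.Key.KMS != "" { return nil, fmt.Errorf("kms key reference %q has no provider scheme", authority.Key.KMS) }` (assuming `fmt` is imported in this file), which would presumably surface through the same InternalError event this commit tests for unsupported providers. `inlinePublicKeys` begins before the hunk, so the loop header and the construction of `ret` are not visible here.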
@@ -557,7 +558,35 @@ func TestReconcile(t *testing.T) {
 		WantPatches: []clientgotesting.PatchActionImpl{
 			makePatch(replaceCIPKeySourcePatch),
 		},
-	}, {}}
+	}, {
+		Name: "ClusterImagePolicy with glob and KMS key, for unsupported KMS provider",
+		Key:  cipKMSName,
+
+		// gcpkms:// is not enabled in tests; this test serves
+		// as an extra check that "real" KMS providers like GCP
+		// aren't enabled in dependencies of this test.
+		SkipNamespaceValidation: true, // Cluster scoped
+		Objects: []runtime.Object{
+			NewClusterImagePolicy(cipKMSName,
+				WithImagePattern(v1alpha1.ImagePattern{
+					Glob: glob,
+				}),
+				WithAuthority(v1alpha1.Authority{
+					Key: &v1alpha1.KeyRef{
+						KMS: "gcpkms://blah",
+					}},
+				)),
+			makeEmptyConfigMap(), // Make the existing configmap
+		},
+		WantErr: true,
+		WantPatches: []clientgotesting.PatchActionImpl{
+			patchFinalizers(system.Namespace(), cipKMSName),
+		},
+		WantEvents: []string{
+			Eventf(corev1.EventTypeNormal, "FinalizerUpdate", `Updated "test-kms-cip" finalizers`),
+			Eventf(corev1.EventTypeWarning, "InternalError", `no kms provider found for key reference: gcpkms://blah`),
+		},
+	}}
 
 	logger := logtesting.TestLogger(t)
 	table.Test(t, MakeFactory(func(ctx context.Context, listers *Listers, cmw configmap.Watcher) controller.Reconciler {
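Review bot: The new case pins the exact string `no kms provider found for key reference: gcpkms://blah`, which does not originate in this package (it is whatever `getKMSPublicKey` returns from the KMS provider lookup in a dependency), so a wording change upstream breaks this reconciler test with no behavioral change here; if the table harness allows it, asserting on `WantErr` plus the `InternalError` reason, or deriving the expected text from a shared constant, would be more robust. The table also still lacks a case for a `KMS` value with no `://` scheme (for example `gcpkms:blah`): the reconciler's `strings.Contains` guard never passes such a reference to `getKMSPublicKey`, so nothing here establishes whether it is rejected or silently accepted. The comment explaining that gcpkms:// is not enabled is useful; make its dependency explicit, e.g. `// Relies on no real KMS provider package (e.g. gcpkms) being linked into this test binary; if one is added, this case starts succeeding and must be revisited.`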