fix(oci): pass remote options to SignedUnknown calls

l-qing · l-qing · commit 885b1ba8c661 · 2025-08-24T11:34:05.000+08:00
- Ensure SignedUnknown uses the same remote options as SignedEntity
- Fix insecure registry support for unknown/missing images
- Improve test coverage for secure vs insecure mode validation
diff --git a/pkg/chains/storage/oci/attestation.go b/pkg/chains/storage/oci/attestation.go
@@ -63,7 +63,7 @@ func (s *AttestationStorer) Store(ctx context.Context, req *api.StoreRequest[nam
 	se, err := ociremote.SignedEntity(req.Artifact, ociremote.WithRemoteOptions(s.remoteOpts...))
 	var entityNotFoundError *ociremote.EntityNotFoundError
 	if errors.As(err, &entityNotFoundError) {
-		se = ociremote.SignedUnknown(req.Artifact)
+		se = ociremote.SignedUnknown(req.Artifact, ociremote.WithRemoteOptions(s.remoteOpts...))
 	} else if err != nil {
 		return nil, errors.Wrap(err, "getting signed image")
 	}
diff --git a/pkg/chains/storage/oci/oci_test.go b/pkg/chains/storage/oci/oci_test.go
@@ -246,32 +246,39 @@ func TestBackend_StorePayload(t *testing.T) {
 
 // TestBackend_StorePayload_Insecure tests the StorePayload functionality with both secure and insecure configurations.
 // It verifies that:
-// 1. In secure mode, the backend should reject connections to untrusted registries
-// 2. In insecure mode, the backend should attempt to connect but fail due to missing image
+// 1. In secure mode, the backend should reject connections to untrusted registries due to TLS certificate verification failure
+// 2. In insecure mode, the backend should successfully connect and upload signatures, bypassing TLS verification
 func TestBackend_StorePayload_Insecure(t *testing.T) {
 	// Setup test registry with self-signed certificate
 	s, registryURL := setupTestRegistry(t)
 	defer s.Close()
 
 	testCases := []struct {
-		name       string
-		insecure   bool
-		wantErrMsg string
+		name        string
+		insecure    bool
+		wantErr     bool
+		wantErrMsg  string
+		description string
 	}{
 		{
-			name:       "secure mode - should reject untrusted registry",
-			insecure:   false,
-			wantErrMsg: "tls: failed to verify certificate: x509:",
+			name:        "secure mode with untrusted certificate",
+			insecure:    false,
+			wantErr:     true,
+			wantErrMsg:  "tls: failed to verify certificate: x509:",
+			description: "Should reject connection to registry with self-signed certificate",
 		},
 		{
-			name:       "insecure mode - should attempt connection but fail due to missing image",
-			insecure:   true,
-			wantErrMsg: "getting signed image: entity not found in registry",
+			name:        "insecure mode bypassing TLS verification",
+			insecure:    true,
+			wantErr:     false,
+			wantErrMsg:  "",
+			description: "Should successfully connect and upload signature despite untrusted certificate",
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+
 			// Initialize backend with test configuration
 			b := &Backend{
 				cfg: config.Config{
@@ -311,12 +318,19 @@ func TestBackend_StorePayload_Insecure(t *testing.T) {
 				PayloadFormat: formats.PayloadTypeSimpleSigning,
 			})
 
-			if err == nil {
-				t.Error("expected error but got nil")
-				return
-			}
-			if !strings.Contains(err.Error(), tc.wantErrMsg) {
-				t.Errorf("error message mismatch\ngot: %v\nwant: %v", err, tc.wantErrMsg)
+			// Validate test results based on expected outcome
+			if tc.wantErr {
+				if err == nil {
+					t.Errorf("%s: expected error but got nil", tc.description)
+					return
+				}
+				if tc.wantErrMsg != "" && !strings.Contains(err.Error(), tc.wantErrMsg) {
+					t.Errorf("%s: error message mismatch\ngot: %v\nwant: %v", tc.description, err, tc.wantErrMsg)
+				}
+			} else {
+				if err != nil {
+					t.Errorf("%s: expected success but got error: %v", tc.description, err)
+				}
 			}
 		})
 	}
diff --git a/pkg/chains/storage/oci/simple.go b/pkg/chains/storage/oci/simple.go
@@ -59,7 +59,7 @@ func (s *SimpleStorer) Store(ctx context.Context, req *api.StoreRequest[name.Dig
 	se, err := ociremote.SignedEntity(req.Artifact, ociremote.WithRemoteOptions(s.remoteOpts...))
 	var entityNotFoundError *ociremote.EntityNotFoundError
 	if errors.As(err, &entityNotFoundError) {
-		se = ociremote.SignedUnknown(req.Artifact)
+		se = ociremote.SignedUnknown(req.Artifact, ociremote.WithRemoteOptions(s.remoteOpts...))
 	} else if err != nil {
 		return nil, errors.Wrap(err, "getting signed image")
 	}

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func (s AttestationStorer) Store(ctx context.Context, req api.StoreRequest[nam`
`63`	`63`	`se, err := ociremote.SignedEntity(req.Artifact, ociremote.WithRemoteOptions(s.remoteOpts...))`
`64`	`64`	`var entityNotFoundError *ociremote.EntityNotFoundError`
`65`	`65`	`if errors.As(err, &entityNotFoundError) {`
`66`		`- se = ociremote.SignedUnknown(req.Artifact)`
	`66`	`+ se = ociremote.SignedUnknown(req.Artifact, ociremote.WithRemoteOptions(s.remoteOpts...))`
`67`	`67`	`} else if err != nil {`
`68`	`68`	`return nil, errors.Wrap(err, "getting signed image")`
`69`	`69`	`}`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ func (s SimpleStorer) Store(ctx context.Context, req api.StoreRequest[name.Dig`
`59`	`59`	`se, err := ociremote.SignedEntity(req.Artifact, ociremote.WithRemoteOptions(s.remoteOpts...))`
`60`	`60`	`var entityNotFoundError *ociremote.EntityNotFoundError`
`61`	`61`	`if errors.As(err, &entityNotFoundError) {`
`62`		`- se = ociremote.SignedUnknown(req.Artifact)`
	`62`	`+ se = ociremote.SignedUnknown(req.Artifact, ociremote.WithRemoteOptions(s.remoteOpts...))`
`63`	`63`	`} else if err != nil {`
`64`	`64`	`return nil, errors.Wrap(err, "getting signed image")`
`65`	`65`	`}`