diff --git a/pkg/chains/signing/kms/kms.go b/pkg/chains/signing/kms/kms.go index 8db5c1669a..c280fc888a 100644 --- a/pkg/chains/signing/kms/kms.go +++ b/pkg/chains/signing/kms/kms.go @@ -17,8 +17,9 @@ package kms import ( "context" "crypto" - - "github.com/tektoncd/chains/pkg/config" + "net" + "strings" + "time" "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/kms" @@ -27,6 +28,7 @@ import ( _ "github.com/sigstore/sigstore/pkg/signature/kms/gcp" _ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault" "github.com/sigstore/sigstore/pkg/signature/options" + "github.com/tektoncd/chains/pkg/config" "github.com/spiffe/go-spiffe/v2/svid/jwtsvid" "github.com/spiffe/go-spiffe/v2/workloadapi" @@ -41,6 +43,19 @@ type Signer struct { // NewSigner returns a configured Signer func NewSigner(ctx context.Context, cfg config.KMSSigner) (*Signer, error) { kmsOpts := []signature.RPCOption{} + + // Checks if the vault address provide by the user is a valid address or not + if cfg.Auth.Address != "" { + vaultAddress := strings.TrimPrefix(cfg.Auth.Address, "http://") + vaultAddress = strings.TrimPrefix(vaultAddress, "https://") + + conn, err := net.DialTimeout("tcp", vaultAddress, 5*time.Second) + if err != nil { + return nil, err + } + defer conn.Close() + } + // pass through configuration options to RPCAuth used by KMS in sigstore rpcAuth := options.RPCAuth{ Address: cfg.Auth.Address, diff --git a/pkg/chains/signing/kms/kms_test.go b/pkg/chains/signing/kms/kms_test.go new file mode 100644 index 0000000000..af2114224b --- /dev/null +++ b/pkg/chains/signing/kms/kms_test.go @@ -0,0 +1,45 @@ +/* +Copyright 2023 The Tekton Authors +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package kms creates a signer using a key management server + +package kms + +import ( + "context" + "testing" + + "github.com/tektoncd/chains/pkg/config" +) + +func TestInValidVaultAddressTimeout(t *testing.T) { + cfg := config.KMSSigner{} + cfg.Auth.Address = "http://8.8.8.8:8200" + + _, err := NewSigner(context.TODO(), cfg) + expectedErrorMessage := "dial tcp 8.8.8.8:8200: i/o timeout" + if err.Error() != expectedErrorMessage { + t.Errorf("Expected error message '%s', but got '%s'", expectedErrorMessage, err.Error()) + } +} + +func TestInValidVaultAddressConnectionRefused(t *testing.T) { + cfg := config.KMSSigner{} + cfg.Auth.Address = "http://127.0.0.1:8200" + + _, err := NewSigner(context.TODO(), cfg) + expectedErrorMessage := "dial tcp 127.0.0.1:8200: connect: connection refused" + if err.Error() != expectedErrorMessage { + t.Errorf("Expected error message '%s', but got '%s'", expectedErrorMessage, err.Error()) + } +}