From 506536d525c836ca44a442c709b86e468d5e0366 Mon Sep 17 00:00:00 2001
From: Joe Lanford
Date: Thu, 24 Apr 2025 16:11:11 -0400
Subject: [PATCH] pkg/image: fixup containers/image registry test with a test-defined signature policy

This avoids a dependency on the developer CI environment's system/user system policy.

Signed-off-by: Joe Lanford
---
 pkg/image/registry_test.go | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/pkg/image/registry_test.go b/pkg/image/registry_test.go
index 4fc638c8f..f4de78564 100644
--- a/pkg/image/registry_test.go
+++ b/pkg/image/registry_test.go
@@ -38,8 +38,7 @@ type cleanupFunc func()
 type newRegistryFunc func(t *testing.T, serverCert *x509.Certificate) (image.Registry, cleanupFunc)
 
 func caDirForCert(t *testing.T, serverCert *x509.Certificate) string {
- caDir, err := os.MkdirTemp("", "opm-registry-test-ca-")
- require.NoError(t, err)
+ caDir := t.TempDir()
 caFile, err := os.Create(filepath.Join(caDir, "ca.crt"))
 require.NoError(t, err)
 
@@ -51,6 +50,29 @@ func caDirForCert(t *testing.T, serverCert *x509.Certificate) string {
 return caDir
 }
 
+const insecureSignaturePolicy = `{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports":
+ {
+ "docker-daemon":
+ {
+ "": [{"type":"insecureAcceptAnything"}]
+ }
+ }
+}`
+
+func createSignaturePolicyFile(t *testing.T) string {
+ policyDir := t.TempDir()
+ policyFilePath := filepath.Join(policyDir, "policy.json")
+ err := os.WriteFile(policyFilePath, []byte(insecureSignaturePolicy), 0600)
+ require.NoError(t, err)
+ return policyFilePath
+}
+
 func poolForCert(serverCert *x509.Certificate) *x509.CertPool {
 rootCAs := x509.NewCertPool()
 rootCAs.AddCert(serverCert)
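Review bot: The added `insecureSignaturePolicy` constant and `createSignaturePolicyFile` helper carry no comments, and the policy they write accepts every image without signature verification, so the reason belongs next to the constant where someone copying it will see it. A doc comment such as `// insecureSignaturePolicy disables signature verification; test-only, so the test does not depend on the host's policy.json.` would make that explicit. The helper should also call `t.Helper()` as its first statement so a failing `require.NoError` is reported at the calling test line. The `transports` / `docker-daemon` entry grants nothing beyond what `default` already allows and could be dropped, unless it is kept deliberately to mirror a stock policy file.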
@@ -61,10 +83,12 @@ func TestRegistries(t *testing.T) {
 registries := map[string]newRegistryFunc{
 "containersimage": func(t *testing.T, serverCert *x509.Certificate) (image.Registry, cleanupFunc) {
 caDir := caDirForCert(t, serverCert)
+ policyFile := createSignaturePolicyFile(t)
 sourceCtx := &types.SystemContext{
 OCICertPath: caDir,
 DockerCertPath: caDir,
 DockerPerHostCertDirPath: caDir,
+ SignaturePolicyPath: policyFile,
 }
 r, err := containersimageregistry.New(sourceCtx, containersimageregistry.WithTemporaryImageCache())
 require.NoError(t, err)