From 562fd7b9be6bb0994ccd196732b3d932413526d3 Mon Sep 17 00:00:00 2001
From: Jason Hall <jason@chainguard.dev>
Date: Wed, 26 Apr 2023 16:27:27 -0400
Subject: [PATCH 1/3] add resource update tests, force-new on sign, use OCI
 validators

Signed-off-by: Jason Hall <jason@chainguard.dev>
---
 .github/workflows/test.yml                    |  17 +-
 go.mod                                        |   1 +
 internal/provider/attest_resource_test.go     |  89 ---------
 internal/provider/digest_validator.go         |  27 ---
 internal/provider/json_validator.go           |  27 ---
 internal/provider/ref_validator.go            |  25 ---
 ...{attest_resource.go => resource_attest.go} |   7 +-
 internal/provider/resource_attest_test.go     | 187 ++++++++++++++++++
 .../{sign_resource.go => resource_sign.go}    |   3 +-
 internal/provider/resource_sign_test.go       | 142 +++++++++++++
 internal/provider/sign_resource_test.go       |  63 ------
 internal/provider/url_validator.go            |  25 ---
 internal/provider/verify_data_source.go       |   3 +-
 13 files changed, 341 insertions(+), 275 deletions(-)
 delete mode 100644 internal/provider/attest_resource_test.go
 delete mode 100644 internal/provider/digest_validator.go
 delete mode 100644 internal/provider/json_validator.go
 delete mode 100644 internal/provider/ref_validator.go
 rename internal/provider/{attest_resource.go => resource_attest.go} (96%)
 create mode 100644 internal/provider/resource_attest_test.go
 rename internal/provider/{sign_resource.go => resource_sign.go} (97%)
 create mode 100644 internal/provider/resource_sign_test.go
 delete mode 100644 internal/provider/sign_resource_test.go
 delete mode 100644 internal/provider/url_validator.go

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fd56aa54..1f21edaa 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
     - uses: actions/setup-go@v4
       with:
-        go-version: '1.18'
+        go-version: 1.20.x
     - run: go generate ./...
     - name: git diff
       run: |
@@ -43,22 +43,11 @@ jobs:
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
     - uses: actions/setup-go@v4
       with:
-        go-version: '1.18'
-
-    - uses: imjasonh/setup-crane@v0.3
-    - uses: chainguard-dev/actions/setup-registry@main
-      with:
-        port: 5000
-
+        go-version: 1.20.x
     - uses: hashicorp/setup-terraform@v2
       with:
         terraform_version: ${{ matrix.terraform }}
         terraform_wrapper: false
-
     - run: go mod download
     - run: go build -v .
-    - run: |
-        crane copy --insecure cgr.dev/chainguard/static:latest-glibc localhost:5000/cosign-testing
-        export TEST_IMAGE=localhost:5000/cosign-testing@$(crane digest --insecure localhost:5000/cosign-testing)
-
-        TF_ACC=1 go test -v -cover ./internal/provider/
+    - run: TF_ACC=1 go test -v -cover ./internal/provider/
diff --git a/go.mod b/go.mod
index a4d028c6..70223d3d 100644
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,7 @@ module github.com/chainguard-dev/terraform-provider-cosign
 go 1.19
 
 require (
+	github.com/chainguard-dev/terraform-provider-oci v0.0.0-20230425204147-f48901367805
 	github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/terraform-plugin-docs v0.14.1
diff --git a/internal/provider/attest_resource_test.go b/internal/provider/attest_resource_test.go
deleted file mode 100644
index 25d80f13..00000000
--- a/internal/provider/attest_resource_test.go
+++ /dev/null
@@ -1,89 +0,0 @@
-package provider
-
-import (
-	"fmt"
-	"os"
-	"regexp"
-	"testing"
-
-	"github.com/google/uuid"
-	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
-)
-
-func TestAccResourceCosignAttest(t *testing.T) {
-	digest := os.Getenv("TEST_IMAGE")
-
-	url := "https://example.com/" + uuid.New().String()
-
-	value := uuid.New().String()
-
-	resource.Test(t, resource.TestCase{
-		PreCheck:                 func() { testAccPreCheck(t) },
-		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
-		Steps: []resource.TestStep{{
-			Config: fmt.Sprintf(`
-resource "cosign_attest" "foo" {
-  image          = %q
-  predicate_type = %q
-  predicate      = jsonencode({
-    foo = %q
-  })
-}
-
-data "cosign_verify" "bar" {
-  image  = cosign_attest.foo.attested_ref
-  policy = jsonencode({
-    apiVersion = "policy.sigstore.dev/v1beta1"
-    kind       = "ClusterImagePolicy"
-    metadata = {
-      name = "attested-it"
-    }
-    spec = {
-      images = [{
-        glob = %q
-      }]
-      authorities = [{
-        keyless = {
-          url = "https://fulcio.sigstore.dev"
-          identities = [{
-            issuer  = "https://token.actions.githubusercontent.com"
-            subject = "https://github.com/chainguard-dev/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
-          }]
-        }
-        attestations = [{
-          name = "must-have-attestation"
-          predicateType = %q
-          policy = {
-            type = "cue"
-            // When we do things in this style, we can use file("foo.cue") too!
-            data = <<EOF
-              predicateType: %q
-              predicate: {
-                foo: string
-                // Uncommenting this leads to a failure.
-                // foo: "bar"
-                foo: %q
-              }
-            EOF
-          }
-        }]
-        ctlog = {
-          url = "https://rekor.sigstore.dev"
-        }
-      }]
-    }
-  })
-}
-`, digest, url, value, digest, url, url, value),
-			Check: resource.ComposeTestCheckFunc(
-				resource.TestMatchResourceAttr(
-					"cosign_attest.foo", "image", regexp.MustCompile("^"+digest)),
-				resource.TestMatchResourceAttr(
-					"cosign_attest.foo", "attested_ref", regexp.MustCompile("^"+digest)),
-				// Check that it got attested!
-				resource.TestMatchResourceAttr(
-					"data.cosign_verify.bar", "verified_ref", regexp.MustCompile("^"+digest)),
-			),
-		}},
-	})
-}
diff --git a/internal/provider/digest_validator.go b/internal/provider/digest_validator.go
deleted file mode 100644
index 695340a6..00000000
--- a/internal/provider/digest_validator.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package provider
-
-import (
-	"context"
-
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
-)
-
-type digestValidator struct{}
-
-var _ validator.String = digestValidator{}
-
-func (v digestValidator) Description(context.Context) string {
-	return "value must be a valid OCI digest"
-}
-func (v digestValidator) MarkdownDescription(ctx context.Context) string { return v.Description(ctx) }
-
-func (v digestValidator) ValidateString(_ context.Context, req validator.StringRequest, resp *validator.StringResponse) {
-	if req.ConfigValue.IsNull() || req.ConfigValue.IsUnknown() {
-		return
-	}
-	val := req.ConfigValue.ValueString()
-	if _, err := name.NewDigest(val); err != nil {
-		resp.Diagnostics.AddError("Invalid OCI digest", err.Error())
-	}
-}
diff --git a/internal/provider/json_validator.go b/internal/provider/json_validator.go
deleted file mode 100644
index ee4bba0c..00000000
--- a/internal/provider/json_validator.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package provider
-
-import (
-	"context"
-	"encoding/json"
-
-	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
-)
-
-type jsonValidator struct{}
-
-var _ validator.String = jsonValidator{}
-
-func (v jsonValidator) Description(context.Context) string             { return "value must be valid json" }
-func (v jsonValidator) MarkdownDescription(ctx context.Context) string { return v.Description(ctx) }
-
-func (v jsonValidator) ValidateString(_ context.Context, req validator.StringRequest, resp *validator.StringResponse) {
-	if req.ConfigValue.IsNull() || req.ConfigValue.IsUnknown() {
-		return
-	}
-	val := req.ConfigValue.ValueString()
-
-	var untyped interface{}
-	if err := json.Unmarshal([]byte(val), &untyped); err != nil {
-		resp.Diagnostics.AddError("Invalid json", err.Error())
-	}
-}
diff --git a/internal/provider/ref_validator.go b/internal/provider/ref_validator.go
deleted file mode 100644
index 1bac9d46..00000000
--- a/internal/provider/ref_validator.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package provider
-
-import (
-	"context"
-
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
-)
-
-type refValidator struct{}
-
-var _ validator.String = refValidator{}
-
-func (v refValidator) Description(context.Context) string             { return "value must be a valid OCI ref" }
-func (v refValidator) MarkdownDescription(ctx context.Context) string { return v.Description(ctx) }
-
-func (v refValidator) ValidateString(_ context.Context, req validator.StringRequest, resp *validator.StringResponse) {
-	if req.ConfigValue.IsNull() || req.ConfigValue.IsUnknown() {
-		return
-	}
-	val := req.ConfigValue.ValueString()
-	if _, err := name.ParseReference(val); err != nil {
-		resp.Diagnostics.AddError("Invalid image reference", err.Error())
-	}
-}
diff --git a/internal/provider/attest_resource.go b/internal/provider/resource_attest.go
similarity index 96%
rename from internal/provider/attest_resource.go
rename to internal/provider/resource_attest.go
index a99aac62..bc35ce66 100644
--- a/internal/provider/attest_resource.go
+++ b/internal/provider/resource_attest.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/chainguard-dev/terraform-provider-oci/pkg/validators"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
@@ -57,7 +58,7 @@ func (r *AttestResource) Schema(ctx context.Context, req resource.SchemaRequest,
 				MarkdownDescription: "The digest of the container image to attest.",
 				Optional:            false,
 				Required:            true,
-				Validators:          []validator.String{digestValidator{}},
+				Validators:          []validator.String{validators.DigestValidator{}},
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},
@@ -66,7 +67,7 @@ func (r *AttestResource) Schema(ctx context.Context, req resource.SchemaRequest,
 				MarkdownDescription: "The in-toto predicate type of the claim being attested.",
 				Optional:            false,
 				Required:            true,
-				Validators:          []validator.String{urlValidator{}},
+				Validators:          []validator.String{validators.URLValidator{}},
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},
@@ -75,7 +76,7 @@ func (r *AttestResource) Schema(ctx context.Context, req resource.SchemaRequest,
 				MarkdownDescription: "The JSON body of the in-toto predicate's claim.",
 				Optional:            false,
 				Required:            true,
-				Validators:          []validator.String{jsonValidator{}},
+				Validators:          []validator.String{validators.JSONValidator{}},
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},
diff --git a/internal/provider/resource_attest_test.go b/internal/provider/resource_attest_test.go
new file mode 100644
index 00000000..9200bcb4
--- /dev/null
+++ b/internal/provider/resource_attest_test.go
@@ -0,0 +1,187 @@
+package provider
+
+import (
+	"fmt"
+	"regexp"
+	"testing"
+
+	ocitesting "github.com/chainguard-dev/terraform-provider-oci/testing"
+	"github.com/google/go-containerregistry/pkg/v1/random"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/google/uuid"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccResourceCosignAttest(t *testing.T) {
+	repo, cleanup := ocitesting.SetupRepository(t, "test")
+	defer cleanup()
+
+	// Push two images by digest.
+	img1, err := random.Image(1024, 1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dig1, err := img1.Digest()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := remote.Write(repo.Digest(dig1.String()), img1); err != nil {
+		t.Fatal(err)
+	}
+
+	img2, err := random.Image(1024, 1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dig2, err := img2.Digest()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := remote.Write(repo.Digest(dig2.String()), img2); err != nil {
+		t.Fatal(err)
+	}
+
+	url := "https://example.com/" + uuid.New().String()
+
+	value := uuid.New().String()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			// Attest and verify the first image.
+			{
+				Config: fmt.Sprintf(`
+resource "cosign_attest" "foo" {
+  image          = %q
+  predicate_type = %q
+  predicate      = jsonencode({
+    foo = %q
+  })
+}
+
+data "cosign_verify" "bar" {
+  image  = cosign_attest.foo.attested_ref
+  policy = jsonencode({
+    apiVersion = "policy.sigstore.dev/v1beta1"
+    kind       = "ClusterImagePolicy"
+    metadata = {
+      name = "attested-it"
+    }
+    spec = {
+      images = [{
+        glob = %q
+      }]
+      authorities = [{
+        keyless = {
+          url = "https://fulcio.sigstore.dev"
+          identities = [{
+            issuer  = "https://token.actions.githubusercontent.com"
+            subject = "https://github.com/imjasonh/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
+          }]
+        }
+        attestations = [{
+          name = "must-have-attestation"
+          predicateType = %q
+          policy = {
+            type = "cue"
+            // When we do things in this style, we can use file("foo.cue") too!
+            data = <<EOF
+              predicateType: %q
+              predicate: {
+                foo: string
+                // Uncommenting this leads to a failure.
+                // foo: "bar"
+                foo: %q
+              }
+            EOF
+          }
+        }]
+        ctlog = {
+          url = "https://rekor.sigstore.dev"
+        }
+      }]
+    }
+  })
+}
+`, dig1, url, value, dig1, url, url, value),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestMatchResourceAttr(
+						"cosign_attest.foo", "image", regexp.MustCompile("^"+dig1.String())),
+					resource.TestMatchResourceAttr(
+						"cosign_attest.foo", "attested_ref", regexp.MustCompile("^"+dig1.String())),
+					// Check that it got attested!
+					resource.TestMatchResourceAttr(
+						"data.cosign_verify.bar", "verified_ref", regexp.MustCompile("^"+dig1.String())),
+				),
+			},
+
+			// Update the resource to attest the second image, and verify it.
+			{
+				Config: fmt.Sprintf(`
+resource "cosign_attest" "foo" {
+  image          = %q
+  predicate_type = %q
+  predicate      = jsonencode({
+    foo = %q
+  })
+}
+
+data "cosign_verify" "bar" {
+  image  = cosign_attest.foo.attested_ref
+  policy = jsonencode({
+    apiVersion = "policy.sigstore.dev/v1beta1"
+    kind       = "ClusterImagePolicy"
+    metadata = {
+      name = "attested-it"
+    }
+    spec = {
+      images = [{
+        glob = %q
+      }]
+      authorities = [{
+        keyless = {
+          url = "https://fulcio.sigstore.dev"
+          identities = [{
+            issuer  = "https://token.actions.githubusercontent.com"
+            subject = "https://github.com/imjasonh/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
+          }]
+        }
+        attestations = [{
+          name = "must-have-attestation"
+          predicateType = %q
+          policy = {
+            type = "cue"
+            // When we do things in this style, we can use file("foo.cue") too!
+            data = <<EOF
+              predicateType: %q
+              predicate: {
+                foo: string
+                // Uncommenting this leads to a failure.
+                // foo: "bar"
+                foo: %q
+              }
+            EOF
+          }
+        }]
+        ctlog = {
+          url = "https://rekor.sigstore.dev"
+        }
+      }]
+    }
+  })
+}
+`, dig2, url, value, dig2, url, url, value),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestMatchResourceAttr(
+						"cosign_attest.foo", "image", regexp.MustCompile("^"+dig2.String())),
+					resource.TestMatchResourceAttr(
+						"cosign_attest.foo", "attested_ref", regexp.MustCompile("^"+dig2.String())),
+					// Check that it got attested!
+					resource.TestMatchResourceAttr(
+						"data.cosign_verify.bar", "verified_ref", regexp.MustCompile("^"+dig2.String())),
+				),
+			},
+		},
+	})
+}
diff --git a/internal/provider/sign_resource.go b/internal/provider/resource_sign.go
similarity index 97%
rename from internal/provider/sign_resource.go
rename to internal/provider/resource_sign.go
index 74c671e3..5d671ccc 100644
--- a/internal/provider/sign_resource.go
+++ b/internal/provider/resource_sign.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/chainguard-dev/terraform-provider-oci/pkg/validators"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
@@ -54,7 +55,7 @@ func (r *SignResource) Schema(ctx context.Context, req resource.SchemaRequest, r
 				MarkdownDescription: "The digest of the container image to sign.",
 				Optional:            false,
 				Required:            true,
-				Validators:          []validator.String{digestValidator{}},
+				Validators:          []validator.String{validators.DigestValidator{}},
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},
diff --git a/internal/provider/resource_sign_test.go b/internal/provider/resource_sign_test.go
new file mode 100644
index 00000000..c8a5c64d
--- /dev/null
+++ b/internal/provider/resource_sign_test.go
@@ -0,0 +1,142 @@
+package provider
+
+import (
+	"fmt"
+	"regexp"
+	"testing"
+
+	ocitesting "github.com/chainguard-dev/terraform-provider-oci/testing"
+	"github.com/google/go-containerregistry/pkg/v1/random"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccResourceCosignSign(t *testing.T) {
+	repo, cleanup := ocitesting.SetupRepository(t, "test")
+	defer cleanup()
+
+	// Push two images by digest.
+	img1, err := random.Image(1024, 1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dig1, err := img1.Digest()
+	if err != nil {
+		t.Fatal(err)
+	}
+	ref1 := repo.Digest(dig1.String())
+	if err := remote.Write(ref1, img1); err != nil {
+		t.Fatal(err)
+	}
+
+	img2, err := random.Image(1024, 1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dig2, err := img2.Digest()
+	if err != nil {
+		t.Fatal(err)
+	}
+	ref2 := repo.Digest(dig2.String())
+	if err := remote.Write(ref2, img2); err != nil {
+		t.Fatal(err)
+	}
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			// Sign and verify the first image.
+			{
+				Config: fmt.Sprintf(`
+resource "cosign_sign" "foo" {
+  image = %q
+}
+
+data "cosign_verify" "bar" {
+  image  = cosign_sign.foo.signed_ref
+  policy = jsonencode({
+    apiVersion = "policy.sigstore.dev/v1beta1"
+    kind       = "ClusterImagePolicy"
+    metadata = {
+      name = "signed-it"
+    }
+    spec = {
+      images = [{
+        glob = %q
+      }]
+      authorities = [{
+        keyless = {
+          url = "https://fulcio.sigstore.dev"
+          identities = [{
+            issuer  = "https://token.actions.githubusercontent.com"
+            subject = "https://github.com/imjasonh/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
+          }]
+        }
+        ctlog = {
+          url = "https://rekor.sigstore.dev"
+        }
+      }]
+    }
+  })
+}
+`, ref1, ref1),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestMatchResourceAttr(
+						"cosign_sign.foo", "image", regexp.MustCompile("^"+ref1.String())),
+					resource.TestMatchResourceAttr(
+						"cosign_sign.foo", "signed_ref", regexp.MustCompile("^"+ref1.String())),
+					// Check that it got signed!
+					resource.TestMatchResourceAttr(
+						"data.cosign_verify.bar", "verified_ref", regexp.MustCompile("^"+ref1.String())),
+				),
+			},
+
+			// Update the sign resource to sign the second image, and verify that.
+			{
+				Config: fmt.Sprintf(`
+resource "cosign_sign" "foo" {
+  image = %q
+}
+
+data "cosign_verify" "bar" {
+  image  = cosign_sign.foo.signed_ref
+  policy = jsonencode({
+    apiVersion = "policy.sigstore.dev/v1beta1"
+    kind       = "ClusterImagePolicy"
+    metadata = {
+      name = "signed-it"
+    }
+    spec = {
+      images = [{
+        glob = %q
+      }]
+      authorities = [{
+        keyless = {
+          url = "https://fulcio.sigstore.dev"
+          identities = [{
+            issuer  = "https://token.actions.githubusercontent.com"
+            subject = "https://github.com/imjasonh/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
+          }]
+        }
+        ctlog = {
+          url = "https://rekor.sigstore.dev"
+        }
+      }]
+    }
+  })
+}
+`, ref2, ref2),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestMatchResourceAttr(
+						"cosign_sign.foo", "image", regexp.MustCompile("^"+ref2.String())),
+					resource.TestMatchResourceAttr(
+						"cosign_sign.foo", "signed_ref", regexp.MustCompile("^"+ref2.String())),
+					// Check that it got signed!
+					resource.TestMatchResourceAttr(
+						"data.cosign_verify.bar", "verified_ref", regexp.MustCompile("^"+ref2.String())),
+				),
+			},
+		},
+	})
+}
diff --git a/internal/provider/sign_resource_test.go b/internal/provider/sign_resource_test.go
deleted file mode 100644
index 1109762a..00000000
--- a/internal/provider/sign_resource_test.go
+++ /dev/null
@@ -1,63 +0,0 @@
-package provider
-
-import (
-	"fmt"
-	"os"
-	"regexp"
-	"testing"
-
-	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
-)
-
-func TestAccResourceCosignSign(t *testing.T) {
-	digest := os.Getenv("TEST_IMAGE")
-
-	resource.Test(t, resource.TestCase{
-		PreCheck:                 func() { testAccPreCheck(t) },
-		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
-		Steps: []resource.TestStep{{
-			Config: fmt.Sprintf(`
-resource "cosign_sign" "foo" {
-  image = %q
-}
-
-data "cosign_verify" "bar" {
-  image  = cosign_sign.foo.signed_ref
-  policy = jsonencode({
-    apiVersion = "policy.sigstore.dev/v1beta1"
-    kind       = "ClusterImagePolicy"
-    metadata = {
-      name = "signed-it"
-    }
-    spec = {
-      images = [{
-        glob = %q
-      }]
-      authorities = [{
-        keyless = {
-          url = "https://fulcio.sigstore.dev"
-          identities = [{
-            issuer  = "https://token.actions.githubusercontent.com"
-            subject = "https://github.com/chainguard-dev/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
-          }]
-        }
-        ctlog = {
-          url = "https://rekor.sigstore.dev"
-        }
-      }]
-    }
-  })
-}
-`, digest, digest),
-			Check: resource.ComposeTestCheckFunc(
-				resource.TestMatchResourceAttr(
-					"cosign_sign.foo", "image", regexp.MustCompile("^"+digest)),
-				resource.TestMatchResourceAttr(
-					"cosign_sign.foo", "signed_ref", regexp.MustCompile("^"+digest)),
-				// Check that it got signed!
-				resource.TestMatchResourceAttr(
-					"data.cosign_verify.bar", "verified_ref", regexp.MustCompile("^"+digest)),
-			),
-		}},
-	})
-}
diff --git a/internal/provider/url_validator.go b/internal/provider/url_validator.go
deleted file mode 100644
index 53e47b56..00000000
--- a/internal/provider/url_validator.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package provider
-
-import (
-	"context"
-	"net/url"
-
-	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
-)
-
-type urlValidator struct{}
-
-var _ validator.String = urlValidator{}
-
-func (v urlValidator) Description(context.Context) string             { return "value must be a valid URL" }
-func (v urlValidator) MarkdownDescription(ctx context.Context) string { return v.Description(ctx) }
-
-func (v urlValidator) ValidateString(_ context.Context, req validator.StringRequest, resp *validator.StringResponse) {
-	if req.ConfigValue.IsNull() || req.ConfigValue.IsUnknown() {
-		return
-	}
-	val := req.ConfigValue.ValueString()
-	if _, err := url.Parse(val); err != nil {
-		resp.Diagnostics.AddError("Invalid url", err.Error())
-	}
-}
diff --git a/internal/provider/verify_data_source.go b/internal/provider/verify_data_source.go
index ad14b725..9b979d09 100644
--- a/internal/provider/verify_data_source.go
+++ b/internal/provider/verify_data_source.go
@@ -3,6 +3,7 @@ package provider
 import (
 	"context"
 
+	"github.com/chainguard-dev/terraform-provider-oci/pkg/validators"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/hashicorp/terraform-plugin-framework/datasource"
@@ -43,7 +44,7 @@ func (d *VerifyDataSource) Schema(ctx context.Context, req datasource.SchemaRequ
 			"image": schema.StringAttribute{
 				MarkdownDescription: "The image tag or digest of the container image to verify.",
 				Required:            true,
-				Validators:          []validator.String{refValidator{}},
+				Validators:          []validator.String{validators.RefValidator{}},
 			},
 			"policy": schema.StringAttribute{
 				MarkdownDescription: "The sigstore policy-controller policy to verify the image against.",

From 528aa86d1a809e2bba50146b3bc08d251e49845e Mon Sep 17 00:00:00 2001
From: Jason Hall <jason@chainguard.dev>
Date: Wed, 26 Apr 2023 16:41:22 -0400
Subject: [PATCH 2/3] fix go.mod, also rename data_source_verify.go

---
 go.mod                                                          | 2 +-
 go.sum                                                          | 2 ++
 .../provider/{verify_data_source.go => data_source_verify.go}   | 0
 .../{verify_data_source_test.go => data_source_verify_test.go}  | 0
 4 files changed, 3 insertions(+), 1 deletion(-)
 rename internal/provider/{verify_data_source.go => data_source_verify.go} (100%)
 rename internal/provider/{verify_data_source_test.go => data_source_verify_test.go} (100%)

diff --git a/go.mod b/go.mod
index 70223d3d..20a07633 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/chainguard-dev/terraform-provider-cosign
 go 1.19
 
 require (
-	github.com/chainguard-dev/terraform-provider-oci v0.0.0-20230425204147-f48901367805
+	github.com/chainguard-dev/terraform-provider-oci v0.0.0-20230426201150-f82273dff08e
 	github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/terraform-plugin-docs v0.14.1
diff --git a/go.sum b/go.sum
index 30379200..cf0f5ab4 100644
--- a/go.sum
+++ b/go.sum
@@ -248,6 +248,8 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chainguard-dev/terraform-provider-oci v0.0.0-20230426201150-f82273dff08e h1:9FgJN0uYkNRTKa9b4ds8yKWD0ic5ETUlP5mmAZfYmOc=
+github.com/chainguard-dev/terraform-provider-oci v0.0.0-20230426201150-f82273dff08e/go.mod h1:c0UCXzRaVhzUcS1raw1wrDsXJpOkwWvyv5RcnvAmX7U=
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20221002210726-e883f69e0206 h1:lG6Usi/kX/JBZzGz1H+nV+KwM97vThQeKunCbS6PutU=
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20221002210726-e883f69e0206/go.mod h1:1UmFRnmMnVsHwD+ZntmLkoVBB1ZLa6V+XXEbF6hZCxU=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
diff --git a/internal/provider/verify_data_source.go b/internal/provider/data_source_verify.go
similarity index 100%
rename from internal/provider/verify_data_source.go
rename to internal/provider/data_source_verify.go
diff --git a/internal/provider/verify_data_source_test.go b/internal/provider/data_source_verify_test.go
similarity index 100%
rename from internal/provider/verify_data_source_test.go
rename to internal/provider/data_source_verify_test.go

From 8226e908f8129091dfd3820cc7846b1b15e785bb Mon Sep 17 00:00:00 2001
From: Jason Hall <jason@chainguard.dev>
Date: Wed, 26 Apr 2023 16:52:08 -0400
Subject: [PATCH 3/3] fix tests, skip locally

Signed-off-by: Jason Hall <jason@chainguard.dev>
---
 internal/provider/resource_attest_test.go | 31 ++++++++++++++---------
 internal/provider/resource_sign_test.go   |  9 +++++--
 2 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/internal/provider/resource_attest_test.go b/internal/provider/resource_attest_test.go
index 9200bcb4..144bde01 100644
--- a/internal/provider/resource_attest_test.go
+++ b/internal/provider/resource_attest_test.go
@@ -2,6 +2,7 @@ package provider
 
 import (
 	"fmt"
+	"os"
 	"regexp"
 	"testing"
 
@@ -13,6 +14,10 @@ import (
 )
 
 func TestAccResourceCosignAttest(t *testing.T) {
+	if _, ok := os.LookupEnv("ACTIONS_ID_TOKEN_REQUEST_URL"); !ok {
+		t.Skip("Unable to keylessly attest without an actions token")
+	}
+
 	repo, cleanup := ocitesting.SetupRepository(t, "test")
 	defer cleanup()
 
@@ -25,7 +30,8 @@ func TestAccResourceCosignAttest(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err := remote.Write(repo.Digest(dig1.String()), img1); err != nil {
+	ref1 := repo.Digest(dig1.String())
+	if err := remote.Write(ref1, img1); err != nil {
 		t.Fatal(err)
 	}
 
@@ -37,7 +43,8 @@ func TestAccResourceCosignAttest(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err := remote.Write(repo.Digest(dig2.String()), img2); err != nil {
+	ref2 := repo.Digest(dig2.String())
+	if err := remote.Write(ref2, img2); err != nil {
 		t.Fatal(err)
 	}
 
@@ -77,7 +84,7 @@ data "cosign_verify" "bar" {
           url = "https://fulcio.sigstore.dev"
           identities = [{
             issuer  = "https://token.actions.githubusercontent.com"
-            subject = "https://github.com/imjasonh/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
+            subject = "https://github.com/chainguard-dev/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
           }]
         }
         attestations = [{
@@ -104,15 +111,15 @@ data "cosign_verify" "bar" {
     }
   })
 }
-`, dig1, url, value, dig1, url, url, value),
+`, ref1, url, value, ref1, url, url, value),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestMatchResourceAttr(
-						"cosign_attest.foo", "image", regexp.MustCompile("^"+dig1.String())),
+						"cosign_attest.foo", "image", regexp.MustCompile("^"+ref1.String())),
 					resource.TestMatchResourceAttr(
-						"cosign_attest.foo", "attested_ref", regexp.MustCompile("^"+dig1.String())),
+						"cosign_attest.foo", "attested_ref", regexp.MustCompile("^"+ref1.String())),
 					// Check that it got attested!
 					resource.TestMatchResourceAttr(
-						"data.cosign_verify.bar", "verified_ref", regexp.MustCompile("^"+dig1.String())),
+						"data.cosign_verify.bar", "verified_ref", regexp.MustCompile("^"+ref1.String())),
 				),
 			},
 
@@ -144,7 +151,7 @@ data "cosign_verify" "bar" {
           url = "https://fulcio.sigstore.dev"
           identities = [{
             issuer  = "https://token.actions.githubusercontent.com"
-            subject = "https://github.com/imjasonh/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
+            subject = "https://github.com/chainguard-dev/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
           }]
         }
         attestations = [{
@@ -171,15 +178,15 @@ data "cosign_verify" "bar" {
     }
   })
 }
-`, dig2, url, value, dig2, url, url, value),
+`, ref2, url, value, ref2, url, url, value),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestMatchResourceAttr(
-						"cosign_attest.foo", "image", regexp.MustCompile("^"+dig2.String())),
+						"cosign_attest.foo", "image", regexp.MustCompile("^"+ref2.String())),
 					resource.TestMatchResourceAttr(
-						"cosign_attest.foo", "attested_ref", regexp.MustCompile("^"+dig2.String())),
+						"cosign_attest.foo", "attested_ref", regexp.MustCompile("^"+ref2.String())),
 					// Check that it got attested!
 					resource.TestMatchResourceAttr(
-						"data.cosign_verify.bar", "verified_ref", regexp.MustCompile("^"+dig2.String())),
+						"data.cosign_verify.bar", "verified_ref", regexp.MustCompile("^"+ref2.String())),
 				),
 			},
 		},
diff --git a/internal/provider/resource_sign_test.go b/internal/provider/resource_sign_test.go
index c8a5c64d..ba4d6947 100644
--- a/internal/provider/resource_sign_test.go
+++ b/internal/provider/resource_sign_test.go
@@ -2,6 +2,7 @@ package provider
 
 import (
 	"fmt"
+	"os"
 	"regexp"
 	"testing"
 
@@ -12,6 +13,10 @@ import (
 )
 
 func TestAccResourceCosignSign(t *testing.T) {
+	if _, ok := os.LookupEnv("ACTIONS_ID_TOKEN_REQUEST_URL"); !ok {
+		t.Skip("Unable to keylessly sign without an actions token")
+	}
+
 	repo, cleanup := ocitesting.SetupRepository(t, "test")
 	defer cleanup()
 
@@ -70,7 +75,7 @@ data "cosign_verify" "bar" {
           url = "https://fulcio.sigstore.dev"
           identities = [{
             issuer  = "https://token.actions.githubusercontent.com"
-            subject = "https://github.com/imjasonh/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
+            subject = "https://github.com/chainguard-dev/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
           }]
         }
         ctlog = {
@@ -116,7 +121,7 @@ data "cosign_verify" "bar" {
           url = "https://fulcio.sigstore.dev"
           identities = [{
             issuer  = "https://token.actions.githubusercontent.com"
-            subject = "https://github.com/imjasonh/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
+            subject = "https://github.com/chainguard-dev/terraform-provider-cosign/.github/workflows/test.yml@refs/heads/main"
           }]
         }
         ctlog = {