add test for sigstore monotonic verification

Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 11:23:15 -06:00 · 2024-10-31 11:23:15 -06:00 · 3e90628abb
commit 3e90628abb
parent d29a4a751a
2 changed files with 28 additions and 13 deletions
--- a/pkg/cmd/attestation/verification/extensions_test.go
+++ b/pkg/cmd/attestation/verification/extensions_test.go
@ -48,7 +48,7 @@ func TestVerifyCertExtensions(t *testing.T) {
 		twoResults[1].VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI = "https://github.com/wrong"

 		err := VerifyCertExtensions(twoResults, "", "owner", "owner/repo", GitHubOIDCIssuer)
-		require.NoError(t, err)
+		require.Error(t, err)
 	})
 }

--- a/pkg/cmd/attestation/verification/sigstore_integration_test.go
+++ b/pkg/cmd/attestation/verification/sigstore_integration_test.go
@ -52,18 +52,33 @@ func TestLiveSigstoreVerifier(t *testing.T) {
 			Logger: io.NewTestHandler(),
 		})

-		res := verifier.Verify(tc.attestations, publicGoodPolicy(t))
+		results, err := verifier.Verify(tc.attestations, publicGoodPolicy(t))

 		if tc.expectErr {
-			require.Error(t, res.Error, "test case: %s", tc.name)
-			require.ErrorContains(t, res.Error, tc.errContains, "test case: %s", tc.name)
-			require.Nil(t, res.VerifyResults, "test case: %s", tc.name)
+			require.Error(t, err, "test case: %s", tc.name)
+			require.ErrorContains(t, err, tc.errContains, "test case: %s", tc.name)
+			require.Nil(t, results, "test case: %s", tc.name)
 		} else {
-			require.Equal(t, len(tc.attestations), len(res.VerifyResults), "test case: %s", tc.name)
-			require.NoError(t, res.Error, "test case: %s", tc.name)
+			require.Equal(t, len(tc.attestations), len(results), "test case: %s", tc.name)
+			require.NoError(t, err, "test case: %s", tc.name)
 		}
 	}

+	t.Run("with 2/3 verified attestations", func(t *testing.T) {
+		verifier := NewLiveSigstoreVerifier(SigstoreConfig{
+			Logger: io.NewTestHandler(),
+		})
+
+		invalidBundle := getAttestationsFor(t, "../test/data/sigstore-js-2.1.0-bundle-v0.1.json")
+		attestations := getAttestationsFor(t, "../test/data/sigstore-js-2.1.0_with_2_bundles.jsonl")
+		attestations = append(attestations, invalidBundle[0])
+
+		results, err := verifier.Verify(attestations, publicGoodPolicy(t))
+
+		require.Equal(t, len(attestations), len(results))
+		require.NoError(t, err)
+	})
+
 	t.Run("with GitHub Sigstore artifact", func(t *testing.T) {
 		githubArtifactPath := test.NormalizeRelativePath("../test/data/github_provenance_demo-0.0.12-py3-none-any.whl")
 		githubArtifact, err := artifact.NewDigestedArtifact(nil, githubArtifactPath, "sha256")
@ -77,9 +92,9 @@ func TestLiveSigstoreVerifier(t *testing.T) {
 			Logger: io.NewTestHandler(),
 		})

-		res := verifier.Verify(attestations, githubPolicy)
-		require.Len(t, res.VerifyResults, 1)
-		require.NoError(t, res.Error)
+		results, err := verifier.Verify(attestations, githubPolicy)
+		require.Len(t, results, 1)
+		require.NoError(t, err)
 	})

 	t.Run("with custom trusted root", func(t *testing.T) {
@ -90,9 +105,9 @@ func TestLiveSigstoreVerifier(t *testing.T) {
 			TrustedRoot: test.NormalizeRelativePath("../test/data/trusted_root.json"),
 		})

-		res := verifier.Verify(attestations, publicGoodPolicy(t))
-		require.Len(t, res.VerifyResults, 2)
-		require.NoError(t, res.Error)
+		results, err := verifier.Verify(attestations, publicGoodPolicy(t))
+		require.Len(t, results, 2)
+		require.NoError(t, err)
 	})
 }