update extensions test

Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-30 15:44:53 -06:00 · 2024-10-30 15:44:53 -06:00 · 4fa5f0c5ee
commit 4fa5f0c5ee
parent fa2574c1a8
1 changed files with 73 additions and 19 deletions
--- a/pkg/cmd/attestation/verification/extensions_test.go
+++ b/pkg/cmd/attestation/verification/extensions_test.go
@ -25,33 +25,53 @@ func TestVerifyCertExtensions(t *testing.T) {
 		},
 	}

+	c := EnforcementCriteria{
+		Extensions: Extensions{
+			SourceRepositoryOwnerURI: "https://github.com/owner",
+			SourceRepositoryURI:      "https://github.com/owner/repo",
+		},
+		OIDCIssuer: GitHubOIDCIssuer,
+	}
+
 	t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "owner/repo", GitHubOIDCIssuer)
+		err := VerifyCertExtensions(results, c)
 		require.NoError(t, err)
 	})

 	t.Run("VerifyCertExtensions with owner and repo, but wrong tenant", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", GitHubOIDCIssuer)
+		expectedCriteria := c
+		expectedCriteria.Extensions.SourceRepositoryOwnerURI = "https://foo.ghe.com/owner"
+		expectedCriteria.Extensions.SourceRepositoryURI = "https://foo.ghe.com/owner/repo"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://foo.ghe.com/owner, got https://github.com/owner")
 	})

 	t.Run("VerifyCertExtensions with owner", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "", GitHubOIDCIssuer)
+		expectedCriteria := c
+		expectedCriteria.Extensions.SourceRepositoryURI = ""
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.NoError(t, err)
 	})

 	t.Run("VerifyCertExtensions with wrong owner", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "wrong", "", GitHubOIDCIssuer)
+		expectedCriteria := c
+		expectedCriteria.Extensions.SourceRepositoryOwnerURI = "https://github.com/wrong"
+		expectedCriteria.Extensions.SourceRepositoryURI = ""
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/wrong, got https://github.com/owner")
 	})

 	t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "wrong", GitHubOIDCIssuer)
+		expectedCriteria := c
+		expectedCriteria.Extensions.SourceRepositoryURI = "https://github.com/owner/wrong"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo")
 	})

 	t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "", "wrong")
+		expectedCriteria := c
+		expectedCriteria.OIDCIssuer = "wrong"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.githubusercontent.com")
 	})
 }
@ -73,25 +93,35 @@ func TestVerifyCertExtensionsCustomizedIssuer(t *testing.T) {
 		},
 	}

+	c := EnforcementCriteria{
+		Extensions: Extensions{
+			SourceRepositoryOwnerURI: "https://github.com/owner",
+			SourceRepositoryURI:      "https://github.com/owner/repo",
+		},
+		OIDCIssuer: "https://token.actions.githubusercontent.com/foo-bar",
+	}
+
 	t.Run("VerifyCertExtensions with exact issuer match", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "owner/repo", "https://token.actions.githubusercontent.com/foo-bar")
+		err := VerifyCertExtensions(results, c)
 		require.NoError(t, err)
 	})

 	t.Run("VerifyCertExtensions with partial issuer match", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "owner/repo", "https://token.actions.githubusercontent.com")
+		expectedCriteria := c
+		expectedCriteria.OIDCIssuer = "https://token.actions.githubusercontent.com"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected Issuer to be https://token.actions.githubusercontent.com, got https://token.actions.githubusercontent.com/foo-bar -- if you have a custom OIDC issuer")
 	})

 	t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "", "wrong")
+		expectedCriteria := c
+		expectedCriteria.OIDCIssuer = "wrong"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.githubusercontent.com/foo-bar")
 	})
 }

 func TestVerifyTenancyCertExtensions(t *testing.T) {
-	defaultIssuer := GitHubOIDCIssuer
-
 	results := []*AttestationProcessingResult{
 		{
 			VerificationResult: &verify.VerificationResult{
@ -108,43 +138,67 @@ func TestVerifyTenancyCertExtensions(t *testing.T) {
 		},
 	}

+	c := EnforcementCriteria{
+		Extensions: Extensions{
+			SourceRepositoryOwnerURI: "https://foo.ghe.com/owner",
+			SourceRepositoryURI:      "https://foo.ghe.com/owner/repo",
+		},
+		OIDCIssuer: GitHubOIDCIssuer,
+	}
+
 	t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", defaultIssuer)
+		err := VerifyCertExtensions(results, c)
 		require.NoError(t, err)
 	})

 	t.Run("VerifyCertExtensions with owner and repo, no tenant", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "owner/repo", defaultIssuer)
+		expectedCriteria := c
+		expectedCriteria.Extensions.SourceRepositoryOwnerURI = "https://github.com/owner"
+		expectedCriteria.Extensions.SourceRepositoryURI = "https://github.com/owner/repo"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/owner, got https://foo.ghe.com/owner")
 	})

 	t.Run("VerifyCertExtensions with owner and repo, wrong tenant", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "bar", "owner", "owner/repo", defaultIssuer)
+		expectedCriteria := c
+		expectedCriteria.Extensions.SourceRepositoryOwnerURI = "https://bar.ghe.com/owner"
+		expectedCriteria.Extensions.SourceRepositoryURI = "https://bar.ghe.com/owner/repo"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://bar.ghe.com/owner, got https://foo.ghe.com/owner")
 	})

 	t.Run("VerifyCertExtensions with owner", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "", defaultIssuer)
+		expectedCriteria := c
+		expectedCriteria.Extensions.SourceRepositoryURI = ""
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.NoError(t, err)
 	})

 	t.Run("VerifyCertExtensions with wrong owner", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "wrong", "", defaultIssuer)
+		expectedCriteria := c
+		expectedCriteria.Extensions.SourceRepositoryOwnerURI = "https://foo.ghe.com/wrong"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://foo.ghe.com/wrong, got https://foo.ghe.com/owner")
 	})

 	t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "wrong", defaultIssuer)
+		expectedCriteria := c
+		expectedCriteria.Extensions.SourceRepositoryURI = "https://foo.ghe.com/owner/wrong"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://foo.ghe.com/wrong, got https://foo.ghe.com/owner/repo")
 	})

 	t.Run("VerifyCertExtensions with correct, non-default issuer", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", "https://token.actions.foo.ghe.com")
+		expectedCriteria := c
+		expectedCriteria.OIDCIssuer = "https://token.actions.foo.ghe.com"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.NoError(t, err)
 	})

 	t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", "wrong")
+		expectedCriteria := c
+		expectedCriteria.OIDCIssuer = "wrong"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.foo.ghe.com")
 	})
 }