From 84c823c55fec23d4d306f43cd198d880840e90e6 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Wed, 30 Oct 2024 16:12:57 -0600
Subject: [PATCH] clean up extension verification tests

Signed-off-by: Meredith Lancaster
---
 .../verification/extensions_test.go | 152 +-----------------
 1 file changed, 8 insertions(+), 144 deletions(-)

diff --git a/pkg/cmd/attestation/verification/extensions_test.go b/pkg/cmd/attestation/verification/extensions_test.go
index e1a1555c5..734ee1943 100644
--- a/pkg/cmd/attestation/verification/extensions_test.go
+++ b/pkg/cmd/attestation/verification/extensions_test.go
@@ -33,172 +33,36 @@ func TestVerifyCertExtensions(t *testing.T) {
 OIDCIssuer: GitHubOIDCIssuer,
 }
- t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
+ t.Run("success", func(t *testing.T) {
 err := VerifyCertExtensions(results, c)
 require.NoError(t, err)
 })
- t.Run("VerifyCertExtensions with owner and repo, but wrong tenant", func(t *testing.T) {
- expectedCriteria := c
- expectedCriteria.Extensions.SourceRepositoryOwnerURI = "https://foo.ghe.com/owner"
- expectedCriteria.Extensions.SourceRepositoryURI = "https://foo.ghe.com/owner/repo"
- err := VerifyCertExtensions(results, expectedCriteria)
- require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://foo.ghe.com/owner, got https://github.com/owner")
- })
-
- t.Run("VerifyCertExtensions with owner", func(t *testing.T) {
- expectedCriteria := c
- expectedCriteria.Extensions.SourceRepositoryURI = ""
- err := VerifyCertExtensions(results, expectedCriteria)
- require.NoError(t, err)
- })
-
- t.Run("VerifyCertExtensions with wrong owner", func(t *testing.T) {
+ t.Run("with wrong SourceRepositoryOwnerURI", func(t *testing.T) {
 expectedCriteria := c
 expectedCriteria.Extensions.SourceRepositoryOwnerURI = "https://github.com/wrong"
- expectedCriteria.Extensions.SourceRepositoryURI = ""
 err := VerifyCertExtensions(results, expectedCriteria)
- require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/wrong, got https://github.com/owner")
+ require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/owner, got https://github.com/wrong")
 })
- t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) {
+ t.Run("with wrong SourceRepositoryURI", func(t *testing.T) {
 expectedCriteria := c
- expectedCriteria.Extensions.SourceRepositoryURI = "https://github.com/owner/wrong"
+ expectedCriteria.Extensions.SourceRepositoryURI = "https://github.com/foo/wrong"
 err := VerifyCertExtensions(results, expectedCriteria)
- require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo")
+ require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/owner/wrong, got https://github.com/wrong/bar")
 })
- t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
+ t.Run("with wrong OIDCIssuer", func(t *testing.T) {
 expectedCriteria := c
 expectedCriteria.OIDCIssuer = "wrong"
 err := VerifyCertExtensions(results, expectedCriteria)
 require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.githubusercontent.com")
 })
-}
-func TestVerifyCertExtensionsCustomizedIssuer(t *testing.T) {
- results := []*AttestationProcessingResult{
- {
- VerificationResult: &verify.VerificationResult{
- Signature: &verify.SignatureVerificationResult{
- Certificate: &certificate.Summary{
- Extensions: certificate.Extensions{
- SourceRepositoryOwnerURI: "https://github.com/owner",
- SourceRepositoryURI: "https://github.com/owner/repo",
- Issuer: "https://token.actions.githubusercontent.com/foo-bar",
- },
- },
- },
- },
- },
- }
-
- c := EnforcementCriteria{
- Extensions: Extensions{
- SourceRepositoryOwnerURI: "https://github.com/owner",
- SourceRepositoryURI: "https://github.com/owner/repo",
- },
- OIDCIssuer: "https://token.actions.githubusercontent.com/foo-bar",
- }
-
- t.Run("VerifyCertExtensions with exact issuer match", func(t *testing.T) {
- err := VerifyCertExtensions(results, c)
- require.NoError(t, err)
- })
-
- t.Run("VerifyCertExtensions with partial issuer match", func(t *testing.T) {
+ t.Run("with partial OIDCIssuer match", func(t *testing.T) {
 expectedCriteria := c
 expectedCriteria.OIDCIssuer = "https://token.actions.githubusercontent.com"
 err := VerifyCertExtensions(results, expectedCriteria)
 require.ErrorContains(t, err, "expected Issuer to be https://token.actions.githubusercontent.com, got https://token.actions.githubusercontent.com/foo-bar -- if you have a custom OIDC issuer")
 })
-
- t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
- expectedCriteria := c
- expectedCriteria.OIDCIssuer = "wrong"
- err := VerifyCertExtensions(results, expectedCriteria)
- require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.githubusercontent.com/foo-bar")
- })
-}
-
-func TestVerifyTenancyCertExtensions(t *testing.T) {
- results := []*AttestationProcessingResult{
- {
- VerificationResult: &verify.VerificationResult{
- Signature: &verify.SignatureVerificationResult{
- Certificate: &certificate.Summary{
- Extensions: certificate.Extensions{
- SourceRepositoryOwnerURI: "https://foo.ghe.com/owner",
- SourceRepositoryURI: "https://foo.ghe.com/owner/repo",
- Issuer: "https://token.actions.foo.ghe.com",
- },
- },
- },
- },
- },
- }
-
- c := EnforcementCriteria{
- Extensions: Extensions{
- SourceRepositoryOwnerURI: "https://foo.ghe.com/owner",
- SourceRepositoryURI: "https://foo.ghe.com/owner/repo",
- },
- OIDCIssuer: GitHubOIDCIssuer,
- }
-
- t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
- err := VerifyCertExtensions(results, c)
- require.NoError(t, err)
- })
-
- t.Run("VerifyCertExtensions with owner and repo, no tenant", func(t *testing.T) {
- expectedCriteria := c
- expectedCriteria.Extensions.SourceRepositoryOwnerURI = "https://github.com/owner"
- expectedCriteria.Extensions.SourceRepositoryURI = "https://github.com/owner/repo"
- err := VerifyCertExtensions(results, expectedCriteria)
- require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/owner, got https://foo.ghe.com/owner")
- })
-
- t.Run("VerifyCertExtensions with owner and repo, wrong tenant", func(t *testing.T) {
- expectedCriteria := c
- expectedCriteria.Extensions.SourceRepositoryOwnerURI = "https://bar.ghe.com/owner"
- expectedCriteria.Extensions.SourceRepositoryURI = "https://bar.ghe.com/owner/repo"
- err := VerifyCertExtensions(results, expectedCriteria)
- require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://bar.ghe.com/owner, got https://foo.ghe.com/owner")
- })
-
- t.Run("VerifyCertExtensions with owner", func(t *testing.T) {
- expectedCriteria := c
- expectedCriteria.Extensions.SourceRepositoryURI = ""
- err := VerifyCertExtensions(results, expectedCriteria)
- require.NoError(t, err)
- })
-
- t.Run("VerifyCertExtensions with wrong owner", func(t *testing.T) {
- expectedCriteria := c
- expectedCriteria.Extensions.SourceRepositoryOwnerURI = "https://foo.ghe.com/wrong"
- err := VerifyCertExtensions(results, expectedCriteria)
- require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://foo.ghe.com/wrong, got https://foo.ghe.com/owner")
- })
-
- t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) {
- expectedCriteria := c
- expectedCriteria.Extensions.SourceRepositoryURI = "https://foo.ghe.com/owner/wrong"
- err := VerifyCertExtensions(results, expectedCriteria)
- require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://foo.ghe.com/wrong, got https://foo.ghe.com/owner/repo")
- })
-
- t.Run("VerifyCertExtensions with correct, non-default issuer", func(t *testing.T) {
- expectedCriteria := c
- expectedCriteria.OIDCIssuer = "https://token.actions.foo.ghe.com"
- err := VerifyCertExtensions(results, expectedCriteria)
- require.NoError(t, err)
- })
-
- t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
- expectedCriteria := c
- expectedCriteria.OIDCIssuer = "wrong"
- err := VerifyCertExtensions(results, expectedCriteria)
- require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.foo.ghe.com")
- })
 }
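Review bot: The relocated "with partial OIDCIssuer match" subtest still asserts the message of the deleted TestVerifyCertExtensionsCustomizedIssuer fixture (`got https://token.actions.githubusercontent.com/foo-bar`), yet the unchanged "with wrong OIDCIssuer" assertion in this same hunk shows TestVerifyCertExtensions' certificate issuer is `https://token.actions.githubusercontent.com`, which is exactly the value the partial case sets, so unless the fixture above the hunk differs from what that line implies this case should now see no error rather than that message. The "with wrong SourceRepositoryURI" case has a similar drift: it assigns `expectedCriteria.Extensions.SourceRepositoryURI = "https://github.com/foo/wrong"` but asserts a message naming `https://github.com/owner/wrong` and `https://github.com/wrong/bar`, and both new SourceRepository assertions put the certificate value first while the unchanged Issuer assertion puts the criteria value first. The fixture and VerifyCertExtensions are outside the hunk, so I cannot say which ordering is right, but each assertion should be derived from the value its own subtest sets. Dropping TestVerifyTenancyCertExtensions also removes the only check here that a certificate issued under another GHE tenant host is rejected; if that behaviour still lives in VerifyCertExtensions, keeping one tenant-mismatch subtest (criteria on `https://bar.ghe.com/owner`, certificate on `https://foo.ghe.com/owner`) preserves coverage of that rejection path. TestVerifyCertExtensions starts above the hunk.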