add test case for monotonic verification success

Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 10:25:45 -06:00 · 2024-10-31 10:25:45 -06:00 · 97262d8ce7
commit 97262d8ce7
parent 01f63c5cc3
2 changed files with 25 additions and 14 deletions
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@ -24,11 +24,11 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, tenant, owner,
 		atLeastOneVerified = true
 	}

-	if atLeastOneVerified {
-		return nil
-	} else {
+	if !atLeastOneVerified {
 		return ErrNoAttestationsVerified
 	}
+
+	return nil
 }

 func verifyCertExtensions(attestation *AttestationProcessingResult, tenant, owner, repo, issuer string) error {
--- a/pkg/cmd/attestation/verification/extensions_test.go
+++ b/pkg/cmd/attestation/verification/extensions_test.go
@ -8,28 +8,39 @@ import (
 	"github.com/stretchr/testify/require"
 )

-func TestVerifyCertExtensions(t *testing.T) {
-	results := []*AttestationProcessingResult{
-		{
-			VerificationResult: &verify.VerificationResult{
-				Signature: &verify.SignatureVerificationResult{
-					Certificate: &certificate.Summary{
-						Extensions: certificate.Extensions{
-							SourceRepositoryOwnerURI: "https://github.com/owner",
-							SourceRepositoryURI:      "https://github.com/owner/repo",
-							Issuer:                   "https://token.actions.githubusercontent.com",
-						},
+func createSampleResult() *AttestationProcessingResult {
+	return &AttestationProcessingResult{
+		VerificationResult: &verify.VerificationResult{
+			Signature: &verify.SignatureVerificationResult{
+				Certificate: &certificate.Summary{
+					Extensions: certificate.Extensions{
+						SourceRepositoryOwnerURI: "https://github.com/owner",
+						SourceRepositoryURI:      "https://github.com/owner/repo",
+						Issuer:                   "https://token.actions.githubusercontent.com",
 					},
 				},
 			},
 		},
 	}
+}
+
+func TestVerifyCertExtensions(t *testing.T) {
+	results := []*AttestationProcessingResult{createSampleResult()}

 	t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
 		err := VerifyCertExtensions(results, "", "owner", "owner/repo", GitHubOIDCIssuer)
 		require.NoError(t, err)
 	})

+	t.Run("VerifyCertExtensions passes with at least one successful verification", func(t *testing.T) {
+		twoResults := []*AttestationProcessingResult{createSampleResult(), createSampleResult()}
+		require.Len(t, twoResults, 2)
+		twoResults[1].VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI = "https://github.com/wrong"
+
+		err := VerifyCertExtensions(twoResults, "", "owner", "owner/repo", GitHubOIDCIssuer)
+		require.NoError(t, err)
+	})
+
 	t.Run("VerifyCertExtensions with owner and repo, but wrong tenant", func(t *testing.T) {
 		err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", GitHubOIDCIssuer)
 		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://foo.ghe.com/owner, got https://github.com/owner")