From 97262d8ce76f71e4d6b9cf5618c2c4fde45371c4 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Thu, 31 Oct 2024 10:25:45 -0600
Subject: [PATCH] add test case for monotonic verification success
Signed-off-by: Meredith Lancaster
---
 .../attestation/verification/extensions.go | 6 ++--
 .../verification/extensions_test.go | 33 ++++++++++++-------
 2 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
index 94ba88208..046f24509 100644
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -24,11 +24,11 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, tenant, owner,
 atLeastOneVerified = true
 }
- if atLeastOneVerified {
- return nil
- } else {
+ if !atLeastOneVerified {
 return ErrNoAttestationsVerified
 }
+
+ return nil
 }
 func verifyCertExtensions(attestation *AttestationProcessingResult, tenant, owner, repo, issuer string) error {
diff --git a/pkg/cmd/attestation/verification/extensions_test.go b/pkg/cmd/attestation/verification/extensions_test.go
index 5eb28829d..445234652 100644
--- a/pkg/cmd/attestation/verification/extensions_test.go
+++ b/pkg/cmd/attestation/verification/extensions_test.go
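Review bot: With the rewritten tail of VerifyCertExtensions a nil return still means only that at least one entry of `results` matched the expected tenant/owner/repo/issuer, and nothing in the hunk records or surfaces which entries were rejected (if the loop above collects per-result errors, that is outside this hunk). A caller that treats the whole `results` slice as verified after a nil return would therefore accept attestations whose certificate extensions did not match, which is the failure mode this check exists to prevent. At minimum the function's doc comment, which sits above the hunk, should state the contract, e.g. `// VerifyCertExtensions returns nil when at least one result's certificate extensions match the expected tenant, owner, repo and issuer; a nil return does not mean every result matched, and callers must not treat the whole slice as verified.`; a stronger fix is to return the subset of results that passed so callers cannot misuse the input slice. The body of VerifyCertExtensions starts before this hunk.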
@@ -8,28 +8,39 @@ import (
 "github.com/stretchr/testify/require"
 )
-func TestVerifyCertExtensions(t *testing.T) {
- results := []*AttestationProcessingResult{
- {
- VerificationResult: &verify.VerificationResult{
- Signature: &verify.SignatureVerificationResult{
- Certificate: &certificate.Summary{
- Extensions: certificate.Extensions{
- SourceRepositoryOwnerURI: "https://github.com/owner",
- SourceRepositoryURI: "https://github.com/owner/repo",
- Issuer: "https://token.actions.githubusercontent.com",
- },
+func createSampleResult() *AttestationProcessingResult {
+ return &AttestationProcessingResult{
+ VerificationResult: &verify.VerificationResult{
+ Signature: &verify.SignatureVerificationResult{
+ Certificate: &certificate.Summary{
+ Extensions: certificate.Extensions{
+ SourceRepositoryOwnerURI: "https://github.com/owner",
+ SourceRepositoryURI: "https://github.com/owner/repo",
+ Issuer: "https://token.actions.githubusercontent.com",
 },
 },
 },
 },
 }
+}
+
+func TestVerifyCertExtensions(t *testing.T) {
+ results := []*AttestationProcessingResult{createSampleResult()}
 t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
 err := VerifyCertExtensions(results, "", "owner", "owner/repo", GitHubOIDCIssuer)
 require.NoError(t, err)
 })
+ t.Run("VerifyCertExtensions passes with at least one successful verification", func(t *testing.T) {
+ twoResults := []*AttestationProcessingResult{createSampleResult(), createSampleResult()}
+ require.Len(t, twoResults, 2)
+ twoResults[1].VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI = "https://github.com/wrong"
+
+ err := VerifyCertExtensions(twoResults, "", "owner", "owner/repo", GitHubOIDCIssuer)
+ require.NoError(t, err)
+ })
+
 t.Run("VerifyCertExtensions with owner and repo, but wrong tenant", func(t *testing.T) {
 err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", GitHubOIDCIssuer)
 require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be
https://foo.ghe.com/owner, got https://github.com/owner")
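Review bot: The new "passes with at least one successful verification" subtest places the non-matching result only at index 1, so it cannot distinguish a loop that keeps scanning after a failure from one that would return the first error it hits; add the mirror case with the mismatch first, `twoResults[0].VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI = "https://github.com/wrong"`, and assert `require.NoError(t, err)` there too. `require.Len(t, twoResults, 2)` only checks a property of a two-element literal and can be dropped. Calling `createSampleResult()` once per element is the right pattern here, since each call returns a fresh pointer and the mutation does not leak into the shared `results` used by the other subtests. If it is not already covered further down, an all-fail case asserting `require.ErrorIs(t, err, ErrNoAttestationsVerified)` would pin the other half of the contract. TestVerifyCertExtensions continues past the end of the hunk.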