From 99111a335737b8e79c7d4b434e33abd85b703723 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Thu, 14 Mar 2024 19:11:42 -0600
Subject: [PATCH] add more sigstore verifier specific tests

Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/inspect/inspect_test.go | 15 --------
 .../attestation/verification/sigstore_test.go | 34 ++++++++++++-------
 pkg/cmd/attestation/verify/verify_test.go | 16 ---------
 3 files changed, 22 insertions(+), 43 deletions(-)

diff --git a/pkg/cmd/attestation/inspect/inspect_test.go b/pkg/cmd/attestation/inspect/inspect_test.go
index 8296b8e56..98e2c4a95 100644
--- a/pkg/cmd/attestation/inspect/inspect_test.go
+++ b/pkg/cmd/attestation/inspect/inspect_test.go
@@ -160,21 +160,6 @@ func TestRunInspect(t *testing.T) {
 require.Error(t, runInspect(&customOpts))
 })
 
- t.Run("with invalid signature", func(t *testing.T) {
- customOpts := opts
- customOpts.BundlePath = "../test/data/sigstoreBundle-invalid-signature.json"
-
- err := runInspect(&customOpts)
- require.Error(t, err)
- require.ErrorContains(t, err, "at least one attestation failed to verify")
- })
-
- t.Run("with valid artifact and JSON lines file containing multiple bundles", func(t *testing.T) {
- customOpts := opts
- customOpts.BundlePath = "../test/data/sigstore-js-2.1.0_with_2_bundles.jsonl"
- require.Nil(t, runInspect(&customOpts))
- })
-
 t.Run("with missing OCI client", func(t *testing.T) {
 customOpts := opts
 customOpts.ArtifactPath = "oci://ghcr.io/github/test"
diff --git a/pkg/cmd/attestation/verification/sigstore_test.go b/pkg/cmd/attestation/verification/sigstore_test.go
index 8d681b9f5..7fd2a8590 100644
--- a/pkg/cmd/attestation/verification/sigstore_test.go
+++ b/pkg/cmd/attestation/verification/sigstore_test.go
@@ -23,28 +23,38 @@ func buildPolicy(a artifact.DigestedArtifact) (verify.PolicyBuilder, error) {
 
 func TestNewSigstoreVerifier(t *testing.T) {
 artifactPath := test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz")
+ artifact, err := artifact.NewDigestedArtifact(nil, artifactPath, "sha512")
+ require.NoError(t, err)
+
+ policy, err := buildPolicy(*artifact)
+ require.NoError(t, err)
+
+ c := SigstoreConfig{
+ Logger: logging.NewTestLogger(),
+ }
+ verifier, err := NewSigstoreVerifier(c, policy)
+ require.NoError(t, err)
 
 t.Run("with invalid signature", func(t *testing.T) {
- artifact, err := artifact.NewDigestedArtifact(nil, artifactPath, "sha512")
- require.NoError(t, err)
-
 bundlePath := test.NormalizeRelativePath("../test/data/sigstoreBundle-invalid-signature.json")
 attestations, err := GetLocalAttestations(bundlePath)
 require.NotNil(t, attestations)
 require.NoError(t, err)
 
- policy, err := buildPolicy(*artifact)
- require.NoError(t, err)
-
- c := SigstoreConfig{
- Logger: logging.NewTestLogger(),
- }
- verifier, err := NewSigstoreVerifier(c, policy)
- require.NoError(t, err)
-
 res := verifier.Verify(attestations)
 require.Error(t, res.Error)
 require.ErrorContains(t, res.Error, "verifying with issuer \"sigstore.dev\"")
 require.Nil(t, res.VerifyResults)
 })
+
+ t.Run("with valid artifact and JSON lines file containing multiple Sigstore bundles", func(t *testing.T) {
+ bundlePath := test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0_with_2_bundles.jsonl")
+ attestations, err := GetLocalAttestations(bundlePath)
+ require.Len(t, attestations, 2)
+ require.NoError(t, err)
+
+ res := verifier.Verify(attestations)
+ require.Len(t, res.VerifyResults, 2)
+ require.NoError(t, res.Error)
+ })
 }
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
index 929a1ee73..69c73e50c 100644
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
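Review bot: The subtests in TestNewSigstoreVerifier exercise only `verifier.Verify`, so with the invalid-signature cases deleted from TestRunInspect and TestRunVerify in this same patch, nothing shown here still asserts that the commands fail closed when a bundle's signature does not verify. A regression in which a command dropped the verifier's error would pass this suite; unless that path is covered elsewhere, keep one command-level case such as `require.ErrorContains(t, runVerify(&opts), "at least one attestation failed to verify")`. In the new multi-bundle subtest, put `require.NoError(t, res.Error)` before `require.Len(t, res.VerifyResults, 2)` (and likewise the `err` check before `require.Len(t, attestations, 2)`) so a verification failure reports the real error instead of a length mismatch. The function-scope `artifact, err := artifact.NewDigestedArtifact(...)` also shadows the `artifact` package for every subtest that follows; a local name such as `digested` would avoid that.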
@@ -262,16 +262,6 @@ func TestRunVerify(t *testing.T) {
 require.Error(t, runVerify(&opts))
 })
 
- t.Run("with invalid signature", func(t *testing.T) {
- opts := publicGoodOpts
- opts.BundlePath = "../test/data/sigstoreBundle-invalid-signature.json"
-
- err := runVerify(&opts)
- require.Error(t, err)
- require.ErrorContains(t, err, "at least one attestation failed to verify")
- require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\"")
- })
-
 t.Run("with owner", func(t *testing.T) {
 opts := publicGoodOpts
 opts.BundlePath = ""
@@ -355,12 +345,6 @@ func TestRunVerify(t *testing.T) {
 require.Error(t, runVerify(&opts))
 })
 
- t.Run("with valid artifact and JSON lines file containing multiple Sigstore bundles", func(t *testing.T) {
- opts := publicGoodOpts
- opts.BundlePath = "../test/data/sigstore-js-2.1.0_with_2_bundles.jsonl"
- require.Nil(t, runVerify(&opts))
- })
-
 t.Run("with missing OCI client", func(t *testing.T) {
 customOpts := publicGoodOpts
 customOpts.ArtifactPath = "oci://ghcr.io/github/test"