diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go
index 4b0f0adfb..0b15e823e 100644
--- a/pkg/cmd/attestation/verify/verify_integration_test.go
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
@@ -83,6 +83,33 @@ func TestVerifyIntegration(t *testing.T) {
 require.Error(t, err)
 require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/fakeowner/fakerepo, got https://github.com/sigstore/sigstore-js")
 })
+
+ t.Run("with no matching OIDC issuer", func(t *testing.T) {
+ opts := publicGoodOpts
+ opts.OIDCIssuer = "some-other-issuer"
+
+ err := runVerify(&opts)
+ require.Error(t, err)
+ require.ErrorContains(t, err, "expected Issuer to be some-other-issuer, got https://token.actions.githubusercontent.com")
+ })
+
+ t.Run("with invalid SAN", func(t *testing.T) {
+ opts := publicGoodOpts
+ opts.SAN = "fake san"
+
+ err := runVerify(&opts)
+ require.Error(t, err)
+ require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\"")
+ })
+
+ t.Run("with invalid SAN regex", func(t *testing.T) {
+ opts := publicGoodOpts
+ opts.SANRegex = "^https://github.com/sigstore/not-real/"
+
+ err := runVerify(&opts)
+ require.Error(t, err)
+ require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\"")
+ })
 }
 
 func TestVerifyIntegrationCustomIssuer(t *testing.T) {
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
index 306ff8b35..93ad4bdbc 100644
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
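Review bot: In verify_integration_test.go, the "with invalid SAN" and "with invalid SAN regex" subtests assert only that the error contains `verifying with issuer \"sigstore.dev\"`, which names the issuer being tried rather than the identity check that is supposed to fail. Presumably any other failure on that verification path, such as a network or trust-root problem in this live test, would satisfy them just as well. The issuer subtest above them pins its reason (`expected Issuer to be some-other-issuer, got …`), and the SAN cases should do likewise; until the exact text is confirmed, add `// TODO: also assert on the SAN-mismatch part of the error; the issuer string alone matches any sigstore.dev verification failure`. The positive cases deleted from verify_test.go ("with SAN enforcement", "with SAN regex enforcement") are not re-added in this hunk, so unless they are covered elsewhere, a SAN policy that wrongly rejects a valid identity would go unnoticed. TestVerifyIntegration begins outside the hunk.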
@@ -453,75 +453,6 @@ func TestRunVerify(t *testing.T) {
 require.ErrorContains(t, err, "failed to fetch attestations from wrong-owner")
 })
 
- // TODO: this test can only be tested with a live SigstoreVerifier
- // add integration tests or HTTP mocked sigstore verifier tests
- // to test this case
- t.Run("with invalid OIDC issuer", func(t *testing.T) {
- t.Skip()
- opts := publicGoodOpts
- opts.OIDCIssuer = "not-a-real-issuer"
- require.Error(t, runVerify(&opts))
- })
-
- // TODO: this test can only be tested with a live SigstoreVerifier
- // add integration tests or HTTP mocked sigstore verifier tests
- // to test this case
- t.Run("with SAN enforcement", func(t *testing.T) {
- t.Skip()
- opts := Options{
- ArtifactPath: artifactPath,
- BundlePath: bundlePath,
- APIClient: api.NewTestClient(),
- DigestAlgorithm: "sha512",
- Logger: logger,
- OIDCIssuer: verification.GitHubOIDCIssuer,
- Owner: "sigstore",
- SAN: SigstoreSanValue,
- SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
- }
- require.Nil(t, runVerify(&opts))
- })
-
- // TODO: this test can only be tested with a live SigstoreVerifier
- // add integration tests or HTTP mocked sigstore verifier tests
- // to test this case
- t.Run("with invalid SAN", func(t *testing.T) {
- t.Skip()
- opts := publicGoodOpts
- opts.SAN = "fake san"
- require.Error(t, runVerify(&opts))
- })
-
- // TODO: this test can only be tested with a live SigstoreVerifier
- // add integration tests or HTTP mocked sigstore verifier tests
- // to test this case
- t.Run("with SAN regex enforcement", func(t *testing.T) {
- t.Skip()
- opts := publicGoodOpts
- opts.SANRegex = SigstoreSanRegex
- require.Nil(t, runVerify(&opts))
- })
-
- // TODO: this test can only be tested with a live SigstoreVerifier
- // add integration tests or HTTP mocked sigstore verifier tests
- // to test this case
- t.Run("with invalid SAN regex", func(t *testing.T) {
- t.Skip()
- opts := publicGoodOpts
- opts.SANRegex = "^https://github.com/sigstore/not-real/"
- require.Error(t, runVerify(&opts))
- })
-
- // TODO: this test can only be tested with a live SigstoreVerifier
- // add integration tests or HTTP mocked sigstore verifier tests
- // to test this case
- t.Run("with no matching OIDC issuer", func(t *testing.T) {
- t.Skip()
- opts := publicGoodOpts
- opts.OIDCIssuer = "some-other-issuer"
- require.Error(t, runVerify(&opts))
- })
-
 t.Run("with missing API client", func(t *testing.T) {
 customOpts := publicGoodOpts
 customOpts.APIClient = nil