STACKITGit/cli
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cli/pkg/cmd/attestation/verify/verify_integration_test.go
Meredith Lancaster cd5562f5ac
Add signer-repo and signer-workflow flags to gh attestation verify (#9137) 
* add signer-repo and signer-workflow flags

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add check for SignerRepo option

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add helper function and comment for clarity

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update flag comment

Signed-off-by: Meredith Lancaster <malancas@github.com>

* reference correct field

Signed-off-by: Meredith Lancaster <malancas@github.com>

* move function to more relevant file

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Update pkg/cmd/attestation/verify/verify.go

Co-authored-by: Zach Steindler <steiza@github.com>

* Update pkg/cmd/attestation/verify/verify.go

Co-authored-by: Zach Steindler <steiza@github.com>

* make all reusable workflow flags mutually exclusive

Signed-off-by: Meredith Lancaster <malancas@github.com>

* accept signer workflow without host

Signed-off-by: Meredith Lancaster <malancas@github.com>

* support client optionally providing host with signer workflow flag

Signed-off-by: Meredith Lancaster <malancas@github.com>

* comment

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add tests for parsing signer workflow

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Zach Steindler <steiza@github.com>
2024-05-30 07:40:55 -06:00

237 lines
6.7 KiB
Go
Raw Blame History

//go:build integration
package verify
import (
"testing"
"github.com/cli/cli/v2/pkg/cmd/attestation/api"
"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
"github.com/cli/cli/v2/pkg/cmd/attestation/io"
"github.com/cli/cli/v2/pkg/cmd/attestation/test"
"github.com/cli/cli/v2/pkg/cmd/attestation/verification"
"github.com/cli/cli/v2/pkg/cmd/factory"
"github.com/stretchr/testify/require"
)
func TestVerifyIntegration(t *testing.T) {
logger := io.NewTestHandler()
sigstoreConfig := verification.SigstoreConfig{
Logger: logger,
}
cmdFactory := factory.New("test")
hc, err := cmdFactory.HttpClient()
if err != nil {
t.Fatal(err)
}
publicGoodOpts := Options{
APIClient: api.NewLiveClient(hc, logger),
ArtifactPath: artifactPath,
BundlePath: bundlePath,
DigestAlgorithm: "sha512",
Logger: logger,
OCIClient: oci.NewLiveClient(),
OIDCIssuer: GitHubOIDCIssuer,
Owner: "sigstore",
SANRegex: "^https://github.com/sigstore/",
SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
}
t.Run("with valid owner", func(t *testing.T) {
err := runVerify(&publicGoodOpts)
require.NoError(t, err)
})
t.Run("with valid repo", func(t *testing.T) {
opts := publicGoodOpts
opts.Repo = "sigstore/sigstore-js"
err := runVerify(&opts)
require.NoError(t, err)
})
t.Run("with valid owner and invalid repo", func(t *testing.T) {
opts := publicGoodOpts
opts.Repo = "sigstore/fakerepo"
err := runVerify(&opts)
require.Error(t, err)
require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
})
t.Run("with invalid owner", func(t *testing.T) {
opts := publicGoodOpts
opts.Owner = "fakeowner"
err := runVerify(&opts)
require.Error(t, err)
require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
})
t.Run("with invalid owner and invalid repo", func(t *testing.T) {
opts := publicGoodOpts
opts.Repo = "fakeowner/fakerepo"
err := runVerify(&opts)
require.Error(t, err)
require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
})
}
func TestVerifyIntegrationReusableWorkflow(t *testing.T) {
artifactPath := test.NormalizeRelativePath("../test/data/reusable-workflow-artifact")
bundlePath := test.NormalizeRelativePath("../test/data/reusable-workflow-attestation.sigstore.json")
logger := io.NewTestHandler()
sigstoreConfig := verification.SigstoreConfig{
Logger: logger,
}
cmdFactory := factory.New("test")
hc, err := cmdFactory.HttpClient()
if err != nil {
t.Fatal(err)
}
baseOpts := Options{
APIClient: api.NewLiveClient(hc, logger),
ArtifactPath: artifactPath,
BundlePath: bundlePath,
DigestAlgorithm: "sha256",
Logger: logger,
OCIClient: oci.NewLiveClient(),
OIDCIssuer: GitHubOIDCIssuer,
SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
}
t.Run("with owner and valid reusable workflow SAN", func(t *testing.T) {
opts := baseOpts
opts.Owner = "malancas"
opts.SAN = "https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml@09b495c3f12c7881b3cc17209a327792065c1a1d"
err := runVerify(&opts)
require.NoError(t, err)
})
t.Run("with owner and valid reusable workflow SAN regex", func(t *testing.T) {
opts := baseOpts
opts.Owner = "malancas"
opts.SANRegex = "^https://github.com/github/artifact-attestations-workflows/"
err := runVerify(&opts)
require.NoError(t, err)
})
t.Run("with owner and valid reusable signer repo", func(t *testing.T) {
opts := baseOpts
opts.Owner = "malancas"
opts.SignerRepo = "github/artifact-attestations-workflows"
err := runVerify(&opts)
require.NoError(t, err)
})
t.Run("with repo and valid reusable workflow SAN", func(t *testing.T) {
opts := baseOpts
opts.Owner = "malancas"
opts.Repo = "malancas/attest-demo"
opts.SAN = "https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml@09b495c3f12c7881b3cc17209a327792065c1a1d"
err := runVerify(&opts)
require.NoError(t, err)
})
t.Run("with repo and valid reusable workflow SAN regex", func(t *testing.T) {
opts := baseOpts
opts.Owner = "malancas"
opts.Repo = "malancas/attest-demo"
opts.SANRegex = "^https://github.com/github/artifact-attestations-workflows/"
err := runVerify(&opts)
require.NoError(t, err)
})
t.Run("with repo and valid reusable signer repo", func(t *testing.T) {
opts := baseOpts
opts.Owner = "malancas"
opts.Repo = "malancas/attest-demo"
opts.SignerRepo = "github/artifact-attestations-workflows"
err := runVerify(&opts)
require.NoError(t, err)
})
}
func TestVerifyIntegrationReusableWorkflowSignerWorkflow(t *testing.T) {
artifactPath := test.NormalizeRelativePath("../test/data/reusable-workflow-artifact")
bundlePath := test.NormalizeRelativePath("../test/data/reusable-workflow-attestation.sigstore.json")
logger := io.NewTestHandler()
sigstoreConfig := verification.SigstoreConfig{
Logger: logger,
}
cmdFactory := factory.New("test")
hc, err := cmdFactory.HttpClient()
if err != nil {
t.Fatal(err)
}
baseOpts := Options{
APIClient: api.NewLiveClient(hc, logger),
ArtifactPath: artifactPath,
BundlePath: bundlePath,
Config: cmdFactory.Config,
DigestAlgorithm: "sha256",
Logger: logger,
OCIClient: oci.NewLiveClient(),
OIDCIssuer: GitHubOIDCIssuer,
Owner: "malancas",
Repo: "malancas/attest-demo",
SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
}
type testcase struct {
name string
signerWorkflow string
expectErr bool
}
testcases := []testcase{
{
name: "with invalid signer workflow",
signerWorkflow: "foo/bar/.github/workflows/attest.yml",
expectErr: true,
},
{
name: "valid signer workflow with host",
signerWorkflow: "github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
expectErr: false,
},
{
name: "valid signer workflow without host (defaults to github.com)",
signerWorkflow: "github/artifact-attestations-workflows/.github/workflows/attest.yml",
expectErr: false,
},
}
for _, tc := range testcases {
opts := baseOpts
opts.SignerWorkflow = tc.signerWorkflow
err := runVerify(&opts)
if tc.expectErr {
require.Error(t, err, "expected error for '%s'", tc.name)
} else {
require.NoError(t, err, "unexpected error for '%s'", tc.name)
}
}
}
Reference in a new issue View git blame Copy permalink