cd5562f5ac
* add signer-repo and signer-workflow flags Signed-off-by: Meredith Lancaster <malancas@github.com> * add check for SignerRepo option Signed-off-by: Meredith Lancaster <malancas@github.com> * add helper function and comment for clarity Signed-off-by: Meredith Lancaster <malancas@github.com> * update flag comment Signed-off-by: Meredith Lancaster <malancas@github.com> * reference correct field Signed-off-by: Meredith Lancaster <malancas@github.com> * move function to more relevant file Signed-off-by: Meredith Lancaster <malancas@github.com> * Update pkg/cmd/attestation/verify/verify.go Co-authored-by: Zach Steindler <steiza@github.com> * Update pkg/cmd/attestation/verify/verify.go Co-authored-by: Zach Steindler <steiza@github.com> * make all reusable workflow flags mutually exclusive Signed-off-by: Meredith Lancaster <malancas@github.com> * accept signer workflow without host Signed-off-by: Meredith Lancaster <malancas@github.com> * support client optionally providing host with signer workflow flag Signed-off-by: Meredith Lancaster <malancas@github.com> * comment Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for parsing signer workflow Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Co-authored-by: Zach Steindler <steiza@github.com>
95 lines
3 KiB
Go
95 lines
3 KiB
Go
package verify
|
|
|
|
import (
|
|
"os"
|
|
"testing"
|
|
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/artifact"
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
|
|
"github.com/cli/cli/v2/pkg/cmd/factory"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
// This tests that a policy can be built from a valid artifact
|
|
// Note that policy use is tested in verify_test.go in this package
|
|
func TestBuildPolicy(t *testing.T) {
|
|
ociClient := oci.MockClient{}
|
|
artifactPath := "../test/data/sigstore-js-2.1.0.tgz"
|
|
digestAlg := "sha256"
|
|
|
|
artifact, err := artifact.NewDigestedArtifact(ociClient, artifactPath, digestAlg)
|
|
require.NoError(t, err)
|
|
|
|
opts := &Options{
|
|
ArtifactPath: artifactPath,
|
|
OIDCIssuer: GitHubOIDCIssuer,
|
|
Owner: "sigstore",
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
}
|
|
|
|
_, err = buildVerifyPolicy(opts, *artifact)
|
|
require.NoError(t, err)
|
|
}
|
|
|
|
func ValidateSignerWorkflow(t *testing.T) {
|
|
type testcase struct {
|
|
name string
|
|
providedSignerWorkflow string
|
|
expectedWorkflowRegex string
|
|
ghHost string
|
|
authHost string
|
|
}
|
|
|
|
testcases := []testcase{
|
|
{
|
|
name: "workflow with no host specified",
|
|
providedSignerWorkflow: "github/artifact-attestations-workflows/.github/workflows/attest.yml",
|
|
expectedWorkflowRegex: "^https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
|
|
},
|
|
{
|
|
name: "workflow with host specified",
|
|
providedSignerWorkflow: "github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
|
|
expectedWorkflowRegex: "^https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
|
|
},
|
|
{
|
|
name: "workflow with GH_HOST set",
|
|
providedSignerWorkflow: "github/artifact-attestations-workflows/.github/workflows/attest.yml",
|
|
expectedWorkflowRegex: "^https://myhost.github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
|
|
ghHost: "myhost.github.com",
|
|
},
|
|
{
|
|
name: "workflow with authenticated host",
|
|
providedSignerWorkflow: "github/artifact-attestations-workflows/.github/workflows/attest.yml",
|
|
expectedWorkflowRegex: "^https://authedhost.github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
|
|
authHost: "authedhost.github.com",
|
|
},
|
|
}
|
|
|
|
for _, tc := range testcases {
|
|
cmdFactory := factory.New("test")
|
|
|
|
opts := &Options{
|
|
Config: cmdFactory.Config,
|
|
SignerWorkflow: tc.providedSignerWorkflow,
|
|
}
|
|
|
|
if tc.ghHost != "" {
|
|
err := os.Setenv("GH_HOST", tc.ghHost)
|
|
require.NoError(t, err)
|
|
}
|
|
|
|
if tc.authHost != "" {
|
|
cfg, err := opts.Config()
|
|
require.NoError(t, err)
|
|
|
|
// if authenticated, return the authenticated host
|
|
authCfg := cfg.Authentication()
|
|
authCfg.SetDefaultHost(tc.authHost, "")
|
|
}
|
|
|
|
workflowRegex, err := validateSignerWorkflow(opts)
|
|
require.NoError(t, err)
|
|
require.Equal(t, tc.expectedWorkflowRegex, workflowRegex)
|
|
}
|
|
}
|