90b7bf97c5
* add attestation cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add codeowners
Signed-off-by: Meredith Lancaster <malancas@github.com>
* update args passed to the attestation cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* rename file
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use gh-attestation branch for passing iostreams from the root
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add package security team entry to codeowners
Signed-off-by: Meredith Lancaster <malancas@github.com>
* start moving over verify cmd and general verification code
Signed-off-by: Meredith Lancaster <malancas@github.com>
* clean up common and verify specific policy code
Signed-off-by: Meredith Lancaster <malancas@github.com>
* move artifact package over
Signed-off-by: Meredith Lancaster <malancas@github.com>
* start pulling in the github api client wrapper
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix imports
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add logger and test packages
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add additional packages to support verify command
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix mock api client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* clean up mock api client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* include missing fields
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use correct owner
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add more mock api client options
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add download cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add inspect cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* pass factory object to inspect cmd, add inspect sub cmd to attestation cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add verify-tuf-root cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* pass iostream struct from command
Signed-off-by: Meredith Lancaster <malancas@github.com>
* rename logger pkg to logger
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix path in codeowners
Signed-off-by: Meredith Lancaster <malancas@github.com>
* formatter
Signed-off-by: Meredith Lancaster <malancas@github.com>
* go mod tidy
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix printf linter issue
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix printf linter issue
Signed-off-by: Meredith Lancaster <malancas@github.com>
* check user's GH host for compatibility
Signed-off-by: Meredith Lancaster <malancas@github.com>
* pass oci client to commands directly
Signed-off-by: Meredith Lancaster <malancas@github.com>
* rename command
Signed-off-by: Meredith Lancaster <malancas@github.com>
* mark tuf-root-verify cmd hidden
Signed-off-by: Meredith Lancaster <malancas@github.com>
* move client initialization back to subcommands
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add more verbose options and logging
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add missing logger
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add testing around OCI and API client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add integration test
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix file path
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix command
Signed-off-by: Meredith Lancaster <malancas@github.com>
* build executable before integration test
Signed-off-by: Meredith Lancaster <malancas@github.com>
* split integration tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove integration test steps
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix flag value
Signed-off-by: Meredith Lancaster <malancas@github.com>
* run integration tests on ubuntu for now
Signed-off-by: Meredith Lancaster <malancas@github.com>
* pull over doc updates
Signed-off-by: Meredith Lancaster <malancas@github.com>
* delete unused test data
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove Go patch version
Signed-off-by: Meredith Lancaster <malancas@github.com>
* switch assert to require
Signed-off-by: Meredith Lancaster <malancas@github.com>
* rename file
Signed-off-by: Meredith Lancaster <malancas@github.com>
* move integration tests to prexisting test workflow
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use platform matrix for integration tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* simplify build step
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use StringEnumFlag handling
Signed-off-by: Meredith Lancaster <malancas@github.com>
* typo
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use the iostreams.Test helper func
Signed-off-by: Meredith Lancaster <malancas@github.com>
* create interface for oci client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add tests for oci client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* rename files
Signed-off-by: Meredith Lancaster <malancas@github.com>
* format file
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix shellcheck issues
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use testing TempDir method
Signed-off-by: Meredith Lancaster <malancas@github.com>
* cleanup unused tempdir handling
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use table driven tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* check correct cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* support repo option in download sub cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* switch over to using RunE
Signed-off-by: Meredith Lancaster <malancas@github.com>
* unexport top level subcommand funcs
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add comment around keychain option
Signed-off-by: Meredith Lancaster <malancas@github.com>
* update comments
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix inconsistent naming
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add tests for CLI commands
Signed-off-by: Meredith Lancaster <malancas@github.com>
* check for noattestationsfound err
Signed-off-by: Meredith Lancaster <malancas@github.com>
* try out metadata abstraction instead
Signed-off-by: Meredith Lancaster <malancas@github.com>
* switch to using MetadataStore abstraction
Signed-off-by: Meredith Lancaster <malancas@github.com>
* include test case with failing metadata store
Signed-off-by: Meredith Lancaster <malancas@github.com>
* look for err specific to file write
Signed-off-by: Meredith Lancaster <malancas@github.com>
* unexport fields
Signed-off-by: Meredith Lancaster <malancas@github.com>
* return err when an unsupported hash alg is provided
Signed-off-by: Meredith Lancaster <malancas@github.com>
* PrintTableToStdOut returns err when rendering fails
Signed-off-by: Meredith Lancaster <malancas@github.com>
* start adding sigstore verifier unit tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add more sigstore verifier specific tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use cli table printer
Signed-off-by: Meredith Lancaster <malancas@github.com>
* return JSON results in slice instead of table
Signed-off-by: Meredith Lancaster <malancas@github.com>
* move mock client to test file
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove unneeded table printer method
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add initial tests for tufrootverify cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* formatting
Signed-off-by: Meredith Lancaster <malancas@github.com>
* cleanup method
Signed-off-by: Meredith Lancaster <malancas@github.com>
* close file in error handling branch
Signed-off-by: Meredith Lancaster <malancas@github.com>
* normalize artifact path
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove unneeded embedded file system
Signed-off-by: Meredith Lancaster <malancas@github.com>
* include image name reference err
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use GH_DEBUG value for io handling
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove quiet and verbose flags
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add more tufrootveriify tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* GitHubTUFOptions no longer needs to return error
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove unneeded slice
Signed-off-by: Meredith Lancaster <malancas@github.com>
* normalize all relative paths
Signed-off-by: Meredith Lancaster <malancas@github.com>
* clean up nil client checks
Signed-off-by: Meredith Lancaster <malancas@github.com>
* set api server based on host
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add comment about http client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use format flag to handle json output in verify cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use format flag to handle json output
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use normalized path for cli test arg
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add tests for json output
Signed-off-by: Meredith Lancaster <malancas@github.com>
* cleanup error wrapping
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use test fixtures correctly by normalizing path
Signed-off-by: Meredith Lancaster <malancas@github.com>
* dont clean
Signed-off-by: Meredith Lancaster <malancas@github.com>
* escape backwards slash for windows files with replace
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use strings.Split func
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use strings.Replace for all command tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use CLI cache dir to store tuf metadata
Signed-off-by: Meredith Lancaster <malancas@github.com>
* Tweaked docstrings for gh attestation download
* Tweaked docstrings for gh attestation verify
* Fix for bug in gh attestation where the wrong hostname was being passed to the API client.
* lets hide tuf-root-verify eh?
* Forgot verify's short str.
* add remote verification test
Signed-off-by: Meredith Lancaster <malancas@github.com>
* Revert "add remote verification test"
This reverts commit c0ceb99ca8.
* update json result handling
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add json tags to struct returned by command
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix how json results are handled
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add test to ensure JSON output is valid
Signed-off-by: Meredith Lancaster <malancas@github.com>
---------
Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Phill MV <phillmv@github.com>
179 lines
4.6 KiB
Go
179 lines
4.6 KiB
Go
package inspect
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/io"
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/test"
|
|
"github.com/cli/cli/v2/pkg/cmdutil"
|
|
|
|
"github.com/cli/cli/v2/pkg/httpmock"
|
|
"github.com/cli/cli/v2/pkg/iostreams"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
const (
|
|
SigstoreSanValue = "https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main"
|
|
SigstoreSanRegex = "^https://github.com/sigstore/sigstore-js/"
|
|
)
|
|
|
|
var (
|
|
artifactPath = test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz")
|
|
bundlePath = test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json")
|
|
)
|
|
|
|
func TestNewInspectCmd(t *testing.T) {
|
|
testIO, _, _, _ := iostreams.Test()
|
|
f := &cmdutil.Factory{
|
|
IOStreams: testIO,
|
|
HttpClient: func() (*http.Client, error) {
|
|
reg := &httpmock.Registry{}
|
|
client := &http.Client{}
|
|
httpmock.ReplaceTripper(client, reg)
|
|
return client, nil
|
|
},
|
|
}
|
|
|
|
testcases := []struct {
|
|
name string
|
|
cli string
|
|
wants Options
|
|
wantsErr bool
|
|
wantsExporter bool
|
|
}{
|
|
{
|
|
name: "Invalid digest-alg flag",
|
|
cli: fmt.Sprintf("%s --bundle %s --digest-alg sha384", artifactPath, bundlePath),
|
|
wants: Options{
|
|
ArtifactPath: artifactPath,
|
|
BundlePath: bundlePath,
|
|
DigestAlgorithm: "sha384",
|
|
OCIClient: oci.MockClient{},
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
{
|
|
name: "Use default digest-alg value",
|
|
cli: fmt.Sprintf("%s --bundle %s", artifactPath, bundlePath),
|
|
wants: Options{
|
|
ArtifactPath: artifactPath,
|
|
BundlePath: bundlePath,
|
|
DigestAlgorithm: "sha256",
|
|
OCIClient: oci.MockClient{},
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
{
|
|
name: "Use custom digest-alg value",
|
|
cli: fmt.Sprintf("%s --bundle %s --digest-alg sha512", artifactPath, bundlePath),
|
|
wants: Options{
|
|
ArtifactPath: artifactPath,
|
|
BundlePath: bundlePath,
|
|
DigestAlgorithm: "sha512",
|
|
OCIClient: oci.MockClient{},
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
{
|
|
name: "Missing bundle flag",
|
|
cli: artifactPath,
|
|
wants: Options{
|
|
ArtifactPath: artifactPath,
|
|
DigestAlgorithm: "sha256",
|
|
OCIClient: oci.MockClient{},
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
{
|
|
name: "Prints output in JSON format",
|
|
cli: fmt.Sprintf("%s --bundle %s --format json", artifactPath, bundlePath),
|
|
wants: Options{
|
|
ArtifactPath: artifactPath,
|
|
BundlePath: bundlePath,
|
|
DigestAlgorithm: "sha256",
|
|
OCIClient: oci.MockClient{},
|
|
},
|
|
wantsExporter: true,
|
|
},
|
|
}
|
|
|
|
for _, tc := range testcases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
var opts *Options
|
|
cmd := NewInspectCmd(f, func(o *Options) error {
|
|
opts = o
|
|
return nil
|
|
})
|
|
|
|
argv := strings.Split(tc.cli, " ")
|
|
cmd.SetArgs(argv)
|
|
cmd.SetIn(&bytes.Buffer{})
|
|
cmd.SetOut(&bytes.Buffer{})
|
|
cmd.SetErr(&bytes.Buffer{})
|
|
_, err := cmd.ExecuteC()
|
|
if tc.wantsErr {
|
|
assert.Error(t, err)
|
|
return
|
|
}
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, tc.wants.ArtifactPath, opts.ArtifactPath)
|
|
assert.Equal(t, tc.wants.BundlePath, opts.BundlePath)
|
|
assert.Equal(t, tc.wants.DigestAlgorithm, opts.DigestAlgorithm)
|
|
assert.NotNil(t, opts.OCIClient)
|
|
assert.NotNil(t, opts.Logger)
|
|
assert.Equal(t, tc.wantsExporter, opts.exporter != nil)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestRunInspect(t *testing.T) {
|
|
opts := Options{
|
|
ArtifactPath: artifactPath,
|
|
BundlePath: bundlePath,
|
|
DigestAlgorithm: "sha512",
|
|
Logger: io.NewTestHandler(),
|
|
OCIClient: oci.MockClient{},
|
|
}
|
|
|
|
t.Run("with valid artifact and bundle", func(t *testing.T) {
|
|
require.Nil(t, runInspect(&opts))
|
|
})
|
|
|
|
t.Run("with missing artifact path", func(t *testing.T) {
|
|
customOpts := opts
|
|
customOpts.ArtifactPath = test.NormalizeRelativePath("../test/data/non-existent-artifact.zip")
|
|
require.Error(t, runInspect(&customOpts))
|
|
})
|
|
|
|
t.Run("with missing bundle path", func(t *testing.T) {
|
|
customOpts := opts
|
|
customOpts.BundlePath = test.NormalizeRelativePath("../test/data/non-existent-sigstoreBundle.json")
|
|
require.Error(t, runInspect(&customOpts))
|
|
})
|
|
}
|
|
|
|
func TestJSONOutput(t *testing.T) {
|
|
testIO, _, out, _ := iostreams.Test()
|
|
opts := Options{
|
|
ArtifactPath: artifactPath,
|
|
BundlePath: bundlePath,
|
|
DigestAlgorithm: "sha512",
|
|
Logger: io.NewHandler(testIO),
|
|
OCIClient: oci.MockClient{},
|
|
exporter: cmdutil.NewJSONExporter(),
|
|
}
|
|
require.Nil(t, runInspect(&opts))
|
|
|
|
var target []AttestationDetail
|
|
err := json.Unmarshal(out.Bytes(), &target)
|
|
require.NoError(t, err)
|
|
}
|