8c8423aa3d
Signed-off-by: Brian DeHamer <bdehamer@github.com> Co-authored-by: Zach Steindler <steiza@github.com> Co-authored-by: Phill MV <phillmv@github.com>
150 lines
6 KiB
Go
150 lines
6 KiB
Go
package verification
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/sigstore/sigstore-go/pkg/fulcio/certificate"
|
|
"github.com/sigstore/sigstore-go/pkg/verify"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestVerifyCertExtensions(t *testing.T) {
|
|
results := []*AttestationProcessingResult{
|
|
{
|
|
VerificationResult: &verify.VerificationResult{
|
|
Signature: &verify.SignatureVerificationResult{
|
|
Certificate: &certificate.Summary{
|
|
Extensions: certificate.Extensions{
|
|
SourceRepositoryOwnerURI: "https://github.com/owner",
|
|
SourceRepositoryURI: "https://github.com/owner/repo",
|
|
Issuer: "https://token.actions.githubusercontent.com",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "", "owner", "owner/repo", GitHubOIDCIssuer)
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with owner and repo, but wrong tenant", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", GitHubOIDCIssuer)
|
|
require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://foo.ghe.com/owner, got https://github.com/owner")
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with owner", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "", "owner", "", GitHubOIDCIssuer)
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with wrong owner", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "", "wrong", "", GitHubOIDCIssuer)
|
|
require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/wrong, got https://github.com/owner")
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "", "owner", "wrong", GitHubOIDCIssuer)
|
|
require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo")
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "", "owner", "", "wrong")
|
|
require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.githubusercontent.com")
|
|
})
|
|
}
|
|
|
|
func TestVerifyCertExtensionsCustomizedIssuer(t *testing.T) {
|
|
results := []*AttestationProcessingResult{
|
|
{
|
|
VerificationResult: &verify.VerificationResult{
|
|
Signature: &verify.SignatureVerificationResult{
|
|
Certificate: &certificate.Summary{
|
|
Extensions: certificate.Extensions{
|
|
SourceRepositoryOwnerURI: "https://github.com/owner",
|
|
SourceRepositoryURI: "https://github.com/owner/repo",
|
|
Issuer: "https://token.actions.githubusercontent.com/foo-bar",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
t.Run("VerifyCertExtensions with exact issuer match", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "", "owner", "owner/repo", "https://token.actions.githubusercontent.com/foo-bar")
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with partial issuer match", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "", "owner", "owner/repo", "https://token.actions.githubusercontent.com")
|
|
require.ErrorContains(t, err, "expected Issuer to be https://token.actions.githubusercontent.com, got https://token.actions.githubusercontent.com/foo-bar -- if you have a custom OIDC issuer")
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "", "owner", "", "wrong")
|
|
require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.githubusercontent.com/foo-bar")
|
|
})
|
|
}
|
|
|
|
func TestVerifyTenancyCertExtensions(t *testing.T) {
|
|
defaultIssuer := GitHubOIDCIssuer
|
|
|
|
results := []*AttestationProcessingResult{
|
|
{
|
|
VerificationResult: &verify.VerificationResult{
|
|
Signature: &verify.SignatureVerificationResult{
|
|
Certificate: &certificate.Summary{
|
|
Extensions: certificate.Extensions{
|
|
SourceRepositoryOwnerURI: "https://foo.ghe.com/owner",
|
|
SourceRepositoryURI: "https://foo.ghe.com/owner/repo",
|
|
Issuer: "https://token.actions.foo.ghe.com",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", defaultIssuer)
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with owner and repo, no tenant", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "", "owner", "owner/repo", defaultIssuer)
|
|
require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/owner, got https://foo.ghe.com/owner")
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with owner and repo, wrong tenant", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "bar", "owner", "owner/repo", defaultIssuer)
|
|
require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://bar.ghe.com/owner, got https://foo.ghe.com/owner")
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with owner", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "foo", "owner", "", defaultIssuer)
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with wrong owner", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "foo", "wrong", "", defaultIssuer)
|
|
require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://foo.ghe.com/wrong, got https://foo.ghe.com/owner")
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "foo", "owner", "wrong", defaultIssuer)
|
|
require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://foo.ghe.com/wrong, got https://foo.ghe.com/owner/repo")
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with correct, non-default issuer", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", "https://token.actions.foo.ghe.com")
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
|
|
err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", "wrong")
|
|
require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.foo.ghe.com")
|
|
})
|
|
}
|