Split descriptionsOfPolicyRequirements out of getPolicyShowOutput

This will evetually allow us to use it for the default scope
as well, which currently uses a simplified version.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

2 files changed, 124 insertions, 23 deletions

diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index aaddcf93e..2d6f1fb87 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -72,33 +72,39 @@ func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirP
 		sort.Strings(scopes)
 		for _, repo := range scopes {
 			repoval := transval[repo]
-			tempTrustShowOutput := Policy{
+			template := Policy{
+				Transport: transport,
 				Name:      repo,
 				RepoName:  repo,
-				Transport: transport,
-				Type:      trustTypeDescription(repoval[0].Type),
 			}
-			uids := []string{}
-			for _, repoele := range repoval {
-				if len(repoele.KeyPath) > 0 {
-					uids = append(uids, idReader(repoele.KeyPath)...)
-				}
-				if len(repoele.KeyData) > 0 {
-					uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
-				}
-			}
-			tempTrustShowOutput.GPGId = strings.Join(uids, ", ")
-
-			registryNamespace := haveMatchRegistry(repo, registryConfigs)
-			if registryNamespace != nil {
-				if registryNamespace.Lookaside != "" {
-					tempTrustShowOutput.SignatureStore = registryNamespace.Lookaside
-				} else { // incl. registryNamespace.SigStore == ""
-					tempTrustShowOutput.SignatureStore = registryNamespace.SigStore
-				}
-			}
-			output = append(output, &tempTrustShowOutput)
+			output = append(output, descriptionsOfPolicyRequirements(repoval, template, registryConfigs, repo, idReader)...)
 		}
 	}
 	return output, nil
 }
+
+// descriptionsOfPolicyRequirements turns reqs into user-readable policy entries, with Transport/Name/Reponame coming from template, potentially looking up scope in registryConfigs.
+func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, registryConfigs *registryConfiguration, scope string, idReader gpgIDReader) []*Policy {
+	tempTrustShowOutput := template
+	tempTrustShowOutput.Type = trustTypeDescription(reqs[0].Type)
+	uids := []string{}
+	for _, repoele := range reqs {
+		if len(repoele.KeyPath) > 0 {
+			uids = append(uids, idReader(repoele.KeyPath)...)
+		}
+		if len(repoele.KeyData) > 0 {
+			uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
+		}
+	}
+	tempTrustShowOutput.GPGId = strings.Join(uids, ", ")
+
+	registryNamespace := haveMatchRegistry(scope, registryConfigs)
+	if registryNamespace != nil {
+		if registryNamespace.Lookaside != "" {
+			tempTrustShowOutput.SignatureStore = registryNamespace.Lookaside
+		} else { // incl. registryNamespace.SigStore == ""
+			tempTrustShowOutput.SignatureStore = registryNamespace.SigStore
+		}
+	}
+	return []*Policy{&tempTrustShowOutput}
+}
diff --git a/pkg/trust/trust_test.go b/pkg/trust/trust_test.go
index 3ee49cc47..ef2d10061 100644
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@@ -90,3 +90,98 @@ func TestPolicyDescription(t *testing.T) {
 		assert.Equal(t, c.expected, res)
 	}
 }
+
+func TestDescriptionsOfPolicyRequirements(t *testing.T) {
+	// Override getGPGIdFromKeyPath because we don't want to bother with (and spend the unit-test time on) generating valid GPG keys, and running the real GPG binary.
+	// Instead of reading the files at all, just expect file names like /id1,id2,...,idN.pub
+	idReader := func(keyPath string) []string {
+		require.True(t, strings.HasPrefix(keyPath, "/"))
+		require.True(t, strings.HasSuffix(keyPath, ".pub"))
+		return strings.Split(keyPath[1:len(keyPath)-4], ",")
+	}
+
+	template := Policy{
+		Transport: "transport",
+		Name:      "name",
+		RepoName:  "repoName",
+	}
+	registryConfigs, err := loadAndMergeConfig("./testdata")
+	require.NoError(t, err)
+
+	for _, c := range []struct {
+		scope    string
+		reqs     signature.PolicyRequirements
+		expected []*Policy
+	}{
+		{
+			"",
+			signature.PolicyRequirements{
+				signature.NewPRReject(),
+			},
+			[]*Policy{
+				{
+					Transport: "transport",
+					Name:      "name",
+					RepoName:  "repoName",
+					Type:      "reject",
+				},
+			},
+		},
+		{
+			"quay.io/accepted",
+			signature.PolicyRequirements{
+				signature.NewPRInsecureAcceptAnything(),
+			},
+			[]*Policy{
+				{
+					Transport: "transport",
+					Name:      "name",
+					RepoName:  "repoName",
+					Type:      "accept",
+				},
+			},
+		},
+		{
+			"registry.redhat.io",
+			signature.PolicyRequirements{
+				xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
+			},
+			[]*Policy{
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "redhat",
+				},
+			},
+		},
+		{
+			"quay.io/multi-signed",
+			signature.PolicyRequirements{
+				xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
+			},
+			[]*Policy{
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://quay.example.com/sigstore",
+					GPGId:          "1, 2, 3",
+				},
+			},
+		},
+	} {
+		reqsJSON, err := json.Marshal(c.reqs)
+		require.NoError(t, err)
+		var parsedRegs []repoContent
+		err = json.Unmarshal(reqsJSON, &parsedRegs)
+		require.NoError(t, err)
+
+		res := descriptionsOfPolicyRequirements(parsedRegs, template, registryConfigs, c.scope, idReader)
+		assert.Equal(t, c.expected, res)
+	}
+}