-rw-r--r--pkg/trust/trust.go52
-rw-r--r--pkg/trust/trust_test.go95
2 files changed, 124 insertions, 23 deletions
diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index aaddcf93e..2d6f1fb87 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -72,33 +72,39 @@ func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirP
sort.Strings(scopes)
for _, repo := range scopes {
repoval := transval[repo]
- tempTrustShowOutput := Policy{
+ template := Policy{
+ Transport: transport,
Name: repo,
RepoName: repo,
- Transport: transport,
- Type: trustTypeDescription(repoval[0].Type),
}
- uids := []string{}
- for _, repoele := range repoval {
- if len(repoele.KeyPath) > 0 {
- uids = append(uids, idReader(repoele.KeyPath)...)
- }
- if len(repoele.KeyData) > 0 {
- uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
- }
- }
- tempTrustShowOutput.GPGId = strings.Join(uids, ", ")
-
- registryNamespace := haveMatchRegistry(repo, registryConfigs)
- if registryNamespace != nil {
- if registryNamespace.Lookaside != "" {
- tempTrustShowOutput.SignatureStore = registryNamespace.Lookaside
- } else { // incl. registryNamespace.SigStore == ""
- tempTrustShowOutput.SignatureStore = registryNamespace.SigStore
- }
- }
- output = append(output, &tempTrustShowOutput)
+ output = append(output, descriptionsOfPolicyRequirements(repoval, template, registryConfigs, repo, idReader)...)
}
}
return output, nil
}
+
+// descriptionsOfPolicyRequirements turns reqs into user-readable policy entries, with Transport/Name/Reponame coming from template, potentially looking up scope in registryConfigs.
+func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, registryConfigs *registryConfiguration, scope string, idReader gpgIDReader) []*Policy {
+ tempTrustShowOutput := template
+ tempTrustShowOutput.Type = trustTypeDescription(reqs[0].Type)
+ uids := []string{}
+ for _, repoele := range reqs {
+ if len(repoele.KeyPath) > 0 {
+ uids = append(uids, idReader(repoele.KeyPath)...)
+ }
+ if len(repoele.KeyData) > 0 {
+ uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
+ }
+ }
+ tempTrustShowOutput.GPGId = strings.Join(uids, ", ")
+
+ registryNamespace := haveMatchRegistry(scope, registryConfigs)
+ if registryNamespace != nil {
+ if registryNamespace.Lookaside != "" {
+ tempTrustShowOutput.SignatureStore = registryNamespace.Lookaside
+ } else { // incl. registryNamespace.SigStore == ""
+ tempTrustShowOutput.SignatureStore = registryNamespace.SigStore
+ }
+ }
+ return []*Policy{&tempTrustShowOutput}
+}
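Review bot: `reqs[0].Type` on the second line of descriptionsOfPolicyRequirements indexes without a length check, so an empty requirements list for a scope panics; the old inline loop had the same indexing, but now that this is a standalone helper called with caller-supplied slices (the new test passes them directly) it should guard explicitly, e.g. `if len(reqs) == 0 { return nil }` — or return whatever an empty scope entry should display, which I cannot tell from the hunk since the policy parser may already reject such lists. The entry's Type is taken from `reqs[0]` alone while the GPG IDs are merged from every requirement, so a scope mixing requirement types is shown under the first one's type; if that is intentional it deserves a comment on the `Type` assignment. The doc comment names the field `Reponame`, but the struct field is `RepoName`. The enclosing getPolicyShowOutput starts before this hunk.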
diff --git a/pkg/trust/trust_test.go b/pkg/trust/trust_test.go
index 3ee49cc47..ef2d10061 100644
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@@ -90,3 +90,98 @@ func TestPolicyDescription(t *testing.T) {
assert.Equal(t, c.expected, res)
}
}
+
+func TestDescriptionsOfPolicyRequirements(t *testing.T) {
+ // Override getGPGIdFromKeyPath because we don't want to bother with (and spend the unit-test time on) generating valid GPG keys, and running the real GPG binary.
+ // Instead of reading the files at all, just expect file names like /id1,id2,...,idN.pub
+ idReader := func(keyPath string) []string {
+ require.True(t, strings.HasPrefix(keyPath, "/"))
+ require.True(t, strings.HasSuffix(keyPath, ".pub"))
+ return strings.Split(keyPath[1:len(keyPath)-4], ",")
+ }
+
+ template := Policy{
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ }
+ registryConfigs, err := loadAndMergeConfig("./testdata")
+ require.NoError(t, err)
+
+ for _, c := range []struct {
+ scope string
+ reqs signature.PolicyRequirements
+ expected []*Policy
+ }{
+ {
+ "",
+ signature.PolicyRequirements{
+ signature.NewPRReject(),
+ },
+ []*Policy{
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "reject",
+ },
+ },
+ },
+ {
+ "quay.io/accepted",
+ signature.PolicyRequirements{
+ signature.NewPRInsecureAcceptAnything(),
+ },
+ []*Policy{
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "accept",
+ },
+ },
+ },
+ {
+ "registry.redhat.io",
+ signature.PolicyRequirements{
+ xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ },
+ []*Policy{
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "redhat",
+ },
+ },
+ },
+ {
+ "quay.io/multi-signed",
+ signature.PolicyRequirements{
+ xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ },
+ []*Policy{
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://quay.example.com/sigstore",
+ GPGId: "1, 2, 3",
+ },
+ },
+ },
+ } {
+ reqsJSON, err := json.Marshal(c.reqs)
+ require.NoError(t, err)
+ var parsedRegs []repoContent
+ err = json.Unmarshal(reqsJSON, &parsedRegs)
+ require.NoError(t, err)
+
+ res := descriptionsOfPolicyRequirements(parsedRegs, template, registryConfigs, c.scope, idReader)
+ assert.Equal(t, c.expected, res)
+ }
+}
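Review bot: The table in TestDescriptionsOfPolicyRequirements exercises only KeyPath-based signedBy requirements, so the `KeyData` branch of the helper (the `getGPGIdFromKeyData` call) and the empty-requirements input are left untested; a case with inline key data and one with `[]repoContent{}` would pin both. The expected `SignatureStore` values depend on the contents of `./testdata`, which are not visible here, so a short comment naming which registries.d file supplies `https://registry.redhat.io/containers/sigstore` and `https://quay.example.com/sigstore` would help the next reader.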