path: root/pkg/trust/trust_test.go
blob: fc906572dc1d50e4de502769bfc52347686ab1f8 (plain)
package trust

import (
	"encoding/json"
	"os"
	"path/filepath"
	"strings"
	"testing"

	"github.com/containers/image/v5/signature"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// TestPolicyDescription runs a signature.Policy through
// policyDescriptionWithGPGIDReader and checks the human-readable *Policy
// entries it yields: the "all"/default entry plus one "accept" or "signed"
// entry per repository scope. The comparison is on the whole slice, so
// element order is asserted as well.
//
// The SignatureStore value for registry.redhat.io does not come from the
// policy itself; it is presumably resolved from the registries
// configuration under ./testdata (the second argument) — check there if
// that expectation ever needs updating.
func TestPolicyDescription(t *testing.T) {
	policyPath := filepath.Join(t.TempDir(), "policy.json")

	// Stand-in for getGPGIdFromKeyPath: generating real GPG keys and
	// shelling out to the gpg binary would make the unit test slow for no
	// gain. Nothing is read from disk; the key "path" itself encodes the
	// IDs, in the form /id1,id2,...,idN.pub. Any other shape aborts the
	// test via require.
	fakeIDReader := func(keyPath string) []string {
		require.True(t, strings.HasPrefix(keyPath, "/"))
		require.True(t, strings.HasSuffix(keyPath, ".pub"))
		ids := strings.TrimSuffix(strings.TrimPrefix(keyPath, "/"), ".pub")
		return strings.Split(ids, ",")
	}

	type testCase struct {
		policy   *signature.Policy
		expected []*Policy
	}

	cases := []testCase{
		{
			policy: &signature.Policy{
				Default: signature.PolicyRequirements{
					signature.NewPRReject(),
				},
				Transports: map[string]signature.PolicyTransportScopes{
					"docker": {
						"quay.io/accepted": {
							signature.NewPRInsecureAcceptAnything(),
						},
						"registry.redhat.io": {
							xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
						},
						"quay.io/multi-signed": {
							xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
							xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
						},
					},
				},
			},
			expected: []*Policy{
				{
					Transport: "all",
					Name:      "* (default)",
					RepoName:  "default",
					Type:      "reject",
				},
				{
					Transport: "repository",
					Name:      "quay.io/accepted",
					RepoName:  "quay.io/accepted",
					Type:      "accept",
				},
				{
					// Two requirements on one scope ("/1.pub" and "/2,3.pub")
					// are expected to collapse into a single comma-joined GPGId.
					Transport:      "repository",
					Name:           "quay.io/multi-signed",
					RepoName:       "quay.io/multi-signed",
					Type:           "signed",
					SignatureStore: "",
					GPGId:          "1, 2, 3",
				},
				{
					Transport:      "repository",
					Name:           "registry.redhat.io",
					RepoName:       "registry.redhat.io",
					Type:           "signed",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "redhat",
				},
			},
		},
	}

	for _, tc := range cases {
		policyJSON, err := json.Marshal(tc.policy)
		require.NoError(t, err)
		// The policy file is private to this test; 0600 keeps it that way.
		require.NoError(t, os.WriteFile(policyPath, policyJSON, 0600))

		got, err := policyDescriptionWithGPGIDReader(policyPath, "./testdata", fakeIDReader)
		require.NoError(t, err)
		assert.Equal(t, tc.expected, got)
	}
}