package trust
import (
"encoding/json"
"os"
"path/filepath"
"strings"
"testing"
"github.com/containers/image/v5/signature"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// TestPolicyDescription checks that policyDescriptionWithGPGIDReader flattens a
// containers/image policy.json into the []*Policy rows this package reports,
// without touching real GPG keys or the GPG binary.
func TestPolicyDescription(t *testing.T) {
	policyPath := filepath.Join(t.TempDir(), "policy.json")

	// Stand-in for getGPGIdFromKeyPath: rather than generating and parsing real
	// public keys on every run, the key path itself encodes the IDs as
	// "/id1,id2,...,idN.pub". Consequently real key-file parsing is not
	// exercised here; the require calls abort the test on a malformed path.
	fakeIDReader := func(keyPath string) []string {
		require.True(t, strings.HasPrefix(keyPath, "/"))
		require.True(t, strings.HasSuffix(keyPath, ".pub"))
		ids := strings.TrimSuffix(strings.TrimPrefix(keyPath, "/"), ".pub")
		return strings.Split(ids, ",")
	}

	type testCase struct {
		policy   *signature.Policy // policy to serialize to policyPath
		expected []*Policy         // rows policyDescriptionWithGPGIDReader should produce
	}
	cases := []testCase{
		{
			policy: &signature.Policy{
				Default: signature.PolicyRequirements{
					signature.NewPRReject(),
				},
				Transports: map[string]signature.PolicyTransportScopes{
					"docker": {
						"quay.io/accepted": {
							signature.NewPRInsecureAcceptAnything(),
						},
						"registry.redhat.io": {
							xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
						},
						"quay.io/multi-signed": {
							xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
							xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
						},
					},
				},
			},
			// Go map iteration order is random, so the row order below must be
			// imposed by policyDescriptionWithGPGIDReader itself (presumably
			// sorted by name — confirm). The SignatureStore values are assumed
			// to come from the configuration under ./testdata.
			expected: []*Policy{
				{
					Transport: "all",
					Name:      "* (default)",
					RepoName:  "default",
					Type:      "reject",
				},
				{
					Transport: "repository",
					Name:      "quay.io/accepted",
					RepoName:  "quay.io/accepted",
					Type:      "accept",
				},
				{
					Transport:      "repository",
					Name:           "quay.io/multi-signed",
					RepoName:       "quay.io/multi-signed",
					Type:           "signed",
					SignatureStore: "https://quay.example.com/sigstore",
					GPGId:          "1, 2, 3",
				},
				{
					Transport:      "repository",
					Name:           "registry.redhat.io",
					RepoName:       "registry.redhat.io",
					Type:           "signed",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "redhat",
				},
			},
		},
	}

	for _, tc := range cases {
		policyJSON, err := json.Marshal(tc.policy)
		require.NoError(t, err)
		// 0600: the temporary policy file is readable only by the test's user.
		require.NoError(t, os.WriteFile(policyPath, policyJSON, 0600))

		got, err := policyDescriptionWithGPGIDReader(policyPath, "./testdata", fakeIDReader)
		require.NoError(t, err)
		assert.Equal(t, tc.expected, got)
	}
}