9
"github.com/containers/image/v5/signature"
10
"github.com/stretchr/testify/assert"
11
"github.com/stretchr/testify/require"
14
func TestAddPolicyEntries(t *testing.T) {
15
tempDir := t.TempDir()
16
policyPath := filepath.Join(tempDir, "policy.json")
18
minimalPolicy := &signature.Policy{
19
Default: []signature.PolicyRequirement{
20
signature.NewPRInsecureAcceptAnything(),
23
minimalPolicyJSON, err := json.Marshal(minimalPolicy)
24
require.NoError(t, err)
25
err = os.WriteFile(policyPath, minimalPolicyJSON, 0600)
26
require.NoError(t, err)
29
for _, invalid := range []AddPolicyEntriesInput{
33
PubKeyFiles: []string{"/does-not-make-sense"},
37
Type: "insecureAcceptAnything",
38
PubKeyFiles: []string{"/does-not-make-sense"},
43
PubKeyFiles: []string{"/does-not-make-sense"},
48
PubKeyFiles: []string{}, // A key is missing
52
Type: "sigstoreSigned",
53
PubKeyFiles: []string{}, // A key is missing
57
Type: "this-is-unknown",
58
PubKeyFiles: []string{},
61
err := AddPolicyEntries(policyPath, invalid)
62
assert.Error(t, err, "%#v", invalid)
65
err = AddPolicyEntries(policyPath, AddPolicyEntriesInput{
69
assert.NoError(t, err)
70
err = AddPolicyEntries(policyPath, AddPolicyEntriesInput{
71
Scope: "quay.io/accepted",
74
assert.NoError(t, err)
75
err = AddPolicyEntries(policyPath, AddPolicyEntriesInput{
76
Scope: "quay.io/multi-signed",
78
PubKeyFiles: []string{"/1.pub", "/2.pub"},
80
assert.NoError(t, err)
81
err = AddPolicyEntries(policyPath, AddPolicyEntriesInput{
82
Scope: "quay.io/sigstore-signed",
83
Type: "sigstoreSigned",
84
PubKeyFiles: []string{"/1.pub", "/2.pub"},
86
assert.NoError(t, err)
88
// Test that the outcome is consumable, and compare it with the expected values.
89
parsedPolicy, err := signature.NewPolicyFromFile(policyPath)
90
require.NoError(t, err)
91
assert.Equal(t, &signature.Policy{
92
Default: signature.PolicyRequirements{
93
signature.NewPRReject(),
95
Transports: map[string]signature.PolicyTransportScopes{
98
signature.NewPRInsecureAcceptAnything(),
100
"quay.io/multi-signed": {
101
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
102
xNewPRSignedByKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
104
"quay.io/sigstore-signed": {
105
xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
106
xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
112
// Test that completely unknown JSON is preserved
113
jsonWithUnknownData := `{
116
"type": "this is unknown",
117
"unknown field": "should be preserved"
125
"type":"this is unknown 2",
126
"unknown field 2": "should be preserved 2"
131
err = os.WriteFile(policyPath, []byte(jsonWithUnknownData), 0600)
132
require.NoError(t, err)
133
err = AddPolicyEntries(policyPath, AddPolicyEntriesInput{
134
Scope: "quay.io/innocuous",
136
PubKeyFiles: []string{"/1.pub"},
138
require.NoError(t, err)
139
updatedJSONWithUnknownData, err := os.ReadFile(policyPath)
140
require.NoError(t, err)
141
// Decode updatedJSONWithUnknownData so that this test does not depend on details of the encoding.
142
// To reduce noise in the constants below:
143
type a = []interface{}
144
type m = map[string]interface{}
145
var parsedUpdatedJSON m
146
err = json.Unmarshal(updatedJSONWithUnknownData, &parsedUpdatedJSON)
147
require.NoError(t, err)
151
"type": "this is unknown",
152
"unknown field": "should be preserved",
159
"type": "this is unknown 2",
160
"unknown field 2": "should be preserved 2",
165
"quay.io/innocuous": a{
168
"keyType": "GPGKeys",
174
}, parsedUpdatedJSON)
177
// xNewPRSignedByKeyPath is a wrapper for NewPRSignedByKeyPath which must not fail.
178
func xNewPRSignedByKeyPath(t *testing.T, keyPath string, signedIdentity signature.PolicyReferenceMatch) signature.PolicyRequirement {
179
pr, err := signature.NewPRSignedByKeyPath(signature.SBKeyTypeGPGKeys, keyPath, signedIdentity)
180
require.NoError(t, err)
184
// xNewPRSignedByKeyPaths is a wrapper for NewPRSignedByKeyPaths which must not fail.
185
func xNewPRSignedByKeyPaths(t *testing.T, keyPaths []string, signedIdentity signature.PolicyReferenceMatch) signature.PolicyRequirement {
186
pr, err := signature.NewPRSignedByKeyPaths(signature.SBKeyTypeGPGKeys, keyPaths, signedIdentity)
187
require.NoError(t, err)
191
// xNewPRSigstoreSignedKeyPath is a wrapper for NewPRSigstoreSignedKeyPath which must not fail.
192
func xNewPRSigstoreSignedKeyPath(t *testing.T, keyPath string, signedIdentity signature.PolicyReferenceMatch) signature.PolicyRequirement {
193
pr, err := signature.NewPRSigstoreSignedKeyPath(keyPath, signedIdentity)
194
require.NoError(t, err)