test: add comprehensive unit tests for internal/attestation package

This commit adds extensive unit test coverage for the attestation
package, including both success and failure scenarios. The changes
include:

Add new test functions for provenance operations:
  - TestProvenance_Type: Tests type getter returning in-toto
    statement type
  - TestProvenance_Statement: Tests statement data retrieval with
    various data states
  - TestProvenance_Signatures: Tests signature collection handling
  - TestProvenance_Subject: Tests subject retrieval from
    attestation statements
  - TestProvenance_MarshalJSON: Tests JSON marshaling with
    different signature configurations
  - TestSLSAProvenance_Subject: Tests SLSA provenance subject
    retrieval with realistic container data

These changes added 6 new test functions.

Assisted-by: Claude Code

Ref: https://issues.redhat.com/browse/EC-1496

Author: cuipinghuo

internal/attestation/attestation_test.go

@@ -20,11 +20,13 @@ package attestation
 
 import (
 	"crypto/x509"
+	"encoding/json"
 	"fmt"
 	"testing"
 
 	"github.com/gkampitakis/go-snaps/snaps"
 	"github.com/google/go-containerregistry/pkg/v1/types"
+	"github.com/in-toto/in-toto-golang/in_toto"
 	ct "github.com/sigstore/cosign/v2/pkg/types"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -125,3 +127,248 @@ func TestProvenanceFromSignature(t *testing.T) {
 		})
 	}
 }
+
+func TestProvenance_Type(t *testing.T) {
+	tests := []struct {
+		name     string
+		expected string
+	}{
+		{
+			name:     "returns correct in-toto statement type",
+			expected: "https://in-toto.io/Statement/v0.1",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p := provenance{}
+			result := p.Type()
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestProvenance_Statement(t *testing.T) {
+	tests := []struct {
+		name     string
+		data     []byte
+		expected []byte
+	}{
+		{
+			name:     "returns stored data correctly",
+			data:     []byte(`{"test": "data"}`),
+			expected: []byte(`{"test": "data"}`),
+		},
+		{
+			name:     "returns empty data when nil",
+			data:     nil,
+			expected: nil,
+		},
+		{
+			name:     "returns empty data when empty slice",
+			data:     []byte{},
+			expected: []byte{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p := provenance{data: tt.data}
+			result := p.Statement()
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestProvenance_Signatures(t *testing.T) {
+	mockSig1 := signature.EntitySignature{
+		KeyID:     "key1",
+		Signature: "sig1",
+	}
+	mockSig2 := signature.EntitySignature{
+		KeyID:     "key2",
+		Signature: "sig2",
+	}
+
+	tests := []struct {
+		name       string
+		signatures []signature.EntitySignature
+		expected   []signature.EntitySignature
+	}{
+		{
+			name:       "returns single signature",
+			signatures: []signature.EntitySignature{mockSig1},
+			expected:   []signature.EntitySignature{mockSig1},
+		},
+		{
+			name:       "returns multiple signatures",
+			signatures: []signature.EntitySignature{mockSig1, mockSig2},
+			expected:   []signature.EntitySignature{mockSig1, mockSig2},
+		},
+		{
+			name:       "returns empty slice when no signatures",
+			signatures: []signature.EntitySignature{},
+			expected:   []signature.EntitySignature{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p := provenance{signatures: tt.signatures}
+			result := p.Signatures()
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestProvenance_Subject(t *testing.T) {
+	mockSubject1 := in_toto.Subject{
+		Name: "subject1",
+		Digest: map[string]string{
+			"sha256": "digest1",
+		},
+	}
+	mockSubject2 := in_toto.Subject{
+		Name: "subject2",
+		Digest: map[string]string{
+			"sha256": "digest2",
+		},
+	}
+
+	tests := []struct {
+		name      string
+		statement in_toto.Statement
+		expected  []in_toto.Subject
+	}{
+		{
+			name: "returns single subject",
+			statement: in_toto.Statement{
+				StatementHeader: in_toto.StatementHeader{
+					Subject: []in_toto.Subject{mockSubject1},
+				},
+			},
+			expected: []in_toto.Subject{mockSubject1},
+		},
+		{
+			name: "returns multiple subjects",
+			statement: in_toto.Statement{
+				StatementHeader: in_toto.StatementHeader{
+					Subject: []in_toto.Subject{mockSubject1, mockSubject2},
+				},
+			},
+			expected: []in_toto.Subject{mockSubject1, mockSubject2},
+		},
+		{
+			name: "returns empty slice when no subjects",
+			statement: in_toto.Statement{
+				StatementHeader: in_toto.StatementHeader{
+					Subject: []in_toto.Subject{},
+				},
+			},
+			expected: []in_toto.Subject{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p := provenance{statement: tt.statement}
+			result := p.Subject()
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestProvenance_MarshalJSON(t *testing.T) {
+	mockSig1 := signature.EntitySignature{
+		KeyID:     "key1",
+		Signature: "sig1",
+	}
+	mockSig2 := signature.EntitySignature{
+		KeyID:     "key2",
+		Signature: "sig2",
+	}
+
+	tests := []struct {
+		name        string
+		provenance  provenance
+		expectedErr bool
+		validate    func(*testing.T, []byte)
+	}{
+		{
+			name: "marshals successfully with single signature",
+			provenance: provenance{
+				statement: in_toto.Statement{
+					StatementHeader: in_toto.StatementHeader{
+						PredicateType: "https://example.com/predicate/v1",
+					},
+				},
+				signatures: []signature.EntitySignature{mockSig1},
+			},
+			expectedErr: false,
+			validate: func(t *testing.T, data []byte) {
+				var result map[string]interface{}
+				err := json.Unmarshal(data, &result)
+				assert.NoError(t, err)
+				assert.Equal(t, "https://in-toto.io/Statement/v0.1", result["type"])
+				assert.Equal(t, "https://example.com/predicate/v1", result["predicateType"])
+				assert.Len(t, result["signatures"], 1)
+			},
+		},
+		{
+			name: "marshals successfully with multiple signatures",
+			provenance: provenance{
+				statement: in_toto.Statement{
+					StatementHeader: in_toto.StatementHeader{
+						PredicateType: "https://example.com/predicate/v2",
+					},
+				},
+				signatures: []signature.EntitySignature{mockSig1, mockSig2},
+			},
+			expectedErr: false,
+			validate: func(t *testing.T, data []byte) {
+				var result map[string]interface{}
+				err := json.Unmarshal(data, &result)
+				assert.NoError(t, err)
+				assert.Equal(t, "https://in-toto.io/Statement/v0.1", result["type"])
+				assert.Equal(t, "https://example.com/predicate/v2", result["predicateType"])
+				assert.Len(t, result["signatures"], 2)
+			},
+		},
+		{
+			name: "marshals successfully with empty signatures",
+			provenance: provenance{
+				statement: in_toto.Statement{
+					StatementHeader: in_toto.StatementHeader{
+						PredicateType: "https://example.com/predicate/v3",
+					},
+				},
+				signatures: []signature.EntitySignature{},
+			},
+			expectedErr: false,
+			validate: func(t *testing.T, data []byte) {
+				var result map[string]interface{}
+				err := json.Unmarshal(data, &result)
+				assert.NoError(t, err)
+				assert.Equal(t, "https://in-toto.io/Statement/v0.1", result["type"])
+				assert.Equal(t, "https://example.com/predicate/v3", result["predicateType"])
+				assert.Len(t, result["signatures"], 0)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			data, err := tt.provenance.MarshalJSON()
+
+			if tt.expectedErr {
+				assert.Error(t, err)
+				return
+			}
+
+			assert.NoError(t, err)
+			if tt.validate != nil {
+				tt.validate(t, data)
+			}
+		})
+	}
+}

internal/attestation/slsa_provenance_02_test.go

@@ -31,6 +31,7 @@ import (
 	"github.com/gkampitakis/go-snaps/snaps"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/types"
+	"github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
 	ct "github.com/sigstore/cosign/v2/pkg/types"
 	"github.com/stretchr/testify/assert"
@@ -365,3 +366,78 @@ func encode(payload string) string {
 func buffy(data string) io.ReadCloser {
 	return io.NopCloser(bytes.NewBufferString(data))
 }
+
+func TestSLSAProvenance_Subject(t *testing.T) {
+	mockSubject1 := in_toto.Subject{
+		Name: "registry.io/example/image@sha256:abc123",
+		Digest: map[string]string{
+			"sha256": "abc123def456",
+		},
+	}
+	mockSubject2 := in_toto.Subject{
+		Name: "registry.io/example/artifact@sha256:def456",
+		Digest: map[string]string{
+			"sha256": "def456abc123",
+			"sha512": "fea789bcd012",
+		},
+	}
+
+	tests := []struct {
+		name      string
+		statement in_toto.ProvenanceStatementSLSA02
+		expected  []in_toto.Subject
+		wantPanic bool
+	}{
+		{
+			name: "returns single subject successfully",
+			statement: in_toto.ProvenanceStatementSLSA02{
+				StatementHeader: in_toto.StatementHeader{
+					Subject: []in_toto.Subject{mockSubject1},
+				},
+			},
+			expected: []in_toto.Subject{mockSubject1},
+		},
+		{
+			name: "returns multiple subjects successfully",
+			statement: in_toto.ProvenanceStatementSLSA02{
+				StatementHeader: in_toto.StatementHeader{
+					Subject: []in_toto.Subject{mockSubject1, mockSubject2},
+				},
+			},
+			expected: []in_toto.Subject{mockSubject1, mockSubject2},
+		},
+		{
+			name: "returns empty slice when no subjects",
+			statement: in_toto.ProvenanceStatementSLSA02{
+				StatementHeader: in_toto.StatementHeader{
+					Subject: []in_toto.Subject{},
+				},
+			},
+			expected: []in_toto.Subject{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.wantPanic {
+				defer func() {
+					if r := recover(); r == nil {
+						t.Errorf("expected panic but none occurred")
+					}
+				}()
+			}
+
+			slsa := slsaProvenance{statement: tt.statement}
+			result := slsa.Subject()
+
+			if !tt.wantPanic {
+				assert.Equal(t, tt.expected, result)
+				// Verify that the returned slice is independent of the original
+				if len(result) > 0 && len(tt.expected) > 0 {
+					assert.Equal(t, tt.expected[0].Name, result[0].Name)
+					assert.Equal(t, tt.expected[0].Digest, result[0].Digest)
+				}
+			}
+		})
+	}
+}