Merge pull request #1698 from robnester-rh/EC-1679

Use valid sha256 digest formats in test data

Author: robnester-rh

policy/lib/konflux/konflux_test.rego

@@ -7,12 +7,12 @@ import data.lib.konflux
 
 test_is_image_index if {
 	konflux.is_validating_image_index with input.attestations as [_attestation]
-		with input.image.ref as "registry.local/ham@sha256:fff"
+		with input.image.ref as "registry.local/ham@sha256:fff0000000000000000000000000000000000000000000000000000000000fff"
 }
 
 test_is_image_index_unknown_digest if {
 	not konflux.is_validating_image_index with input.attestations as [_attestation]
-		with input.image.ref as "registry.local/ham@sha256:bbb"
+		with input.image.ref as "registry.local/ham@sha256:bbb0000000000000000000000000000000000000000000000000000000000bbb"
 }
 
 test_is_image_index_empty_images if {
@@ -21,7 +21,7 @@ test_is_image_index_empty_images if {
 		[{"op": "add", "path": "/statement/predicate/buildConfig/tasks/0/results/0/value", "value": ""}],
 	)
 	not konflux.is_validating_image_index with input.attestations as [att]
-		with input.image.ref as "registry.local/ham@sha256:fff"
+		with input.image.ref as "registry.local/ham@sha256:fff0000000000000000000000000000000000000000000000000000000000fff"
 }
 
 _attestation := {"statement": {
@@ -32,7 +32,8 @@ _attestation := {"statement": {
 			{
 				"name": "IMAGES",
 				"type": "string",
-				"value": "registry.local/spam@sha256:abc, registry.local/bacon@sha256:bcd",
+				# regal ignore:line-length
+				"value": "registry.local/spam@sha256:abc0000000000000000000000000000000000000000000000000000000000abc, registry.local/bacon@sha256:bcd0000000000000000000000000000000000000000000000000000000000bcd",
 			},
 			{
 				"name": "IMAGE_URL",
@@ -42,7 +43,7 @@ _attestation := {"statement": {
 			{
 				"name": "IMAGE_DIGEST",
 				"type": "string",
-				"value": "sha256:fff",
+				"value": "sha256:fff0000000000000000000000000000000000000000000000000000000000fff",
 			},
 		]}]},
 	},

policy/lib/sbom/sbom.rego

@@ -120,7 +120,7 @@ image_ref_from_purl(raw_purl) := image_ref if {
 	# other SPDX creators might reasonably use "pkg:docker/" in the purl.
 	# purl.type in {"oci", "docker"}
 
-	# Example image_digest: "sha256:012abc"
+	# Example image_digest: "sha256:012abc0000000000000000000000000000000000000000000000000000012abc"
 	image_digest := purl.version
 
 	some qualifier in purl.qualifiers

policy/lib/sbom/sbom_test.rego

@@ -30,7 +30,7 @@ test_cyclonedx_sboms if {
 					{
 						"name": "IMAGE_DIGEST",
 						"type": "string",
-						"value": "sha256:284e3029",
+						"value": "sha256:284e302900000000000000000000000000000000000000000000000284e3029",
 					},
 					{
 						"name": "IMAGE_URL",
@@ -40,7 +40,7 @@ test_cyclonedx_sboms if {
 					{
 						"name": "SBOM_BLOB_URL",
 						"type": "string",
-						"value": "registry.io/repository/image@sha256:f0cacc1a",
+						"value": "registry.io/repository/image@sha256:f0cacc1a00000000000000000000000000000000000000000000000f0cacc1a0",
 					},
 				]}]},
 			},
@@ -72,7 +72,7 @@ test_spdx_sboms if {
 					{
 						"name": "IMAGE_DIGEST",
 						"type": "string",
-						"value": "sha256:284e3029",
+						"value": "sha256:284e302900000000000000000000000000000000000000000000000284e3029",
 					},
 					{
 						"name": "IMAGE_URL",
@@ -82,7 +82,7 @@ test_spdx_sboms if {
 					{
 						"name": "SBOM_BLOB_URL",
 						"type": "string",
-						"value": "registry.io/repository/image@sha256:f0cacc1a",
+						"value": "registry.io/repository/image@sha256:f0cacc1a00000000000000000000000000000000000000000000000f0cacc1a0",
 					},
 				]}]},
 			},
@@ -103,7 +103,7 @@ test_ignore_unrelated_sboms if {
 				{
 					"name": "IMAGE_DIGEST",
 					"type": "string",
-					"value": "sha256:0000000",
+					"value": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
 				},
 				{
 					"name": "IMAGE_URL",
@@ -113,7 +113,7 @@ test_ignore_unrelated_sboms if {
 				{
 					"name": "SBOM_BLOB_URL",
 					"type": "string",
-					"value": "registry.io/repository/image@sha256:f0cacc1a",
+					"value": "registry.io/repository/image@sha256:f0cacc1a00000000000000000000000000000000000000000000000f0cacc1a0",
 				},
 			]}]},
 		}}},
@@ -123,7 +123,7 @@ test_ignore_unrelated_sboms if {
 				{
 					"name": "IMAGE_DIGEST",
 					"type": "string",
-					"value": "sha256:1111111",
+					"value": "sha256:1111111000000000000000000000000000000000000000000000000001111111",
 				},
 				{
 					"name": "IMAGE_URL",
@@ -133,14 +133,15 @@ test_ignore_unrelated_sboms if {
 				{
 					"name": "SBOM_BLOB_URL",
 					"type": "string",
-					"value": "registry.io/repository/image@sha256:f0cacc1b",
+					"value": "registry.io/repository/image@sha256:f0cacc1b00000000000000000000000000000000000000000000000f0cacc1b0",
 				},
 			]}]},
 		}}},
 	]
 
 	lib.assert_equal(sbom.all_sboms, []) with input.attestations as attestations
-		with input.image as {"ref": "registry.io/repository/image@sha256:284e3029"}
+		# regal ignore:line-length
+with 		input.image as {"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029"}
 		with ec.oci.blob as ""
 		with ec.oci.descriptor as {"mediaType": "application/vnd.oci.image.manifest.v1+json"}
 }
@@ -159,11 +160,11 @@ mock_ec_oci_cyclonedx_blob := `{"sbom": "from oci blob", "bomFormat": "CycloneDX
 mock_ec_oci_spdx_blob := `{"sbom": "from oci blob", "SPDXID": "SPDXRef-DOCUMENT"}`
 
 _cyclonedx_image := {
-	"ref": "registry.io/repository/image@sha256:284e3029",
+	"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029",
 	"config": {"Labels": {"vendor": "Red Hat, Inc."}},
 }
 
 _spdx_image := {
-	"ref": "registry.io/repository/image@sha256:284e3029",
+	"ref": "registry.io/repository/image@sha256:284e302900000000000000000000000000000000000000000000000284e3029",
 	"config": {"Labels": {"vendor": "Red Hat, Inc."}},
 }

policy/lib/tekton/pipeline_test.rego

@@ -12,7 +12,7 @@ test_pipeline_label_selector_build_task_slsa_v1_0 if {
 		task_w_labels,
 		[
 			{"name": "IMAGE_URL", "value": "localhost:5000/repo:latest"},
-			{"name": "IMAGE_DIGEST", "value": "sha256:abc"},
+			{"name": "IMAGE_DIGEST", "value": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc"},
 		],
 	)
 
@@ -30,7 +30,8 @@ test_pipeline_label_selector_build_task_slsa_v0_2 if {
 		"ref": {"name": "build-container", "kind": "Task"},
 		"results": [
 			{"name": "IMAGE_URL", "type": "string", "value": "localhost:5000/repo:latest"},
-			{"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc"},
+			# regal ignore:line-length
+			{"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc"},
 		],
 		"invocation": {"environment": {"labels": {tekton.task_label: "generic"}}},
 	}
@@ -64,7 +65,8 @@ test_pipeline_label_selector_pipeline_run_slsa_v0_2 if {
 		"ref": {"name": "build-container", "kind": "Task"},
 		"results": [
 			{"name": "IMAGE_URL", "type": "string", "value": "localhost:5000/repo:latest"},
-			{"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc"},
+			# regal ignore:line-length
+			{"name": "IMAGE_DIGEST", "type": "string", "value": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc"},
 		],
 	}
 

policy/lib/tekton/refs_test.rego

@@ -5,11 +5,11 @@ import rego.v1
 import data.lib
 import data.lib.tekton
 
-_image := "registry.img/test@sha256:digest"
+_image := "registry.img/test@sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"
 
 _image_key := "oci://registry.img/test"
 
-_image_digest := "sha256:digest"
+_image_digest := "sha256:d19e5700000000000000000000000000000000000000000000000000d19e5700"
 
 _unpinned_image := "registry.img/test:latest"
 

policy/lib/tekton/task_results_test.rego

@@ -54,11 +54,13 @@ test_artifact_result if {
 test_images_result if {
 	results := [{
 		"name": "IMAGES",
-		"value": "img1@sha256:digest1, img2@sha256:digest2\n",
+		# regal ignore:line-length
+		"value": "img1@sha256:d19e5701000000000000000000000000000000000000000000000000d19e5701, img2@sha256:d19e5702000000000000000000000000000000000000000000000000d19e5702\n",
 	}]
 	lib.assert_equal(["img1", "img2"], tekton.task_result_artifact_url(resolved_slsav1_task("task1", [], results)))
 	lib.assert_equal(
-		["sha256:digest1", "sha256:digest2"],
+		# regal ignore:line-length
+		["sha256:d19e5701000000000000000000000000000000000000000000000000d19e5701", "sha256:d19e5702000000000000000000000000000000000000000000000000d19e5702"],
 		tekton.task_result_artifact_digest(resolved_slsav1_task("task1", [], results)),
 	)
 }
@@ -153,43 +155,46 @@ test_mixed_results if {
 		},
 		{
 			"name": "IMAGES",
-			"value": "images-1@sha256:4567,images-2@sha256:5678",
+			# regal ignore:line-length
+			"value": "images-1@sha256:4567000000000000000000000000000000000000000000000000000000004567,images-2@sha256:5678000000000000000000000000000000000000000000000000000000005678",
 		},
 		{
 			"name": "image1_ARTIFACT_URI",
 			"value": "image-artifact-1",
 		},
 		{
 			"name": "image1_ARTIFACT_DIGEST",
-			"value": "sha256:6789",
+			"value": "sha256:6789000000000000000000000000000000000000000000000000000000006789",
 		},
 		{
 			"name": "image2_ARTIFACT_URI",
 			"value": "image-artifact-1",
 		},
 		{
 			"name": "image2_ARTIFACT_DIGEST",
-			"value": "sha256:7890",
+			"value": "sha256:7890000000000000000000000000000000000000000000000000000000007890",
 		},
 		{
 			"name": "image1_ARTIFACT_OUTPUTS",
-			"value": {"uri": "artifact-outputs-img1", "digest": "sha256:1234"},
+			# regal ignore:line-length
+			"value": {"uri": "artifact-outputs-img1", "digest": "sha256:1234000000000000000000000000000000000000000000000000000000001234"},
 		},
 		{
 			"name": "image2_ARTIFACT_OUTPUTS",
-			"value": {"uri": "artifact-outputs-img2", "digest": "sha256:9801"},
+			# regal ignore:line-length
+			"value": {"uri": "artifact-outputs-img2", "digest": "sha256:9801000000000000000000000000000000000000000000000000000000009801"},
 		},
 	]
 
 	expected := [
 		"image-url-img1@2345",
 		"image-url-img2@3456",
-		"image-artifact-1@sha256:6789",
-		"image-artifact-1@sha256:7890",
-		"images-1@sha256:4567",
-		"images-2@sha256:5678",
-		"artifact-outputs-img1@sha256:1234",
-		"artifact-outputs-img2@sha256:9801",
+		"image-artifact-1@sha256:6789000000000000000000000000000000000000000000000000000000006789",
+		"image-artifact-1@sha256:7890000000000000000000000000000000000000000000000000000000007890",
+		"images-1@sha256:4567000000000000000000000000000000000000000000000000000000004567",
+		"images-2@sha256:5678000000000000000000000000000000000000000000000000000000005678",
+		"artifact-outputs-img1@sha256:1234000000000000000000000000000000000000000000000000000000001234",
+		"artifact-outputs-img2@sha256:9801000000000000000000000000000000000000000000000000000000009801",
 	]
 
 	lib.assert_equal(expected, tekton.images_with_digests([resolved_slsav1_task("task1", [], results)]))

policy/lib/tekton/task_test.rego

@@ -234,7 +234,8 @@ test_build_task_with_images if {
 		{
 			"op": "replace",
 			"path": "/statement/predicate/buildConfig/tasks/0/results/0/value",
-			"value": "img1@sha256:digest1, img2@sha256:digest2",
+			# regal ignore:line-length
+			"value": "img1@sha256:d19e5701000000000000000000000000000000000000000000000000d19e5701, img2@sha256:d19e5702000000000000000000000000000000000000000000000000d19e5702",
 		},
 		{
 			"op": "remove",
@@ -503,12 +504,14 @@ test_missing_required_tasks_data if {
 
 test_task_step_image_ref if {
 	lib.assert_equal(
-		"redhat.io/openshift/rhel8@sha256:af7dd5b3b",
-		tekton.task_step_image_ref({"name": "mystep", "imageID": "redhat.io/openshift/rhel8@sha256:af7dd5b3b"}),
+		"redhat.io/openshift/rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b",
+		# regal ignore:line-length
+		tekton.task_step_image_ref({"name": "mystep", "imageID": "redhat.io/openshift/rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b"}),
 	)
 	lib.assert_equal(
-		"redhat.io/openshift/rhel8@sha256:af7dd5b3b",
-		tekton.task_step_image_ref({"environment": {"image": "redhat.io/openshift/rhel8@sha256:af7dd5b3b"}}),
+		"redhat.io/openshift/rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b",
+		# regal ignore:line-length
+		tekton.task_step_image_ref({"environment": {"image": "redhat.io/openshift/rhel8@sha256:af7dd5b3b0000000000000000000000000000000000000000000000af7dd5b3b"}}),
 	)
 }
 
@@ -733,7 +736,8 @@ with_params(task, task_params) := json.patch(
 )
 
 # Helper to set results on an existing task
-# Usage: with_results(slsav1_task("build"), [{"name": "IMAGE_DIGEST", "value": "sha256:abc"}])
+# regal ignore:line-length
+# Usage: with_results(slsav1_task("build"), [{"name": "IMAGE_DIGEST", "value": "sha256:abc0000000000000000000000000000000000000000000000000000000000abc"}])
 with_results(task, task_results) := json.patch(
 	task,
 	[{"op": "replace", "path": "/status/results", "value": task_results}],
@@ -764,7 +768,8 @@ with_annotations(task, annotations) := json.patch(
 )
 
 # Helper to set the bundle reference on an existing task
-# Usage: with_bundle(slsav1_task("build"), "quay.io/konflux/task-buildah:0.1@sha256:abc")
+# regal ignore:line-length
+# Usage: with_bundle(slsav1_task("build"), "quay.io/konflux/task-buildah:0.1@sha256:abc0000000000000000000000000000000000000000000000000000000000abc")
 with_bundle(task, bundle) := json.patch(
 	task,
 	[{