
Commit 27c8ab4

committed
Add tests for bundle checkopts
Signed-off-by: Cody Soyland <[email protected]>
1 parent 2c06b75 commit 27c8ab4

1 file changed

+85
-6
lines changed


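--- a/pkg/webhook/validator_test.go
+++ b/pkg/webhook/validator_test.go
@@ -33,6 +33,7 @@ import (
 "time"
 
 "github.com/google/go-cmp/cmp"
+"github.com/google/go-cmp/cmp/cmpopts"
 "github.com/google/go-containerregistry/pkg/authn/k8schain"
 "github.com/google/go-containerregistry/pkg/name"
 "github.com/sigstore/cosign/v2/pkg/cosign"
@@ -46,6 +47,8 @@ import (
 "github.com/sigstore/policy-controller/pkg/apis/signaturealgo"
 policycontrollerconfig "github.com/sigstore/policy-controller/pkg/config"
 webhookcip "github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy"
+pbcommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+"github.com/sigstore/sigstore-go/pkg/root"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/fulcioroots"
 "github.com/sigstore/sigstore/pkg/tuf"
@@ -3240,10 +3243,12 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 }},
 }
 skCombined := config.SigstoreKeys{
+MediaType: "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
 Tlogs: []*config.TransparencyLogInstance{{
-PublicKey: pbpkRekor,
-LogId: &config.LogID{KeyId: []byte("rekor-logid")},
-BaseUrl: "rekor.example.com",
+PublicKey: pbpkRekor,
+LogId: &config.LogID{KeyId: []byte("rekor-logid")},
+BaseUrl: "rekor.example.com",
+HashAlgorithm: pbcommon.HashAlgorithm_SHA2_256,
 }},
 CertificateAuthorities: []*config.CertificateAuthority{{
 Subject: &config.DistinguishedName{
@@ -3253,8 +3258,9 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 CertChain: certChainPB,
 }},
 Ctlogs: []*config.TransparencyLogInstance{{
-LogId: &config.LogID{KeyId: []byte(ctfeLogID)},
-PublicKey: pbpkCTFE,
+LogId: &config.LogID{KeyId: []byte(ctfeLogID)},
+PublicKey: pbpkCTFE,
+HashAlgorithm: pbcommon.HashAlgorithm_SHA2_256,
 }},
 }
 c := &config.Config{
@@ -3355,6 +3361,79 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 }},
 CTLogPubKeys: &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: pkCTFE, Status: tuf.Active}}},
 },
+}, {
+name: "bundle format, with Identities and Rekor",
+authority: webhookcip.Authority{
+SignatureFormat: "bundle",
+CTLog: &v1alpha1.TLog{
+URL: apis.HTTPS("rekor.example.com"),
+TrustRootRef: "test-trust-combined",
+},
+Keyless: &webhookcip.KeylessRef{
+TrustRootRef: "test-trust-combined",
+Identities: []v1alpha1.Identity{{
+Issuer: "issuer",
+Subject: "subject",
+}},
+},
+},
+ctx: testCtx,
+wantCheckOpts: &cosign.CheckOpts{
+NewBundleFormat: true,
+Identities: []cosign.Identity{{
+Issuer: "issuer",
+Subject: "subject",
+}},
+TrustedMaterial: &root.TrustedRoot{},
+},
+}, {
+name: "bundle format, with TSA",
+authority: webhookcip.Authority{
+SignatureFormat: "bundle",
+// Test keys do not contain a TSA but that is okay as we are just constructing the checkOpts
+RFC3161Timestamp: &webhookcip.RFC3161Timestamp{
+TrustRootRef: "test-trust-combined",
+},
+Keyless: &webhookcip.KeylessRef{
+TrustRootRef: "test-trust-combined",
+},
+},
+ctx: testCtx,
+wantCheckOpts: &cosign.CheckOpts{
+NewBundleFormat: true,
+UseSignedTimestamps: true,
+TrustedMaterial: &root.TrustedRoot{},
+},
+}, {
+name: "bundle format, bad TrustRootRef",
+authority: webhookcip.Authority{
+SignatureFormat: "bundle",
+Keyless: &webhookcip.KeylessRef{
+TrustRootRef: "not-there",
+},
+},
+ctx: testCtx,
+wantErr: "trustRootRef not-there not found",
+}, {
+name: "bundle format, unsupported different trustroots",
+authority: webhookcip.Authority{
+SignatureFormat: "bundle",
+CTLog: &v1alpha1.TLog{
+TrustRootRef: "test-trust-rekor",
+},
+Keyless: &webhookcip.KeylessRef{
+TrustRootRef: "test-trust-combined",
+},
+},
+ctx: testCtx,
+wantErr: "when using the new bundle format, the trustRootRef for the TLog must be the same as the trustRootRef for the Keyless authority",
+}, {
+name: "bundle format, unsupported non-keyless",
+authority: webhookcip.Authority{
+SignatureFormat: "bundle",
+},
+ctx: testCtx,
+wantErr: "when using the new bundle format, the authority must be keyless",
 }}
 
 for _, tc := range tests {
@@ -3384,7 +3463,7 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 if gotCheckOpts != nil {
 gotCheckOpts.RekorClient = nil
 }
-if diff := cmp.Diff(gotCheckOpts, tc.wantCheckOpts); diff != "" {
+if diff := cmp.Diff(gotCheckOpts, tc.wantCheckOpts, cmpopts.IgnoreUnexported(root.TrustedRoot{})); diff != "" {
 t.Errorf("CheckOpts differ: %s", diff)
 }
 })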
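Review bot: The new `cmpopts.IgnoreUnexported(root.TrustedRoot{})` in the last hunk, paired with `TrustedMaterial: &root.TrustedRoot{}` in the two positive bundle cases, reduces the trusted-material assertion to "a non-nil *root.TrustedRoot was attached": every field of TrustedRoot is unexported, so a regression that builds the root from the wrong TrustRootRef, drops the Rekor key, the CT log or the CA from skCombined, or returns an empty root would still pass. That matters here because the trusted root is the material the webhook will verify bundles against, and the "with TSA" case already sets `UseSignedTimestamps: true` against a root the comment admits holds no TSA, so the test cannot see a missing authority. After the cmp.Diff, assert on the root's contents through its accessors so the expected Rekor log, CT log and certificate authority from skCombined are actually present; the enclosing TestCheckOptsFromAuthority starts and ends outside the hunk, so whether error cases reach this point is not visible and the sketch below guards on tc.wantCheckOpts and gotCheckOpts being nil.
```go
// … unchanged: cmp.Diff of gotCheckOpts against tc.wantCheckOpts …
if tc.wantCheckOpts != nil && gotCheckOpts != nil && tc.wantCheckOpts.TrustedMaterial != nil {
	tr, ok := gotCheckOpts.TrustedMaterial.(*root.TrustedRoot)
	if !ok || tr == nil {
		t.Fatalf("TrustedMaterial: got %T, want *root.TrustedRoot", gotCheckOpts.TrustedMaterial)
	}
	// skCombined carries one Rekor log, one CT log and one CA; cmp.Diff
	// ignores TrustedRoot's unexported fields, so check the contents here.
	if len(tr.RekorLogs()) != 1 || len(tr.CTLogs()) != 1 || len(tr.FulcioCertificateAuthorities()) != 1 {
		t.Errorf("trusted root contents: rekor=%d ctlog=%d ca=%d",
			len(tr.RekorLogs()), len(tr.CTLogs()), len(tr.FulcioCertificateAuthorities()))
	}
}
```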
