|
29 | 29 | from sigstore.verify.policy import UnsafeNoOp
|
30 | 30 |
|
31 | 31 |
|
32 |
| -@pytest.mark.parametrize("env", ["staging", "production"]) |
| 32 | +# only check the log contents for production: staging is already on |
| 33 | +# rekor v2 and we don't currently support log lookups on rekor v2. |
| 34 | +# This test can likely be removed once prod also uses rekor v2 |
| 35 | +@pytest.mark.parametrize("env", ["production"]) |
33 | 36 | @pytest.mark.ambient_oidc
|
34 |
| -def test_sign_rekor_entry_consistent(sign_ctx_and_ident_for_env): |
| 37 | +def test_sign_rekor_entry_consistent(request, sign_ctx_and_ident_for_env): |
35 | 38 | ctx_cls, identity = sign_ctx_and_ident_for_env
|
36 | 39 |
|
37 | 40 | # NOTE: The actual signer instance is produced lazily, so that parameter
|
@@ -108,25 +111,20 @@ def test_sct_verify_keyring_error(sign_ctx_and_ident_for_env, monkeypatch):
|
108 | 111 |
|
109 | 112 | @pytest.mark.parametrize("env", ["staging", "production"])
|
110 | 113 | @pytest.mark.ambient_oidc
|
111 |
| -def test_identity_proof_claim_lookup(sign_ctx_and_ident_for_env, monkeypatch): |
| 114 | +def test_identity_proof_fallback_claim(sign_ctx_and_ident_for_env, monkeypatch): |
112 | 115 | ctx_cls, identity = sign_ctx_and_ident_for_env
|
113 | 116 |
|
114 | 117 | ctx: SigningContext = ctx_cls()
|
115 | 118 | assert identity is not None
|
116 | 119 |
|
117 |
| - # clear out the known issuers, forcing the `Identity`'s `proof_claim` to be looked up. |
| 120 | + # clear out known issuers, forcing the `Identity`'s `sub` claim to be used |
| 121 | + # as fall back |
118 | 122 | monkeypatch.setattr(sigstore.oidc, "_KNOWN_OIDC_ISSUERS", {})
|
119 | 123 |
|
120 | 124 | payload = secrets.token_bytes(32)
|
121 | 125 |
|
122 | 126 | with ctx.signer(identity) as signer:
|
123 |
| - expected_entry = signer.sign_artifact(payload).log_entry |
124 |
| - actual_entry = ctx._rekor.log.entries.get(log_index=expected_entry.log_index) |
125 |
| - |
126 |
| - assert expected_entry.body == actual_entry.body |
127 |
| - assert expected_entry.integrated_time == actual_entry.integrated_time |
128 |
| - assert expected_entry.log_id == actual_entry.log_id |
129 |
| - assert expected_entry.log_index == actual_entry.log_index |
| 127 | + signer.sign_artifact(payload) |
130 | 128 |
|
131 | 129 |
|
132 | 130 | @pytest.mark.staging
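Review bot: The rewritten body of test_identity_proof_fallback_claim ends with a bare `signer.sign_artifact(payload)` whose return value is discarded, so after this change the test only proves that signing does not raise once `_KNOWN_OIDC_ISSUERS` is cleared; nothing asserts that the `sub` fallback was actually taken or that a usable bundle came back. At minimum keep the result and check it, e.g. `bundle = signer.sign_artifact(payload)` followed by `assert bundle.log_entry is not None`, which still avoids the rekor log lookup the commit removes. If the fallback claim is observable on the issued certificate's identity, asserting it against `identity` would pin the behavior the renamed test now claims to cover; the new comment on the monkeypatch line could also say which claim was previously consulted so a reader knows what "fall back" replaces.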
|
|