Mock sourcetool package, add integration tests (#222)

* Move sourctool pkg options to own pkg

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* tool: Use new opts packag

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Generate tool implementation fakes

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Add mock verifier and makefile target

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Add sourcetool integrationt ests

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

Author: puerco

.github/workflows/go-test.yml

@@ -21,4 +21,9 @@ jobs:
           check-latest: true
 
       - name: Run Go tests
-        run: go test ./sourcetool/...
+        run: |
+          go test ./sourcetool/...
+
+      - name: Check generated fakes
+        run: |
+          hack/verify-fakes.sh

Makefile

@@ -0,0 +1,4 @@
+.PHONY: fakes
+fakes: ## Rebuild the implementation fakes
+	go generate ./sourcetool/...
+

hack/common.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+function exit_with_msg() {
+    echo "${1}"
+    exit 1
+}

hack/verify-fakes.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+set -o xtrace
+
+source hack/common.sh
+
+make fakes
+git diff --exit-code || exit_with_msg "Fakes are not up to date. Please run 'make fakes' and commit the result"

sourcetool/go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/go-git/go-git/v5 v5.16.2
 	github.com/google/go-github/v69 v69.2.0
 	github.com/in-toto/attestation v1.1.2
+	github.com/maxbrunsfeld/counterfeiter/v6 v6.11.2
 	github.com/migueleliasweb/go-github-mock v1.4.0
 	github.com/sigstore/sigstore-go v1.0.0
 	github.com/sirupsen/logrus v1.9.3
@@ -124,6 +125,7 @@ require (
 	golang.org/x/term v0.32.0 // indirect
 	golang.org/x/text v0.26.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
 	google.golang.org/grpc v1.72.0 // indirect

sourcetool/go.sum

@@ -286,6 +286,8 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/maxbrunsfeld/counterfeiter/v6 v6.11.2 h1:yVCLo4+ACVroOEr4iFU1iH46Ldlzz2rTuu18Ra7M8sU=
+github.com/maxbrunsfeld/counterfeiter/v6 v6.11.2/go.mod h1:VzB2VoMh1Y32/QqDfg9ZJYHj99oM4LiGtqPZydTiQSQ=
 github.com/migueleliasweb/go-github-mock v1.4.0 h1:pQ6K8r348m2q79A8Khb0PbEeNQV7t3h1xgECV+jNpXk=
 github.com/migueleliasweb/go-github-mock v1.4.0/go.mod h1:/DUmhXkxrgVlDOVBqGoUXkV4w0ms5n1jDQHotYm135o=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
@@ -298,8 +300,8 @@ github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
-github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
-github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
+github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw=
+github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
@@ -334,6 +336,8 @@ github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGq
 github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk=
 github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4=
 github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k=
+github.com/sclevine/spec v1.4.0 h1:z/Q9idDcay5m5irkZ28M7PtQM4aOISzOpj4bUPkDee8=
+github.com/sclevine/spec v1.4.0/go.mod h1:LvpgJaFyvQzRvc1kaDs0bulYwzC70PbiYjC4QnFHkOM=
 github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc=
 github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
@@ -475,6 +479,8 @@ golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.230.0 h1:2u1hni3E+UXAXrONrrkfWpi/V6cyKVAbfGVeGtC3OxM=
 google.golang.org/api v0.230.0/go.mod h1:aqvtoMk7YkiXx+6U12arQFExiRV9D/ekvMCwCd/TksQ=

sourcetool/internal/tools.go

@@ -0,0 +1,10 @@
+//go:build tools
+
+// This file forces the import of modules used for build scripts and tests
+// not directly used by the codebase.
+
+package internal
+
+import (
+	_ "github.com/maxbrunsfeld/counterfeiter/v6"
+)

sourcetool/pkg/sourcetool/implementation.go

@@ -23,6 +23,7 @@ import (
 	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/ghcontrol"
 	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/policy"
 	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/slsa"
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/sourcetool/options"
 )
 
 const (
@@ -61,22 +62,24 @@ jobs:
 `
 
 // toolImplementation defines the mockable implementation of source tool
+//
+//counterfeiter:generate . toolImplementation
 type toolImplementation interface {
-	GetActiveControls(*Options) (slsa.Controls, error)
-	EnsureDefaults(opts *Options) error
-	VerifyOptionsForFullOnboard(*Options) error
-	CreateRepoRuleset(*Options) error
-	CheckWorkflowFork(*Options) error
-	CreateWorkflowPR(*Options) error
-	CheckPolicyFork(*Options) error
-	CreatePolicyPR(*Options) error
-	CheckForks(*Options) error
+	GetActiveControls(*options.Options) (slsa.Controls, error)
+	EnsureDefaults(opts *options.Options) error
+	VerifyOptionsForFullOnboard(*options.Options) error
+	CreateRepoRuleset(*options.Options) error
+	CheckWorkflowFork(*options.Options) error
+	CreateWorkflowPR(*options.Options) error
+	CheckPolicyFork(*options.Options) error
+	CreatePolicyPR(*options.Options) error
+	CheckForks(*options.Options) error
 }
 
 type defaultToolImplementation struct{}
 
 // GetActiveControls returns a slsa.Controls with the active controls on a repo
-func (impl *defaultToolImplementation) GetActiveControls(opts *Options) (slsa.Controls, error) {
+func (impl *defaultToolImplementation) GetActiveControls(opts *options.Options) (slsa.Controls, error) {
 	ctx := context.Background()
 
 	if err := opts.EnsureBranch(); err != nil {
@@ -122,7 +125,7 @@ func (impl *defaultToolImplementation) GetActiveControls(opts *Options) (slsa.Co
 
 // EnsureBranch makes sure the manager has a defined branch, looking up the
 // default if it needs to
-func (impl *defaultToolImplementation) EnsureDefaults(opts *Options) error {
+func (impl *defaultToolImplementation) EnsureDefaults(opts *options.Options) error {
 	if t := os.Getenv(tokenVar); t == "" {
 		return fmt.Errorf("$%s environment variable not set", tokenVar)
 	}
@@ -142,7 +145,7 @@ func (impl *defaultToolImplementation) EnsureDefaults(opts *Options) error {
 	return nil
 }
 
-func getUserData(opts *Options) error {
+func getUserData(opts *options.Options) error {
 	if opts.UserForkOrg != "" {
 		return nil
 	}
@@ -184,7 +187,7 @@ func getUserData(opts *Options) error {
 }
 
 // VerifyOptions checks options are in good shape to run
-func (impl *defaultToolImplementation) VerifyOptionsForFullOnboard(opts *Options) error {
+func (impl *defaultToolImplementation) VerifyOptionsForFullOnboard(opts *options.Options) error {
 	errs := []error{}
 	if opts.Repo == "" {
 		errs = append(errs, errors.New("no repository name defined"))
@@ -217,7 +220,7 @@ func (impl *defaultToolImplementation) VerifyOptionsForFullOnboard(opts *Options
 	return errors.Join(errs...)
 }
 
-func (impl *defaultToolImplementation) CreateRepoRuleset(opts *Options) error {
+func (impl *defaultToolImplementation) CreateRepoRuleset(opts *options.Options) error {
 	// Ensure we have branch and defaults
 	if err := opts.EnsureBranch(); err != nil {
 		return err
@@ -240,7 +243,7 @@ func (impl *defaultToolImplementation) CreateRepoRuleset(opts *Options) error {
 
 // CheckWorkflowFork verifies that the user has a fork of the repository
 // we are configuring.
-func (impl *defaultToolImplementation) CheckWorkflowFork(opts *Options) error {
+func (impl *defaultToolImplementation) CheckWorkflowFork(opts *options.Options) error {
 	userForkOrg := opts.UserForkOrg
 	userForkRepo := opts.Repo // For now we only support forks with the same name
 
@@ -257,7 +260,7 @@ func (impl *defaultToolImplementation) CheckWorkflowFork(opts *Options) error {
 
 // CreateWorkflowPR creates the pull request to add the provenance workflow
 // to the repository
-func (impl *defaultToolImplementation) CreateWorkflowPR(opts *Options) error {
+func (impl *defaultToolImplementation) CreateWorkflowPR(opts *options.Options) error {
 	// Branchname to be created on the user's fork
 	branchname := fmt.Sprintf("slsa-source-workflow-%d", time.Now().Unix())
 
@@ -328,7 +331,7 @@ func (impl *defaultToolImplementation) CreateWorkflowPR(opts *Options) error {
 	return nil
 }
 
-func (impl *defaultToolImplementation) CheckPolicyFork(opts *Options) error {
+func (impl *defaultToolImplementation) CheckPolicyFork(opts *options.Options) error {
 	policyOrg, policyRepo, ok := strings.Cut(opts.PolicyRepo, "/")
 	if !ok || policyRepo == "" {
 		return fmt.Errorf("unable to parse policy repository slug")
@@ -349,7 +352,7 @@ func (impl *defaultToolImplementation) CheckPolicyFork(opts *Options) error {
 }
 
 // CreatePolicyPR creates a pull request to push the policy
-func (impl *defaultToolImplementation) CreatePolicyPR(opts *Options) error {
+func (impl *defaultToolImplementation) CreatePolicyPR(opts *options.Options) error {
 	// Branchname to be created on the user's fork
 	branchname := fmt.Sprintf("slsa-source-policy-%d", time.Now().Unix())
 
@@ -425,7 +428,7 @@ func (impl *defaultToolImplementation) CreatePolicyPR(opts *Options) error {
 }
 
 // CheckForks checks that the user has forks of the required repositories
-func (impl *defaultToolImplementation) CheckForks(opts *Options) error {
+func (impl *defaultToolImplementation) CheckForks(opts *options.Options) error {
 	errs := []error{}
 	if err := impl.CheckPolicyFork(opts); err != nil {
 		errs = append(errs, err)

sourcetool/pkg/sourcetool/options.go

@@ -1,141 +1,53 @@
 package sourcetool
 
-import (
-	"context"
-	"errors"
-	"fmt"
+import "github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/sourcetool/options"
 
-	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/ghcontrol"
-	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/policy"
-)
-
-type Options struct {
-	Repo   string
-	Owner  string
-	Branch string
-	Commit string
-
-	// Organization to look for slsa and user forks
-	UserForkOrg string
-	Enforce     bool
-	UseSSH      bool
-	UpdateRepo  bool
-
-	// PolicyRepo is the repository where the policies are stored
-	PolicyRepo string
-}
-
-// DefaultOptions holds the default options the tool initializes with
-var DefaultOptions = Options{
-	PolicyRepo: fmt.Sprintf("%s/%s", policy.SourcePolicyRepoOwner, policy.SourcePolicyRepo),
-	UseSSH:     true,
-}
-
-// GetGitHubConnection creates a new github connection to the repository
-// defined in the options set.
-func (o *Options) GetGitHubConnection() (*ghcontrol.GitHubConnection, error) {
-	if o.Owner == "" {
-		return nil, errors.New("owner not set")
-	}
-	if o.Repo == "" {
-		return nil, errors.New("repository not set")
-	}
-
-	return ghcontrol.NewGhConnection(o.Owner, o.Repo, ghcontrol.BranchToFullRef(o.Branch)), nil
-}
-
-// EnsureCommit checks the options have a commit sha defined. If not, then
-// the latest commit from the loaded branch is read from the GitHub API.
-func (o *Options) EnsureCommit() error {
-	if o.Commit != "" {
-		return nil
-	}
-
-	if o.Branch == "" {
-		return errors.New("unable to fetch latest commit, no branch defined")
-	}
-
-	ghc, err := o.GetGitHubConnection()
-	if err != nil {
-		return fmt.Errorf("getting GitHub connection: %w", err)
-	}
-
-	commit, err := ghc.GetLatestCommit(context.Background(), o.Branch)
-	if err != nil {
-		return fmt.Errorf("fetching latest commit: %w", err)
-	}
-	o.Commit = commit
-	return nil
-}
-
-// EnsureBranch checks that the options set has a branch set and if not, it
-// reads the repository's default branch from the GitHub API.
-func (o *Options) EnsureBranch() error {
-	if o.Branch != "" {
-		return nil
-	}
-
-	ghc, err := o.GetGitHubConnection()
-	if err != nil {
-		return fmt.Errorf("getting GitHub connection: %w", err)
-	}
-
-	branch, err := ghc.GetDefaultBranch(context.Background())
-	if err != nil {
-		return fmt.Errorf("fetching default branch: %w", err)
-	}
-	o.Branch = branch
-	return nil
-}
-
-type ooFn func(*Options) error
-
-func WithRepo(repo string) ooFn {
-	return func(o *Options) error {
+func WithRepo(repo string) options.Fn {
+	return func(o *options.Options) error {
 		// TODO(puerco): Validate repo string
 		o.Repo = repo
 		return nil
 	}
 }
 
-func WithOwner(repo string) ooFn {
-	return func(o *Options) error {
+func WithOwner(repo string) options.Fn {
+	return func(o *options.Options) error {
 		// TODO(puerco): Validate org string
 		o.Owner = repo
 		return nil
 	}
 }
 
-func WithBranch(branch string) ooFn {
-	return func(o *Options) error {
+func WithBranch(branch string) options.Fn {
+	return func(o *options.Options) error {
 		o.Branch = branch
 		return nil
 	}
 }
 
-func WithCommit(commit string) ooFn {
-	return func(o *Options) error {
+func WithCommit(commit string) options.Fn {
+	return func(o *options.Options) error {
 		o.Commit = commit
 		return nil
 	}
 }
 
-func WithEnforce(enforce bool) ooFn {
-	return func(o *Options) error {
+func WithEnforce(enforce bool) options.Fn {
+	return func(o *options.Options) error {
 		o.Enforce = enforce
 		return nil
 	}
 }
 
-func WithUserForkOrg(org string) ooFn {
-	return func(o *Options) error {
+func WithUserForkOrg(org string) options.Fn {
+	return func(o *options.Options) error {
 		o.UserForkOrg = org
 		return nil
 	}
 }
 
-func WithPolicyRepo(slug string) ooFn {
-	return func(o *Options) error {
+func WithPolicyRepo(slug string) options.Fn {
+	return func(o *options.Options) error {
 		o.PolicyRepo = slug
 		return nil
 	}