diff --git a/pkg/reconciler/pipelinerun/pipelinerun_test.go b/pkg/reconciler/pipelinerun/pipelinerun_test.go index c790049184c..65d91151853 100644 --- a/pkg/reconciler/pipelinerun/pipelinerun_test.go +++ b/pkg/reconciler/pipelinerun/pipelinerun_test.go @@ -11628,7 +11628,7 @@ spec: `) signer, _, vps := test.SetupMatchAllVerificationPolicies(t, ts.Namespace) - signedTask, err := test.GetSignedV1beta1Task(ts, signer, "test-task") + signedTask, err := test.GetSignedTask(ts, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -11648,7 +11648,7 @@ spec: resolver: %s `, resolverName)) - signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -11765,7 +11765,7 @@ func TestReconcile_verifyResolved_V1beta1Pipeline_Error(t *testing.T) { resolverName := "foobar" // Case1: unsigned Pipeline refers to unsigned Task - unsignedTask := parse.MustParseV1beta1Task(t, ` + unsignedV1beta1Task := parse.MustParseV1beta1Task(t, ` metadata: name: test-task namespace: foo @@ -11778,12 +11778,12 @@ spec: - name: foo value: bar `) - unsignedTaskBytes, err := yaml.Marshal(unsignedTask) + unsignedV1beta1TaskBytes, err := yaml.Marshal(unsignedV1beta1Task) if err != nil { t.Fatal("fail to marshal task", err) } - unsignedPipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` + unsignedV1beta1Pipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` metadata: name: test-pipeline namespace: foo @@ -11793,24 +11793,24 @@ spec: taskRef: resolver: %s `, resolverName)) - unsignedPipelineBytes, err := yaml.Marshal(unsignedPipeline) + unsignedPipelineBytes, err := yaml.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal task", err) } // Case2: signed Pipeline refers to unsigned Task - signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace) - signedPipelineWithUnsignedTask, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "test-pipeline") + signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedV1beta1Task.Namespace) + signedV1beta1PipelineWithUnsignedTask, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedPipelineWithUnsignedTask) + signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithUnsignedTask) if err != nil { t.Fatal("fail to marshal task", err) } // Case3: signed Pipeline refers to modified Task - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task") + signedTask, err := test.GetSignedTask(unsignedV1beta1Task, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -11818,7 +11818,7 @@ spec: if err != nil { t.Fatal("fail to marshal task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() if modifiedTask.Annotations == nil { modifiedTask.Annotations = make(map[string]string) } @@ -11838,11 +11838,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipelineWithModifiedTask, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedV1beta1PipelineWithModifiedTask, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedPipelineWithModifiedTask) + signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithModifiedTask) if err != nil { t.Fatal("fail to marshal task", err) } @@ -11858,11 +11858,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - modifiedPipeline := signedPipeline.DeepCopy() + modifiedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() if modifiedPipeline.Annotations == nil { modifiedPipeline.Annotations = make(map[string]string) } @@ -11902,12 +11902,12 @@ spec: { name: "unsigned pipeline fails verification", pipelineBytes: unsignedPipelineBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with unsigned task fails verification", pipelineBytes: signedPipelineWithUnsignedTaskBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with modified task fails verification", @@ -12100,7 +12100,7 @@ func TestReconcile_verifyResolved_V1Pipeline_Error(t *testing.T) { resolverName := "foobar" // Case1: unsigned Pipeline refers to unsigned Task - unsignedTask := parse.MustParseV1beta1Task(t, ` + unsignedV1beta1Task := parse.MustParseV1beta1Task(t, ` metadata: name: test-task namespace: foo @@ -12113,12 +12113,12 @@ spec: - name: foo value: bar `) - unsignedTaskBytes, err := yaml.Marshal(unsignedTask) + unsignedV1beta1TaskBytes, err := yaml.Marshal(unsignedV1beta1Task) if err != nil { t.Fatal("fail to marshal task", err) } - unsignedPipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` + unsignedV1beta1Pipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` metadata: name: test-pipeline namespace: foo @@ -12128,24 +12128,24 @@ spec: taskRef: resolver: %s `, resolverName)) - unsignedPipelineBytes, err := yaml.Marshal(unsignedPipeline) + unsignedPipelineBytes, err := yaml.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal task", err) } // Case2: signed Pipeline refers to unsigned Task - signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace) - signedPipelineWithUnsignedTask, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "test-pipeline") + signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedV1beta1Task.Namespace) + signedV1beta1PipelineWithUnsignedTask, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedPipelineWithUnsignedTask) + signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithUnsignedTask) if err != nil { t.Fatal("fail to marshal task", err) } // Case3: signed Pipeline refers to modified Task - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task") + signedTask, err := test.GetSignedTask(unsignedV1beta1Task, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -12153,7 +12153,7 @@ spec: if err != nil { t.Fatal("fail to marshal task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() if modifiedTask.Annotations == nil { modifiedTask.Annotations = make(map[string]string) } @@ -12173,11 +12173,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipelineWithModifiedTask, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedV1beta1PipelineWithModifiedTask, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedPipelineWithModifiedTask) + signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithModifiedTask) if err != nil { t.Fatal("fail to marshal task", err) } @@ -12193,11 +12193,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - modifiedPipeline := signedPipeline.DeepCopy() + modifiedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() if modifiedPipeline.Annotations == nil { modifiedPipeline.Annotations = make(map[string]string) } @@ -12237,12 +12237,12 @@ spec: { name: "unsigned pipeline fails verification", pipelineBytes: unsignedPipelineBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with unsigned task fails verification", pipelineBytes: signedPipelineWithUnsignedTaskBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with modified task fails verification", diff --git a/pkg/reconciler/pipelinerun/resources/pipelineref_test.go b/pkg/reconciler/pipelinerun/resources/pipelineref_test.go index c95491e3235..60d3a0ce6ce 100644 --- a/pkg/reconciler/pipelinerun/resources/pipelineref_test.go +++ b/pkg/reconciler/pipelinerun/resources/pipelineref_test.go @@ -517,8 +517,8 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) tektonclient := fake.NewSimpleClientset() - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline", "v1beta1") + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -529,10 +529,10 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { }, EntryPoint: "foo/bar", } - resolvedUnmatched := test.NewResolvedResource(unsignedPipelineBytes, nil, noMatchPolicyRefSource, nil) + resolvedUnmatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "signed") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -551,7 +551,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { requesterMatched := test.NewRequester(resolvedMatched, nil) pipelineRef := &v1beta1.PipelineRef{ - Name: signedPipeline.Name, + Name: signedPipeline.(*v1beta1.Pipeline).Name, ResolverRef: v1beta1.ResolverRef{ Resolver: "git", }, @@ -573,7 +573,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { }, Status: v1beta1.PipelineRunStatus{ PipelineRunStatusFields: v1beta1.PipelineRunStatusFields{ - PipelineSpec: &signedPipeline.Spec, + PipelineSpec: &signedPipeline.(*v1beta1.Pipeline).Spec, Provenance: &v1beta1.Provenance{ RefSource: &v1beta1.RefSource{ URI: "abc.com", @@ -588,7 +588,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { warnPolicyRefSource := &v1beta1.RefSource{ URI: " warnVP", } - resolvedUnsignedMatched := test.NewResolvedResource(unsignedPipelineBytes, nil, warnPolicyRefSource, nil) + resolvedUnsignedMatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, warnPolicyRefSource, nil) requesterUnsignedMatched := test.NewRequester(resolvedUnsignedMatched, nil) testcases := []struct { @@ -633,7 +633,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { verificationNoMatchPolicy: config.WarnNoMatchPolicy, pipelinerun: pr, policies: vps, - expected: unsignedPipeline, + expected: unsignedV1beta1Pipeline, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationWarn, Err: trustedresources.ErrNoMatchedPolicies}, }, { @@ -642,7 +642,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { verificationNoMatchPolicy: config.FailNoMatchPolicy, pipelinerun: pr, policies: vps, - expected: unsignedPipeline, + expected: unsignedV1beta1Pipeline, expectedRefSource: warnPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationWarn, Err: trustedresources.ErrResourceVerificationFailed}, }, { @@ -651,7 +651,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, pipelinerun: pr, policies: vps, - expected: unsignedPipeline, + expected: unsignedV1beta1Pipeline, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationSkip}, }, { @@ -662,10 +662,10 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { policies: vps, expected: &v1beta1.Pipeline{ ObjectMeta: metav1.ObjectMeta{ - Name: signedPipeline.Name, - Namespace: signedPipeline.Namespace, + Name: signedPipeline.(*v1beta1.Pipeline).Name, + Namespace: signedPipeline.(*v1beta1.Pipeline).Namespace, }, - Spec: signedPipeline.Spec, + Spec: signedPipeline.(*v1beta1.Pipeline).Spec, }, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: nil, @@ -704,8 +704,8 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyError(t *testing.T) { tektonclient := fake.NewSimpleClientset() signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline", "v1beta1") + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -717,10 +717,10 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyError(t *testing.T) { EntryPoint: "foo/bar", } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, matchPolicyRefSource, nil) + resolvedUnsigned := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, matchPolicyRefSource, nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "signed") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -739,7 +739,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyError(t *testing.T) { resolvedUnmatched := test.NewResolvedResource(signedPipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) - modifiedPipeline := signedPipeline.DeepCopy() + modifiedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() modifiedPipeline.Annotations["random"] = "attack" modifiedPipelineBytes, err := json.Marshal(modifiedPipeline) if err != nil { @@ -831,7 +831,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyNoError(t *testing.T) { t.Error(err) } - unsignedPipelineBytes, err := json.Marshal(unsignedV1Pipeline) + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -842,7 +842,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyNoError(t *testing.T) { }, EntryPoint: "foo/bar", } - resolvedUnmatched := test.NewResolvedResource(unsignedPipelineBytes, nil, noMatchPolicyRefSource, nil) + resolvedUnmatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) signedPipeline, err := getSignedV1Pipeline(unsignedV1Pipeline, signer, "signed") @@ -912,7 +912,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyNoError(t *testing.T) { warnPolicyRefSource := &v1beta1.RefSource{ URI: " warnVP", } - resolvedUnsignedMatched := test.NewResolvedResource(unsignedPipelineBytes, nil, warnPolicyRefSource, nil) + resolvedUnsignedMatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, warnPolicyRefSource, nil) requesterUnsignedMatched := test.NewRequester(resolvedUnsignedMatched, nil) testcases := []struct { @@ -1028,7 +1028,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyError(t *testing.T) { tektonclient := fake.NewSimpleClientset() signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipelineBytes, err := json.Marshal(unsignedV1Pipeline) + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -1040,7 +1040,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyError(t *testing.T) { EntryPoint: "foo/bar", } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, matchPolicyRefSource, nil) + resolvedUnsigned := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, matchPolicyRefSource, nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) signedPipeline, err := getSignedV1Pipeline(unsignedV1Pipeline, signer, "signed") @@ -1144,13 +1144,13 @@ func TestGetPipelineFunc_GetFuncError(t *testing.T) { tektonclient := fake.NewSimpleClientset() _, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline", "v1beta1") + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, sampleRefSource.DeepCopy(), nil) + resolvedUnsigned := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, sampleRefSource.DeepCopy(), nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) resolvedUnsigned.DataErr = fmt.Errorf("resolution error") diff --git a/pkg/reconciler/taskrun/resources/taskref_test.go b/pkg/reconciler/taskrun/resources/taskref_test.go index 9a3fb168e7a..9e96d807141 100644 --- a/pkg/reconciler/taskrun/resources/taskref_test.go +++ b/pkg/reconciler/taskrun/resources/taskref_test.go @@ -765,7 +765,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyNoError(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := test.GetUnsignedTask("test-task", "v1beta1") unsignedTaskBytes, err := json.Marshal(unsignedTask) if err != nil { t.Fatal("fail to marshal task", err) @@ -775,7 +775,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyNoError(t *testing.T) { } requesterUnmatched := bytesToRequester(unsignedTaskBytes, noMatchPolicyRefSource) - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "signed") + signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -890,7 +890,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyError(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := test.GetUnsignedTask("test-task", "v1beta1") unsignedTaskBytes, err := json.Marshal(unsignedTask) if err != nil { t.Fatal("fail to marshal task", err) @@ -900,7 +900,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyError(t *testing.T) { } requesterUnsigned := bytesToRequester(unsignedTaskBytes, matchPolicyRefSource) - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "signed") + signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -913,7 +913,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyError(t *testing.T) { } requesterUnmatched := bytesToRequester(signedTaskBytes, noMatchPolicyRefSource) - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() modifiedTask.Annotations["random"] = "attack" modifiedTaskBytes, err := json.Marshal(modifiedTask) if err != nil { @@ -1267,7 +1267,7 @@ func TestGetTaskFunc_GetFuncError(t *testing.T) { _, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := test.GetUnsignedTask("test-task", "v1beta1") unsignedTaskBytes, err := json.Marshal(unsignedTask) if err != nil { t.Fatal("fail to marshal task", err) diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go index 9f47f46ad14..a6dd9581ded 100644 --- a/pkg/reconciler/taskrun/taskrun_test.go +++ b/pkg/reconciler/taskrun/taskrun_test.go @@ -4919,7 +4919,7 @@ spec: `) signer, _, vps := test.SetupMatchAllVerificationPolicies(t, ts.Namespace) - signedTask, err := test.GetSignedV1beta1Task(ts, signer, "test-task") + signedTask, err := test.GetSignedTask(ts, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -5070,12 +5070,12 @@ spec: } signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace) - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task") + signedTask, err := test.GetSignedTask(unsignedTask, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() if modifiedTask.Annotations == nil { modifiedTask.Annotations = make(map[string]string) } diff --git a/pkg/trustedresources/verify_test.go b/pkg/trustedresources/verify_test.go index 1a5baf76d0d..a661798fb9b 100644 --- a/pkg/trustedresources/verify_test.go +++ b/pkg/trustedresources/verify_test.go @@ -46,7 +46,7 @@ const ( namespace = "trusted-resources" ) -var unsignedTask = v1.Task{ +var unsignedV1beta1Task = v1.Task{ TypeMeta: metav1.TypeMeta{ APIVersion: "tekton.dev/v1", Kind: "Task"}, @@ -62,7 +62,7 @@ var unsignedTask = v1.Task{ }, } -var unsignedPipeline = v1.Pipeline{ +var unsignedV1beta1Pipeline = v1.Pipeline{ TypeMeta: metav1.TypeMeta{ APIVersion: "tekton.dev/v1", Kind: "Pipeline"}, @@ -85,23 +85,23 @@ func TestVerifyInterface_Task_Success(t *testing.T) { t.Fatalf("failed to get signerverifier %v", err) } - unsignedTask := test.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, sv, "signed") + unsignedV1beta1Task := test.GetUnsignedTask("test-task", "v1beta1") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, sv, "signed", "v1beta1") if err != nil { t.Fatalf("Failed to get signed task %v", err) } signature := []byte{} - if sig, ok := signedTask.Annotations[SignatureAnnotation]; ok { - delete(signedTask.Annotations, SignatureAnnotation) + if sig, ok := signedV1beta1Task.(*v1beta1.Task).Annotations[SignatureAnnotation]; ok { + delete(signedV1beta1Task.(*v1beta1.Task).Annotations, SignatureAnnotation) signature, err = base64.StdEncoding.DecodeString(sig) if err != nil { t.Fatal(err) } } - err = verifyInterface(signedTask, sv, signature) + err = verifyInterface(signedV1beta1Task, sv, signature) if err != nil { t.Fatalf("VerifyInterface() get err %v", err) } @@ -113,14 +113,14 @@ func TestVerifyInterface_Task_Error(t *testing.T) { t.Fatalf("failed to get signerverifier %v", err) } - unsignedTask := test.GetUnsignedTask("test-task") + unsignedV1beta1Task := test.GetUnsignedTask("test-task", "v1beta1") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, sv, "signed") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, sv, "signed", "v1beta1") if err != nil { t.Fatalf("Failed to get signed task %v", err) } - tamperedTask := signedTask.DeepCopy() + tamperedTask := signedV1beta1Task.(*v1beta1.Task).DeepCopy() tamperedTask.Name = "tampered" tcs := []struct { @@ -129,7 +129,7 @@ func TestVerifyInterface_Task_Error(t *testing.T) { expectedError error }{{ name: "Unsigned Task Fail Verification", - task: unsignedTask, + task: unsignedV1beta1Task.(*v1beta1.Task), expectedError: ErrResourceVerificationFailed, }, { name: "Empty task Fail Verification", @@ -164,13 +164,13 @@ func TestVerifyInterface_Task_Error(t *testing.T) { func TestVerifyResource_Task_Success(t *testing.T) { signer256, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedTask := test.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer256, "signed") + unsignedV1beta1Task := test.GetUnsignedTask("test-task", "v1beta1") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, signer256, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedV1beta1Task.(*v1beta1.Task).DeepCopy() modifiedTask.Name = "modified" signer384, _, pub, err := test.GenerateKeys(elliptic.P384(), crypto.SHA384) @@ -246,7 +246,7 @@ func TestVerifyResource_Task_Success(t *testing.T) { }, } - signedTask384, err := test.GetSignedV1beta1Task(unsignedTask, signer384, "signed384") + signedTask384, err := test.GetSignedTask(unsignedV1beta1Task, signer384, "signed384", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -262,40 +262,40 @@ func TestVerifyResource_Task_Success(t *testing.T) { expectedVerificationResult VerificationResult }{{ name: "signed git source task passes verification", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: vps, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed bundle source task passes verification", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/git-clone"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: vps, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed task with sha384 key", - task: signedTask384, + task: signedTask384.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/sha384"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: []*v1alpha1.VerificationPolicy{sha384Vp}, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "ignore no match policy skips verification when no matching policies", - task: unsignedTask, + task: unsignedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationSkip}, }, { name: "warn no match policy skips verification when no matching policies", - task: unsignedTask, + task: unsignedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.WarnNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}, }, { name: "unsigned task matches warn policy doesn't fail verification", - task: unsignedTask, + task: unsignedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: []*v1alpha1.VerificationPolicy{warnPolicy}, @@ -332,14 +332,14 @@ func TestVerifyResource_Task_Error(t *testing.T) { ctx = test.SetupTrustedResourceConfig(ctx, config.FailNoMatchPolicy) sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedTask := test.GetUnsignedTask("test-task") + unsignedV1beta1Task := test.GetUnsignedTask("test-task", "v1beta1") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, sv, "signed") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, sv, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - tamperedTask := signedTask.DeepCopy() + tamperedTask := signedV1beta1Task.(*v1beta1.Task).DeepCopy() tamperedTask.Annotations["random"] = "attack" matchingSource := "git+https://github.com/tektoncd/catalog.git" @@ -352,7 +352,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError error }{{ name: "unsigned Task fails verification", - task: unsignedTask, + task: unsignedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: vps, expectedError: ErrResourceVerificationFailed, @@ -364,7 +364,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError: ErrResourceVerificationFailed, }, { name: "task not matching pattern fails verification", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationPolicy: vps, expectedError: ErrNoMatchedPolicies, @@ -376,7 +376,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError: ErrNoMatchedPolicies, }, { name: "Verification fails with regex error", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: []*v1alpha1.VerificationPolicy{ { @@ -393,7 +393,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError: ErrRegexMatch, }, { name: "Verification fails with error from policy", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: []*v1alpha1.VerificationPolicy{ { @@ -429,8 +429,8 @@ func TestVerifyResource_Task_Error(t *testing.T) { func TestVerifyResource_Pipeline_Success(t *testing.T) { sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, sv, "signed") + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline", "v1beta1") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, sv, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -444,25 +444,25 @@ func TestVerifyResource_Pipeline_Success(t *testing.T) { expectedVerificationResult VerificationResult }{{ name: "signed git source pipeline passes verification", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed bundle source pipeline passes verification", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/git-clone"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "ignore no match policy skips verification when no matching policies", - pipeline: unsignedPipeline, + pipeline: unsignedV1beta1Pipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationSkip}, }, { name: "warn no match policy skips verification when no matching policies", - pipeline: unsignedPipeline, + pipeline: unsignedV1beta1Pipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.WarnNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}, @@ -483,13 +483,13 @@ func TestVerifyResource_Pipeline_Error(t *testing.T) { ctx = test.SetupTrustedResourceConfig(ctx, config.FailNoMatchPolicy) sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline", "v1beta1") - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, sv, "signed") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, sv, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - tamperedPipeline := signedPipeline.DeepCopy() + tamperedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() tamperedPipeline.Annotations["random"] = "attack" matchingSource := "git+https://github.com/tektoncd/catalog.git" @@ -508,13 +508,13 @@ func TestVerifyResource_Pipeline_Error(t *testing.T) { expectedError: ErrResourceVerificationFailed, }, { name: "Task Not Matching Pattern Fails Verification", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationPolicy: vps, expectedError: ErrNoMatchedPolicies, }, { name: "Verification fails with regex error", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: []*v1alpha1.VerificationPolicy{ { @@ -542,22 +542,22 @@ func TestVerifyResource_Pipeline_Error(t *testing.T) { func TestVerifyResource_V1Task_Success(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signedTask, err := getSignedV1Task(unsignedTask.DeepCopy(), signer, "signed") + signedV1beta1Task, err := getSignedV1Task(unsignedV1beta1Task.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } - vr := VerifyResource(context.Background(), signedTask, k8sclient, &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, vps) + vr := VerifyResource(context.Background(), signedV1beta1Task, k8sclient, &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, vps) if vr.VerificationResultType != VerificationPass { t.Errorf("VerificationResult mismatch: want %v, got %v", VerificationPass, vr.VerificationResultType) } } func TestVerifyResource_V1Task_Error(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signedTask, err := getSignedV1Task(unsignedTask.DeepCopy(), signer, "signed") + signedV1beta1Task, err := getSignedV1Task(unsignedV1beta1Task.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedV1beta1Task.DeepCopy() modifiedTask.Annotations["foo"] = "modified" vr := VerifyResource(context.Background(), modifiedTask, k8sclient, &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, vps) if vr.VerificationResultType != VerificationError && !errors.Is(vr.Err, ErrResourceVerificationFailed) { @@ -567,7 +567,7 @@ func TestVerifyResource_V1Task_Error(t *testing.T) { func TestVerifyResource_V1Pipeline_Success(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signed, err := getSignedV1Pipeline(unsignedPipeline.DeepCopy(), signer, "signed") + signed, err := getSignedV1Pipeline(unsignedV1beta1Pipeline.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } @@ -579,7 +579,7 @@ func TestVerifyResource_V1Pipeline_Success(t *testing.T) { func TestVerifyResource_V1Pipeline_Error(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signed, err := getSignedV1Pipeline(unsignedPipeline.DeepCopy(), signer, "signed") + signed, err := getSignedV1Pipeline(unsignedV1beta1Pipeline.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } @@ -602,7 +602,7 @@ func TestVerifyResource_TypeNotSupported(t *testing.T) { } func TestPrepareObjectMeta(t *testing.T) { - unsigned := test.GetUnsignedTask("test-task").ObjectMeta + unsigned := test.GetUnsignedTask("test-task", "v1beta1").(*v1beta1.Task).ObjectMeta signed := unsigned.DeepCopy() sig := "tY805zV53PtwDarK3VD6dQPx5MbIgctNcg/oSle+MG0=" diff --git a/test/trusted_resources_test.go b/test/trusted_resources_test.go index 2b1f6eeb8f6..e7457b0e74d 100644 --- a/test/trusted_resources_test.go +++ b/test/trusted_resources_test.go @@ -29,6 +29,7 @@ import ( "github.com/sigstore/sigstore/pkg/signature" "github.com/tektoncd/pipeline/pkg/apis/config" + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" "github.com/tektoncd/pipeline/pkg/pod" "github.com/tektoncd/pipeline/test/parse" v1 "k8s.io/api/core/v1" @@ -96,11 +97,11 @@ spec: args: ['-c', 'echo hello'] `, helpers.ObjectNameForTest(t), namespace, fqImageName)) - signedTask, err := GetSignedV1beta1Task(task, signer, "signedtask") + signedV1beta1Task, err := GetSignedTask(task, signer, "signedtask", "v1beta1") if err != nil { t.Errorf("error getting signed task: %v", err) } - if _, err := c.V1beta1TaskClient.Create(ctx, signedTask, metav1.CreateOptions{}); err != nil { + if _, err := c.V1beta1TaskClient.Create(ctx, signedV1beta1Task.(*v1beta1.Task), metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Task: %s", err) } @@ -121,14 +122,14 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedTask.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Task.(*v1beta1.Task).Name, namespace)) - signedPipeline, err := GetSignedV1beta1Pipeline(pipeline, signer, "signedpipeline") + signedV1beta1Pipeline, err := GetSignedPipeline(pipeline, signer, "signedpipeline", "v1beta1") if err != nil { t.Errorf("error getting signed pipeline: %v", err) } - if _, err := c.V1beta1PipelineClient.Create(ctx, signedPipeline, metav1.CreateOptions{}); err != nil { + if _, err := c.V1beta1PipelineClient.Create(ctx, signedV1beta1Pipeline.(*v1beta1.Pipeline), metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Pipeline: %s", err) } @@ -147,7 +148,7 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedPipeline.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Pipeline.(*v1beta1.Pipeline).Name, namespace)) t.Logf("Creating PipelineRun %s", pr.Name) if _, err := c.V1beta1PipelineRunClient.Create(ctx, pr, metav1.CreateOptions{}); err != nil { @@ -210,13 +211,13 @@ spec: args: ['-c', 'echo hello'] `, helpers.ObjectNameForTest(t), namespace, fqImageName)) - signedTask, err := GetSignedV1beta1Task(task, signer, "signedtask") + signedV1beta1Task, err := GetSignedTask(task, signer, "signedtask", "v1beta1") if err != nil { t.Errorf("error getting signed task: %v", err) } // modify the task to fail the verification - signedTask.Annotations["foo"] = "bar" - if _, err := c.V1beta1TaskClient.Create(ctx, signedTask, metav1.CreateOptions{}); err != nil { + signedV1beta1Task.(*v1beta1.Task).Annotations["foo"] = "bar" + if _, err := c.V1beta1TaskClient.Create(ctx, signedV1beta1Task.(*v1beta1.Task), metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Task: %s", err) } @@ -237,14 +238,14 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedTask.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Task.(*v1beta1.Task).Name, namespace)) - signedPipeline, err := GetSignedV1beta1Pipeline(pipeline, signer, "signedpipeline") + signedV1beta1Pipeline, err := GetSignedPipeline(pipeline, signer, "signedpipeline", "v1beta1") if err != nil { t.Errorf("error getting signed pipeline: %v", err) } - if _, err := c.V1beta1PipelineClient.Create(ctx, signedPipeline, metav1.CreateOptions{}); err != nil { + if _, err := c.V1beta1PipelineClient.Create(ctx, signedV1beta1Pipeline.(*v1beta1.Pipeline), metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Pipeline: %s", err) } @@ -263,7 +264,7 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedPipeline.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Pipeline.(*v1beta1.Pipeline).Name, namespace)) t.Logf("Creating PipelineRun %s", pr.Name) if _, err := c.V1beta1PipelineRunClient.Create(ctx, pr, metav1.CreateOptions{}); err != nil { diff --git a/test/trustedresources.go b/test/trustedresources.go index e887603567c..42d440457bb 100644 --- a/test/trustedresources.go +++ b/test/trustedresources.go @@ -34,11 +34,12 @@ import ( "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" "github.com/tektoncd/pipeline/pkg/apis/config" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" corev1 "k8s.io/api/core/v1" - v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" fakek8s "k8s.io/client-go/kubernetes/fake" "knative.dev/pkg/logging" ) @@ -54,44 +55,89 @@ var ( read = readPasswordFn ) -// GetUnsignedTask returns unsigned task with given name -func GetUnsignedTask(name string) *v1beta1.Task { - return &v1beta1.Task{ - TypeMeta: metav1.TypeMeta{ - APIVersion: "tekton.dev/v1beta1", - Kind: "Task"}, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - Annotations: map[string]string{"foo": "bar"}, - }, - Spec: v1beta1.TaskSpec{ - Steps: []v1beta1.Step{{ - Image: "ubuntu", - Name: "echo", - }}, - }, +// GetUnsignedTask returns unsigned task with given name and apiVersion +func GetUnsignedTask(name, apiVersion string) runtime.Object { + switch apiVersion { + case v1beta1Version: + return &v1beta1.Task{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "tekton.dev/v1beta1", + Kind: "Task"}, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + Annotations: map[string]string{"foo": "bar"}, + }, + Spec: v1beta1.TaskSpec{ + Steps: []v1beta1.Step{{ + Image: "ubuntu", + Name: "echo", + }}, + }, + } + case v1Version: + return &v1.Task{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "tekton.dev/v1", + Kind: "Task"}, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + Annotations: map[string]string{"foo": "bar"}, + }, + Spec: v1.TaskSpec{ + Steps: []v1.Step{{ + Image: "ubuntu", + Name: "echo", + }}, + }, + } + default: + return nil } } -// GetUnsignedPipeline returns unsigned pipeline with given name -func GetUnsignedPipeline(name string) *v1beta1.Pipeline { - return &v1beta1.Pipeline{ - TypeMeta: metav1.TypeMeta{ - APIVersion: "tekton.dev/v1beta1", - Kind: "Pipeline"}, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - Annotations: map[string]string{"foo": "bar"}, - }, - Spec: v1beta1.PipelineSpec{ - Tasks: []v1beta1.PipelineTask{ - { - Name: "task", +// GetUnsignedPipeline returns unsigned pipeline with given name and apiVersion +func GetUnsignedPipeline(name, apiVersion string) runtime.Object { + switch apiVersion { + case v1beta1Version: + return &v1beta1.Pipeline{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "tekton.dev/v1beta1", + Kind: "Pipeline"}, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + Annotations: map[string]string{"foo": "bar"}, + }, + Spec: v1beta1.PipelineSpec{ + Tasks: []v1beta1.PipelineTask{ + { + Name: "task", + }, }, }, - }, + } + case v1Version: + return &v1.Pipeline{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "tekton.dev/v1", + Kind: "Pipeline"}, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + Annotations: map[string]string{"foo": "bar"}, + }, + Spec: v1.PipelineSpec{ + Tasks: []v1.PipelineTask{ + { + Name: "task", + }, + }, + }, + } + default: + return nil } } @@ -132,7 +178,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P t.Fatalf("failed to generate keys %v", err) } - secret := &v1.Secret{ + secret := &corev1.Secret{ Data: map[string][]byte{"cosign.pub": pub}, ObjectMeta: metav1.ObjectMeta{ Name: "verification-secrets", @@ -164,7 +210,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P { Name: "pubkey", Key: &v1alpha1.KeyRef{ - SecretRef: &v1.SecretReference{ + SecretRef: &corev1.SecretReference{ Name: secret.Name, Namespace: secret.Namespace, }, @@ -199,7 +245,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P { Name: "pubkey", Key: &v1alpha1.KeyRef{ - SecretRef: &v1.SecretReference{ + SecretRef: &corev1.SecretReference{ Name: secret.Name, Namespace: secret.Namespace, }, @@ -224,7 +270,7 @@ func SetupMatchAllVerificationPolicies(t *testing.T, namespace string) (signatur t.Fatalf("failed to generate keys %v", err) } - secret := &v1.Secret{ + secret := &corev1.Secret{ Data: map[string][]byte{"cosign.pub": pub}, ObjectMeta: metav1.ObjectMeta{ Name: "verification-secrets", @@ -324,34 +370,68 @@ func signInterface(signer signature.Signer, i interface{}) ([]byte, error) { return sig, nil } -// GetSignedV1beta1Pipeline signed the given pipeline and rename it with given name -func GetSignedV1beta1Pipeline(unsigned *v1beta1.Pipeline, signer signature.Signer, name string) (*v1beta1.Pipeline, error) { - signedPipeline := unsigned.DeepCopy() - signedPipeline.Name = name - if signedPipeline.Annotations == nil { - signedPipeline.Annotations = map[string]string{} - } - signature, err := signInterface(signer, signedPipeline) - if err != nil { - return nil, err +// GetSignedPipeline signed the given pipeline and rename it with given name and apiVersion +func GetSignedPipeline(unsigned runtime.Object, signer signature.Signer, name, apiVersion string) (runtime.Object, error) { + switch apiVersion { + case v1Version: + signedV1Pipeline := unsigned.(*v1.Pipeline).DeepCopy() + signedV1Pipeline.Name = name + if signedV1Pipeline.Annotations == nil { + signedV1Pipeline.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1Pipeline) + if err != nil { + return nil, err + } + signedV1Pipeline.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1Pipeline, nil + case v1beta1Version: + signedV1beta1Pipeline := unsigned.(*v1beta1.Pipeline).DeepCopy() + signedV1beta1Pipeline.Name = name + if signedV1beta1Pipeline.Annotations == nil { + signedV1beta1Pipeline.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1beta1Pipeline) + if err != nil { + return nil, err + } + signedV1beta1Pipeline.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1beta1Pipeline, nil + default: + return nil, fmt.Errorf("could not get signed pipeline from unsigned: %v", unsigned) } - signedPipeline.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) - return signedPipeline, nil } -// GetSignedV1beta1Task signed the given task and rename it with given name -func GetSignedV1beta1Task(unsigned *v1beta1.Task, signer signature.Signer, name string) (*v1beta1.Task, error) { - signedTask := unsigned.DeepCopy() - signedTask.Name = name - if signedTask.Annotations == nil { - signedTask.Annotations = map[string]string{} - } - signature, err := signInterface(signer, signedTask) - if err != nil { - return nil, err +// GetSignedTask signed the given task and rename it with given name and apiVersion +func GetSignedTask(unsigned runtime.Object, signer signature.Signer, name, apiVersion string) (runtime.Object, error) { + switch apiVersion { + case v1Version: + signedV1Task := unsigned.(*v1.Task).DeepCopy() + signedV1Task.Name = name + if signedV1Task.Annotations == nil { + signedV1Task.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1Task) + if err != nil { + return nil, err + } + signedV1Task.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1Task, nil + case v1beta1Version: + signedV1beta1Task := unsigned.(*v1beta1.Task).DeepCopy() + signedV1beta1Task.Name = name + if signedV1beta1Task.Annotations == nil { + signedV1beta1Task.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1beta1Task) + if err != nil { + return nil, err + } + signedV1beta1Task.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1beta1Task, nil + default: + return nil, fmt.Errorf("could not get signed task from unsigned: %v", unsigned) } - signedTask.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) - return signedTask, nil } func getPass(confirm bool) ([]byte, error) { diff --git a/test/trustedresources_test.go b/test/trustedresources_test.go index 0a84da1a25e..ff27c8f252c 100644 --- a/test/trustedresources_test.go +++ b/test/trustedresources_test.go @@ -46,7 +46,7 @@ func TestSignInterface(t *testing.T) { }{{ name: "Sign Task", signer: sv, - target: GetUnsignedTask("unsigned"), + target: GetUnsignedTask("unsigned", v1beta1Version), wantErr: false, }, { name: "Sign String with cosign signer", @@ -61,7 +61,7 @@ func TestSignInterface(t *testing.T) { }, { name: "Empty Signer", signer: nil, - target: GetUnsignedTask("unsigned"), + target: GetUnsignedTask("unsigned", v1beta1Version), wantErr: true, }, { name: "Sign String with mock signer", diff --git a/test/wait.go b/test/wait.go index b22e3111074..90e5bebdeac 100644 --- a/test/wait.go +++ b/test/wait.go @@ -62,6 +62,7 @@ import ( const ( interval = 1 * time.Second timeout = 10 * time.Minute + v1Version = "v1" v1beta1Version = "v1beta1" )