From 2517acdf8e2203845b2e0c696f58551a98d1d863 Mon Sep 17 00:00:00 2001 From: JeromeJu Date: Mon, 12 Jun 2023 14:55:07 +0000 Subject: [PATCH] Add apiVersion to trustedResources helper This commit adds the apiVersion to the trustedResources helper which now allows the getSignedTask and etc helpers to return verified CRDs with the accepted apiVersions. This could help avoid confusions when we are adding v1 CRDs to be verified in the test cases. --- .../pipelinerun/pipelinerun_test.go | 64 +++--- .../pipelinerun/resources/pipelineref_test.go | 52 ++--- .../taskrun/resources/taskref_test.go | 12 +- pkg/reconciler/taskrun/taskrun_test.go | 6 +- pkg/trustedresources/verify_test.go | 92 ++++---- test/trusted_resources_test.go | 26 +-- test/trustedresources.go | 204 ++++++++++++------ test/trustedresources_test.go | 4 +- test/wait.go | 1 + 9 files changed, 271 insertions(+), 190 deletions(-) diff --git a/pkg/reconciler/pipelinerun/pipelinerun_test.go b/pkg/reconciler/pipelinerun/pipelinerun_test.go index c790049184c..65d91151853 100644 --- a/pkg/reconciler/pipelinerun/pipelinerun_test.go +++ b/pkg/reconciler/pipelinerun/pipelinerun_test.go @@ -11628,7 +11628,7 @@ spec: `) signer, _, vps := test.SetupMatchAllVerificationPolicies(t, ts.Namespace) - signedTask, err := test.GetSignedV1beta1Task(ts, signer, "test-task") + signedTask, err := test.GetSignedTask(ts, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -11648,7 +11648,7 @@ spec: resolver: %s `, resolverName)) - signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -11765,7 +11765,7 @@ func TestReconcile_verifyResolved_V1beta1Pipeline_Error(t *testing.T) { resolverName := "foobar" // Case1: unsigned Pipeline refers to unsigned Task - unsignedTask := parse.MustParseV1beta1Task(t, ` + unsignedV1beta1Task := parse.MustParseV1beta1Task(t, ` metadata: name: test-task namespace: foo @@ -11778,12 +11778,12 @@ spec: - name: foo value: bar `) - unsignedTaskBytes, err := yaml.Marshal(unsignedTask) + unsignedV1beta1TaskBytes, err := yaml.Marshal(unsignedV1beta1Task) if err != nil { t.Fatal("fail to marshal task", err) } - unsignedPipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` + unsignedV1beta1Pipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` metadata: name: test-pipeline namespace: foo @@ -11793,24 +11793,24 @@ spec: taskRef: resolver: %s `, resolverName)) - unsignedPipelineBytes, err := yaml.Marshal(unsignedPipeline) + unsignedPipelineBytes, err := yaml.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal task", err) } // Case2: signed Pipeline refers to unsigned Task - signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace) - signedPipelineWithUnsignedTask, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "test-pipeline") + signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedV1beta1Task.Namespace) + signedV1beta1PipelineWithUnsignedTask, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedPipelineWithUnsignedTask) + signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithUnsignedTask) if err != nil { t.Fatal("fail to marshal task", err) } // Case3: signed Pipeline refers to modified Task - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task") + signedTask, err := test.GetSignedTask(unsignedV1beta1Task, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -11818,7 +11818,7 @@ spec: if err != nil { t.Fatal("fail to marshal task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() if modifiedTask.Annotations == nil { modifiedTask.Annotations = make(map[string]string) } @@ -11838,11 +11838,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipelineWithModifiedTask, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedV1beta1PipelineWithModifiedTask, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedPipelineWithModifiedTask) + signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithModifiedTask) if err != nil { t.Fatal("fail to marshal task", err) } @@ -11858,11 +11858,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - modifiedPipeline := signedPipeline.DeepCopy() + modifiedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() if modifiedPipeline.Annotations == nil { modifiedPipeline.Annotations = make(map[string]string) } @@ -11902,12 +11902,12 @@ spec: { name: "unsigned pipeline fails verification", pipelineBytes: unsignedPipelineBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with unsigned task fails verification", pipelineBytes: signedPipelineWithUnsignedTaskBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with modified task fails verification", @@ -12100,7 +12100,7 @@ func TestReconcile_verifyResolved_V1Pipeline_Error(t *testing.T) { resolverName := "foobar" // Case1: unsigned Pipeline refers to unsigned Task - unsignedTask := parse.MustParseV1beta1Task(t, ` + unsignedV1beta1Task := parse.MustParseV1beta1Task(t, ` metadata: name: test-task namespace: foo @@ -12113,12 +12113,12 @@ spec: - name: foo value: bar `) - unsignedTaskBytes, err := yaml.Marshal(unsignedTask) + unsignedV1beta1TaskBytes, err := yaml.Marshal(unsignedV1beta1Task) if err != nil { t.Fatal("fail to marshal task", err) } - unsignedPipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` + unsignedV1beta1Pipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` metadata: name: test-pipeline namespace: foo @@ -12128,24 +12128,24 @@ spec: taskRef: resolver: %s `, resolverName)) - unsignedPipelineBytes, err := yaml.Marshal(unsignedPipeline) + unsignedPipelineBytes, err := yaml.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal task", err) } // Case2: signed Pipeline refers to unsigned Task - signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace) - signedPipelineWithUnsignedTask, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "test-pipeline") + signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedV1beta1Task.Namespace) + signedV1beta1PipelineWithUnsignedTask, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedPipelineWithUnsignedTask) + signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithUnsignedTask) if err != nil { t.Fatal("fail to marshal task", err) } // Case3: signed Pipeline refers to modified Task - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task") + signedTask, err := test.GetSignedTask(unsignedV1beta1Task, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -12153,7 +12153,7 @@ spec: if err != nil { t.Fatal("fail to marshal task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() if modifiedTask.Annotations == nil { modifiedTask.Annotations = make(map[string]string) } @@ -12173,11 +12173,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipelineWithModifiedTask, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedV1beta1PipelineWithModifiedTask, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedPipelineWithModifiedTask) + signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithModifiedTask) if err != nil { t.Fatal("fail to marshal task", err) } @@ -12193,11 +12193,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - modifiedPipeline := signedPipeline.DeepCopy() + modifiedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() if modifiedPipeline.Annotations == nil { modifiedPipeline.Annotations = make(map[string]string) } @@ -12237,12 +12237,12 @@ spec: { name: "unsigned pipeline fails verification", pipelineBytes: unsignedPipelineBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with unsigned task fails verification", pipelineBytes: signedPipelineWithUnsignedTaskBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with modified task fails verification", diff --git a/pkg/reconciler/pipelinerun/resources/pipelineref_test.go b/pkg/reconciler/pipelinerun/resources/pipelineref_test.go index c95491e3235..60d3a0ce6ce 100644 --- a/pkg/reconciler/pipelinerun/resources/pipelineref_test.go +++ b/pkg/reconciler/pipelinerun/resources/pipelineref_test.go @@ -517,8 +517,8 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) tektonclient := fake.NewSimpleClientset() - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline", "v1beta1") + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -529,10 +529,10 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { }, EntryPoint: "foo/bar", } - resolvedUnmatched := test.NewResolvedResource(unsignedPipelineBytes, nil, noMatchPolicyRefSource, nil) + resolvedUnmatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "signed") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -551,7 +551,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { requesterMatched := test.NewRequester(resolvedMatched, nil) pipelineRef := &v1beta1.PipelineRef{ - Name: signedPipeline.Name, + Name: signedPipeline.(*v1beta1.Pipeline).Name, ResolverRef: v1beta1.ResolverRef{ Resolver: "git", }, @@ -573,7 +573,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { }, Status: v1beta1.PipelineRunStatus{ PipelineRunStatusFields: v1beta1.PipelineRunStatusFields{ - PipelineSpec: &signedPipeline.Spec, + PipelineSpec: &signedPipeline.(*v1beta1.Pipeline).Spec, Provenance: &v1beta1.Provenance{ RefSource: &v1beta1.RefSource{ URI: "abc.com", @@ -588,7 +588,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { warnPolicyRefSource := &v1beta1.RefSource{ URI: " warnVP", } - resolvedUnsignedMatched := test.NewResolvedResource(unsignedPipelineBytes, nil, warnPolicyRefSource, nil) + resolvedUnsignedMatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, warnPolicyRefSource, nil) requesterUnsignedMatched := test.NewRequester(resolvedUnsignedMatched, nil) testcases := []struct { @@ -633,7 +633,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { verificationNoMatchPolicy: config.WarnNoMatchPolicy, pipelinerun: pr, policies: vps, - expected: unsignedPipeline, + expected: unsignedV1beta1Pipeline, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationWarn, Err: trustedresources.ErrNoMatchedPolicies}, }, { @@ -642,7 +642,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { verificationNoMatchPolicy: config.FailNoMatchPolicy, pipelinerun: pr, policies: vps, - expected: unsignedPipeline, + expected: unsignedV1beta1Pipeline, expectedRefSource: warnPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationWarn, Err: trustedresources.ErrResourceVerificationFailed}, }, { @@ -651,7 +651,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, pipelinerun: pr, policies: vps, - expected: unsignedPipeline, + expected: unsignedV1beta1Pipeline, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationSkip}, }, { @@ -662,10 +662,10 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { policies: vps, expected: &v1beta1.Pipeline{ ObjectMeta: metav1.ObjectMeta{ - Name: signedPipeline.Name, - Namespace: signedPipeline.Namespace, + Name: signedPipeline.(*v1beta1.Pipeline).Name, + Namespace: signedPipeline.(*v1beta1.Pipeline).Namespace, }, - Spec: signedPipeline.Spec, + Spec: signedPipeline.(*v1beta1.Pipeline).Spec, }, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: nil, @@ -704,8 +704,8 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyError(t *testing.T) { tektonclient := fake.NewSimpleClientset() signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline", "v1beta1") + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -717,10 +717,10 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyError(t *testing.T) { EntryPoint: "foo/bar", } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, matchPolicyRefSource, nil) + resolvedUnsigned := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, matchPolicyRefSource, nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "signed") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -739,7 +739,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyError(t *testing.T) { resolvedUnmatched := test.NewResolvedResource(signedPipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) - modifiedPipeline := signedPipeline.DeepCopy() + modifiedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() modifiedPipeline.Annotations["random"] = "attack" modifiedPipelineBytes, err := json.Marshal(modifiedPipeline) if err != nil { @@ -831,7 +831,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyNoError(t *testing.T) { t.Error(err) } - unsignedPipelineBytes, err := json.Marshal(unsignedV1Pipeline) + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -842,7 +842,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyNoError(t *testing.T) { }, EntryPoint: "foo/bar", } - resolvedUnmatched := test.NewResolvedResource(unsignedPipelineBytes, nil, noMatchPolicyRefSource, nil) + resolvedUnmatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) signedPipeline, err := getSignedV1Pipeline(unsignedV1Pipeline, signer, "signed") @@ -912,7 +912,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyNoError(t *testing.T) { warnPolicyRefSource := &v1beta1.RefSource{ URI: " warnVP", } - resolvedUnsignedMatched := test.NewResolvedResource(unsignedPipelineBytes, nil, warnPolicyRefSource, nil) + resolvedUnsignedMatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, warnPolicyRefSource, nil) requesterUnsignedMatched := test.NewRequester(resolvedUnsignedMatched, nil) testcases := []struct { @@ -1028,7 +1028,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyError(t *testing.T) { tektonclient := fake.NewSimpleClientset() signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipelineBytes, err := json.Marshal(unsignedV1Pipeline) + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -1040,7 +1040,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyError(t *testing.T) { EntryPoint: "foo/bar", } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, matchPolicyRefSource, nil) + resolvedUnsigned := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, matchPolicyRefSource, nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) signedPipeline, err := getSignedV1Pipeline(unsignedV1Pipeline, signer, "signed") @@ -1144,13 +1144,13 @@ func TestGetPipelineFunc_GetFuncError(t *testing.T) { tektonclient := fake.NewSimpleClientset() _, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline", "v1beta1") + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, sampleRefSource.DeepCopy(), nil) + resolvedUnsigned := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, sampleRefSource.DeepCopy(), nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) resolvedUnsigned.DataErr = fmt.Errorf("resolution error") diff --git a/pkg/reconciler/taskrun/resources/taskref_test.go b/pkg/reconciler/taskrun/resources/taskref_test.go index 9a3fb168e7a..9e96d807141 100644 --- a/pkg/reconciler/taskrun/resources/taskref_test.go +++ b/pkg/reconciler/taskrun/resources/taskref_test.go @@ -765,7 +765,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyNoError(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := test.GetUnsignedTask("test-task", "v1beta1") unsignedTaskBytes, err := json.Marshal(unsignedTask) if err != nil { t.Fatal("fail to marshal task", err) @@ -775,7 +775,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyNoError(t *testing.T) { } requesterUnmatched := bytesToRequester(unsignedTaskBytes, noMatchPolicyRefSource) - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "signed") + signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -890,7 +890,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyError(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := test.GetUnsignedTask("test-task", "v1beta1") unsignedTaskBytes, err := json.Marshal(unsignedTask) if err != nil { t.Fatal("fail to marshal task", err) @@ -900,7 +900,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyError(t *testing.T) { } requesterUnsigned := bytesToRequester(unsignedTaskBytes, matchPolicyRefSource) - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "signed") + signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -913,7 +913,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyError(t *testing.T) { } requesterUnmatched := bytesToRequester(signedTaskBytes, noMatchPolicyRefSource) - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() modifiedTask.Annotations["random"] = "attack" modifiedTaskBytes, err := json.Marshal(modifiedTask) if err != nil { @@ -1267,7 +1267,7 @@ func TestGetTaskFunc_GetFuncError(t *testing.T) { _, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := test.GetUnsignedTask("test-task", "v1beta1") unsignedTaskBytes, err := json.Marshal(unsignedTask) if err != nil { t.Fatal("fail to marshal task", err) diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go index 9f47f46ad14..a6dd9581ded 100644 --- a/pkg/reconciler/taskrun/taskrun_test.go +++ b/pkg/reconciler/taskrun/taskrun_test.go @@ -4919,7 +4919,7 @@ spec: `) signer, _, vps := test.SetupMatchAllVerificationPolicies(t, ts.Namespace) - signedTask, err := test.GetSignedV1beta1Task(ts, signer, "test-task") + signedTask, err := test.GetSignedTask(ts, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -5070,12 +5070,12 @@ spec: } signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace) - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task") + signedTask, err := test.GetSignedTask(unsignedTask, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() if modifiedTask.Annotations == nil { modifiedTask.Annotations = make(map[string]string) } diff --git a/pkg/trustedresources/verify_test.go b/pkg/trustedresources/verify_test.go index 1a5baf76d0d..a661798fb9b 100644 --- a/pkg/trustedresources/verify_test.go +++ b/pkg/trustedresources/verify_test.go @@ -46,7 +46,7 @@ const ( namespace = "trusted-resources" ) -var unsignedTask = v1.Task{ +var unsignedV1beta1Task = v1.Task{ TypeMeta: metav1.TypeMeta{ APIVersion: "tekton.dev/v1", Kind: "Task"}, @@ -62,7 +62,7 @@ var unsignedTask = v1.Task{ }, } -var unsignedPipeline = v1.Pipeline{ +var unsignedV1beta1Pipeline = v1.Pipeline{ TypeMeta: metav1.TypeMeta{ APIVersion: "tekton.dev/v1", Kind: "Pipeline"}, @@ -85,23 +85,23 @@ func TestVerifyInterface_Task_Success(t *testing.T) { t.Fatalf("failed to get signerverifier %v", err) } - unsignedTask := test.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, sv, "signed") + unsignedV1beta1Task := test.GetUnsignedTask("test-task", "v1beta1") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, sv, "signed", "v1beta1") if err != nil { t.Fatalf("Failed to get signed task %v", err) } signature := []byte{} - if sig, ok := signedTask.Annotations[SignatureAnnotation]; ok { - delete(signedTask.Annotations, SignatureAnnotation) + if sig, ok := signedV1beta1Task.(*v1beta1.Task).Annotations[SignatureAnnotation]; ok { + delete(signedV1beta1Task.(*v1beta1.Task).Annotations, SignatureAnnotation) signature, err = base64.StdEncoding.DecodeString(sig) if err != nil { t.Fatal(err) } } - err = verifyInterface(signedTask, sv, signature) + err = verifyInterface(signedV1beta1Task, sv, signature) if err != nil { t.Fatalf("VerifyInterface() get err %v", err) } @@ -113,14 +113,14 @@ func TestVerifyInterface_Task_Error(t *testing.T) { t.Fatalf("failed to get signerverifier %v", err) } - unsignedTask := test.GetUnsignedTask("test-task") + unsignedV1beta1Task := test.GetUnsignedTask("test-task", "v1beta1") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, sv, "signed") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, sv, "signed", "v1beta1") if err != nil { t.Fatalf("Failed to get signed task %v", err) } - tamperedTask := signedTask.DeepCopy() + tamperedTask := signedV1beta1Task.(*v1beta1.Task).DeepCopy() tamperedTask.Name = "tampered" tcs := []struct { @@ -129,7 +129,7 @@ func TestVerifyInterface_Task_Error(t *testing.T) { expectedError error }{{ name: "Unsigned Task Fail Verification", - task: unsignedTask, + task: unsignedV1beta1Task.(*v1beta1.Task), expectedError: ErrResourceVerificationFailed, }, { name: "Empty task Fail Verification", @@ -164,13 +164,13 @@ func TestVerifyInterface_Task_Error(t *testing.T) { func TestVerifyResource_Task_Success(t *testing.T) { signer256, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedTask := test.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer256, "signed") + unsignedV1beta1Task := test.GetUnsignedTask("test-task", "v1beta1") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, signer256, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedV1beta1Task.(*v1beta1.Task).DeepCopy() modifiedTask.Name = "modified" signer384, _, pub, err := test.GenerateKeys(elliptic.P384(), crypto.SHA384) @@ -246,7 +246,7 @@ func TestVerifyResource_Task_Success(t *testing.T) { }, } - signedTask384, err := test.GetSignedV1beta1Task(unsignedTask, signer384, "signed384") + signedTask384, err := test.GetSignedTask(unsignedV1beta1Task, signer384, "signed384", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -262,40 +262,40 @@ func TestVerifyResource_Task_Success(t *testing.T) { expectedVerificationResult VerificationResult }{{ name: "signed git source task passes verification", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: vps, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed bundle source task passes verification", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/git-clone"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: vps, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed task with sha384 key", - task: signedTask384, + task: signedTask384.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/sha384"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: []*v1alpha1.VerificationPolicy{sha384Vp}, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "ignore no match policy skips verification when no matching policies", - task: unsignedTask, + task: unsignedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationSkip}, }, { name: "warn no match policy skips verification when no matching policies", - task: unsignedTask, + task: unsignedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.WarnNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}, }, { name: "unsigned task matches warn policy doesn't fail verification", - task: unsignedTask, + task: unsignedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: []*v1alpha1.VerificationPolicy{warnPolicy}, @@ -332,14 +332,14 @@ func TestVerifyResource_Task_Error(t *testing.T) { ctx = test.SetupTrustedResourceConfig(ctx, config.FailNoMatchPolicy) sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedTask := test.GetUnsignedTask("test-task") + unsignedV1beta1Task := test.GetUnsignedTask("test-task", "v1beta1") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, sv, "signed") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, sv, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - tamperedTask := signedTask.DeepCopy() + tamperedTask := signedV1beta1Task.(*v1beta1.Task).DeepCopy() tamperedTask.Annotations["random"] = "attack" matchingSource := "git+https://github.com/tektoncd/catalog.git" @@ -352,7 +352,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError error }{{ name: "unsigned Task fails verification", - task: unsignedTask, + task: unsignedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: vps, expectedError: ErrResourceVerificationFailed, @@ -364,7 +364,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError: ErrResourceVerificationFailed, }, { name: "task not matching pattern fails verification", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationPolicy: vps, expectedError: ErrNoMatchedPolicies, @@ -376,7 +376,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError: ErrNoMatchedPolicies, }, { name: "Verification fails with regex error", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: []*v1alpha1.VerificationPolicy{ { @@ -393,7 +393,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError: ErrRegexMatch, }, { name: "Verification fails with error from policy", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: []*v1alpha1.VerificationPolicy{ { @@ -429,8 +429,8 @@ func TestVerifyResource_Task_Error(t *testing.T) { func TestVerifyResource_Pipeline_Success(t *testing.T) { sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, sv, "signed") + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline", "v1beta1") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, sv, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -444,25 +444,25 @@ func TestVerifyResource_Pipeline_Success(t *testing.T) { expectedVerificationResult VerificationResult }{{ name: "signed git source pipeline passes verification", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed bundle source pipeline passes verification", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/git-clone"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "ignore no match policy skips verification when no matching policies", - pipeline: unsignedPipeline, + pipeline: unsignedV1beta1Pipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationSkip}, }, { name: "warn no match policy skips verification when no matching policies", - pipeline: unsignedPipeline, + pipeline: unsignedV1beta1Pipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.WarnNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}, @@ -483,13 +483,13 @@ func TestVerifyResource_Pipeline_Error(t *testing.T) { ctx = test.SetupTrustedResourceConfig(ctx, config.FailNoMatchPolicy) sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline", "v1beta1") - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, sv, "signed") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, sv, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - tamperedPipeline := signedPipeline.DeepCopy() + tamperedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() tamperedPipeline.Annotations["random"] = "attack" matchingSource := "git+https://github.com/tektoncd/catalog.git" @@ -508,13 +508,13 @@ func TestVerifyResource_Pipeline_Error(t *testing.T) { expectedError: ErrResourceVerificationFailed, }, { name: "Task Not Matching Pattern Fails Verification", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationPolicy: vps, expectedError: ErrNoMatchedPolicies, }, { name: "Verification fails with regex error", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: []*v1alpha1.VerificationPolicy{ { @@ -542,22 +542,22 @@ func TestVerifyResource_Pipeline_Error(t *testing.T) { func TestVerifyResource_V1Task_Success(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signedTask, err := getSignedV1Task(unsignedTask.DeepCopy(), signer, "signed") + signedV1beta1Task, err := getSignedV1Task(unsignedV1beta1Task.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } - vr := VerifyResource(context.Background(), signedTask, k8sclient, &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, vps) + vr := VerifyResource(context.Background(), signedV1beta1Task, k8sclient, &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, vps) if vr.VerificationResultType != VerificationPass { t.Errorf("VerificationResult mismatch: want %v, got %v", VerificationPass, vr.VerificationResultType) } } func TestVerifyResource_V1Task_Error(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signedTask, err := getSignedV1Task(unsignedTask.DeepCopy(), signer, "signed") + signedV1beta1Task, err := getSignedV1Task(unsignedV1beta1Task.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedV1beta1Task.DeepCopy() modifiedTask.Annotations["foo"] = "modified" vr := VerifyResource(context.Background(), modifiedTask, k8sclient, &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, vps) if vr.VerificationResultType != VerificationError && !errors.Is(vr.Err, ErrResourceVerificationFailed) { @@ -567,7 +567,7 @@ func TestVerifyResource_V1Task_Error(t *testing.T) { func TestVerifyResource_V1Pipeline_Success(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signed, err := getSignedV1Pipeline(unsignedPipeline.DeepCopy(), signer, "signed") + signed, err := getSignedV1Pipeline(unsignedV1beta1Pipeline.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } @@ -579,7 +579,7 @@ func TestVerifyResource_V1Pipeline_Success(t *testing.T) { func TestVerifyResource_V1Pipeline_Error(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signed, err := getSignedV1Pipeline(unsignedPipeline.DeepCopy(), signer, "signed") + signed, err := getSignedV1Pipeline(unsignedV1beta1Pipeline.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } @@ -602,7 +602,7 @@ func TestVerifyResource_TypeNotSupported(t *testing.T) { } func TestPrepareObjectMeta(t *testing.T) { - unsigned := test.GetUnsignedTask("test-task").ObjectMeta + unsigned := test.GetUnsignedTask("test-task", "v1beta1").(*v1beta1.Task).ObjectMeta signed := unsigned.DeepCopy() sig := "tY805zV53PtwDarK3VD6dQPx5MbIgctNcg/oSle+MG0=" diff --git a/test/trusted_resources_test.go b/test/trusted_resources_test.go index 2b1f6eeb8f6..e3780ab9802 100644 --- a/test/trusted_resources_test.go +++ b/test/trusted_resources_test.go @@ -96,11 +96,11 @@ spec: args: ['-c', 'echo hello'] `, helpers.ObjectNameForTest(t), namespace, fqImageName)) - signedTask, err := GetSignedV1beta1Task(task, signer, "signedtask") + signedV1beta1Task, err := GetSignedTask(task, signer, "signedtask", "v1beta1") if err != nil { t.Errorf("error getting signed task: %v", err) } - if _, err := c.V1beta1TaskClient.Create(ctx, signedTask, metav1.CreateOptions{}); err != nil { + if _, err := c.V1beta1TaskClient.Create(ctx, signedV1beta1Task, metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Task: %s", err) } @@ -121,14 +121,14 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedTask.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Task.Name, namespace)) - signedPipeline, err := GetSignedV1beta1Pipeline(pipeline, signer, "signedpipeline") + signedV1beta1Pipeline, err := GetSignedPipeline(pipeline, signer, "signedpipeline", "v1beta1") if err != nil { t.Errorf("error getting signed pipeline: %v", err) } - if _, err := c.V1beta1PipelineClient.Create(ctx, signedPipeline, metav1.CreateOptions{}); err != nil { + if _, err := c.V1beta1PipelineClient.Create(ctx, signedV1beta1Pipeline, metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Pipeline: %s", err) } @@ -147,7 +147,7 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedPipeline.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Pipeline.Name, namespace)) t.Logf("Creating PipelineRun %s", pr.Name) if _, err := c.V1beta1PipelineRunClient.Create(ctx, pr, metav1.CreateOptions{}); err != nil { @@ -210,13 +210,13 @@ spec: args: ['-c', 'echo hello'] `, helpers.ObjectNameForTest(t), namespace, fqImageName)) - signedTask, err := GetSignedV1beta1Task(task, signer, "signedtask") + signedV1beta1Task, err := GetSignedTask(task, signer, "signedtask", "v1beta1") if err != nil { t.Errorf("error getting signed task: %v", err) } // modify the task to fail the verification - signedTask.Annotations["foo"] = "bar" - if _, err := c.V1beta1TaskClient.Create(ctx, signedTask, metav1.CreateOptions{}); err != nil { + signedV1beta1Task.Annotations["foo"] = "bar" + if _, err := c.V1beta1TaskClient.Create(ctx, signedV1beta1Task, metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Task: %s", err) } @@ -237,14 +237,14 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedTask.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Task.Name, namespace)) - signedPipeline, err := GetSignedV1beta1Pipeline(pipeline, signer, "signedpipeline") + signedV1beta1Pipeline, err := GetSignedPipeline(pipeline, signer, "signedpipeline", "v1beta1") if err != nil { t.Errorf("error getting signed pipeline: %v", err) } - if _, err := c.V1beta1PipelineClient.Create(ctx, signedPipeline, metav1.CreateOptions{}); err != nil { + if _, err := c.V1beta1PipelineClient.Create(ctx, signedV1beta1Pipeline, metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Pipeline: %s", err) } @@ -263,7 +263,7 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedPipeline.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Pipeline.Name, namespace)) t.Logf("Creating PipelineRun %s", pr.Name) if _, err := c.V1beta1PipelineRunClient.Create(ctx, pr, metav1.CreateOptions{}); err != nil { diff --git a/test/trustedresources.go b/test/trustedresources.go index e887603567c..42d440457bb 100644 --- a/test/trustedresources.go +++ b/test/trustedresources.go @@ -34,11 +34,12 @@ import ( "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" "github.com/tektoncd/pipeline/pkg/apis/config" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" corev1 "k8s.io/api/core/v1" - v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" fakek8s "k8s.io/client-go/kubernetes/fake" "knative.dev/pkg/logging" ) @@ -54,44 +55,89 @@ var ( read = readPasswordFn ) -// GetUnsignedTask returns unsigned task with given name -func GetUnsignedTask(name string) *v1beta1.Task { - return &v1beta1.Task{ - TypeMeta: metav1.TypeMeta{ - APIVersion: "tekton.dev/v1beta1", - Kind: "Task"}, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - Annotations: map[string]string{"foo": "bar"}, - }, - Spec: v1beta1.TaskSpec{ - Steps: []v1beta1.Step{{ - Image: "ubuntu", - Name: "echo", - }}, - }, +// GetUnsignedTask returns unsigned task with given name and apiVersion +func GetUnsignedTask(name, apiVersion string) runtime.Object { + switch apiVersion { + case v1beta1Version: + return &v1beta1.Task{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "tekton.dev/v1beta1", + Kind: "Task"}, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + Annotations: map[string]string{"foo": "bar"}, + }, + Spec: v1beta1.TaskSpec{ + Steps: []v1beta1.Step{{ + Image: "ubuntu", + Name: "echo", + }}, + }, + } + case v1Version: + return &v1.Task{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "tekton.dev/v1", + Kind: "Task"}, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + Annotations: map[string]string{"foo": "bar"}, + }, + Spec: v1.TaskSpec{ + Steps: []v1.Step{{ + Image: "ubuntu", + Name: "echo", + }}, + }, + } + default: + return nil } } -// GetUnsignedPipeline returns unsigned pipeline with given name -func GetUnsignedPipeline(name string) *v1beta1.Pipeline { - return &v1beta1.Pipeline{ - TypeMeta: metav1.TypeMeta{ - APIVersion: "tekton.dev/v1beta1", - Kind: "Pipeline"}, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - Annotations: map[string]string{"foo": "bar"}, - }, - Spec: v1beta1.PipelineSpec{ - Tasks: []v1beta1.PipelineTask{ - { - Name: "task", +// GetUnsignedPipeline returns unsigned pipeline with given name and apiVersion +func GetUnsignedPipeline(name, apiVersion string) runtime.Object { + switch apiVersion { + case v1beta1Version: + return &v1beta1.Pipeline{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "tekton.dev/v1beta1", + Kind: "Pipeline"}, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + Annotations: map[string]string{"foo": "bar"}, + }, + Spec: v1beta1.PipelineSpec{ + Tasks: []v1beta1.PipelineTask{ + { + Name: "task", + }, }, }, - }, + } + case v1Version: + return &v1.Pipeline{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "tekton.dev/v1", + Kind: "Pipeline"}, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + Annotations: map[string]string{"foo": "bar"}, + }, + Spec: v1.PipelineSpec{ + Tasks: []v1.PipelineTask{ + { + Name: "task", + }, + }, + }, + } + default: + return nil } } @@ -132,7 +178,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P t.Fatalf("failed to generate keys %v", err) } - secret := &v1.Secret{ + secret := &corev1.Secret{ Data: map[string][]byte{"cosign.pub": pub}, ObjectMeta: metav1.ObjectMeta{ Name: "verification-secrets", @@ -164,7 +210,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P { Name: "pubkey", Key: &v1alpha1.KeyRef{ - SecretRef: &v1.SecretReference{ + SecretRef: &corev1.SecretReference{ Name: secret.Name, Namespace: secret.Namespace, }, @@ -199,7 +245,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P { Name: "pubkey", Key: &v1alpha1.KeyRef{ - SecretRef: &v1.SecretReference{ + SecretRef: &corev1.SecretReference{ Name: secret.Name, Namespace: secret.Namespace, }, @@ -224,7 +270,7 @@ func SetupMatchAllVerificationPolicies(t *testing.T, namespace string) (signatur t.Fatalf("failed to generate keys %v", err) } - secret := &v1.Secret{ + secret := &corev1.Secret{ Data: map[string][]byte{"cosign.pub": pub}, ObjectMeta: metav1.ObjectMeta{ Name: "verification-secrets", @@ -324,34 +370,68 @@ func signInterface(signer signature.Signer, i interface{}) ([]byte, error) { return sig, nil } -// GetSignedV1beta1Pipeline signed the given pipeline and rename it with given name -func GetSignedV1beta1Pipeline(unsigned *v1beta1.Pipeline, signer signature.Signer, name string) (*v1beta1.Pipeline, error) { - signedPipeline := unsigned.DeepCopy() - signedPipeline.Name = name - if signedPipeline.Annotations == nil { - signedPipeline.Annotations = map[string]string{} - } - signature, err := signInterface(signer, signedPipeline) - if err != nil { - return nil, err +// GetSignedPipeline signed the given pipeline and rename it with given name and apiVersion +func GetSignedPipeline(unsigned runtime.Object, signer signature.Signer, name, apiVersion string) (runtime.Object, error) { + switch apiVersion { + case v1Version: + signedV1Pipeline := unsigned.(*v1.Pipeline).DeepCopy() + signedV1Pipeline.Name = name + if signedV1Pipeline.Annotations == nil { + signedV1Pipeline.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1Pipeline) + if err != nil { + return nil, err + } + signedV1Pipeline.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1Pipeline, nil + case v1beta1Version: + signedV1beta1Pipeline := unsigned.(*v1beta1.Pipeline).DeepCopy() + signedV1beta1Pipeline.Name = name + if signedV1beta1Pipeline.Annotations == nil { + signedV1beta1Pipeline.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1beta1Pipeline) + if err != nil { + return nil, err + } + signedV1beta1Pipeline.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1beta1Pipeline, nil + default: + return nil, fmt.Errorf("could not get signed pipeline from unsigned: %v", unsigned) } - signedPipeline.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) - return signedPipeline, nil } -// GetSignedV1beta1Task signed the given task and rename it with given name -func GetSignedV1beta1Task(unsigned *v1beta1.Task, signer signature.Signer, name string) (*v1beta1.Task, error) { - signedTask := unsigned.DeepCopy() - signedTask.Name = name - if signedTask.Annotations == nil { - signedTask.Annotations = map[string]string{} - } - signature, err := signInterface(signer, signedTask) - if err != nil { - return nil, err +// GetSignedTask signed the given task and rename it with given name and apiVersion +func GetSignedTask(unsigned runtime.Object, signer signature.Signer, name, apiVersion string) (runtime.Object, error) { + switch apiVersion { + case v1Version: + signedV1Task := unsigned.(*v1.Task).DeepCopy() + signedV1Task.Name = name + if signedV1Task.Annotations == nil { + signedV1Task.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1Task) + if err != nil { + return nil, err + } + signedV1Task.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1Task, nil + case v1beta1Version: + signedV1beta1Task := unsigned.(*v1beta1.Task).DeepCopy() + signedV1beta1Task.Name = name + if signedV1beta1Task.Annotations == nil { + signedV1beta1Task.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1beta1Task) + if err != nil { + return nil, err + } + signedV1beta1Task.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1beta1Task, nil + default: + return nil, fmt.Errorf("could not get signed task from unsigned: %v", unsigned) } - signedTask.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) - return signedTask, nil } func getPass(confirm bool) ([]byte, error) { diff --git a/test/trustedresources_test.go b/test/trustedresources_test.go index 0a84da1a25e..ff27c8f252c 100644 --- a/test/trustedresources_test.go +++ b/test/trustedresources_test.go @@ -46,7 +46,7 @@ func TestSignInterface(t *testing.T) { }{{ name: "Sign Task", signer: sv, - target: GetUnsignedTask("unsigned"), + target: GetUnsignedTask("unsigned", v1beta1Version), wantErr: false, }, { name: "Sign String with cosign signer", @@ -61,7 +61,7 @@ func TestSignInterface(t *testing.T) { }, { name: "Empty Signer", signer: nil, - target: GetUnsignedTask("unsigned"), + target: GetUnsignedTask("unsigned", v1beta1Version), wantErr: true, }, { name: "Sign String with mock signer", diff --git a/test/wait.go b/test/wait.go index b22e3111074..90e5bebdeac 100644 --- a/test/wait.go +++ b/test/wait.go @@ -62,6 +62,7 @@ import ( const ( interval = 1 * time.Second timeout = 10 * time.Minute + v1Version = "v1" v1beta1Version = "v1beta1" )