add warn mode to getVerificationPolicy

getVerificationPolicy is a helper function to return VerificationPolicy with given args, it can reduce the duplicate code for tests. This commit adds warn mode to this function so we could test the behaviour of warn mode policies. Signed-off-by: Yongxuan Zhang [email protected]
tektoncd · May 25, 2023 · 9b8e5fc · 9b8e5fc
1 parent dffb5f4
commit 9b8e5fc
Show file tree

Hide file tree

Showing 2 changed files with 135 additions and 8 deletions.
diff --git a/test/trustedresources.go b/test/trustedresources.go
@@ -116,7 +116,8 @@ func SetupTrustedResourceConfig(ctx context.Context, verificationNoMatchPolicy s
 // This function helps to setup 3 kinds of VerificationPolicies:
 // 1. One public key in inline data
 // 2. One public key in secret
-// 3. 2 authorities referring to the same secret. This is to test and make sure we don't have duplicate counts
+// 3. wrong inline key
+// 4. warn mode policy without keys
 // SignerVerifier is returned to sign resources
 // The k8s clientset is returned to fetch secret from it.
 // VerificationPolicies are returned to fetch public keys
@@ -151,7 +152,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P
 					HashAlgorithm: "sha256",
 				},
 			},
-		})
+		}, v1alpha1.ModeEnforce)
 
 	keyInSecretVp := getVerificationPolicy(
 		"keyInSecretVp",
@@ -170,7 +171,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P
 					HashAlgorithm: "sha256",
 				},
 			},
-		})
+		}, v1alpha1.ModeEnforce)
 
 	wrongKeyandPatternVp := getVerificationPolicy(
 		"wrongKeyInDataVp",
@@ -186,11 +187,30 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P
 					HashAlgorithm: "sha256",
 				},
 			},
-		})
+		}, v1alpha1.ModeEnforce)
+
+	warnModeVP := getVerificationPolicy(
+		"warnModeVP",
+		namespace,
+		[]v1alpha1.ResourcePattern{{
+			Pattern: "warnVP"},
+		},
+		[]v1alpha1.Authority{
+			{
+				Name: "pubkey",
+				Key: &v1alpha1.KeyRef{
+					SecretRef: &v1.SecretReference{
+						Name:      secret.Name,
+						Namespace: secret.Namespace,
+					},
+					HashAlgorithm: "sha256",
+				},
+			},
+		}, v1alpha1.ModeWarn)
 
 	k8sclient := fakek8s.NewSimpleClientset(secret)
 
-	return sv, keys, k8sclient, []*v1alpha1.VerificationPolicy{&keyInDataVp, &keyInSecretVp, &wrongKeyandPatternVp}
+	return sv, keys, k8sclient, []*v1alpha1.VerificationPolicy{&keyInDataVp, &keyInSecretVp, &wrongKeyandPatternVp, &warnModeVP}
 }
 
 // SetupMatchAllVerificationPolicies set verification policies with a Pattern to match all resources
@@ -224,7 +244,7 @@ func SetupMatchAllVerificationPolicies(t *testing.T, namespace string) (signatur
 					HashAlgorithm: "sha256",
 				},
 			},
-		})
+		}, v1alpha1.ModeEnforce)
 
 	k8sclient := fakek8s.NewSimpleClientset(secret)
 
@@ -350,7 +370,7 @@ func readPasswordFn(confirm bool) func() ([]byte, error) {
 	}
 }
 
-func getVerificationPolicy(name, namespace string, patterns []v1alpha1.ResourcePattern, authorities []v1alpha1.Authority) v1alpha1.VerificationPolicy {
+func getVerificationPolicy(name, namespace string, patterns []v1alpha1.ResourcePattern, authorities []v1alpha1.Authority, mode v1alpha1.ModeType) v1alpha1.VerificationPolicy {
 	return v1alpha1.VerificationPolicy{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "VerificationPolicy",
@@ -363,7 +383,7 @@ func getVerificationPolicy(name, namespace string, patterns []v1alpha1.ResourceP
 		Spec: v1alpha1.VerificationPolicySpec{
 			Resources:   patterns,
 			Authorities: authorities,
-			Mode:        v1alpha1.ModeEnforce,
+			Mode:        mode,
 		},
 	}
 }
diff --git a/test/trustedresources_test.go b/test/trustedresources_test.go
@@ -26,7 +26,9 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/sigstore/sigstore/pkg/signature"
+	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
 	"github.com/tektoncd/pipeline/test/diff"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestSignInterface(t *testing.T) {
@@ -106,6 +108,111 @@ func TestSignInterface(t *testing.T) {
 	}
 }
 
+func TestGetVerificationPolicy(t *testing.T) {
+	type args struct {
+		name        string
+		namespace   string
+		patterns    []v1alpha1.ResourcePattern
+		authorities []v1alpha1.Authority
+		mode        v1alpha1.ModeType
+	}
+
+	tcs := []struct {
+		name string
+		args args
+		want v1alpha1.VerificationPolicy
+	}{{
+		name: "enforce mode policy",
+		args: args{
+			name:      "policy",
+			namespace: "ns",
+			patterns:  []v1alpha1.ResourcePattern{{Pattern: "url"}},
+			authorities: []v1alpha1.Authority{
+				{
+					Name: "pubkey",
+					Key: &v1alpha1.KeyRef{
+						Data:          "key",
+						HashAlgorithm: "sha256",
+					},
+				},
+			},
+			mode: v1alpha1.ModeEnforce,
+		},
+		want: v1alpha1.VerificationPolicy{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "VerificationPolicy",
+				APIVersion: "v1alpha1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "policy",
+				Namespace: "ns",
+			},
+			Spec: v1alpha1.VerificationPolicySpec{
+				Resources: []v1alpha1.ResourcePattern{{Pattern: "url"}},
+				Authorities: []v1alpha1.Authority{
+					{
+						Name: "pubkey",
+						Key: &v1alpha1.KeyRef{
+							Data:          "key",
+							HashAlgorithm: "sha256",
+						},
+					},
+				},
+				Mode: v1alpha1.ModeEnforce,
+			},
+		},
+	}, {
+		name: "warn mode policy",
+		args: args{
+			name:      "policy",
+			namespace: "ns",
+			patterns:  []v1alpha1.ResourcePattern{{Pattern: "url"}},
+			authorities: []v1alpha1.Authority{
+				{
+					Name: "pubkey",
+					Key: &v1alpha1.KeyRef{
+						Data:          "key",
+						HashAlgorithm: "sha256",
+					},
+				},
+			},
+			mode: v1alpha1.ModeWarn,
+		},
+		want: v1alpha1.VerificationPolicy{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "VerificationPolicy",
+				APIVersion: "v1alpha1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "policy",
+				Namespace: "ns",
+			},
+			Spec: v1alpha1.VerificationPolicySpec{
+				Resources: []v1alpha1.ResourcePattern{{Pattern: "url"}},
+				Authorities: []v1alpha1.Authority{
+					{
+						Name: "pubkey",
+						Key: &v1alpha1.KeyRef{
+							Data:          "key",
+							HashAlgorithm: "sha256",
+						},
+					},
+				},
+				Mode: v1alpha1.ModeWarn,
+			},
+		},
+	},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.name, func(t *testing.T) {
+			got := getVerificationPolicy(tc.args.name, tc.args.namespace, tc.args.patterns, tc.args.authorities, tc.args.mode)
+			if d := cmp.Diff(tc.want, got); d != "" {
+				diff.PrintWantGot(d)
+			}
+		})
+	}
+}
+
 type mockSigner struct {
 	signature.SignerVerifier
 }