diff --git a/test/trustedresources.go b/test/trustedresources.go
index 76435775b16..a735d9a49b6 100644
--- a/test/trustedresources.go
+++ b/test/trustedresources.go
@@ -116,7 +116,8 @@ func SetupTrustedResourceConfig(ctx context.Context, verificationNoMatchPolicy s
 // This function helps to setup 3 kinds of VerificationPolicies:
 // 1. One public key in inline data
 // 2. One public key in secret
-// 3. 2 authorities referring to the same secret. This is to test and make sure we don't have duplicate counts
+// 3. wrong inline key
+// 4. warn mode policy without keys
 // SignerVerifier is returned to sign resources
 // The k8s clientset is returned to fetch secret from it.
 // VerificationPolicies are returned to fetch public keys
@@ -151,7 +152,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P
 HashAlgorithm: "sha256",
 },
 },
- })
+ }, v1alpha1.ModeEnforce)
 
 keyInSecretVp := getVerificationPolicy(
 "keyInSecretVp",
@@ -170,7 +171,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P
 HashAlgorithm: "sha256",
 },
 },
- })
+ }, v1alpha1.ModeEnforce)
 
 wrongKeyandPatternVp := getVerificationPolicy(
 "wrongKeyInDataVp",
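Review bot: The doc comment rewritten in the -116 hunk still opens with "setup 3 kinds of VerificationPolicies" although the list below it now has four entries, and item 4, "warn mode policy without keys", does not describe the warnModeVP this same diff adds further down, which carries a pubkey authority backed by a SecretRef. Suggest `// This function helps to setup 4 kinds of VerificationPolicies:` and `// 4. One public key in secret, in warn mode`. Warn mode is the setting under which a failed verification only logs instead of rejecting the resource, so a fixture description that claims the policy has no keys can mislead a reader trying to judge which enforcement path the tests really exercise. The function this comment documents continues outside the hunk.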
@@ -186,11 +187,30 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P
 HashAlgorithm: "sha256",
 },
 },
- })
+ }, v1alpha1.ModeEnforce)
+
+ warnModeVP := getVerificationPolicy(
+ "warnModeVP",
+ namespace,
+ []v1alpha1.ResourcePattern{{
+ Pattern: "warnVP"},
+ },
+ []v1alpha1.Authority{
+ {
+ Name: "pubkey",
+ Key: &v1alpha1.KeyRef{
+ SecretRef: &v1.SecretReference{
+ Name: secret.Name,
+ Namespace: secret.Namespace,
+ },
+ HashAlgorithm: "sha256",
+ },
+ },
+ }, v1alpha1.ModeWarn)
 
 k8sclient := fakek8s.NewSimpleClientset(secret)
 
- return sv, keys, k8sclient, []*v1alpha1.VerificationPolicy{&keyInDataVp, &keyInSecretVp, &wrongKeyandPatternVp}
+ return sv, keys, k8sclient, []*v1alpha1.VerificationPolicy{&keyInDataVp, &keyInSecretVp, &wrongKeyandPatternVp, &warnModeVP}
 }
 
 // SetupMatchAllVerificationPolicies set verification policies with a Pattern to match all resources
@@ -224,7 +244,7 @@ func SetupMatchAllVerificationPolicies(t *testing.T, namespace string) (signatur
 HashAlgorithm: "sha256",
 },
 },
- })
+ }, v1alpha1.ModeEnforce)
 
 k8sclient := fakek8s.NewSimpleClientset(secret)
 
@@ -350,7 +370,7 @@ func readPasswordFn(confirm bool) func() ([]byte, error) {
 }
 }
 
-func getVerificationPolicy(name, namespace string, patterns []v1alpha1.ResourcePattern, authorities []v1alpha1.Authority) v1alpha1.VerificationPolicy {
+func getVerificationPolicy(name, namespace string, patterns []v1alpha1.ResourcePattern, authorities []v1alpha1.Authority, mode v1alpha1.ModeType) v1alpha1.VerificationPolicy {
 return v1alpha1.VerificationPolicy{
 TypeMeta: metav1.TypeMeta{
 Kind: "VerificationPolicy",
@@ -363,7 +383,7 @@ func getVerificationPolicy(name, namespace string, patterns []v1alpha1.ResourceP
 Spec: v1alpha1.VerificationPolicySpec{
 Resources: patterns,
 Authorities: authorities,
- Mode: v1alpha1.ModeEnforce,
+ Mode: mode,
 },
 }
 }
diff --git a/test/trustedresources_test.go b/test/trustedresources_test.go
index 0a84da1a25e..b91b04122c4 100644
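Review bot: The ResourcePattern literal for warnModeVP in the -186 hunk is split across three lines with the closing brace of the inner element glued to the `Pattern` line (`{{` / `Pattern: "warnVP"},` / `},`), which reads as an unbalanced literal at a glance even though it is valid; the sibling policies and the new unit test use the compact one-line form. Suggest `[]v1alpha1.ResourcePattern{{Pattern: "warnVP"}},` so the four fixtures are built the same way. A one-line comment above the block, such as `// warnModeVP reuses the secret-backed key but only warns on verification failure`, would also make the contrast with keyInSecretVp explicit for readers of the fixture. SetupVerificationPolicies starts outside this hunk.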
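Review bot: getVerificationPolicy in the -350 hunk gains a `mode` parameter but still has no doc comment, and since the mode now decides whether a policy blocks or merely warns, the helper's contract deserves a sentence; suggest `// getVerificationPolicy builds a VerificationPolicy in the given namespace for the given patterns and authorities, with mode controlling whether verification failures are enforced or only warned about.` The value is passed through unvalidated in the -363 hunk (`Mode: mode,`), which is acceptable for a test helper whose callers in this diff pass only ModeEnforce and ModeWarn, but the comment should say that no validation happens here. The body of getVerificationPolicy spans both hunks and its middle lies outside them.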
--- a/test/trustedresources_test.go
+++ b/test/trustedresources_test.go
@@ -26,7 +26,9 @@ import (
 
 "github.com/google/go-cmp/cmp"
 "github.com/sigstore/sigstore/pkg/signature"
+ "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
 "github.com/tektoncd/pipeline/test/diff"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestSignInterface(t *testing.T) {
@@ -106,6 +108,111 @@ func TestSignInterface(t *testing.T) {
 }
 }
 
+func TestGetVerificationPolicy(t *testing.T) {
+ type args struct {
+ name string
+ namespace string
+ patterns []v1alpha1.ResourcePattern
+ authorities []v1alpha1.Authority
+ mode v1alpha1.ModeType
+ }
+
+ tcs := []struct {
+ name string
+ args args
+ want v1alpha1.VerificationPolicy
+ }{{
+ name: "enforce mode policy",
+ args: args{
+ name: "policy",
+ namespace: "ns",
+ patterns: []v1alpha1.ResourcePattern{{Pattern: "url"}},
+ authorities: []v1alpha1.Authority{
+ {
+ Name: "pubkey",
+ Key: &v1alpha1.KeyRef{
+ Data: "key",
+ HashAlgorithm: "sha256",
+ },
+ },
+ },
+ mode: v1alpha1.ModeEnforce,
+ },
+ want: v1alpha1.VerificationPolicy{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "VerificationPolicy",
+ APIVersion: "v1alpha1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "policy",
+ Namespace: "ns",
+ },
+ Spec: v1alpha1.VerificationPolicySpec{
+ Resources: []v1alpha1.ResourcePattern{{Pattern: "url"}},
+ Authorities: []v1alpha1.Authority{
+ {
+ Name: "pubkey",
+ Key: &v1alpha1.KeyRef{
+ Data: "key",
+ HashAlgorithm: "sha256",
+ },
+ },
+ },
+ Mode: v1alpha1.ModeEnforce,
+ },
+ },
+ }, {
+ name: "warn mode policy",
+ args: args{
+ name: "policy",
+ namespace: "ns",
+ patterns: []v1alpha1.ResourcePattern{{Pattern: "url"}},
+ authorities: []v1alpha1.Authority{
+ {
+ Name: "pubkey",
+ Key: &v1alpha1.KeyRef{
+ Data: "key",
+ HashAlgorithm: "sha256",
+ },
+ },
+ },
+ mode: v1alpha1.ModeWarn,
+ },
+ want: v1alpha1.VerificationPolicy{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "VerificationPolicy",
+ APIVersion: "v1alpha1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "policy",
+ Namespace: "ns",
+ },
+ Spec: v1alpha1.VerificationPolicySpec{
+ Resources: []v1alpha1.ResourcePattern{{Pattern: "url"}},
+ Authorities: []v1alpha1.Authority{
+ {
+ Name: "pubkey",
+ Key: &v1alpha1.KeyRef{
+ Data: "key",
+ HashAlgorithm: "sha256",
+ },
+ },
+ },
+ Mode: v1alpha1.ModeWarn,
+ },
+ },
+ },
+ }
+ for _, tc := range tcs {
+ t.Run(tc.name, func(t *testing.T) {
+ got := getVerificationPolicy(tc.args.name, tc.args.namespace, tc.args.patterns, tc.args.authorities, tc.args.mode)
+ if d := cmp.Diff(tc.want, got); d != "" {
+ diff.PrintWantGot(d)
+ }
+ })
+ }
+}
+
 type mockSigner struct {
 signature.SignerVerifier
 }
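Review bot: TestGetVerificationPolicy can never fail: when cmp.Diff reports a mismatch, the body only calls `diff.PrintWantGot(d)` and never reports through `t`, so a regression in how the mode (or any other field) is set on the policy would pass silently. The mismatch branch should be `t.Errorf("getVerificationPolicy() %s", diff.PrintWantGot(d))`, matching how the rest of this repository's tests use that helper. This matters more than a cosmetic test bug because the enforce-versus-warn distinction is the check that decides whether an unverified resource is rejected or merely logged, and a test that cannot fail gives no assurance the right mode reaches the policy. With the fixed assertion both cases exercise real behaviour; a third case with an empty authorities slice would also confirm the helper does not special-case the absence of keys.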