From d661c7da8c1d5533f81e634cd47063d2403e6837 Mon Sep 17 00:00:00 2001 From: JeromeJu Date: Mon, 12 Jun 2023 20:19:05 +0000 Subject: [PATCH] Add apiVersion to trustedResources helper This commit adds the apiVersion to the trustedResources helper which now allows the getSignedTask and etc helpers to return verified CRDs with the accepted apiVersions. This could help avoid confusions when we are adding v1 CRDs to be verified in the test cases. --- .../pipelinerun/pipelinerun_test.go | 64 ++++++------- .../pipelinerun/resources/pipelineref_test.go | 52 +++++------ .../taskrun/resources/taskref_test.go | 24 ++--- pkg/reconciler/taskrun/taskrun_test.go | 6 +- pkg/trustedresources/verify_test.go | 90 +++++++++--------- test/examples_test.go | 1 - test/trusted_resources_test.go | 28 +++--- test/trustedresources.go | 93 +++++++++++++------ test/wait.go | 1 + 9 files changed, 198 insertions(+), 161 deletions(-) diff --git a/pkg/reconciler/pipelinerun/pipelinerun_test.go b/pkg/reconciler/pipelinerun/pipelinerun_test.go index c790049184c..65d91151853 100644 --- a/pkg/reconciler/pipelinerun/pipelinerun_test.go +++ b/pkg/reconciler/pipelinerun/pipelinerun_test.go @@ -11628,7 +11628,7 @@ spec: `) signer, _, vps := test.SetupMatchAllVerificationPolicies(t, ts.Namespace) - signedTask, err := test.GetSignedV1beta1Task(ts, signer, "test-task") + signedTask, err := test.GetSignedTask(ts, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -11648,7 +11648,7 @@ spec: resolver: %s `, resolverName)) - signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -11765,7 +11765,7 @@ func TestReconcile_verifyResolved_V1beta1Pipeline_Error(t *testing.T) { resolverName := "foobar" // Case1: unsigned Pipeline refers to unsigned Task - unsignedTask := parse.MustParseV1beta1Task(t, ` + unsignedV1beta1Task := parse.MustParseV1beta1Task(t, ` metadata: name: test-task namespace: foo @@ -11778,12 +11778,12 @@ spec: - name: foo value: bar `) - unsignedTaskBytes, err := yaml.Marshal(unsignedTask) + unsignedV1beta1TaskBytes, err := yaml.Marshal(unsignedV1beta1Task) if err != nil { t.Fatal("fail to marshal task", err) } - unsignedPipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` + unsignedV1beta1Pipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` metadata: name: test-pipeline namespace: foo @@ -11793,24 +11793,24 @@ spec: taskRef: resolver: %s `, resolverName)) - unsignedPipelineBytes, err := yaml.Marshal(unsignedPipeline) + unsignedPipelineBytes, err := yaml.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal task", err) } // Case2: signed Pipeline refers to unsigned Task - signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace) - signedPipelineWithUnsignedTask, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "test-pipeline") + signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedV1beta1Task.Namespace) + signedV1beta1PipelineWithUnsignedTask, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedPipelineWithUnsignedTask) + signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithUnsignedTask) if err != nil { t.Fatal("fail to marshal task", err) } // Case3: signed Pipeline refers to modified Task - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task") + signedTask, err := test.GetSignedTask(unsignedV1beta1Task, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -11818,7 +11818,7 @@ spec: if err != nil { t.Fatal("fail to marshal task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() if modifiedTask.Annotations == nil { modifiedTask.Annotations = make(map[string]string) } @@ -11838,11 +11838,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipelineWithModifiedTask, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedV1beta1PipelineWithModifiedTask, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedPipelineWithModifiedTask) + signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithModifiedTask) if err != nil { t.Fatal("fail to marshal task", err) } @@ -11858,11 +11858,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - modifiedPipeline := signedPipeline.DeepCopy() + modifiedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() if modifiedPipeline.Annotations == nil { modifiedPipeline.Annotations = make(map[string]string) } @@ -11902,12 +11902,12 @@ spec: { name: "unsigned pipeline fails verification", pipelineBytes: unsignedPipelineBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with unsigned task fails verification", pipelineBytes: signedPipelineWithUnsignedTaskBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with modified task fails verification", @@ -12100,7 +12100,7 @@ func TestReconcile_verifyResolved_V1Pipeline_Error(t *testing.T) { resolverName := "foobar" // Case1: unsigned Pipeline refers to unsigned Task - unsignedTask := parse.MustParseV1beta1Task(t, ` + unsignedV1beta1Task := parse.MustParseV1beta1Task(t, ` metadata: name: test-task namespace: foo @@ -12113,12 +12113,12 @@ spec: - name: foo value: bar `) - unsignedTaskBytes, err := yaml.Marshal(unsignedTask) + unsignedV1beta1TaskBytes, err := yaml.Marshal(unsignedV1beta1Task) if err != nil { t.Fatal("fail to marshal task", err) } - unsignedPipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` + unsignedV1beta1Pipeline := parse.MustParseV1beta1Pipeline(t, fmt.Sprintf(` metadata: name: test-pipeline namespace: foo @@ -12128,24 +12128,24 @@ spec: taskRef: resolver: %s `, resolverName)) - unsignedPipelineBytes, err := yaml.Marshal(unsignedPipeline) + unsignedPipelineBytes, err := yaml.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal task", err) } // Case2: signed Pipeline refers to unsigned Task - signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace) - signedPipelineWithUnsignedTask, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "test-pipeline") + signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedV1beta1Task.Namespace) + signedV1beta1PipelineWithUnsignedTask, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedPipelineWithUnsignedTask) + signedPipelineWithUnsignedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithUnsignedTask) if err != nil { t.Fatal("fail to marshal task", err) } // Case3: signed Pipeline refers to modified Task - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task") + signedTask, err := test.GetSignedTask(unsignedV1beta1Task, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -12153,7 +12153,7 @@ spec: if err != nil { t.Fatal("fail to marshal task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() if modifiedTask.Annotations == nil { modifiedTask.Annotations = make(map[string]string) } @@ -12173,11 +12173,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipelineWithModifiedTask, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedV1beta1PipelineWithModifiedTask, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedPipelineWithModifiedTask) + signedPipelineWithModifiedTaskBytes, err := yaml.Marshal(signedV1beta1PipelineWithModifiedTask) if err != nil { t.Fatal("fail to marshal task", err) } @@ -12193,11 +12193,11 @@ spec: taskRef: resolver: %s `, resolverName)) - signedPipeline, err := test.GetSignedV1beta1Pipeline(ps, signer, "test-pipeline") + signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } - modifiedPipeline := signedPipeline.DeepCopy() + modifiedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() if modifiedPipeline.Annotations == nil { modifiedPipeline.Annotations = make(map[string]string) } @@ -12237,12 +12237,12 @@ spec: { name: "unsigned pipeline fails verification", pipelineBytes: unsignedPipelineBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with unsigned task fails verification", pipelineBytes: signedPipelineWithUnsignedTaskBytes, - taskBytes: unsignedTaskBytes, + taskBytes: unsignedV1beta1TaskBytes, }, { name: "signed pipeline with modified task fails verification", diff --git a/pkg/reconciler/pipelinerun/resources/pipelineref_test.go b/pkg/reconciler/pipelinerun/resources/pipelineref_test.go index c95491e3235..537d0dd5c10 100644 --- a/pkg/reconciler/pipelinerun/resources/pipelineref_test.go +++ b/pkg/reconciler/pipelinerun/resources/pipelineref_test.go @@ -517,8 +517,8 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) tektonclient := fake.NewSimpleClientset() - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -529,10 +529,10 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { }, EntryPoint: "foo/bar", } - resolvedUnmatched := test.NewResolvedResource(unsignedPipelineBytes, nil, noMatchPolicyRefSource, nil) + resolvedUnmatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "signed") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -551,7 +551,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { requesterMatched := test.NewRequester(resolvedMatched, nil) pipelineRef := &v1beta1.PipelineRef{ - Name: signedPipeline.Name, + Name: signedPipeline.(*v1beta1.Pipeline).Name, ResolverRef: v1beta1.ResolverRef{ Resolver: "git", }, @@ -573,7 +573,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { }, Status: v1beta1.PipelineRunStatus{ PipelineRunStatusFields: v1beta1.PipelineRunStatusFields{ - PipelineSpec: &signedPipeline.Spec, + PipelineSpec: &signedPipeline.(*v1beta1.Pipeline).Spec, Provenance: &v1beta1.Provenance{ RefSource: &v1beta1.RefSource{ URI: "abc.com", @@ -588,7 +588,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { warnPolicyRefSource := &v1beta1.RefSource{ URI: " warnVP", } - resolvedUnsignedMatched := test.NewResolvedResource(unsignedPipelineBytes, nil, warnPolicyRefSource, nil) + resolvedUnsignedMatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, warnPolicyRefSource, nil) requesterUnsignedMatched := test.NewRequester(resolvedUnsignedMatched, nil) testcases := []struct { @@ -633,7 +633,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { verificationNoMatchPolicy: config.WarnNoMatchPolicy, pipelinerun: pr, policies: vps, - expected: unsignedPipeline, + expected: unsignedV1beta1Pipeline, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationWarn, Err: trustedresources.ErrNoMatchedPolicies}, }, { @@ -642,7 +642,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { verificationNoMatchPolicy: config.FailNoMatchPolicy, pipelinerun: pr, policies: vps, - expected: unsignedPipeline, + expected: unsignedV1beta1Pipeline, expectedRefSource: warnPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationWarn, Err: trustedresources.ErrResourceVerificationFailed}, }, { @@ -651,7 +651,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, pipelinerun: pr, policies: vps, - expected: unsignedPipeline, + expected: unsignedV1beta1Pipeline, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationSkip}, }, { @@ -662,10 +662,10 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyNoError(t *testing.T) { policies: vps, expected: &v1beta1.Pipeline{ ObjectMeta: metav1.ObjectMeta{ - Name: signedPipeline.Name, - Namespace: signedPipeline.Namespace, + Name: signedPipeline.(*v1beta1.Pipeline).Name, + Namespace: signedPipeline.(*v1beta1.Pipeline).Namespace, }, - Spec: signedPipeline.Spec, + Spec: signedPipeline.(*v1beta1.Pipeline).Spec, }, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: nil, @@ -704,8 +704,8 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyError(t *testing.T) { tektonclient := fake.NewSimpleClientset() signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -717,10 +717,10 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyError(t *testing.T) { EntryPoint: "foo/bar", } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, matchPolicyRefSource, nil) + resolvedUnsigned := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, matchPolicyRefSource, nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, signer, "signed") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -739,7 +739,7 @@ func TestGetPipelineFunc_V1beta1Pipeline_VerifyError(t *testing.T) { resolvedUnmatched := test.NewResolvedResource(signedPipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) - modifiedPipeline := signedPipeline.DeepCopy() + modifiedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() modifiedPipeline.Annotations["random"] = "attack" modifiedPipelineBytes, err := json.Marshal(modifiedPipeline) if err != nil { @@ -831,7 +831,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyNoError(t *testing.T) { t.Error(err) } - unsignedPipelineBytes, err := json.Marshal(unsignedV1Pipeline) + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -842,7 +842,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyNoError(t *testing.T) { }, EntryPoint: "foo/bar", } - resolvedUnmatched := test.NewResolvedResource(unsignedPipelineBytes, nil, noMatchPolicyRefSource, nil) + resolvedUnmatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) signedPipeline, err := getSignedV1Pipeline(unsignedV1Pipeline, signer, "signed") @@ -912,7 +912,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyNoError(t *testing.T) { warnPolicyRefSource := &v1beta1.RefSource{ URI: " warnVP", } - resolvedUnsignedMatched := test.NewResolvedResource(unsignedPipelineBytes, nil, warnPolicyRefSource, nil) + resolvedUnsignedMatched := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, warnPolicyRefSource, nil) requesterUnsignedMatched := test.NewRequester(resolvedUnsignedMatched, nil) testcases := []struct { @@ -1028,7 +1028,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyError(t *testing.T) { tektonclient := fake.NewSimpleClientset() signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipelineBytes, err := json.Marshal(unsignedV1Pipeline) + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } @@ -1040,7 +1040,7 @@ func TestGetPipelineFunc_V1Pipeline_VerifyError(t *testing.T) { EntryPoint: "foo/bar", } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, matchPolicyRefSource, nil) + resolvedUnsigned := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, matchPolicyRefSource, nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) signedPipeline, err := getSignedV1Pipeline(unsignedV1Pipeline, signer, "signed") @@ -1144,13 +1144,13 @@ func TestGetPipelineFunc_GetFuncError(t *testing.T) { tektonclient := fake.NewSimpleClientset() _, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedV1beta1PipelineBytes, err := json.Marshal(unsignedV1beta1Pipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, sampleRefSource.DeepCopy(), nil) + resolvedUnsigned := test.NewResolvedResource(unsignedV1beta1PipelineBytes, nil, sampleRefSource.DeepCopy(), nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) resolvedUnsigned.DataErr = fmt.Errorf("resolution error") diff --git a/pkg/reconciler/taskrun/resources/taskref_test.go b/pkg/reconciler/taskrun/resources/taskref_test.go index 9a3fb168e7a..315e4d4833c 100644 --- a/pkg/reconciler/taskrun/resources/taskref_test.go +++ b/pkg/reconciler/taskrun/resources/taskref_test.go @@ -765,8 +765,8 @@ func TestGetTaskFunc_V1beta1Task_VerifyNoError(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") - unsignedTaskBytes, err := json.Marshal(unsignedTask) + unsignedV1beta1Task := test.GetUnsignedTask("test-task") + unsignedTaskBytes, err := json.Marshal(unsignedV1beta1Task) if err != nil { t.Fatal("fail to marshal task", err) } @@ -775,7 +775,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyNoError(t *testing.T) { } requesterUnmatched := bytesToRequester(unsignedTaskBytes, noMatchPolicyRefSource) - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "signed") + signedTask, err := test.GetSignedTask(unsignedV1beta1Task, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -832,7 +832,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyNoError(t *testing.T) { requester: requesterUnmatched, verificationNoMatchPolicy: config.WarnNoMatchPolicy, policies: vps, - expected: unsignedTask, + expected: unsignedV1beta1Task, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationWarn, Err: trustedresources.ErrNoMatchedPolicies}, }, { @@ -840,7 +840,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyNoError(t *testing.T) { requester: requesterUnsignedMatched, verificationNoMatchPolicy: config.FailNoMatchPolicy, policies: vps, - expected: unsignedTask, + expected: unsignedV1beta1Task, expectedRefSource: warnPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationWarn, Err: trustedresources.ErrResourceVerificationFailed}, }, { @@ -848,7 +848,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyNoError(t *testing.T) { requester: requesterUnmatched, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, policies: vps, - expected: unsignedTask, + expected: unsignedV1beta1Task, expectedRefSource: noMatchPolicyRefSource, expectedVerificationResult: &trustedresources.VerificationResult{VerificationResultType: trustedresources.VerificationSkip}, }, @@ -890,8 +890,8 @@ func TestGetTaskFunc_V1beta1Task_VerifyError(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") - unsignedTaskBytes, err := json.Marshal(unsignedTask) + unsignedV1beta1Task := test.GetUnsignedTask("test-task") + unsignedTaskBytes, err := json.Marshal(unsignedV1beta1Task) if err != nil { t.Fatal("fail to marshal task", err) } @@ -900,7 +900,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyError(t *testing.T) { } requesterUnsigned := bytesToRequester(unsignedTaskBytes, matchPolicyRefSource) - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "signed") + signedTask, err := test.GetSignedTask(unsignedV1beta1Task, signer, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -913,7 +913,7 @@ func TestGetTaskFunc_V1beta1Task_VerifyError(t *testing.T) { } requesterUnmatched := bytesToRequester(signedTaskBytes, noMatchPolicyRefSource) - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() modifiedTask.Annotations["random"] = "attack" modifiedTaskBytes, err := json.Marshal(modifiedTask) if err != nil { @@ -1267,8 +1267,8 @@ func TestGetTaskFunc_GetFuncError(t *testing.T) { _, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") - unsignedTaskBytes, err := json.Marshal(unsignedTask) + unsignedV1beta1Task := test.GetUnsignedTask("test-task") + unsignedTaskBytes, err := json.Marshal(unsignedV1beta1Task) if err != nil { t.Fatal("fail to marshal task", err) } diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go index 9f47f46ad14..a6dd9581ded 100644 --- a/pkg/reconciler/taskrun/taskrun_test.go +++ b/pkg/reconciler/taskrun/taskrun_test.go @@ -4919,7 +4919,7 @@ spec: `) signer, _, vps := test.SetupMatchAllVerificationPolicies(t, ts.Namespace) - signedTask, err := test.GetSignedV1beta1Task(ts, signer, "test-task") + signedTask, err := test.GetSignedTask(ts, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -5070,12 +5070,12 @@ spec: } signer, _, vps := test.SetupMatchAllVerificationPolicies(t, unsignedTask.Namespace) - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer, "test-task") + signedTask, err := test.GetSignedTask(unsignedTask, signer, "test-task", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedTask.(*v1beta1.Task).DeepCopy() if modifiedTask.Annotations == nil { modifiedTask.Annotations = make(map[string]string) } diff --git a/pkg/trustedresources/verify_test.go b/pkg/trustedresources/verify_test.go index 1a5baf76d0d..7a6f374bdd8 100644 --- a/pkg/trustedresources/verify_test.go +++ b/pkg/trustedresources/verify_test.go @@ -46,7 +46,7 @@ const ( namespace = "trusted-resources" ) -var unsignedTask = v1.Task{ +var unsignedV1Task = v1.Task{ TypeMeta: metav1.TypeMeta{ APIVersion: "tekton.dev/v1", Kind: "Task"}, @@ -62,7 +62,7 @@ var unsignedTask = v1.Task{ }, } -var unsignedPipeline = v1.Pipeline{ +var unsignedV1Pipeline = v1.Pipeline{ TypeMeta: metav1.TypeMeta{ APIVersion: "tekton.dev/v1", Kind: "Pipeline"}, @@ -85,23 +85,23 @@ func TestVerifyInterface_Task_Success(t *testing.T) { t.Fatalf("failed to get signerverifier %v", err) } - unsignedTask := test.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, sv, "signed") + unsignedV1beta1Task := test.GetUnsignedTask("test-task") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, sv, "signed", "v1beta1") if err != nil { t.Fatalf("Failed to get signed task %v", err) } signature := []byte{} - if sig, ok := signedTask.Annotations[SignatureAnnotation]; ok { - delete(signedTask.Annotations, SignatureAnnotation) + if sig, ok := signedV1beta1Task.(*v1beta1.Task).Annotations[SignatureAnnotation]; ok { + delete(signedV1beta1Task.(*v1beta1.Task).Annotations, SignatureAnnotation) signature, err = base64.StdEncoding.DecodeString(sig) if err != nil { t.Fatal(err) } } - err = verifyInterface(signedTask, sv, signature) + err = verifyInterface(signedV1beta1Task, sv, signature) if err != nil { t.Fatalf("VerifyInterface() get err %v", err) } @@ -113,14 +113,14 @@ func TestVerifyInterface_Task_Error(t *testing.T) { t.Fatalf("failed to get signerverifier %v", err) } - unsignedTask := test.GetUnsignedTask("test-task") + unsignedV1beta1Task := test.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, sv, "signed") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, sv, "signed", "v1beta1") if err != nil { t.Fatalf("Failed to get signed task %v", err) } - tamperedTask := signedTask.DeepCopy() + tamperedTask := signedV1beta1Task.(*v1beta1.Task).DeepCopy() tamperedTask.Name = "tampered" tcs := []struct { @@ -129,7 +129,7 @@ func TestVerifyInterface_Task_Error(t *testing.T) { expectedError error }{{ name: "Unsigned Task Fail Verification", - task: unsignedTask, + task: unsignedV1beta1Task, expectedError: ErrResourceVerificationFailed, }, { name: "Empty task Fail Verification", @@ -164,13 +164,13 @@ func TestVerifyInterface_Task_Error(t *testing.T) { func TestVerifyResource_Task_Success(t *testing.T) { signer256, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedTask := test.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, signer256, "signed") + unsignedV1beta1Task := test.GetUnsignedTask("test-task") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, signer256, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedV1beta1Task.(*v1beta1.Task).DeepCopy() modifiedTask.Name = "modified" signer384, _, pub, err := test.GenerateKeys(elliptic.P384(), crypto.SHA384) @@ -246,7 +246,7 @@ func TestVerifyResource_Task_Success(t *testing.T) { }, } - signedTask384, err := test.GetSignedV1beta1Task(unsignedTask, signer384, "signed384") + signedTask384, err := test.GetSignedTask(unsignedV1beta1Task, signer384, "signed384", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -262,40 +262,40 @@ func TestVerifyResource_Task_Success(t *testing.T) { expectedVerificationResult VerificationResult }{{ name: "signed git source task passes verification", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: vps, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed bundle source task passes verification", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/git-clone"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: vps, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed task with sha384 key", - task: signedTask384, + task: signedTask384.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/sha384"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: []*v1alpha1.VerificationPolicy{sha384Vp}, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "ignore no match policy skips verification when no matching policies", - task: unsignedTask, + task: unsignedV1beta1Task, source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationSkip}, }, { name: "warn no match policy skips verification when no matching policies", - task: unsignedTask, + task: unsignedV1beta1Task, source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.WarnNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}, }, { name: "unsigned task matches warn policy doesn't fail verification", - task: unsignedTask, + task: unsignedV1beta1Task, source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: []*v1alpha1.VerificationPolicy{warnPolicy}, @@ -332,14 +332,14 @@ func TestVerifyResource_Task_Error(t *testing.T) { ctx = test.SetupTrustedResourceConfig(ctx, config.FailNoMatchPolicy) sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedTask := test.GetUnsignedTask("test-task") + unsignedV1beta1Task := test.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedV1beta1Task(unsignedTask, sv, "signed") + signedV1beta1Task, err := test.GetSignedTask(unsignedV1beta1Task, sv, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - tamperedTask := signedTask.DeepCopy() + tamperedTask := signedV1beta1Task.(*v1beta1.Task).DeepCopy() tamperedTask.Annotations["random"] = "attack" matchingSource := "git+https://github.com/tektoncd/catalog.git" @@ -352,7 +352,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError error }{{ name: "unsigned Task fails verification", - task: unsignedTask, + task: unsignedV1beta1Task, source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: vps, expectedError: ErrResourceVerificationFailed, @@ -364,7 +364,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError: ErrResourceVerificationFailed, }, { name: "task not matching pattern fails verification", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationPolicy: vps, expectedError: ErrNoMatchedPolicies, @@ -376,7 +376,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError: ErrNoMatchedPolicies, }, { name: "Verification fails with regex error", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: []*v1alpha1.VerificationPolicy{ { @@ -393,7 +393,7 @@ func TestVerifyResource_Task_Error(t *testing.T) { expectedError: ErrRegexMatch, }, { name: "Verification fails with error from policy", - task: signedTask, + task: signedV1beta1Task.(*v1beta1.Task), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: []*v1alpha1.VerificationPolicy{ { @@ -429,8 +429,8 @@ func TestVerifyResource_Task_Error(t *testing.T) { func TestVerifyResource_Pipeline_Success(t *testing.T) { sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, sv, "signed") + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, sv, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } @@ -444,25 +444,25 @@ func TestVerifyResource_Pipeline_Success(t *testing.T) { expectedVerificationResult VerificationResult }{{ name: "signed git source pipeline passes verification", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed bundle source pipeline passes verification", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/git-clone"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "ignore no match policy skips verification when no matching policies", - pipeline: unsignedPipeline, + pipeline: unsignedV1beta1Pipeline, source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationSkip}, }, { name: "warn no match policy skips verification when no matching policies", - pipeline: unsignedPipeline, + pipeline: unsignedV1beta1Pipeline, source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.WarnNoMatchPolicy, expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}, @@ -483,13 +483,13 @@ func TestVerifyResource_Pipeline_Error(t *testing.T) { ctx = test.SetupTrustedResourceConfig(ctx, config.FailNoMatchPolicy) sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedV1beta1Pipeline := test.GetUnsignedPipeline("test-pipeline") - signedPipeline, err := test.GetSignedV1beta1Pipeline(unsignedPipeline, sv, "signed") + signedPipeline, err := test.GetSignedPipeline(unsignedV1beta1Pipeline, sv, "signed", "v1beta1") if err != nil { t.Fatal("fail to sign task", err) } - tamperedPipeline := signedPipeline.DeepCopy() + tamperedPipeline := signedPipeline.(*v1beta1.Pipeline).DeepCopy() tamperedPipeline.Annotations["random"] = "attack" matchingSource := "git+https://github.com/tektoncd/catalog.git" @@ -508,13 +508,13 @@ func TestVerifyResource_Pipeline_Error(t *testing.T) { expectedError: ErrResourceVerificationFailed, }, { name: "Task Not Matching Pattern Fails Verification", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: mismatchedSource}, verificationPolicy: vps, expectedError: ErrNoMatchedPolicies, }, { name: "Verification fails with regex error", - pipeline: signedPipeline, + pipeline: signedPipeline.(*v1beta1.Pipeline), source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationPolicy: []*v1alpha1.VerificationPolicy{ { @@ -542,22 +542,22 @@ func TestVerifyResource_Pipeline_Error(t *testing.T) { func TestVerifyResource_V1Task_Success(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signedTask, err := getSignedV1Task(unsignedTask.DeepCopy(), signer, "signed") + signedV1beta1Task, err := getSignedV1Task(unsignedV1Task.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } - vr := VerifyResource(context.Background(), signedTask, k8sclient, &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, vps) + vr := VerifyResource(context.Background(), signedV1beta1Task, k8sclient, &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, vps) if vr.VerificationResultType != VerificationPass { t.Errorf("VerificationResult mismatch: want %v, got %v", VerificationPass, vr.VerificationResultType) } } func TestVerifyResource_V1Task_Error(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signedTask, err := getSignedV1Task(unsignedTask.DeepCopy(), signer, "signed") + signedV1beta1Task, err := getSignedV1Task(unsignedV1Task.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } - modifiedTask := signedTask.DeepCopy() + modifiedTask := signedV1beta1Task.DeepCopy() modifiedTask.Annotations["foo"] = "modified" vr := VerifyResource(context.Background(), modifiedTask, k8sclient, &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, vps) if vr.VerificationResultType != VerificationError && !errors.Is(vr.Err, ErrResourceVerificationFailed) { @@ -567,7 +567,7 @@ func TestVerifyResource_V1Task_Error(t *testing.T) { func TestVerifyResource_V1Pipeline_Success(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signed, err := getSignedV1Pipeline(unsignedPipeline.DeepCopy(), signer, "signed") + signed, err := getSignedV1Pipeline(unsignedV1Pipeline.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } @@ -579,7 +579,7 @@ func TestVerifyResource_V1Pipeline_Success(t *testing.T) { func TestVerifyResource_V1Pipeline_Error(t *testing.T) { signer, _, k8sclient, vps := test.SetupVerificationPolicies(t) - signed, err := getSignedV1Pipeline(unsignedPipeline.DeepCopy(), signer, "signed") + signed, err := getSignedV1Pipeline(unsignedV1Pipeline.DeepCopy(), signer, "signed") if err != nil { t.Error(err) } diff --git a/test/examples_test.go b/test/examples_test.go index 6dd4703ea72..f929b07eb45 100644 --- a/test/examples_test.go +++ b/test/examples_test.go @@ -36,7 +36,6 @@ import ( var ( defaultKoDockerRepoRE = regexp.MustCompile("gcr.io/christiewilson-catfactory") - v1Version = "v1" imagesMappingRE = getImagesMappingRE() ) diff --git a/test/trusted_resources_test.go b/test/trusted_resources_test.go index 2b1f6eeb8f6..9ecf9b890ba 100644 --- a/test/trusted_resources_test.go +++ b/test/trusted_resources_test.go @@ -29,6 +29,7 @@ import ( "github.com/sigstore/sigstore/pkg/signature" "github.com/tektoncd/pipeline/pkg/apis/config" + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" "github.com/tektoncd/pipeline/pkg/pod" "github.com/tektoncd/pipeline/test/parse" v1 "k8s.io/api/core/v1" @@ -96,11 +97,11 @@ spec: args: ['-c', 'echo hello'] `, helpers.ObjectNameForTest(t), namespace, fqImageName)) - signedTask, err := GetSignedV1beta1Task(task, signer, "signedtask") + signedV1beta1Task, err := GetSignedTask(task, signer, "signedtask", "v1beta1") if err != nil { t.Errorf("error getting signed task: %v", err) } - if _, err := c.V1beta1TaskClient.Create(ctx, signedTask, metav1.CreateOptions{}); err != nil { + if _, err := c.V1beta1TaskClient.Create(ctx, signedV1beta1Task.(*v1beta1.Task), metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Task: %s", err) } @@ -121,14 +122,14 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedTask.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Task.(*v1beta1.Task).Name, namespace)) - signedPipeline, err := GetSignedV1beta1Pipeline(pipeline, signer, "signedpipeline") + signedV1beta1Pipeline, err := GetSignedPipeline(pipeline, signer, "signedpipeline", "v1beta1") if err != nil { t.Errorf("error getting signed pipeline: %v", err) } - if _, err := c.V1beta1PipelineClient.Create(ctx, signedPipeline, metav1.CreateOptions{}); err != nil { + if _, err := c.V1beta1PipelineClient.Create(ctx, signedV1beta1Pipeline.(*v1beta1.Pipeline), metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Pipeline: %s", err) } @@ -147,7 +148,7 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedPipeline.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Pipeline.(*v1beta1.Pipeline).Name, namespace)) t.Logf("Creating PipelineRun %s", pr.Name) if _, err := c.V1beta1PipelineRunClient.Create(ctx, pr, metav1.CreateOptions{}); err != nil { @@ -210,13 +211,14 @@ spec: args: ['-c', 'echo hello'] `, helpers.ObjectNameForTest(t), namespace, fqImageName)) - signedTask, err := GetSignedV1beta1Task(task, signer, "signedtask") + signedV1beta1Task, err := GetSignedTask(task, signer, "signedtask", "v1beta1") if err != nil { t.Errorf("error getting signed task: %v", err) } // modify the task to fail the verification - signedTask.Annotations["foo"] = "bar" - if _, err := c.V1beta1TaskClient.Create(ctx, signedTask, metav1.CreateOptions{}); err != nil { + signedV1beta1Task.(*v1beta1.Task).Annotations["foo"] = "bar" + signedV1beta1Task := signed.(*v1beta1.Task) + if _, err := c.V1beta1TaskClient.Create(ctx, signedV1beta1Task, metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Task: %s", err) } @@ -237,14 +239,14 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedTask.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Task.(*v1beta1.Task).Name, namespace)) - signedPipeline, err := GetSignedV1beta1Pipeline(pipeline, signer, "signedpipeline") + signedV1beta1Pipeline, err := GetSignedPipeline(pipeline, signer, "signedpipeline", "v1beta1") if err != nil { t.Errorf("error getting signed pipeline: %v", err) } - if _, err := c.V1beta1PipelineClient.Create(ctx, signedPipeline, metav1.CreateOptions{}); err != nil { + if _, err := c.V1beta1PipelineClient.Create(ctx, signedV1beta1Pipeline.(*v1beta1.Pipeline), metav1.CreateOptions{}); err != nil { t.Fatalf("Failed to create Pipeline: %s", err) } @@ -263,7 +265,7 @@ spec: value: %s - name: namespace value: %s -`, helpers.ObjectNameForTest(t), namespace, signedPipeline.Name, namespace)) +`, helpers.ObjectNameForTest(t), namespace, signedV1beta1Pipeline.(*v1beta1.Pipeline).Name, namespace)) t.Logf("Creating PipelineRun %s", pr.Name) if _, err := c.V1beta1PipelineRunClient.Create(ctx, pr, metav1.CreateOptions{}); err != nil { diff --git a/test/trustedresources.go b/test/trustedresources.go index e887603567c..1797b6317f1 100644 --- a/test/trustedresources.go +++ b/test/trustedresources.go @@ -34,11 +34,12 @@ import ( "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" "github.com/tektoncd/pipeline/pkg/apis/config" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" corev1 "k8s.io/api/core/v1" - v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" fakek8s "k8s.io/client-go/kubernetes/fake" "knative.dev/pkg/logging" ) @@ -132,7 +133,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P t.Fatalf("failed to generate keys %v", err) } - secret := &v1.Secret{ + secret := &corev1.Secret{ Data: map[string][]byte{"cosign.pub": pub}, ObjectMeta: metav1.ObjectMeta{ Name: "verification-secrets", @@ -164,7 +165,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P { Name: "pubkey", Key: &v1alpha1.KeyRef{ - SecretRef: &v1.SecretReference{ + SecretRef: &corev1.SecretReference{ Name: secret.Name, Namespace: secret.Namespace, }, @@ -199,7 +200,7 @@ func SetupVerificationPolicies(t *testing.T) (signature.SignerVerifier, *ecdsa.P { Name: "pubkey", Key: &v1alpha1.KeyRef{ - SecretRef: &v1.SecretReference{ + SecretRef: &corev1.SecretReference{ Name: secret.Name, Namespace: secret.Namespace, }, @@ -224,7 +225,7 @@ func SetupMatchAllVerificationPolicies(t *testing.T, namespace string) (signatur t.Fatalf("failed to generate keys %v", err) } - secret := &v1.Secret{ + secret := &corev1.Secret{ Data: map[string][]byte{"cosign.pub": pub}, ObjectMeta: metav1.ObjectMeta{ Name: "verification-secrets", @@ -324,34 +325,68 @@ func signInterface(signer signature.Signer, i interface{}) ([]byte, error) { return sig, nil } -// GetSignedV1beta1Pipeline signed the given pipeline and rename it with given name -func GetSignedV1beta1Pipeline(unsigned *v1beta1.Pipeline, signer signature.Signer, name string) (*v1beta1.Pipeline, error) { - signedPipeline := unsigned.DeepCopy() - signedPipeline.Name = name - if signedPipeline.Annotations == nil { - signedPipeline.Annotations = map[string]string{} - } - signature, err := signInterface(signer, signedPipeline) - if err != nil { - return nil, err +// GetSignedPipeline signed the given pipeline and rename it with given name and apiVersion +func GetSignedPipeline(unsigned runtime.Object, signer signature.Signer, name, apiVersion string) (runtime.Object, error) { + switch apiVersion { + case v1Version: + signedV1Pipeline := unsigned.(*v1.Pipeline).DeepCopy() + signedV1Pipeline.Name = name + if signedV1Pipeline.Annotations == nil { + signedV1Pipeline.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1Pipeline) + if err != nil { + return nil, err + } + signedV1Pipeline.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1Pipeline, nil + case v1beta1Version: + signedV1beta1Pipeline := unsigned.(*v1beta1.Pipeline).DeepCopy() + signedV1beta1Pipeline.Name = name + if signedV1beta1Pipeline.Annotations == nil { + signedV1beta1Pipeline.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1beta1Pipeline) + if err != nil { + return nil, err + } + signedV1beta1Pipeline.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1beta1Pipeline, nil + default: + return nil, fmt.Errorf("could not get signed pipeline from unsigned: %v", unsigned) } - signedPipeline.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) - return signedPipeline, nil } -// GetSignedV1beta1Task signed the given task and rename it with given name -func GetSignedV1beta1Task(unsigned *v1beta1.Task, signer signature.Signer, name string) (*v1beta1.Task, error) { - signedTask := unsigned.DeepCopy() - signedTask.Name = name - if signedTask.Annotations == nil { - signedTask.Annotations = map[string]string{} - } - signature, err := signInterface(signer, signedTask) - if err != nil { - return nil, err +// GetSignedTask signed the given task and rename it with given name and apiVersion +func GetSignedTask(unsigned runtime.Object, signer signature.Signer, name, apiVersion string) (runtime.Object, error) { + switch apiVersion { + case v1Version: + signedV1Task := unsigned.(*v1.Task).DeepCopy() + signedV1Task.Name = name + if signedV1Task.Annotations == nil { + signedV1Task.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1Task) + if err != nil { + return nil, err + } + signedV1Task.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1Task, nil + case v1beta1Version: + signedV1beta1Task := unsigned.(*v1beta1.Task).DeepCopy() + signedV1beta1Task.Name = name + if signedV1beta1Task.Annotations == nil { + signedV1beta1Task.Annotations = map[string]string{} + } + signature, err := signInterface(signer, signedV1beta1Task) + if err != nil { + return nil, err + } + signedV1beta1Task.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) + return signedV1beta1Task, nil + default: + return nil, fmt.Errorf("could not get signed task from unsigned: %v", unsigned) } - signedTask.Annotations[signatureAnnotation] = base64.StdEncoding.EncodeToString(signature) - return signedTask, nil } func getPass(confirm bool) ([]byte, error) { diff --git a/test/wait.go b/test/wait.go index b22e3111074..90e5bebdeac 100644 --- a/test/wait.go +++ b/test/wait.go @@ -62,6 +62,7 @@ import ( const ( interval = 1 * time.Second timeout = 10 * time.Minute + v1Version = "v1" v1beta1Version = "v1beta1" )