Skip to content

Commit

Permalink
create test for vsa generation
Browse files Browse the repository at this point in the history
test fixes
  • Loading branch information
joejstuart committed Nov 6, 2023
1 parent 15a07d3 commit 49b0bc6
Show file tree
Hide file tree
Showing 6 changed files with 178 additions and 18 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@ https://in-toto.io/Statement/v0.1

[TestMarshal - 1]
{
"digest": {
"sha1": "sha1:asdf"
},
"predicateBuildType": "https://my.build.type",
"predicateType": "https://slsa.dev/provenance/v0.2",
"signatures": [
Expand Down
4 changes: 4 additions & 0 deletions internal/attestation/attestation_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import (
"testing"

"github.com/gkampitakis/go-snaps/snaps"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/types"
ct "github.com/sigstore/cosign/v2/pkg/types"
"github.com/stretchr/testify/assert"
Expand Down Expand Up @@ -83,6 +84,7 @@ func TestProvenanceFromSignature(t *testing.T) {
l.On("Base64Signature").Return("", nil)
l.On("Cert").Return(&x509.Certificate{}, nil)
l.On("Chain").Return([]*x509.Certificate{}, nil)
l.On("Digest").Return(v1.Hash{}, nil)
},
data: payloadJson1,
},
Expand All @@ -94,6 +96,7 @@ func TestProvenanceFromSignature(t *testing.T) {
l.On("Base64Signature").Return("sig-from-cert", nil)
l.On("Cert").Return(signature.ParseChainguardReleaseCert(), nil)
l.On("Chain").Return(signature.ParseSigstoreChainCert(), nil)
l.On("Digest").Return(v1.Hash{}, nil)
},
data: payloadJson1,
},
Expand All @@ -105,6 +108,7 @@ func TestProvenanceFromSignature(t *testing.T) {
l.On("Base64Signature").Return("sig-from-cert", nil)
l.On("Cert").Return(signature.ParseChainguardReleaseCert(), nil)
l.On("Chain").Return(signature.ParseSigstoreChainCert(), nil)
l.On("Digest").Return(v1.Hash{}, nil)
},
data: payloadJson2, // String payload remains as a string
//data: payloadJson1, // String payload is marshaled
Expand Down
3 changes: 3 additions & 0 deletions internal/attestation/slsa_provenance_02_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -273,6 +273,7 @@ func TestSLSAProvenanceFromSignature(t *testing.T) {
l.On("Base64Signature").Return("", nil)
l.On("Cert").Return(&x509.Certificate{}, nil)
l.On("Chain").Return([]*x509.Certificate{}, nil)
l.On("Digest").Return(v1.Hash{}, nil)
},
},
{
Expand All @@ -297,6 +298,7 @@ func TestSLSAProvenanceFromSignature(t *testing.T) {
l.On("Base64Signature").Return("sig-from-cert", nil)
l.On("Cert").Return(signature.ParseChainguardReleaseCert(), nil)
l.On("Chain").Return(signature.ParseSigstoreChainCert(), nil)
l.On("Digest").Return(v1.Hash{}, nil)
},
},
}
Expand Down Expand Up @@ -346,6 +348,7 @@ func TestMarshal(t *testing.T) {
sig.On("Base64Signature").Return("sig-from-cert", nil)
sig.On("Cert").Return(signature.ParseChainguardReleaseCert(), nil)
sig.On("Chain").Return(signature.ParseSigstoreChainCert(), nil)
sig.On("Digest").Return(v1.Hash{Algorithm: "sha1", Hex: "asdf"}, nil)

att, err := SLSAProvenanceFromSignature(sig)

Expand Down
23 changes: 10 additions & 13 deletions internal/attestation/vsa.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ package attestation

import (
"strings"
"time"

"github.com/in-toto/in-toto-golang/in_toto"

Expand Down Expand Up @@ -48,18 +47,16 @@ type attestationSource struct {
}

type predicate struct {
Verifier map[string]string `json:"verifier"`
TimeVerified string `json:"timeVerified"`
ResourceUri string `json:"resourceUri"`
Policies []policySource `json:"policies"`
InputAttestations []attestationSource `json:"intputAttestations"`
VerificationResult string `json:"verificationResult"`
VerifiedRules []string `json:"verifiedRules"`
VerifiedCollections []string `json:"verfiedCollection"`
SlsaVersion string `json:"slsaVersion"`
Verifier map[string]string `json:"verifier,omitempty"`
TimeVerified string `json:"timeVerified,omitempty"`
Policies []policySource `json:"policies,omitempty"`
InputAttestations []attestationSource `json:"intputAttestations,omitempty"`
VerificationResult string `json:"verificationResult,omitempty"`
VerifiedRules []string `json:"verifiedRules,omitempty"`
VerifiedCollections []string `json:"verfiedCollection,omitempty"`
}

func VsaFromImageValidation(results []evaluator.Outcome, policies []source.PolicySource, policy policy.Policy, attestations []Attestation) (ProvenanceStatementVSA, error) {
func VsaFromImageValidation(verifiedTime string, results []evaluator.Outcome, policies []source.PolicySource, policy policy.Policy, attestations []Attestation) ProvenanceStatementVSA {
var verifiedPolicies []policySource
for _, p := range policies {
verifiedPolicies = append(verifiedPolicies, policySource{uri: p.PolicyUrl()})
Expand Down Expand Up @@ -105,12 +102,12 @@ func VsaFromImageValidation(results []evaluator.Outcome, policies []source.Polic
Verifier: map[string]string{
"id": "ec",
},
TimeVerified: time.Now().String(),
TimeVerified: verifiedTime,
Policies: verifiedPolicies,
InputAttestations: inputAttestations,
VerificationResult: verificationResult,
VerifiedRules: verifiedLevels,
VerifiedCollections: verifiedCollections,
},
}, nil
}
}
155 changes: 155 additions & 0 deletions internal/attestation/vsa_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,155 @@
// Copyright The Enterprise Contract Contributors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.0

package attestation

import (
"context"
"testing"
"time"

ecc "github.com/enterprise-contract/enterprise-contract-controller/api/v1alpha1"
"github.com/in-toto/in-toto-golang/in_toto"
"github.com/sigstore/cosign/v2/pkg/cosign"
"github.com/stretchr/testify/assert"

"github.com/enterprise-contract/ec-cli/internal/evaluator"
"github.com/enterprise-contract/ec-cli/internal/policy"
"github.com/enterprise-contract/ec-cli/internal/policy/source"
)

type mockPolicy struct {
ecc.EnterpriseContractPolicySpec
// choosenTime string
// effectiveTime *time.Time
}

func (m mockPolicy) PublicKeyPEM() ([]byte, error) {
return []byte{}, nil
}

func (m mockPolicy) CheckOpts() (*cosign.CheckOpts, error) {
return nil, nil
}

func (m mockPolicy) WithSpec(spec ecc.EnterpriseContractPolicySpec) policy.Policy {
return m
}

func (m mockPolicy) Spec() ecc.EnterpriseContractPolicySpec {
return m.EnterpriseContractPolicySpec
}

func (m mockPolicy) EffectiveTime() time.Time {
return time.Now()
}

func (m mockPolicy) AttestationTime(time.Time) {

}

func (m mockPolicy) Identity() cosign.Identity {
return cosign.Identity{}
}

func (m mockPolicy) Keyless() bool {
return true
}

type mockPolicyUrl struct {
Url string
}

func (m *mockPolicyUrl) GetPolicy(ctx context.Context, workDir string, showMsg bool) (string, error) {
return "", nil
}

func (m *mockPolicyUrl) PolicyUrl() string {
return m.Url
}

func (m *mockPolicyUrl) Subdir() string {
return ""
}

func TestVsaFromImageValidation(t *testing.T) {
verifiedTime := time.Now().String()
cases := []struct {
name string
time string
results []evaluator.Outcome
policies []source.PolicySource
policy policy.Policy
attestations []Attestation
expected ProvenanceStatementVSA
}{
{
name: "verified success - vsa provenance",
time: verifiedTime,
results: []evaluator.Outcome{
{
Successes: []evaluator.Result{
{
Message: "Success",
Metadata: map[string]interface{}{"code": "test.rule"},
},
},
},
},
policies: []source.PolicySource{&mockPolicyUrl{Url: "https://example.com"}},
policy: mockPolicy{
ecc.EnterpriseContractPolicySpec{
Sources: []ecc.Source{
{
Config: &ecc.SourceConfig{
Include: []string{"@redhat"},
},
},
},
},
},
attestations: []Attestation{slsaProvenance{}},
expected: ProvenanceStatementVSA{
StatementHeader: in_toto.StatementHeader{
Type: StatmentVSA,
PredicateType: PredicateVSAProvenance,
},
Predicate: predicate{
Verifier: map[string]string{
"id": "ec",
},
VerificationResult: "Success",
TimeVerified: verifiedTime,
InputAttestations: []attestationSource{
{version: "https://slsa.dev/provenance/v0.2"},
},
Policies: []policySource{
{uri: "https://example.com"},
},
VerifiedRules: []string{"test.rule"},
VerifiedCollections: []string{"redhat"},
},
},
},
}

for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
got := VsaFromImageValidation(c.time, c.results, c.policies, c.policy, c.attestations)
assert.Equal(t, c.expected, got)
})
}
}
8 changes: 3 additions & 5 deletions internal/image/validate.go
Original file line number Diff line number Diff line change
Expand Up @@ -118,11 +118,9 @@ func ValidateImage(ctx context.Context, comp app.SnapshotComponent, p policy.Pol
}
allResults = append(allResults, results...)
out.Data = append(out.Data, data)
vsa, err := attestation.VsaFromImageValidation(results, e.GetPolicySources(), p, a.Attestations())
if err != nil {
log.Debugf("error creating vsa: %v", err)
}
out.Vsa = append(out.Vsa, vsa)
out.Vsa = append(out.Vsa,
attestation.VsaFromImageValidation(time.Now().String(), results, e.GetPolicySources(), p, a.Attestations()),
)
}

out.PolicyInput = inputJSON
Expand Down

0 comments on commit 49b0bc6

Please sign in to comment.