Tests cases for multiple build and git-clone tasks

enterprise-contract · Nov 24, 2023 · fab6481 · fab6481
1 parent 9651b88
commit fab6481
Show file tree

Hide file tree

Showing 4 changed files with 238 additions and 0 deletions.
diff --git a/policy/lib/tekton/task_test.rego b/policy/lib/tekton/task_test.rego
@@ -325,6 +325,40 @@ test_build_task_not_found if {
 	count(tkn.build_tasks(missing_results)) == 0
 }
 
+test_multiple_build_tasks if {
+	task1 := json.patch(_good_build_task, [{
+		"op": "replace",
+		"path": "/ref/name",
+		"value": "buildah-1",
+	}])
+
+	task2 := json.patch(_good_build_task, [{
+		"op": "replace",
+		"path": "/ref/name",
+		"value": "buildah-2",
+	}])
+
+	task3 := json.patch(_good_build_task, [{
+		"op": "replace",
+		"path": "/ref/name",
+		"value": "buildah-3",
+	}])
+
+	attestation3 := {"statement": {"predicate": {
+		"buildType": lib.tekton_pipeline_run,
+		"buildConfig": {"tasks": [task1, task2, task3]},
+	}}}
+
+	count(tkn.build_tasks(attestation3)) == 3
+
+	attestation2 := {"statement": {"predicate": {
+		"buildType": lib.tekton_pipeline_run,
+		"buildConfig": {"tasks": [task1, _good_git_clone_task, task3]},
+	}}}
+
+	count(tkn.build_tasks(attestation2)) == 2
+}
+
 test_git_clone_task if {
 	expected := _good_git_clone_task
 	lib.assert_equal([expected], tkn.git_clone_tasks(_good_attestation))
@@ -349,6 +383,40 @@ test_git_clone_task_not_found if {
 	count(tkn.git_clone_tasks(missing_results)) == 0
 }
 
+test_multiple_git_clone_tasks if {
+	task1 := json.patch(_good_git_clone_task, [{
+		"op": "replace",
+		"path": "/ref/name",
+		"value": "git-clone-1",
+	}])
+
+	task2 := json.patch(_good_git_clone_task, [{
+		"op": "replace",
+		"path": "/ref/name",
+		"value": "git-clone-2",
+	}])
+
+	task3 := json.patch(_good_git_clone_task, [{
+		"op": "replace",
+		"path": "/ref/name",
+		"value": "git-clone-3",
+	}])
+
+	attestation3 := {"statement": {"predicate": {
+		"buildType": lib.tekton_pipeline_run,
+		"buildConfig": {"tasks": [task1, task2, task3]},
+	}}}
+
+	count(tkn.git_clone_tasks(attestation3)) == 3
+
+	attestation2 := {"statement": {"predicate": {
+		"buildType": lib.tekton_pipeline_run,
+		"buildConfig": {"tasks": [task1, _good_build_task, task3]},
+	}}}
+
+	count(tkn.git_clone_tasks(attestation2)) == 2
+}
+
 test_task_data_bundle_ref if {
 	lib.assert_equal(
 		{

diff --git a/policy/release/hermetic_build_task_test.rego b/policy/release/hermetic_build_task_test.rego
@@ -27,6 +27,69 @@ test_not_hermetic_build if {
 	lib.assert_equal_results(expected, hermetic_build_task.deny) with input.attestations as [hermetic_missing]
 }
 
+test_hermetic_build_many_build_tasks if {
+	task1 := {
+		"results": [
+			{"name": "IMAGE_URL", "value": "registry/repo"},
+			{"name": "IMAGE_DIGEST", "value": "digest"},
+		],
+		"ref": {"kind": "Task", "name": "build-1", "bundle": "reg.img/spam@sha256:abc"},
+		"invocation": {"parameters": {"HERMETIC": "true"}},
+	}
+
+	task2 := {
+		"results": [
+			{"name": "IMAGE_URL", "value": "registry/repo"},
+			{"name": "IMAGE_DIGEST", "value": "digest"},
+		],
+		"ref": {"kind": "Task", "name": "build-2", "bundle": "reg.img/spam@sha256:abc"},
+		"invocation": {"parameters": {"HERMETIC": "true"}},
+	}
+
+	attestation := {"statement": {"predicate": {
+		"buildType": lib.tekton_pipeline_run,
+		"buildConfig": {"tasks": [task1, task2]},
+	}}}
+	lib.assert_empty(hermetic_build_task.deny) with input.attestations as [attestation]
+
+	attestation_mixed_hermetic := json.patch(
+		{"statement": {"predicate": {
+			"buildType": lib.tekton_pipeline_run,
+			"buildConfig": {"tasks": [task1, task2]},
+		}}},
+		[{
+			"op": "replace",
+			"path": "/statement/predicate/buildConfig/tasks/0/invocation/parameters/HERMETIC",
+			"value": "false",
+		}],
+	)
+	expected := {{
+		"code": "hermetic_build_task.build_task_hermetic",
+		"msg": "Build task was not invoked with the hermetic parameter set",
+	}}
+	lib.assert_equal_results(expected, hermetic_build_task.deny) with input.attestations as [attestation_mixed_hermetic]
+
+	attestation_non_hermetic := json.patch(
+		{"statement": {"predicate": {
+			"buildType": lib.tekton_pipeline_run,
+			"buildConfig": {"tasks": [task1, task2]},
+		}}},
+		[
+			{
+				"op": "replace",
+				"path": "/statement/predicate/buildConfig/tasks/0/invocation/parameters/HERMETIC",
+				"value": "false",
+			},
+			{
+				"op": "replace",
+				"path": "/statement/predicate/buildConfig/tasks/1/invocation/parameters/HERMETIC",
+				"value": "false",
+			},
+		],
+	)
+	lib.assert_equal_results(expected, hermetic_build_task.deny) with input.attestations as [attestation_non_hermetic]
+}
+
 _good_attestation := {"statement": {"predicate": {
 	"buildType": lib.tekton_pipeline_run,
 	"buildConfig": {"tasks": [{

diff --git a/policy/release/provenance_materials_test.rego b/policy/release/provenance_materials_test.rego
@@ -154,6 +154,46 @@ test_commit_and_url_mismatch if {
 	lib.assert_equal_results(expected, provenance_materials.deny) with input.attestations as [_mock_attestation(tasks)]
 }
 
+test_provenance_many_git_clone_tasks if {
+	task := {
+		"results": [
+			{"name": "url", "value": _git_url},
+			{"name": "commit", "value": _git_commit},
+		],
+		"ref": {"bundle": _bundle},
+		"steps": [{"entrypoint": "/bin/bash"}],
+	}
+
+	task1 := json.patch(task, [{
+		"op": "add",
+		"path": "name",
+		"value": "git-clone-1",
+	}])
+
+	task2 := json.patch(task, [{
+		"op": "add",
+		"path": "name",
+		"value": "git-clone-2",
+	}])
+
+	attestation := _mock_attestation([task1, task2])
+
+	# all good
+	lib.assert_empty(provenance_materials.deny) with input.attestations as [attestation]
+
+	# one task's cloned digest doesn't match
+	expected := {{
+		"code": "provenance_materials.git_clone_source_matches_provenance",
+		# regal ignore:line-length
+		"msg": `Entry in materials for the git repo "git+https://gitforge/repo.git" and commit "big-bada-boom" not found`,
+	}}
+	lib.assert_equal_results(expected, provenance_materials.deny) with input.attestations as [json.patch(attestation, [{
+		"op": "replace",
+		"path": "/statement/predicate/buildConfig/tasks/0/results/1/value",
+		"value": "big-bada-boom",
+	}])]
+}
+
 _bundle := "registry.img/spam@sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"
 
 _git_url := "https://gitforge/repo"

diff --git a/policy/release/slsa_build_scripted_build_test.rego b/policy/release/slsa_build_scripted_build_test.rego
@@ -91,6 +91,73 @@ test_empty_task_steps if {
 	) with input.attestations as [_mock_attestation(tasks)]
 }
 
+test_build_script_used_many_build_tasks if {
+	tasks := [
+		{
+			"name": "build-1",
+			"results": [
+				{"name": "IMAGE_URL", "value": _image_url},
+				{"name": "IMAGE_DIGEST", "value": _image_digest},
+			],
+			"ref": {"bundle": mock_bundle},
+			"steps": [{"entrypoint": "/bin/bash"}],
+		},
+		{
+			"name": "build-2",
+			"results": [
+				{"name": "IMAGE_URL", "value": _image_url},
+				{"name": "IMAGE_DIGEST", "value": _image_digest},
+			],
+			"ref": {"bundle": mock_bundle},
+			"steps": [{"entrypoint": "/bin/bash"}],
+		},
+	]
+
+	# all good
+	lib.assert_empty(slsa_build_scripted_build.deny) with input.attestations as [_mock_attestation(tasks)]
+
+	# one of the build tasks doesn't have any steps
+	expected_scripted := {{
+		"code": "slsa_build_scripted_build.build_script_used",
+		"msg": "Build task \"build-2\" does not contain any steps",
+	}}
+	lib.assert_equal_results(
+		expected_scripted,
+		slsa_build_scripted_build.deny,
+	) with input.attestations as [_mock_attestation(json.patch(tasks, [{
+		"op": "remove",
+		"path": "1/steps",
+	}]))]
+
+	# one of the build tasks produces the expected results, the other one doesn't, this is ok
+	lib.assert_empty(slsa_build_scripted_build.deny) with input.attestations as [_mock_attestation(json.patch(tasks, [{
+		"op": "replace",
+		"path": "1/results/0/value",
+		"value": "something-else",
+	}]))]
+
+	# none of the build tasks produced the expected results
+	expected_results := {{
+		"code": "slsa_build_scripted_build.subject_build_task_matches",
+		"msg": `The attestation subject, "some.image/foo:bar@sha256:123", does not match any of the images built`,
+	}}
+	lib.assert_equal_results(
+		expected_results,
+		slsa_build_scripted_build.deny,
+	) with input.attestations as [_mock_attestation(json.patch(tasks, [
+		{
+			"op": "replace",
+			"path": "0/results/0/value",
+			"value": "something-else",
+		},
+		{
+			"op": "replace",
+			"path": "1/results/0/value",
+			"value": "something-else",
+		},
+	]))]
+}
+
 test_results_missing_value_url if {
 	tasks := [{
 		"results": [