refactor trusted resources testing functions

This commit fixes tektoncd#5820. It refactors the trusted resouces testing
functions into a testing pkg. This will avoid running unit test on these
functions.

Signed-off-by: Yongxuan Zhang [email protected]

pkg/reconciler/pipelinerun/pipelinerun_test.go

@@ -44,6 +44,7 @@ import (
 	ttesting "github.com/tektoncd/pipeline/pkg/reconciler/testing"
 	"github.com/tektoncd/pipeline/pkg/reconciler/volumeclaim"
 	resolutioncommon "github.com/tektoncd/pipeline/pkg/resolution/common"
+	trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing"
 	"github.com/tektoncd/pipeline/test"
 	"github.com/tektoncd/pipeline/test/diff"
 	"github.com/tektoncd/pipeline/test/names"
@@ -10993,12 +10994,12 @@ spec:
          value: bar
 `)
 
-	signer, _, vps := test.SetupMatchAllVerificationPolicies(t, prs.Namespace)
-	signedTask, err := test.GetSignedTask(ts, signer, "test-task")
+	signer, _, vps := trtesting.SetupMatchAllVerificationPolicies(t, prs.Namespace)
+	signedTask, err := trtesting.GetSignedTask(ts, signer, "test-task")
 	if err != nil {
 		t.Fatal("fail to sign task", err)
 	}
-	signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline")
+	signedPipeline, err := trtesting.GetSignedPipeline(ps, signer, "test-pipeline")
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}
@@ -11067,12 +11068,12 @@ spec:
          value: bar
 `)
 
-	signer, _, vps := test.SetupMatchAllVerificationPolicies(t, prs.Namespace)
-	signedTask, err := test.GetSignedTask(ts, signer, "test-task")
+	signer, _, vps := trtesting.SetupMatchAllVerificationPolicies(t, prs.Namespace)
+	signedTask, err := trtesting.GetSignedTask(ts, signer, "test-task")
 	if err != nil {
 		t.Fatal("fail to sign task", err)
 	}
-	signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline")
+	signedPipeline, err := trtesting.GetSignedPipeline(ps, signer, "test-pipeline")
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}

pkg/reconciler/pipelinerun/resources/pipelineref_test.go

@@ -33,6 +33,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/client/clientset/versioned/fake"
 	"github.com/tektoncd/pipeline/pkg/reconciler/pipelinerun/resources"
 	"github.com/tektoncd/pipeline/pkg/trustedresources"
+	trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing"
 	"github.com/tektoncd/pipeline/test"
 	"github.com/tektoncd/pipeline/test/diff"
 	"github.com/tektoncd/pipeline/test/parse"
@@ -444,9 +445,9 @@ func TestGetPipelineFunc_RemoteResolutionInvalidData(t *testing.T) {
 func TestGetVerifiedPipelineFunc_Success(t *testing.T) {
 	ctx := context.Background()
 	tektonclient := fake.NewSimpleClientset()
-	signer, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources")
+	signer, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources")
 
-	unsignedPipeline := test.GetUnsignedPipeline("test-pipeline")
+	unsignedPipeline := trtesting.GetUnsignedPipeline("test-pipeline")
 	unsignedPipelineBytes, err := json.Marshal(unsignedPipeline)
 	if err != nil {
 		t.Fatal("fail to marshal pipeline", err)
@@ -455,7 +456,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) {
 	resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, sampleConfigSource.DeepCopy(), nil)
 	requesterUnsigned := test.NewRequester(resolvedUnsigned, nil)
 
-	signedPipeline, err := test.GetSignedPipeline(unsignedPipeline, signer, "signed")
+	signedPipeline, err := trtesting.GetSignedPipeline(unsignedPipeline, signer, "signed")
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}
@@ -575,7 +576,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) {
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-			ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
+			ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
 			fn := resources.GetVerifiedPipelineFunc(ctx, k8sclient, tektonclient, tc.requester, &tc.pipelinerun, vps)
 
 			resolvedPipeline, source, err := fn(ctx, pipelineRef.Name)
@@ -595,9 +596,9 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) {
 func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) {
 	ctx := context.Background()
 	tektonclient := fake.NewSimpleClientset()
-	signer, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources")
+	signer, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources")
 
-	unsignedPipeline := test.GetUnsignedPipeline("test-pipeline")
+	unsignedPipeline := trtesting.GetUnsignedPipeline("test-pipeline")
 	unsignedPipelineBytes, err := json.Marshal(unsignedPipeline)
 	if err != nil {
 		t.Fatal("fail to marshal pipeline", err)
@@ -606,7 +607,7 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) {
 	resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, sampleConfigSource.DeepCopy(), nil)
 	requesterUnsigned := test.NewRequester(resolvedUnsigned, nil)
 
-	signedPipeline, err := test.GetSignedPipeline(unsignedPipeline, signer, "signed")
+	signedPipeline, err := trtesting.GetSignedPipeline(unsignedPipeline, signer, "signed")
 	if err != nil {
 		t.Fatal("fail to sign pipeline", err)
 	}
@@ -645,7 +646,7 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) {
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-			ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
+			ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
 			pr := &v1beta1.PipelineRun{
 				ObjectMeta: metav1.ObjectMeta{Namespace: "trusted-resources"},
 				Spec: v1beta1.PipelineRunSpec{
@@ -672,9 +673,9 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) {
 func TestGetVerifiedPipelineFunc_GetFuncError(t *testing.T) {
 	ctx := context.Background()
 	tektonclient := fake.NewSimpleClientset()
-	_, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources")
+	_, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources")
 
-	unsignedPipeline := test.GetUnsignedPipeline("test-pipeline")
+	unsignedPipeline := trtesting.GetUnsignedPipeline("test-pipeline")
 	unsignedPipelineBytes, err := json.Marshal(unsignedPipeline)
 	if err != nil {
 		t.Fatal("fail to marshal pipeline", err)
@@ -732,7 +733,7 @@ func TestGetVerifiedPipelineFunc_GetFuncError(t *testing.T) {
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-			ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
+			ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
 			store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
 			featureflags := &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{

pkg/reconciler/taskrun/resources/taskref_test.go

@@ -34,6 +34,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/client/clientset/versioned/fake"
 	"github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources"
 	"github.com/tektoncd/pipeline/pkg/trustedresources"
+	trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing"
 	"github.com/tektoncd/pipeline/test"
 	"github.com/tektoncd/pipeline/test/diff"
 	"github.com/tektoncd/pipeline/test/parse"
@@ -692,10 +693,10 @@ func TestGetPipelineFunc_RemoteResolutionInvalidData(t *testing.T) {
 func TestGetVerifiedTaskFunc_Success(t *testing.T) {
 	ctx := context.Background()
 
-	signer, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources")
+	signer, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources")
 	tektonclient := fake.NewSimpleClientset()
 
-	unsignedTask := test.GetUnsignedTask("test-task")
+	unsignedTask := trtesting.GetUnsignedTask("test-task")
 	unsignedTaskBytes, err := json.Marshal(unsignedTask)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
@@ -704,7 +705,7 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) {
 	resolvedUnsigned := test.NewResolvedResource(unsignedTaskBytes, nil, sampleConfigSource.DeepCopy(), nil)
 	requesterUnsigned := test.NewRequester(resolvedUnsigned, nil)
 
-	signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed")
+	signedTask, err := trtesting.GetSignedTask(unsignedTask, signer, "signed")
 	if err != nil {
 		t.Fatal("fail to sign task", err)
 	}
@@ -771,7 +772,7 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) {
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-			ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
+			ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
 			tr := &v1beta1.TaskRun{
 				ObjectMeta: metav1.ObjectMeta{Namespace: "trusted-resources"},
 				Spec: v1beta1.TaskRunSpec{
@@ -800,10 +801,10 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) {
 
 func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) {
 	ctx := context.Background()
-	signer, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources")
+	signer, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources")
 	tektonclient := fake.NewSimpleClientset()
 
-	unsignedTask := test.GetUnsignedTask("test-task")
+	unsignedTask := trtesting.GetUnsignedTask("test-task")
 	unsignedTaskBytes, err := json.Marshal(unsignedTask)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
@@ -812,7 +813,7 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) {
 	resolvedUnsigned := test.NewResolvedResource(unsignedTaskBytes, nil, sampleConfigSource.DeepCopy(), nil)
 	requesterUnsigned := test.NewRequester(resolvedUnsigned, nil)
 
-	signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed")
+	signedTask, err := trtesting.GetSignedTask(unsignedTask, signer, "signed")
 	if err != nil {
 		t.Fatal("fail to sign task", err)
 	}
@@ -850,7 +851,7 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) {
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-			ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
+			ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
 			tr := &v1beta1.TaskRun{
 				ObjectMeta: metav1.ObjectMeta{Namespace: "trusted-resources"},
 				Spec: v1beta1.TaskRunSpec{
@@ -879,10 +880,10 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) {
 
 func TestGetVerifiedTaskFunc_GetFuncError(t *testing.T) {
 	ctx := context.Background()
-	_, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources")
+	_, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources")
 	tektonclient := fake.NewSimpleClientset()
 
-	unsignedTask := test.GetUnsignedTask("test-task")
+	unsignedTask := trtesting.GetUnsignedTask("test-task")
 	unsignedTaskBytes, err := json.Marshal(unsignedTask)
 	if err != nil {
 		t.Fatal("fail to marshal task", err)
@@ -940,7 +941,7 @@ func TestGetVerifiedTaskFunc_GetFuncError(t *testing.T) {
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-			ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
+			ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode)
 			store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
 			featureflags := &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{

pkg/reconciler/taskrun/taskrun_test.go

@@ -47,6 +47,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/reconciler/volumeclaim"
 	resolutioncommon "github.com/tektoncd/pipeline/pkg/resolution/common"
 	"github.com/tektoncd/pipeline/pkg/trustedresources"
+	trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing"
 	"github.com/tektoncd/pipeline/pkg/workspace"
 	"github.com/tektoncd/pipeline/test"
 	"github.com/tektoncd/pipeline/test/diff"
@@ -5222,15 +5223,15 @@ spec:
     results:
       - name: result1
     steps:
-    - script: echo foo >> $(results.result1.path)  
+    - script: echo foo >> $(results.result1.path)
       image: myimage
       name: mycontainer
 status:
   taskSpec:
     results:
       - name: result1
     steps:
-    - script: echo foo >> $(results.result1.path)  
+    - script: echo foo >> $(results.result1.path)
       image: myimage
       name: mycontainer
 `)
@@ -5589,8 +5590,8 @@ status:
   podName: the-pod
 `)
 
-	signer, _, vps := test.SetupMatchAllVerificationPolicies(t, tr.Namespace)
-	signedTask, err := test.GetSignedTask(ts, signer, "test-task")
+	signer, _, vps := trtesting.SetupMatchAllVerificationPolicies(t, tr.Namespace)
+	signedTask, err := trtesting.GetSignedTask(ts, signer, "test-task")
 	if err != nil {
 		t.Fatal("fail to sign task", err)
 	}
@@ -5654,8 +5655,8 @@ status:
   podName: the-pod
 `)
 
-	signer, _, vps := test.SetupMatchAllVerificationPolicies(t, tr.Namespace)
-	signedTask, err := test.GetSignedTask(ts, signer, "test-task")
+	signer, _, vps := trtesting.SetupMatchAllVerificationPolicies(t, tr.Namespace)
+	signedTask, err := trtesting.GetSignedTask(ts, signer, "test-task")
 	if err != nil {
 		t.Fatal("fail to sign task", err)
 	}

test/trustedresources.go → pkg/trustedresources/testing/trustedresources.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package test
+package testing
 
 import (
 	"bytes"
@@ -356,10 +356,12 @@ func GetSignedTask(unsigned *v1beta1.Task, signer signature.Signer, name string)
 	return signedTask, nil
 }
 
-func getPass(confirm bool) ([]byte, error) {
+// GetPass returns the password
+func GetPass(confirm bool) ([]byte, error) {
 	read := read(confirm)
 	return read()
 }
+
 func readPasswordFn(confirm bool) func() ([]byte, error) {
 	pw, ok := os.LookupEnv("PRIVATE_PASSWORD")
 	if ok {

pkg/trustedresources/verifier/verifier_test.go

@@ -29,7 +29,7 @@ import (
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/tektoncd/pipeline/pkg/apis/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
-	"github.com/tektoncd/pipeline/test"
+	trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing"
 	"github.com/tektoncd/pipeline/test/diff"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -42,8 +42,8 @@ const (
 
 func TestFromConfigMap_Success(t *testing.T) {
 	ctx := context.Background()
-	keys, keypath := test.GetKeysFromFile(ctx, t)
-	ctx = test.SetupTrustedResourceKeyConfig(ctx, keypath, config.EnforceResourceVerificationMode)
+	keys, keypath := trtesting.GetKeysFromFile(ctx, t)
+	ctx = trtesting.SetupTrustedResourceKeyConfig(ctx, keypath, config.EnforceResourceVerificationMode)
 	v, err := FromConfigMap(ctx, fakek8s.NewSimpleClientset())
 	checkVerifier(t, keys, v[0])
 	if err != nil {
@@ -67,7 +67,7 @@ func TestFromConfigMap_Error(t *testing.T) {
 	}}
 	for _, tc := range tcs {
 		t.Run(tc.name, func(t *testing.T) {
-			ctx := test.SetupTrustedResourceKeyConfig(context.Background(), tc.keyPath, config.EnforceResourceVerificationMode)
+			ctx := trtesting.SetupTrustedResourceKeyConfig(context.Background(), tc.keyPath, config.EnforceResourceVerificationMode)
 			_, err := FromConfigMap(ctx, fakek8s.NewSimpleClientset())
 			if !errors.Is(err, tc.expectedError) {
 				t.Errorf("FromConfigMap got: %v, want: %v", err, tc.expectedError)
@@ -78,10 +78,10 @@ func TestFromConfigMap_Error(t *testing.T) {
 
 func TestFromPolicy_Success(t *testing.T) {
 	ctx := context.Background()
-	_, key256, k8sclient, vps := test.SetupVerificationPolicies(t)
+	_, key256, k8sclient, vps := trtesting.SetupVerificationPolicies(t)
 	keyInDataVp, keyInSecretVp := vps[0], vps[1]
 
-	_, key384, pub, err := test.GenerateKeys(elliptic.P384(), crypto.SHA256)
+	_, key384, pub, err := trtesting.GenerateKeys(elliptic.P384(), crypto.SHA256)
 	if err != nil {
 		t.Fatalf("failed to generate keys %v", err)
 	}
@@ -224,9 +224,9 @@ func TestFromPolicy_Error(t *testing.T) {
 
 func TestFromKeyRef_Success(t *testing.T) {
 	ctx := context.Background()
-	fileKey, keypath := test.GetKeysFromFile(ctx, t)
+	fileKey, keypath := trtesting.GetKeysFromFile(ctx, t)
 
-	_, secretKey, pub, err := test.GenerateKeys(elliptic.P256(), crypto.SHA256)
+	_, secretKey, pub, err := trtesting.GenerateKeys(elliptic.P256(), crypto.SHA256)
 	if err != nil {
 		t.Fatalf("failed to generate keys: %v", err)
 	}
@@ -266,7 +266,7 @@ func TestFromKeyRef_Success(t *testing.T) {
 
 func TestFromKeyRef_Error(t *testing.T) {
 	ctx := context.Background()
-	_, keypath := test.GetKeysFromFile(ctx, t)
+	_, keypath := trtesting.GetKeysFromFile(ctx, t)
 	tcs := []struct {
 		name          string
 		keyref        string
@@ -299,7 +299,7 @@ func TestFromKeyRef_Error(t *testing.T) {
 }
 
 func TestFromSecret_Success(t *testing.T) {
-	_, keys, pub, err := test.GenerateKeys(elliptic.P256(), crypto.SHA256)
+	_, keys, pub, err := trtesting.GenerateKeys(elliptic.P256(), crypto.SHA256)
 	if err != nil {
 		t.Fatalf("failed to generate keys: %v", err)
 	}
@@ -384,7 +384,7 @@ func TestFromSecret_Error(t *testing.T) {
 }
 
 func TestFromData_Error(t *testing.T) {
-	_, _, pub, err := test.GenerateKeys(elliptic.P256(), crypto.SHA256)
+	_, _, pub, err := trtesting.GenerateKeys(elliptic.P256(), crypto.SHA256)
 	if err != nil {
 		t.Fatalf("failed to generate keys %v", err)
 	}