From a2a8d7ed958f4e87191f3c8f205260faaac22b1e Mon Sep 17 00:00:00 2001 From: Yongxuan Zhang Date: Wed, 4 Jan 2023 19:28:58 +0000 Subject: [PATCH] refactor trusted resources testing functions This commit fixes #5820. It refactors the trusted resources testing functions into a testing pkg. This will avoid running unit tests on these functions. Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com --- .../pipelinerun/pipelinerun_test.go | 13 +- .../pipelinerun/resources/pipelineref_test.go | 23 ++-- .../taskrun/resources/taskref_test.go | 23 ++-- pkg/reconciler/taskrun/taskrun_test.go | 13 +- .../testing}/trustedresources.go | 6 +- .../verifier/verifier_test.go | 22 ++-- pkg/trustedresources/verify_test.go | 64 +++++----- test/trusted_resources_test.go | 19 +-- test/trustedresources_test.go | 115 ------------------ 9 files changed, 95 insertions(+), 203 deletions(-) rename {test => pkg/trustedresources/testing}/trustedresources.go (99%) delete mode 100644 test/trustedresources_test.go diff --git a/pkg/reconciler/pipelinerun/pipelinerun_test.go b/pkg/reconciler/pipelinerun/pipelinerun_test.go index 174d460bf4d..bf512914f7b 100644 --- a/pkg/reconciler/pipelinerun/pipelinerun_test.go +++ b/pkg/reconciler/pipelinerun/pipelinerun_test.go @@ -44,6 +44,7 @@ import ( ttesting "github.com/tektoncd/pipeline/pkg/reconciler/testing" "github.com/tektoncd/pipeline/pkg/reconciler/volumeclaim" resolutioncommon "github.com/tektoncd/pipeline/pkg/resolution/common" + trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing" "github.com/tektoncd/pipeline/test" "github.com/tektoncd/pipeline/test/diff" "github.com/tektoncd/pipeline/test/names" 
@@ -10993,12 +10994,12 @@ spec: value: bar `) - signer, _, vps := test.SetupMatchAllVerificationPolicies(t, prs.Namespace) - signedTask, err := test.GetSignedTask(ts, signer, "test-task") + signer, _, vps := trtesting.SetupMatchAllVerificationPolicies(t, prs.Namespace) + signedTask, err := trtesting.GetSignedTask(ts, signer, "test-task") if err != nil { t.Fatal("fail to sign task", err) } - signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline") + signedPipeline, err := trtesting.GetSignedPipeline(ps, signer, "test-pipeline") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -11067,12 +11068,12 @@ spec: value: bar `) - signer, _, vps := test.SetupMatchAllVerificationPolicies(t, prs.Namespace) - signedTask, err := test.GetSignedTask(ts, signer, "test-task") + signer, _, vps := trtesting.SetupMatchAllVerificationPolicies(t, prs.Namespace) + signedTask, err := trtesting.GetSignedTask(ts, signer, "test-task") if err != nil { t.Fatal("fail to sign task", err) } - signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline") + signedPipeline, err := trtesting.GetSignedPipeline(ps, signer, "test-pipeline") if err != nil { t.Fatal("fail to sign pipeline", err) } diff --git a/pkg/reconciler/pipelinerun/resources/pipelineref_test.go b/pkg/reconciler/pipelinerun/resources/pipelineref_test.go index 012116f8a8b..8784d5b4b44 100644 --- a/pkg/reconciler/pipelinerun/resources/pipelineref_test.go +++ b/pkg/reconciler/pipelinerun/resources/pipelineref_test.go @@ -33,6 +33,7 @@ import ( "github.com/tektoncd/pipeline/pkg/client/clientset/versioned/fake" "github.com/tektoncd/pipeline/pkg/reconciler/pipelinerun/resources" "github.com/tektoncd/pipeline/pkg/trustedresources" + trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing" "github.com/tektoncd/pipeline/test" "github.com/tektoncd/pipeline/test/diff" "github.com/tektoncd/pipeline/test/parse" 
@@ -444,9 +445,9 @@ func TestGetPipelineFunc_RemoteResolutionInvalidData(t *testing.T) { func TestGetVerifiedPipelineFunc_Success(t *testing.T) { ctx := context.Background() tektonclient := fake.NewSimpleClientset() - signer, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") + signer, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources") - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedPipeline := trtesting.GetUnsignedPipeline("test-pipeline") unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) @@ -455,7 +456,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, sampleConfigSource.DeepCopy(), nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) - signedPipeline, err := test.GetSignedPipeline(unsignedPipeline, signer, "signed") + signedPipeline, err := trtesting.GetSignedPipeline(unsignedPipeline, signer, "signed") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -575,7 +576,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) + ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) fn := resources.GetVerifiedPipelineFunc(ctx, k8sclient, tektonclient, tc.requester, &tc.pipelinerun, vps) resolvedPipeline, source, err := fn(ctx, pipelineRef.Name) 
@@ -595,9 +596,9 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) { ctx := context.Background() tektonclient := fake.NewSimpleClientset() - signer, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") + signer, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources") - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedPipeline := trtesting.GetUnsignedPipeline("test-pipeline") unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) @@ -606,7 +607,7 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) { resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, sampleConfigSource.DeepCopy(), nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) - signedPipeline, err := test.GetSignedPipeline(unsignedPipeline, signer, "signed") + signedPipeline, err := trtesting.GetSignedPipeline(unsignedPipeline, signer, "signed") if err != nil { t.Fatal("fail to sign pipeline", err) } @@ -645,7 +646,7 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) + ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) pr := &v1beta1.PipelineRun{ ObjectMeta: metav1.ObjectMeta{Namespace: "trusted-resources"}, Spec: v1beta1.PipelineRunSpec{ 
@@ -672,9 +673,9 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) { func TestGetVerifiedPipelineFunc_GetFuncError(t *testing.T) { ctx := context.Background() tektonclient := fake.NewSimpleClientset() - _, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") + _, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources") - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedPipeline := trtesting.GetUnsignedPipeline("test-pipeline") unsignedPipelineBytes, err := json.Marshal(unsignedPipeline) if err != nil { t.Fatal("fail to marshal pipeline", err) @@ -732,7 +733,7 @@ func TestGetVerifiedPipelineFunc_GetFuncError(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) + ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) store := config.NewStore(logging.FromContext(ctx).Named("config-store")) featureflags := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ diff --git a/pkg/reconciler/taskrun/resources/taskref_test.go b/pkg/reconciler/taskrun/resources/taskref_test.go index a3c79506205..87531e06ae8 100644 --- a/pkg/reconciler/taskrun/resources/taskref_test.go +++ b/pkg/reconciler/taskrun/resources/taskref_test.go @@ -34,6 +34,7 @@ import ( "github.com/tektoncd/pipeline/pkg/client/clientset/versioned/fake" "github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources" "github.com/tektoncd/pipeline/pkg/trustedresources" + trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing" "github.com/tektoncd/pipeline/test" "github.com/tektoncd/pipeline/test/diff" "github.com/tektoncd/pipeline/test/parse" 
@@ -692,10 +693,10 @@ func TestGetPipelineFunc_RemoteResolutionInvalidData(t *testing.T) { func TestGetVerifiedTaskFunc_Success(t *testing.T) { ctx := context.Background() - signer, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") + signer, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources") tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := trtesting.GetUnsignedTask("test-task") unsignedTaskBytes, err := json.Marshal(unsignedTask) if err != nil { t.Fatal("fail to marshal task", err) @@ -704,7 +705,7 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) { resolvedUnsigned := test.NewResolvedResource(unsignedTaskBytes, nil, sampleConfigSource.DeepCopy(), nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) - signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed") + signedTask, err := trtesting.GetSignedTask(unsignedTask, signer, "signed") if err != nil { t.Fatal("fail to sign task", err) } @@ -771,7 +772,7 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) + ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) tr := &v1beta1.TaskRun{ ObjectMeta: metav1.ObjectMeta{Namespace: "trusted-resources"}, Spec: v1beta1.TaskRunSpec{ 
@@ -800,10 +801,10 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) { func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) { ctx := context.Background() - signer, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") + signer, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources") tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := trtesting.GetUnsignedTask("test-task") unsignedTaskBytes, err := json.Marshal(unsignedTask) if err != nil { t.Fatal("fail to marshal task", err) @@ -812,7 +813,7 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) { resolvedUnsigned := test.NewResolvedResource(unsignedTaskBytes, nil, sampleConfigSource.DeepCopy(), nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) - signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed") + signedTask, err := trtesting.GetSignedTask(unsignedTask, signer, "signed") if err != nil { t.Fatal("fail to sign task", err) } @@ -850,7 +851,7 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) + ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) tr := &v1beta1.TaskRun{ ObjectMeta: metav1.ObjectMeta{Namespace: "trusted-resources"}, Spec: v1beta1.TaskRunSpec{ 
@@ -879,10 +880,10 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) { func TestGetVerifiedTaskFunc_GetFuncError(t *testing.T) { ctx := context.Background() - _, k8sclient, vps := test.SetupMatchAllVerificationPolicies(t, "trusted-resources") + _, k8sclient, vps := trtesting.SetupMatchAllVerificationPolicies(t, "trusted-resources") tektonclient := fake.NewSimpleClientset() - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := trtesting.GetUnsignedTask("test-task") unsignedTaskBytes, err := json.Marshal(unsignedTask) if err != nil { t.Fatal("fail to marshal task", err) @@ -940,7 +941,7 @@ func TestGetVerifiedTaskFunc_GetFuncError(t *testing.T) { } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - ctx = test.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) + ctx = trtesting.SetupTrustedResourceConfig(ctx, tc.resourceVerificationMode) store := config.NewStore(logging.FromContext(ctx).Named("config-store")) featureflags := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go index 6c8d0fa5c59..84df53172c1 100644 --- a/pkg/reconciler/taskrun/taskrun_test.go +++ b/pkg/reconciler/taskrun/taskrun_test.go @@ -47,6 +47,7 @@ import ( "github.com/tektoncd/pipeline/pkg/reconciler/volumeclaim" resolutioncommon "github.com/tektoncd/pipeline/pkg/resolution/common" "github.com/tektoncd/pipeline/pkg/trustedresources" + trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing" "github.com/tektoncd/pipeline/pkg/workspace" "github.com/tektoncd/pipeline/test" "github.com/tektoncd/pipeline/test/diff" @@ -5222,7 +5223,7 @@ spec: results: - name: result1 steps: - - script: echo foo >> $(results.result1.path) + - script: echo foo >> $(results.result1.path) image: myimage name: mycontainer status: 
@@ -5230,7 +5231,7 @@ status: results: - name: result1 steps: - - script: echo foo >> $(results.result1.path) + - script: echo foo >> $(results.result1.path) image: myimage name: mycontainer `) @@ -5589,8 +5590,8 @@ status: podName: the-pod `) - signer, _, vps := test.SetupMatchAllVerificationPolicies(t, tr.Namespace) - signedTask, err := test.GetSignedTask(ts, signer, "test-task") + signer, _, vps := trtesting.SetupMatchAllVerificationPolicies(t, tr.Namespace) + signedTask, err := trtesting.GetSignedTask(ts, signer, "test-task") if err != nil { t.Fatal("fail to sign task", err) } @@ -5654,8 +5655,8 @@ status: podName: the-pod `) - signer, _, vps := test.SetupMatchAllVerificationPolicies(t, tr.Namespace) - signedTask, err := test.GetSignedTask(ts, signer, "test-task") + signer, _, vps := trtesting.SetupMatchAllVerificationPolicies(t, tr.Namespace) + signedTask, err := trtesting.GetSignedTask(ts, signer, "test-task") if err != nil { t.Fatal("fail to sign task", err) } diff --git a/test/trustedresources.go b/pkg/trustedresources/testing/trustedresources.go similarity index 99% rename from test/trustedresources.go rename to pkg/trustedresources/testing/trustedresources.go index 403599ba717..96bed5578cd 100644 --- a/test/trustedresources.go +++ b/pkg/trustedresources/testing/trustedresources.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package test +package testing import ( "bytes" @@ -356,10 +356,12 @@ func GetSignedTask(unsigned *v1beta1.Task, signer signature.Signer, name string) return signedTask, nil } -func getPass(confirm bool) ([]byte, error) { +// GetPass returns the password +func GetPass(confirm bool) ([]byte, error) { read := read(confirm) return read() } + func readPasswordFn(confirm bool) func() ([]byte, error) { pw, ok := os.LookupEnv("PRIVATE_PASSWORD") if ok { 
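Review bot: Naming the moved package `testing` forces every importer to alias it (this diff uses `trtesting` everywhere) and puts it next to the stdlib package of the same name, which this file presumably imports itself since its helpers take a `*testing.T` (for example `SetupVerificationPolicies(t)` and `GetKeysFromFile(ctx, t)`). Because the file now lives under `pkg/` and is not a `_test.go` file, nothing prevents non-test code from importing helpers that generate keys and sign Tasks and Pipelines, so at minimum the intent should be stated. Suggest a package comment above the new package clause: `// Package testing provides key, signer and verification-policy fixtures for trusted-resources tests; it is not meant to be imported by non-test code.`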
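Review bot: The new doc comment on `GetPass` says only that it returns the password, which tells an importer nothing about where the value comes from or what `confirm` controls; `readPasswordFn` directly below reads `PRIVATE_PASSWORD` from the environment, so the comment should say that much, e.g. `// GetPass returns the passphrase for the test signing key, read from the PRIVATE_PASSWORD environment variable when it is set; confirm is forwarded to the underlying reader.` (whether `read` ends up in `readPasswordFn` is not visible in the hunk, so check before committing to that wording). The body also shadows the outer `read` function with a local of the same name; `readFn := read(confirm)` followed by `return readFn()` is clearer now that the function is exported. Separately, test/trustedresources_test.go, which exercised `signInterface` against a mock signer with a fixed expected signature, is deleted rather than moved alongside this file, so the signing helper loses its unit coverage unless a replacement exists in the new package.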
diff --git a/pkg/trustedresources/verifier/verifier_test.go b/pkg/trustedresources/verifier/verifier_test.go index 697aa995f94..fb6269590c4 100644 --- a/pkg/trustedresources/verifier/verifier_test.go +++ b/pkg/trustedresources/verifier/verifier_test.go @@ -29,7 +29,7 @@ import ( "github.com/sigstore/sigstore/pkg/signature" "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1" - "github.com/tektoncd/pipeline/test" + trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing" "github.com/tektoncd/pipeline/test/diff" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -42,8 +42,8 @@ const ( func TestFromConfigMap_Success(t *testing.T) { ctx := context.Background() - keys, keypath := test.GetKeysFromFile(ctx, t) - ctx = test.SetupTrustedResourceKeyConfig(ctx, keypath, config.EnforceResourceVerificationMode) + keys, keypath := trtesting.GetKeysFromFile(ctx, t) + ctx = trtesting.SetupTrustedResourceKeyConfig(ctx, keypath, config.EnforceResourceVerificationMode) v, err := FromConfigMap(ctx, fakek8s.NewSimpleClientset()) checkVerifier(t, keys, v[0]) if err != nil { @@ -67,7 +67,7 @@ func TestFromConfigMap_Error(t *testing.T) { }} for _, tc := range tcs { t.Run(tc.name, func(t *testing.T) { - ctx := test.SetupTrustedResourceKeyConfig(context.Background(), tc.keyPath, config.EnforceResourceVerificationMode) + ctx := trtesting.SetupTrustedResourceKeyConfig(context.Background(), tc.keyPath, config.EnforceResourceVerificationMode) _, err := FromConfigMap(ctx, fakek8s.NewSimpleClientset()) if !errors.Is(err, tc.expectedError) { t.Errorf("FromConfigMap got: %v, want: %v", err, tc.expectedError) 
@@ -78,10 +78,10 @@ func TestFromConfigMap_Error(t *testing.T) { func TestFromPolicy_Success(t *testing.T) { ctx := context.Background() - _, key256, k8sclient, vps := test.SetupVerificationPolicies(t) + _, key256, k8sclient, vps := trtesting.SetupVerificationPolicies(t) keyInDataVp, keyInSecretVp := vps[0], vps[1] - _, key384, pub, err := test.GenerateKeys(elliptic.P384(), crypto.SHA256) + _, key384, pub, err := trtesting.GenerateKeys(elliptic.P384(), crypto.SHA256) if err != nil { t.Fatalf("failed to generate keys %v", err) } @@ -224,9 +224,9 @@ func TestFromPolicy_Error(t *testing.T) { func TestFromKeyRef_Success(t *testing.T) { ctx := context.Background() - fileKey, keypath := test.GetKeysFromFile(ctx, t) + fileKey, keypath := trtesting.GetKeysFromFile(ctx, t) - _, secretKey, pub, err := test.GenerateKeys(elliptic.P256(), crypto.SHA256) + _, secretKey, pub, err := trtesting.GenerateKeys(elliptic.P256(), crypto.SHA256) if err != nil { t.Fatalf("failed to generate keys: %v", err) } @@ -266,7 +266,7 @@ func TestFromKeyRef_Success(t *testing.T) { func TestFromKeyRef_Error(t *testing.T) { ctx := context.Background() - _, keypath := test.GetKeysFromFile(ctx, t) + _, keypath := trtesting.GetKeysFromFile(ctx, t) tcs := []struct { name string keyref string @@ -299,7 +299,7 @@ func TestFromKeyRef_Error(t *testing.T) { } func TestFromSecret_Success(t *testing.T) { - _, keys, pub, err := test.GenerateKeys(elliptic.P256(), crypto.SHA256) + _, keys, pub, err := trtesting.GenerateKeys(elliptic.P256(), crypto.SHA256) if err != nil { t.Fatalf("failed to generate keys: %v", err) } @@ -384,7 +384,7 @@ func TestFromSecret_Error(t *testing.T) { } func TestFromData_Error(t *testing.T) { - _, _, pub, err := test.GenerateKeys(elliptic.P256(), crypto.SHA256) + _, _, pub, err := trtesting.GenerateKeys(elliptic.P256(), crypto.SHA256) if err != nil { t.Fatalf("failed to generate keys %v", err) } 
diff --git a/pkg/trustedresources/verify_test.go b/pkg/trustedresources/verify_test.go index edd2238bb82..72a13bd2f86 100644 --- a/pkg/trustedresources/verify_test.go +++ b/pkg/trustedresources/verify_test.go @@ -29,8 +29,8 @@ import ( "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" + trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing" "github.com/tektoncd/pipeline/pkg/trustedresources/verifier" - test "github.com/tektoncd/pipeline/test" "github.com/tektoncd/pipeline/test/diff" "go.uber.org/zap/zaptest" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -47,8 +47,8 @@ func TestVerifyInterface_Task_Success(t *testing.T) { t.Fatalf("failed to get signerverifier %v", err) } - unsignedTask := test.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedTask(unsignedTask, sv, "signed") + unsignedTask := trtesting.GetUnsignedTask("test-task") + signedTask, err := trtesting.GetSignedTask(unsignedTask, sv, "signed") if err != nil { t.Fatalf("Failed to get signed task %v", err) } @@ -75,9 +75,9 @@ func TestVerifyInterface_Task_Error(t *testing.T) { t.Fatalf("failed to get signerverifier %v", err) } - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := trtesting.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedTask(unsignedTask, sv, "signed") + signedTask, err := trtesting.GetSignedTask(unsignedTask, sv, "signed") if err != nil { t.Fatalf("Failed to get signed task %v", err) } 
@@ -127,13 +127,13 @@ func TestVerifyInterface_Task_Error(t *testing.T) { func TestVerifyTask_Configmap_Success(t *testing.T) { ctx := logging.WithLogger(context.Background(), zaptest.NewLogger(t).Sugar()) - signer, keypath := test.GetSignerFromFile(ctx, t) + signer, keypath := trtesting.GetSignerFromFile(ctx, t) - ctx = test.SetupTrustedResourceKeyConfig(ctx, keypath, config.EnforceResourceVerificationMode) + ctx = trtesting.SetupTrustedResourceKeyConfig(ctx, keypath, config.EnforceResourceVerificationMode) - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := trtesting.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed") + signedTask, err := trtesting.GetSignedTask(unsignedTask, signer, "signed") if err != nil { t.Fatal("fail to sign task", err) } @@ -147,11 +147,11 @@ func TestVerifyTask_Configmap_Success(t *testing.T) { func TestVerifyTask_Configmap_Error(t *testing.T) { ctx := logging.WithLogger(context.Background(), zaptest.NewLogger(t).Sugar()) - signer, keypath := test.GetSignerFromFile(ctx, t) + signer, keypath := trtesting.GetSignerFromFile(ctx, t) - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := trtesting.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed") + signedTask, err := trtesting.GetSignedTask(unsignedTask, signer, "signed") if err != nil { t.Fatal("fail to sign task", err) } @@ -184,7 +184,7 @@ func TestVerifyTask_Configmap_Error(t *testing.T) { for _, tc := range tcs { t.Run(tc.name, func(t *testing.T) { - ctx = test.SetupTrustedResourceKeyConfig(ctx, tc.keypath, config.EnforceResourceVerificationMode) + ctx = trtesting.SetupTrustedResourceKeyConfig(ctx, tc.keypath, config.EnforceResourceVerificationMode) err := VerifyTask(ctx, tc.task, nil, "", []*v1alpha1.VerificationPolicy{}) if !errors.Is(err, tc.expectedError) { t.Errorf("VerifyTask got: %v, want: %v", err, tc.expectedError) 
@@ -195,17 +195,17 @@ func TestVerifyTask_Configmap_Error(t *testing.T) { func TestVerifyTask_VerificationPolicy_Success(t *testing.T) { ctx := logging.WithLogger(context.Background(), zaptest.NewLogger(t).Sugar()) - ctx = test.SetupTrustedResourceConfig(ctx, config.EnforceResourceVerificationMode) - signer256, _, k8sclient, vps := test.SetupVerificationPolicies(t) + ctx = trtesting.SetupTrustedResourceConfig(ctx, config.EnforceResourceVerificationMode) + signer256, _, k8sclient, vps := trtesting.SetupVerificationPolicies(t) - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := trtesting.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedTask(unsignedTask, signer256, "signed") + signedTask, err := trtesting.GetSignedTask(unsignedTask, signer256, "signed") if err != nil { t.Fatal("fail to sign task", err) } - signer384, _, pub, err := test.GenerateKeys(elliptic.P384(), crypto.SHA384) + signer384, _, pub, err := trtesting.GenerateKeys(elliptic.P384(), crypto.SHA384) if err != nil { t.Fatalf("failed to generate keys %v", err) } @@ -236,7 +236,7 @@ func TestVerifyTask_VerificationPolicy_Success(t *testing.T) { } vps = append(vps, sha384Vp) - signedTask384, err := test.GetSignedTask(unsignedTask, signer384, "signed384") + signedTask384, err := trtesting.GetSignedTask(unsignedTask, signer384, "signed384") if err != nil { t.Fatal("fail to sign task", err) } 
@@ -272,12 +272,12 @@ func TestVerifyTask_VerificationPolicy_Success(t *testing.T) { func TestVerifyTask_VerificationPolicy_Error(t *testing.T) { ctx := logging.WithLogger(context.Background(), zaptest.NewLogger(t).Sugar()) - ctx = test.SetupTrustedResourceConfig(ctx, config.EnforceResourceVerificationMode) - sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) + ctx = trtesting.SetupTrustedResourceConfig(ctx, config.EnforceResourceVerificationMode) + sv, _, k8sclient, vps := trtesting.SetupVerificationPolicies(t) - unsignedTask := test.GetUnsignedTask("test-task") + unsignedTask := trtesting.GetUnsignedTask("test-task") - signedTask, err := test.GetSignedTask(unsignedTask, sv, "signed") + signedTask, err := trtesting.GetSignedTask(unsignedTask, sv, "signed") if err != nil { t.Fatal("fail to sign task", err) } @@ -364,12 +364,12 @@ func TestVerifyTask_VerificationPolicy_Error(t *testing.T) { func TestVerifyPipeline_Success(t *testing.T) { ctx := logging.WithLogger(context.Background(), zaptest.NewLogger(t).Sugar()) - ctx = test.SetupTrustedResourceConfig(ctx, config.EnforceResourceVerificationMode) - sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) + ctx = trtesting.SetupTrustedResourceConfig(ctx, config.EnforceResourceVerificationMode) + sv, _, k8sclient, vps := trtesting.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedPipeline := trtesting.GetUnsignedPipeline("test-pipeline") - signedPipeline, err := test.GetSignedPipeline(unsignedPipeline, sv, "signed") + signedPipeline, err := trtesting.GetSignedPipeline(unsignedPipeline, sv, "signed") if err != nil { t.Fatal("fail to sign task", err) } 
@@ -399,12 +399,12 @@ func TestVerifyPipeline_Success(t *testing.T) { func TestVerifyPipeline_Error(t *testing.T) { ctx := logging.WithLogger(context.Background(), zaptest.NewLogger(t).Sugar()) - ctx = test.SetupTrustedResourceConfig(ctx, config.EnforceResourceVerificationMode) - sv, _, k8sclient, vps := test.SetupVerificationPolicies(t) + ctx = trtesting.SetupTrustedResourceConfig(ctx, config.EnforceResourceVerificationMode) + sv, _, k8sclient, vps := trtesting.SetupVerificationPolicies(t) - unsignedPipeline := test.GetUnsignedPipeline("test-pipeline") + unsignedPipeline := trtesting.GetUnsignedPipeline("test-pipeline") - signedPipeline, err := test.GetSignedPipeline(unsignedPipeline, sv, "signed") + signedPipeline, err := trtesting.GetSignedPipeline(unsignedPipeline, sv, "signed") if err != nil { t.Fatal("fail to sign task", err) } @@ -435,7 +435,7 @@ func TestVerifyPipeline_Error(t *testing.T) { } func TestPrepareObjectMeta(t *testing.T) { - unsigned := test.GetUnsignedTask("test-task").ObjectMeta + unsigned := trtesting.GetUnsignedTask("test-task").ObjectMeta signed := unsigned.DeepCopy() signed.Annotations = map[string]string{SignatureAnnotation: "tY805zV53PtwDarK3VD6dQPx5MbIgctNcg/oSle+MG0="} diff --git a/test/trusted_resources_test.go b/test/trusted_resources_test.go index 1b5e87411cf..3b016a20542 100644 --- a/test/trusted_resources_test.go +++ b/test/trusted_resources_test.go @@ -30,6 +30,7 @@ import ( "github.com/sigstore/sigstore/pkg/signature" "github.com/tektoncd/pipeline/pkg/apis/config" "github.com/tektoncd/pipeline/pkg/pod" + trtesting "github.com/tektoncd/pipeline/pkg/trustedresources/testing" "github.com/tektoncd/pipeline/test/parse" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -77,7 +78,7 @@ spec: args: ['-c', 'echo hello'] `, helpers.ObjectNameForTest(t), namespace, fqImageName)) - signedTask, err := GetSignedTask(task, signer, "signedtask") + signedTask, err := trtesting.GetSignedTask(task, signer, "signedtask") if err != nil { t.Errorf("error getting signed task: %v", err) } @@ -97,7 +98,7 @@ spec: kind: Task `, helpers.ObjectNameForTest(t), namespace, signedTask.Name)) - signedPipeline, err := GetSignedPipeline(pipeline, signer, "signedpipeline") + signedPipeline, err := trtesting.GetSignedPipeline(pipeline, signer, "signedpipeline") if err != nil { t.Errorf("error getting signed pipeline: %v", err) } @@ -157,7 +158,7 @@ spec: args: ['-c', 'echo hello'] `, helpers.ObjectNameForTest(t), namespace, fqImageName)) - signedTask, err := GetSignedTask(task, signer, "signedtask") + signedTask, err := trtesting.GetSignedTask(task, signer, "signedtask") if err != nil { t.Errorf("error getting signed task: %v", err) } @@ -179,7 +180,7 @@ spec: kind: Task `, helpers.ObjectNameForTest(t), namespace, signedTask.Name)) - signedPipeline, err := GetSignedPipeline(pipeline, signer, "signedpipeline") + signedPipeline, err := trtesting.GetSignedPipeline(pipeline, signer, "signedpipeline") if err != nil { t.Errorf("error getting signed pipeline: %v", err) } @@ -260,7 +261,7 @@ spec: args: ['-c', 'echo hello'] `, helpers.ObjectNameForTest(t), namespace, fqImageName)) - signedTask, err := GetSignedTask(task, signer, "signedtask") + signedTask, err := trtesting.GetSignedTask(task, signer, "signedtask") if err != nil { t.Errorf("error getting signed task: %v", err) } @@ -280,7 +281,7 @@ spec: kind: Task `, helpers.ObjectNameForTest(t), namespace, signedTask.Name)) - signedPipeline, err := GetSignedPipeline(pipeline, signer, "signedpipeline") + signedPipeline, err := trtesting.GetSignedPipeline(pipeline, signer, "signedpipeline") if err != nil { t.Errorf("error getting signed pipeline: %v", err) } 
@@ -358,7 +359,7 @@ spec: args: ['-c', 'echo hello'] `, helpers.ObjectNameForTest(t), namespace, fqImageName)) - signedTask, err := GetSignedTask(task, signer, "signedtask") + signedTask, err := trtesting.GetSignedTask(task, signer, "signedtask") if err != nil { t.Errorf("error getting signed task: %v", err) } @@ -380,7 +381,7 @@ spec: kind: Task `, helpers.ObjectNameForTest(t), namespace, signedTask.Name)) - signedPipeline, err := GetSignedPipeline(pipeline, signer, "signedpipeline") + signedPipeline, err := trtesting.GetSignedPipeline(pipeline, signer, "signedpipeline") if err != nil { t.Errorf("error getting signed pipeline: %v", err) } @@ -439,7 +440,7 @@ func setSecretAndConfig(ctx context.Context, t *testing.T, client kubernetes.Int t.Fatal(err) } - signer, err := signature.LoadSignerFromPEMFile(privKey, crypto.SHA256, getPass) + signer, err := signature.LoadSignerFromPEMFile(privKey, crypto.SHA256, trtesting.GetPass) if err != nil { t.Errorf("error getting signer from key file: %v", err) } diff --git a/test/trustedresources_test.go b/test/trustedresources_test.go deleted file mode 100644 index 0a84da1a25e..00000000000 --- a/test/trustedresources_test.go +++ /dev/null 
@@ -1,115 +0,0 @@ -/* -Copyright 2022 The Tekton Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package test - -import ( - "bytes" - "crypto/sha256" - "encoding/base64" - "encoding/json" - "io" - "testing" - - "github.com/google/go-cmp/cmp" - "github.com/sigstore/sigstore/pkg/signature" - "github.com/tektoncd/pipeline/test/diff" -) - -func TestSignInterface(t *testing.T) { - sv, _, err := signature.NewDefaultECDSASignerVerifier() - if err != nil { - t.Fatalf("failed to get signerverifier %v", err) - } - - var mocksigner mockSigner - - tcs := []struct { - name string - signer signature.SignerVerifier - target interface{} - expected string - wantErr bool - }{{ - name: "Sign Task", - signer: sv, - target: GetUnsignedTask("unsigned"), - wantErr: false, - }, { - name: "Sign String with cosign signer", - signer: sv, - target: "Hello world", - wantErr: false, - }, { - name: "Empty TaskSpec", - signer: sv, - target: nil, - wantErr: false, - }, { - name: "Empty Signer", - signer: nil, - target: GetUnsignedTask("unsigned"), - wantErr: true, - }, { - name: "Sign String with mock signer", - signer: mocksigner, - target: "Hello world", - expected: "tY805zV53PtwDarK3VD6dQPx5MbIgctNcg/oSle+MG0=", - wantErr: false, - }, - } - - for _, tc := range tcs { - t.Run(tc.name, func(t *testing.T) { - sig, err := signInterface(tc.signer, tc.target) - if (err != nil) != tc.wantErr { - t.Fatalf("SignInterface() get err %v, wantErr %t", err, tc.wantErr) - } - - if tc.expected != "" { - signature := 
base64.StdEncoding.EncodeToString(sig) - if d := cmp.Diff(signature, tc.expected); d != "" { - t.Fatalf("Diff:\n%s", diff.PrintWantGot(d)) - } - return - } - - if tc.wantErr { - return - } - - ts, err := json.Marshal(tc.target) - if err != nil { - t.Fatal(err) - } - - h := sha256.New() - h.Write(ts) - - if err := tc.signer.VerifySignature(bytes.NewReader(sig), bytes.NewReader(h.Sum(nil))); err != nil { - t.Fatalf("SignInterface() generate wrong signature: %v", err) - } - }) - } -} - -type mockSigner struct { - signature.SignerVerifier -} - -func (mockSigner) SignMessage(message io.Reader, opts ...signature.SignOption) ([]byte, error) { - return io.ReadAll(message) -}