Split descriptionsOfPolicyRequirements out of getPolicyShowOutput

This will evetually allow us to use it for the default scope as well, which currently uses a simplified version. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-07-03 09:17:15 +08:00 · 2022-08-24 20:07:18 +02:00
parent d4c5217280
commit 51064acc49
2 changed files with 124 additions and 23 deletions
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@ -72,14 +72,23 @@ func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirP
 		sort.Strings(scopes)
 		for _, repo := range scopes {
 			repoval := transval[repo]
-			tempTrustShowOutput := Policy{
+			template := Policy{
+				Transport: transport,
 				Name:      repo,
 				RepoName:  repo,
-				Transport: transport,
-				Type:      trustTypeDescription(repoval[0].Type),
 			}
+			output = append(output, descriptionsOfPolicyRequirements(repoval, template, registryConfigs, repo, idReader)...)
+		}
+	}
+	return output, nil
+}
+
+// descriptionsOfPolicyRequirements turns reqs into user-readable policy entries, with Transport/Name/Reponame coming from template, potentially looking up scope in registryConfigs.
+func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, registryConfigs *registryConfiguration, scope string, idReader gpgIDReader) []*Policy {
+	tempTrustShowOutput := template
+	tempTrustShowOutput.Type = trustTypeDescription(reqs[0].Type)
 	uids := []string{}
-			for _, repoele := range repoval {
+	for _, repoele := range reqs {
 		if len(repoele.KeyPath) > 0 {
 			uids = append(uids, idReader(repoele.KeyPath)...)
 		}
@ -89,7 +98,7 @@ func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirP
 	}
 	tempTrustShowOutput.GPGId = strings.Join(uids, ", ")

-			registryNamespace := haveMatchRegistry(repo, registryConfigs)
+	registryNamespace := haveMatchRegistry(scope, registryConfigs)
 	if registryNamespace != nil {
 		if registryNamespace.Lookaside != "" {
 			tempTrustShowOutput.SignatureStore = registryNamespace.Lookaside
@ -97,8 +106,5 @@ func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirP
 			tempTrustShowOutput.SignatureStore = registryNamespace.SigStore
 		}
 	}
-			output = append(output, &tempTrustShowOutput)
-		}
-	}
-	return output, nil
+	return []*Policy{&tempTrustShowOutput}
 }
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@ -90,3 +90,98 @@ func TestPolicyDescription(t *testing.T) {
 		assert.Equal(t, c.expected, res)
 	}
 }
+
+func TestDescriptionsOfPolicyRequirements(t *testing.T) {
+	// Override getGPGIdFromKeyPath because we don't want to bother with (and spend the unit-test time on) generating valid GPG keys, and running the real GPG binary.
+	// Instead of reading the files at all, just expect file names like /id1,id2,...,idN.pub
+	idReader := func(keyPath string) []string {
+		require.True(t, strings.HasPrefix(keyPath, "/"))
+		require.True(t, strings.HasSuffix(keyPath, ".pub"))
+		return strings.Split(keyPath[1:len(keyPath)-4], ",")
+	}
+
+	template := Policy{
+		Transport: "transport",
+		Name:      "name",
+		RepoName:  "repoName",
+	}
+	registryConfigs, err := loadAndMergeConfig("./testdata")
+	require.NoError(t, err)
+
+	for _, c := range []struct {
+		scope    string
+		reqs     signature.PolicyRequirements
+		expected []*Policy
+	}{
+		{
+			"",
+			signature.PolicyRequirements{
+				signature.NewPRReject(),
+			},
+			[]*Policy{
+				{
+					Transport: "transport",
+					Name:      "name",
+					RepoName:  "repoName",
+					Type:      "reject",
+				},
+			},
+		},
+		{
+			"quay.io/accepted",
+			signature.PolicyRequirements{
+				signature.NewPRInsecureAcceptAnything(),
+			},
+			[]*Policy{
+				{
+					Transport: "transport",
+					Name:      "name",
+					RepoName:  "repoName",
+					Type:      "accept",
+				},
+			},
+		},
+		{
+			"registry.redhat.io",
+			signature.PolicyRequirements{
+				xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
+			},
+			[]*Policy{
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "redhat",
+				},
+			},
+		},
+		{
+			"quay.io/multi-signed",
+			signature.PolicyRequirements{
+				xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
+			},
+			[]*Policy{
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://quay.example.com/sigstore",
+					GPGId:          "1, 2, 3",
+				},
+			},
+		},
+	} {
+		reqsJSON, err := json.Marshal(c.reqs)
+		require.NoError(t, err)
+		var parsedRegs []repoContent
+		err = json.Unmarshal(reqsJSON, &parsedRegs)
+		require.NoError(t, err)
+
+		res := descriptionsOfPolicyRequirements(parsedRegs, template, registryConfigs, c.scope, idReader)
+		assert.Equal(t, c.expected, res)
+	}
+}