| package trust
 | |
| 
 | |
| import (
 | |
| 	"encoding/json"
 | |
| 	"os"
 | |
| 	"path/filepath"
 | |
| 	"strings"
 | |
| 	"testing"
 | |
| 
 | |
| 	"github.com/containers/image/v5/signature"
 | |
| 	"github.com/stretchr/testify/assert"
 | |
| 	"github.com/stretchr/testify/require"
 | |
| )
 | |
| 
 | |
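// TestPolicyDescription exercises policyDescriptionWithGPGIDReader end to end:
// each signature.Policy is serialized to a policy.json file in a temporary
// directory, and the resulting []*Policy description is compared with the
// expected entries. SignatureStore values in the expectations come from the
// registries configuration under ./testdata.
//
// GPG key parsing is stubbed out (see newIDReader), so this test covers the
// policy-to-description mapping only, not fingerprint extraction from real keys.
func TestPolicyDescription(t *testing.T) {
	tempDir := t.TempDir()
	policyPath := filepath.Join(tempDir, "policy.json")

	// Override getGPGIdFromKeyPath because we don't want to bother with (and spend the unit-test time on) generating valid GPG keys, and running the real GPG binary.
	// Instead of reading the files at all, just expect file names like /id1,id2,...,idN.pub
	//
	// The reader is bound to the subtest's t so that a require failure inside it
	// aborts the subtest that triggered it (FailNow must run on the goroutine of
	// the test it belongs to).
	newIDReader := func(t *testing.T) func(keyPath string) []string {
		return func(keyPath string) []string {
			require.True(t, strings.HasPrefix(keyPath, "/"), "unexpected key path %q", keyPath)
			require.True(t, strings.HasSuffix(keyPath, ".pub"), "unexpected key path %q", keyPath)
			return strings.Split(keyPath[1:len(keyPath)-4], ",")
		}
	}

	for _, c := range []struct {
		name     string
		policy   *signature.Policy
		expected []*Policy
	}{
		{
			name: "default reject with per-scope docker requirements",
			policy: &signature.Policy{
				Default: signature.PolicyRequirements{
					signature.NewPRReject(),
				},
				Transports: map[string]signature.PolicyTransportScopes{
					"docker": {
						"quay.io/accepted": {
							signature.NewPRInsecureAcceptAnything(),
						},
						"registry.redhat.io": {
							xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
						},
						"registry.access.redhat.com": {
							xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
						},
						"quay.io/multi-signed": {
							xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
							xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
						},
						"quay.io/sigstore-signed": {
							xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
							xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
						},
					},
				},
			},
			// The expected order is the default entry first, then the docker
			// scopes in lexical order, one entry per requirement of each scope.
			expected: []*Policy{
				{
					Transport: "all",
					Name:      "* (default)",
					RepoName:  "default",
					Type:      "reject",
				},
				{
					Transport: "repository",
					Name:      "quay.io/accepted",
					RepoName:  "quay.io/accepted",
					Type:      "accept",
				},
				{
					Transport:      "repository",
					Name:           "quay.io/multi-signed",
					RepoName:       "quay.io/multi-signed",
					Type:           "signed",
					SignatureStore: "https://quay.example.com/sigstore",
					GPGId:          "1",
				},
				{
					Transport:      "repository",
					Name:           "quay.io/multi-signed",
					RepoName:       "quay.io/multi-signed",
					Type:           "signed",
					SignatureStore: "https://quay.example.com/sigstore",
					GPGId:          "2, 3",
				},
				// sigstoreSigned entries are described with no GPG identity ("N/A").
				{
					Transport:      "repository",
					Name:           "quay.io/sigstore-signed",
					RepoName:       "quay.io/sigstore-signed",
					Type:           "sigstoreSigned",
					SignatureStore: "",
					GPGId:          "N/A",
				},
				{
					Transport:      "repository",
					Name:           "quay.io/sigstore-signed",
					RepoName:       "quay.io/sigstore-signed",
					Type:           "sigstoreSigned",
					SignatureStore: "",
					GPGId:          "N/A",
				},
				{
					Transport:      "repository",
					Name:           "registry.access.redhat.com",
					RepoName:       "registry.access.redhat.com",
					Type:           "signed",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "redhat, redhat-beta",
				},
				{
					Transport:      "repository",
					Name:           "registry.redhat.io",
					RepoName:       "registry.redhat.io",
					Type:           "signed",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "redhat",
				},
			},
		},
		{
			name: "default-only policy with two signedBy requirements",
			policy: &signature.Policy{
				Default: signature.PolicyRequirements{
					xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
					xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
				},
			},
			expected: []*Policy{
				{
					Transport:      "all",
					Name:           "* (default)",
					RepoName:       "default",
					Type:           "signed",
					SignatureStore: "",
					GPGId:          "1",
				},
				{
					Transport:      "all",
					Name:           "* (default)",
					RepoName:       "default",
					Type:           "signed",
					SignatureStore: "",
					GPGId:          "2, 3",
				},
			},
		},
	} {
		t.Run(c.name, func(t *testing.T) {
			policyJSON, err := json.Marshal(c.policy)
			require.NoError(t, err)
			// The same path is rewritten for every case; 0600 keeps the policy
			// file readable by the test user only.
			err = os.WriteFile(policyPath, policyJSON, 0600)
			require.NoError(t, err)

			res, err := policyDescriptionWithGPGIDReader(policyPath, "./testdata", newIDReader(t))
			require.NoError(t, err)
			assert.Equal(t, c.expected, res)
		})
	}
}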
 | |
| 
 | |
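// TestDescriptionsOfPolicyRequirements checks descriptionsOfPolicyRequirements
// on individual requirement lists: every requirement in the list becomes one
// *Policy entry copied from template, with Type, GPGId and SignatureStore
// derived from the requirement kind, the stubbed key reader, and the
// registries configuration under ./testdata for the given scope.
//
// The requirements are round-tripped through JSON into []repoContent first,
// which is the representation the function under test receives.
func TestDescriptionsOfPolicyRequirements(t *testing.T) {
	// Override getGPGIdFromKeyPath because we don't want to bother with (and spend the unit-test time on) generating valid GPG keys, and running the real GPG binary.
	// Instead of reading the files at all, just expect file names like /id1,id2,...,idN.pub
	//
	// The reader is bound to the subtest's t so that a require failure inside it
	// aborts the subtest that triggered it (FailNow must run on the goroutine of
	// the test it belongs to).
	newIDReader := func(t *testing.T) func(keyPath string) []string {
		return func(keyPath string) []string {
			require.True(t, strings.HasPrefix(keyPath, "/"), "unexpected key path %q", keyPath)
			require.True(t, strings.HasSuffix(keyPath, ".pub"), "unexpected key path %q", keyPath)
			return strings.Split(keyPath[1:len(keyPath)-4], ",")
		}
	}

	// Every expected entry carries these identifying fields unchanged.
	template := Policy{
		Transport: "transport",
		Name:      "name",
		RepoName:  "repoName",
	}
	registryConfigs, err := loadAndMergeConfig("./testdata")
	require.NoError(t, err)

	for _, c := range []struct {
		name     string
		scope    string
		reqs     signature.PolicyRequirements
		expected []*Policy
	}{
		{
			name:  "reject, empty scope",
			scope: "",
			reqs: signature.PolicyRequirements{
				signature.NewPRReject(),
			},
			// No SignatureStore is expected for the empty scope.
			expected: []*Policy{
				{
					Transport: "transport",
					Name:      "name",
					RepoName:  "repoName",
					Type:      "reject",
				},
			},
		},
		{
			name:  "insecureAcceptAnything",
			scope: "quay.io/accepted",
			reqs: signature.PolicyRequirements{
				signature.NewPRInsecureAcceptAnything(),
			},
			expected: []*Policy{
				{
					Transport: "transport",
					Name:      "name",
					RepoName:  "repoName",
					Type:      "accept",
				},
			},
		},
		{
			name:  "signedBy with a single key",
			scope: "registry.redhat.io",
			reqs: signature.PolicyRequirements{
				xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
			},
			expected: []*Policy{
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "signed",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "redhat",
				},
			},
		},
		{
			name:  "signedBy with multiple key files",
			scope: "registry.access.redhat.com",
			reqs: signature.PolicyRequirements{
				xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
			},
			// Identities from several key files are joined into one GPGId.
			expected: []*Policy{
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "signed",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "redhat, redhat-beta",
				},
			},
		},
		{
			name:  "two signedBy requirements",
			scope: "quay.io/multi-signed",
			reqs: signature.PolicyRequirements{
				xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
				xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
			},
			expected: []*Policy{
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "signed",
					SignatureStore: "https://quay.example.com/sigstore",
					GPGId:          "1",
				},
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "signed",
					SignatureStore: "https://quay.example.com/sigstore",
					GPGId:          "2, 3",
				},
			},
		},
		{
			name:  "two sigstoreSigned requirements",
			scope: "quay.io/sigstore-signed",
			reqs: signature.PolicyRequirements{
				xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
				xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
			},
			// sigstoreSigned entries are described with no GPG identity ("N/A").
			expected: []*Policy{
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "sigstoreSigned",
					SignatureStore: "",
					GPGId:          "N/A",
				},
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "sigstoreSigned",
					SignatureStore: "",
					GPGId:          "N/A",
				},
			},
		},
		{
			// Multiple kinds of requirements are represented individually, in
			// input order; the scope's SignatureStore is attached to every entry.
			name:  "mixed requirement kinds",
			scope: "registry.redhat.io",
			reqs: signature.PolicyRequirements{
				signature.NewPRReject(),
				signature.NewPRInsecureAcceptAnything(),
				xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
				xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
				xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
				xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
				xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
				xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
			},
			expected: []*Policy{
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "reject",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
				},
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "accept",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
				},
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "signed",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "redhat",
				},
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "signed",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "redhat, redhat-beta",
				},
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "signed",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "1",
				},
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "signed",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "2, 3",
				},
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "sigstoreSigned",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "N/A",
				},
				{
					Transport:      "transport",
					Name:           "name",
					RepoName:       "repoName",
					Type:           "sigstoreSigned",
					SignatureStore: "https://registry.redhat.io/containers/sigstore",
					GPGId:          "N/A",
				},
			},
		},
	} {
		t.Run(c.name, func(t *testing.T) {
			// Go through JSON so the function under test sees the same
			// []repoContent shape it gets from a real policy file.
			reqsJSON, err := json.Marshal(c.reqs)
			require.NoError(t, err)
			var parsedReqs []repoContent
			err = json.Unmarshal(reqsJSON, &parsedReqs)
			require.NoError(t, err)

			res := descriptionsOfPolicyRequirements(parsedReqs, template, registryConfigs, c.scope, newIDReader(t))
			assert.Equal(t, c.expected, res)
		})
	}
}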