From a968632b4bfb0835464410ed80e374b9519aa66f Mon Sep 17 00:00:00 2001
From: Chitrang Patel
Date: Tue, 18 Oct 2022 13:53:06 -0400
Subject: [PATCH 1/5] created a PR
---
 pkg/chains/signing_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/chains/signing_test.go b/pkg/chains/signing_test.go
index a549ffe4b3..93112f105f 100644
--- a/pkg/chains/signing_test.go
+++ b/pkg/chains/signing_test.go
@@ -39,7 +39,7 @@ func TestSigner_Sign(t *testing.T) {
 // Sign does three main things:
 // - generates payloads
 // - stores them in the configured systems
- // - marks the object as signed
+ // - marks the object as signed
 tro := objects.NewTaskRunObject(&v1beta1.TaskRun{
 ObjectMeta: metav1.ObjectMeta{
 Name: "foo",
From 28731de1e8252395acc4faf776162c84b2efa73b Mon Sep 17 00:00:00 2001
From: Chitrang Patel
Date: Tue, 18 Oct 2022 14:13:40 -0400
Subject: [PATCH 2/5] checking cov
---
 pkg/chains/signing_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/chains/signing_test.go b/pkg/chains/signing_test.go
index 93112f105f..88fc7711d8 100644
--- a/pkg/chains/signing_test.go
+++ b/pkg/chains/signing_test.go
@@ -257,7 +257,7 @@ func TestSigner_Transparency(t *testing.T) {
 },
 getNewObject: newTaskRun,
 },
- {
+ /*{
 name: "pipelinerun in-toto",
 cfg: &config.Config{
 Artifacts: config.ArtifactConfigs{
@@ -272,7 +272,7 @@ func TestSigner_Transparency(t *testing.T) {
 },
 },
 getNewObject: newPipelineRun,
- },
+ },*/
 {
 name: "pipelinerun tekton",
 cfg: &config.Config{
From 20a246533d48ac6ccbb1f226e687634868dbca66 Mon Sep 17 00:00:00 2001
From: Chitrang Patel
Date: Tue, 18 Oct 2022 14:17:43 -0400
Subject: [PATCH 3/5] checking cov
---
 pkg/chains/signing_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/chains/signing_test.go b/pkg/chains/signing_test.go
index 88fc7711d8..de703ca940 100644
--- a/pkg/chains/signing_test.go
+++ b/pkg/chains/signing_test.go
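Review bot: The `+ /*{` at -257 together with the `+ },*/` at -272 comments the "pipelinerun in-toto" case out of the TestSigner_Transparency table, so the in-toto PipelineRun path through Sign, the Rekor upload and the VerifyAnnotation gating that the subtest body (visible in the later deletion hunk) asserts on is no longer run, and nothing in `go test` output records that. If the case must be disabled while coverage is being investigated, keep it in the table and make the gap visible: add a `skip string` field to the table struct and start the subtest with `if tt.skip != "" { t.Skip(tt.skip) }`. A block comment also leaves dead code that neither gofmt nor vet will flag. The enclosing function and the table literal begin outside the hunk.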
@@ -241,7 +241,7 @@ func TestSigner_Transparency(t *testing.T) {
 },
 getNewObject: newTaskRun,
 },
- {
+ /*{
 name: "taskrun tekton",
 cfg: &config.Config{
 Artifacts: config.ArtifactConfigs{
@@ -257,7 +257,7 @@ func TestSigner_Transparency(t *testing.T) {
 },
 getNewObject: newTaskRun,
 },
- /*{
+ {
 name: "pipelinerun in-toto",
 cfg: &config.Config{
 Artifacts: config.ArtifactConfigs{
@@ -272,7 +272,7 @@ func TestSigner_Transparency(t *testing.T) {
 },
 },
 getNewObject: newPipelineRun,
- },*/
+ },
 {
 name: "pipelinerun tekton",
 cfg: &config.Config{
@@ -288,7 +288,7 @@ func TestSigner_Transparency(t *testing.T) {
 },
 },
 getNewObject: newPipelineRun,
- },
+ },*/
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
From 58bda2704f9dd1dd3f2dd9f56a3935bb24fbc7c5 Mon Sep 17 00:00:00 2001
From: Chitrang Patel
Date: Tue, 18 Oct 2022 14:23:19 -0400
Subject: [PATCH 4/5] debug
---
 pkg/chains/signing_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/chains/signing_test.go b/pkg/chains/signing_test.go
index de703ca940..9e56724b08 100644
--- a/pkg/chains/signing_test.go
+++ b/pkg/chains/signing_test.go
@@ -272,7 +272,7 @@ func TestSigner_Transparency(t *testing.T) {
 },
 },
 getNewObject: newPipelineRun,
- },
+ },*/
 {
 name: "pipelinerun tekton",
 cfg: &config.Config{
@@ -288,7 +288,7 @@ func TestSigner_Transparency(t *testing.T) {
 },
 },
 getNewObject: newPipelineRun,
- },*/
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
From 5b8390442a469a474faadb83467db88717234852 Mon Sep 17 00:00:00 2001
From: Chitrang Patel
Date: Tue, 18 Oct 2022 14:53:37 -0400
Subject: [PATCH 5/5] removing cov
---
 pkg/chains/signing_test.go | 503 -------------------------------------
 1 file changed, 503 deletions(-)
delete mode 100644 pkg/chains/signing_test.go
diff --git a/pkg/chains/signing_test.go b/pkg/chains/signing_test.go
deleted file mode 100644
index 9e56724b08..0000000000
--- a/pkg/chains/signing_test.go
+++ /dev/null
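Review bot: With `+ },` at -288 re-enabling "pipelinerun tekton" while the `},*/` left at -272 still closes the comment opened before "taskrun tekton", TestSigner_Transparency ends this commit running only the "taskrun in-toto" and "pipelinerun tekton" cases, so the tekton-format TaskRun and in-toto PipelineRun combinations get no check that a Rekor entry is written only when Transparency.Enabled is set and, with VerifyAnnotation, only once the RekorAnnotation is present. The subjects "checking cov" and "debug" read as a coverage experiment, and the next patch in this series deletes signing_test.go outright, which would leave ObjectSigner.Sign and the transparency-log upload with no unit tests; that should not land as-is. Either restore the two cases or replace the block comment with a `t.Skip("<reason>")` so the disabled cases still show up in `go test -v` output. The enclosing function starts outside the hunk.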
@@ -1,503 +0,0 @@ -/* -Copyright 2020 The Tekton Authors -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package chains - -import ( - "context" - "errors" - "fmt" - "reflect" - "testing" - - "github.com/sigstore/rekor/pkg/generated/models" - "github.com/tektoncd/chains/pkg/chains/objects" - "github.com/tektoncd/chains/pkg/chains/signing" - "github.com/tektoncd/chains/pkg/chains/storage" - "github.com/tektoncd/chains/pkg/config" - "github.com/tektoncd/chains/pkg/internal/tekton" - "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" - fakepipelineclient "github.com/tektoncd/pipeline/pkg/client/injection/client/fake" - "go.uber.org/zap" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/sets" - "knative.dev/pkg/logging" - rtesting "knative.dev/pkg/reconciler/testing" -) - -func TestSigner_Sign(t *testing.T) { - // Sign does three main things: - // - generates payloads - // - stores them in the configured systems - // - marks the object as signed - tro := objects.NewTaskRunObject(&v1beta1.TaskRun{ - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - }, - }) - - pro := objects.NewPipelineRunObject(&v1beta1.PipelineRun{ - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - }, - }) - - tcfg := &config.Config{ - Artifacts: config.ArtifactConfigs{ - TaskRuns: config.Artifact{ - Format: "tekton", - StorageBackend: sets.NewString("mock"), - Signer: "x509", - }, - }, - } - - pcfg := &config.Config{ - Artifacts: config.ArtifactConfigs{ - PipelineRuns: config.Artifact{ - 
Format: "tekton", - StorageBackend: sets.NewString("mock"), - Signer: "x509", - }, - }, - } - - tests := []struct { - name string - backends []*mockBackend - wantErr bool - object objects.TektonObject - config *config.Config - }{ - { - name: "taskrun single system", - backends: []*mockBackend{ - {backendType: "mock"}, - }, - object: tro, - config: tcfg, - }, - { - name: "taskrun multiple systems", - backends: []*mockBackend{ - {backendType: "mock"}, - {backendType: "foo"}, - }, - object: tro, - config: tcfg, - }, - { - name: "taskrun multiple systems, error", - backends: []*mockBackend{ - {backendType: "mock", shouldErr: true}, - {backendType: "foo"}, - }, - wantErr: true, - object: tro, - config: tcfg, - }, - { - name: "pipelinerun single system", - backends: []*mockBackend{ - {backendType: "mock"}, - }, - object: pro, - config: pcfg, - }, - { - name: "pipelinerun multiple systems", - backends: []*mockBackend{ - {backendType: "mock"}, - {backendType: "foo"}, - }, - object: pro, - config: pcfg, - }, - { - name: "pipelinerun multiple systems, error", - backends: []*mockBackend{ - {backendType: "mock", shouldErr: true}, - {backendType: "foo"}, - }, - wantErr: true, - object: pro, - config: pcfg, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - cleanup := setupMocks(&mockRekor{}) - defer cleanup() - - ctx, _ := rtesting.SetupFakeContext(t) - ps := fakepipelineclient.Get(ctx) - - ctx = config.ToContext(ctx, tt.config.DeepCopy()) - - logger := logging.FromContext(ctx) - ts := &ObjectSigner{ - Formatters: AllFormatters(*tt.config, logger), - Backends: fakeAllBackends(tt.backends), - SecretPath: "./signing/x509/testdata/", - Pipelineclientset: ps, - } - - if err := tekton.CreateObject(t, ctx, ps, tt.object); err != nil { - t.Errorf("error creating fake object: %v", err) - } - if err := ts.Sign(ctx, tt.object); (err != nil) != tt.wantErr { - t.Errorf("Signer.Sign() error = %v", err) - } - - // Fetch the updated object - updatedObject, err := 
tekton.GetObject(t, ctx, ps, tt.object) - if err != nil { - t.Errorf("error fetching fake object: %v", err) - } - - // Check it is marked as signed - shouldBeSigned := !tt.wantErr - if Reconciled(updatedObject) != shouldBeSigned { - t.Errorf("IsSigned()=%t, wanted %t", Reconciled(updatedObject), shouldBeSigned) - } - // Check the payloads were stored in all the backends. - for _, b := range tt.backends { - if b.shouldErr { - continue - } - if b.backendType != "mock" { - continue - } - // We don't actually need to check the signature and serialized formats here, just that - // the payload was stored. - if b.storedPayload == nil { - t.Error("error, expected payload to be stored.") - } - } - - }) - } -} - -func TestSigner_Transparency(t *testing.T) { - newTaskRun := func(name string) objects.TektonObject { - return objects.NewTaskRunObject(&v1beta1.TaskRun{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - }) - } - newPipelineRun := func(name string) objects.TektonObject { - return objects.NewPipelineRunObject(&v1beta1.PipelineRun{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - }) - } - setAnnotation := func(obj objects.TektonObject, key, value string) { - // TODO: opportunity to add code reuse - switch o := obj.GetObject().(type) { - case *v1beta1.PipelineRun: - if o.Annotations == nil { - o.Annotations = make(map[string]string) - } - o.Annotations[key] = value - case *v1beta1.TaskRun: - if o.Annotations == nil { - o.Annotations = make(map[string]string) - } - o.Annotations[key] = value - } - } - - tests := []struct { - name string - cfg *config.Config - getNewObject func(string) objects.TektonObject - }{ - { - name: "taskrun in-toto", - cfg: &config.Config{ - Artifacts: config.ArtifactConfigs{ - TaskRuns: config.Artifact{ - Format: "in-toto", - StorageBackend: sets.NewString("mock"), - Signer: "x509", - }, - }, - Transparency: config.TransparencyConfig{ - Enabled: false, - }, - }, - getNewObject: newTaskRun, - }, - /*{ - name: "taskrun tekton", - cfg: 
&config.Config{ - Artifacts: config.ArtifactConfigs{ - TaskRuns: config.Artifact{ - Format: "tekton", - StorageBackend: sets.NewString("mock"), - Signer: "x509", - }, - }, - Transparency: config.TransparencyConfig{ - Enabled: false, - }, - }, - getNewObject: newTaskRun, - }, - { - name: "pipelinerun in-toto", - cfg: &config.Config{ - Artifacts: config.ArtifactConfigs{ - PipelineRuns: config.Artifact{ - Format: "in-toto", - StorageBackend: sets.NewString("mock"), - Signer: "x509", - }, - }, - Transparency: config.TransparencyConfig{ - Enabled: false, - }, - }, - getNewObject: newPipelineRun, - },*/ - { - name: "pipelinerun tekton", - cfg: &config.Config{ - Artifacts: config.ArtifactConfigs{ - PipelineRuns: config.Artifact{ - Format: "tekton", - StorageBackend: sets.NewString("mock"), - Signer: "x509", - }, - }, - Transparency: config.TransparencyConfig{ - Enabled: false, - }, - }, - getNewObject: newPipelineRun, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - - rekor := &mockRekor{} - backends := []*mockBackend{{backendType: "mock"}} - cleanup := setupMocks(rekor) - defer cleanup() - - ctx, _ := rtesting.SetupFakeContext(t) - ps := fakepipelineclient.Get(ctx) - - ctx = config.ToContext(ctx, tt.cfg.DeepCopy()) - - logger := logging.FromContext(ctx) - os := &ObjectSigner{ - Formatters: AllFormatters(*tt.cfg, logger), - Backends: fakeAllBackends(backends), - SecretPath: "./signing/x509/testdata/", - Pipelineclientset: ps, - } - - obj := tt.getNewObject("foo") - if err := tekton.CreateObject(t, ctx, ps, obj); err != nil { - t.Errorf("error creating fake object: %v", err) - } - if err := os.Sign(ctx, obj); err != nil { - t.Errorf("Signer.Sign() error = %v", err) - } - - if len(rekor.entries) != 0 { - t.Error("expected no transparency log entries!") - } - - // Now enable and try again! 
- tt.cfg.Transparency.Enabled = true - ctx = config.ToContext(ctx, tt.cfg.DeepCopy()) - - obj = tt.getNewObject("foobar") - if err := tekton.CreateObject(t, ctx, ps, obj); err != nil { - t.Errorf("error creating fake object: %v", err) - } - if err := os.Sign(ctx, obj); err != nil { - t.Errorf("Signer.Sign() error = %v", err) - } - - if len(rekor.entries) != 1 { - t.Error("expected transparency log entry!") - } - - // Now enable verifying the annotation - tt.cfg.Transparency.VerifyAnnotation = true - ctx = config.ToContext(ctx, tt.cfg.DeepCopy()) - - obj = tt.getNewObject("mytektonobject") - if err := tekton.CreateObject(t, ctx, ps, obj); err != nil { - t.Errorf("error creating fake object: %v", err) - } - if err := os.Sign(ctx, obj); err != nil { - t.Errorf("Signer.Sign() error = %v", err) - } - - if len(rekor.entries) != 1 { - t.Error("expected new transparency log entries!") - } - - // add in the annotation - setAnnotation(obj, RekorAnnotation, "true") - if err := os.Sign(ctx, obj); err != nil { - t.Errorf("Signer.Sign() error = %v", err) - } - - if len(rekor.entries) != 2 { - t.Error("expected two transparency log entries!") - } - }) - } -} - -func TestSigningObjects(t *testing.T) { - ctx, _ := rtesting.SetupFakeContext(t) - logger := logging.FromContext(ctx) - tests := []struct { - name string - signers []string - config config.Config - SecretPath string - }{ - { - name: "x509", - signers: []string{signing.TypeX509}, - config: config.Config{ - Artifacts: config.ArtifactConfigs{ - TaskRuns: config.Artifact{ - Format: "tekton", - StorageBackend: sets.NewString("mock"), - Signer: "x509", - }, - }, - }, - SecretPath: "./signing/x509/testdata/", - }, - { - name: "x509 twice", - signers: []string{signing.TypeX509}, - config: config.Config{ - Artifacts: config.ArtifactConfigs{ - TaskRuns: config.Artifact{ - Format: "tekton", - StorageBackend: sets.NewString("mock"), - Signer: "x509", - }, - OCI: config.Artifact{ - Format: "tekton", - StorageBackend: 
sets.NewString("mock"), - Signer: "x509", - }, - }, - }, - SecretPath: "./signing/x509/testdata/", - }, - { - name: "none", - signers: nil, - config: config.Config{ - Artifacts: config.ArtifactConfigs{ - TaskRuns: config.Artifact{ - Format: "tekton", - StorageBackend: sets.NewString("mock"), - }, - OCI: config.Artifact{ - Format: "tekton", - StorageBackend: sets.NewString("mock"), - }, - }, - Transparency: config.TransparencyConfig{ - Enabled: false, - }, - }, - SecretPath: "", - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - signers := allSigners(ctx, tt.SecretPath, tt.config, logger) - var signerTypes []string - for _, signer := range signers { - signerTypes = append(signerTypes, signer.Type()) - } - if !reflect.DeepEqual(tt.signers, signerTypes) { - t.Errorf("Expected %q signers but got %q signers", tt.signers, signerTypes) - } - }) - } -} - -func fakeAllBackends(backends []*mockBackend) map[string]storage.Backend { - newBackends := map[string]storage.Backend{} - for _, m := range backends { - newBackends[m.backendType] = m - } - return newBackends -} - -func setupMocks(rekor *mockRekor) func() { - oldRekor := getRekor - getRekor = func(_ string, _ *zap.SugaredLogger) (rekorClient, error) { - return rekor, nil - } - return func() { - getRekor = oldRekor - } -} - -type mockRekor struct { - entries [][]byte -} - -func (r *mockRekor) UploadTlog(ctx context.Context, signer signing.Signer, signature, rawPayload []byte, cert, payloadFormat string) (*models.LogEntryAnon, error) { - r.entries = append(r.entries, signature) - index := int64(len(r.entries) - 1) - return &models.LogEntryAnon{ - LogIndex: &index, - }, nil -} - -type mockBackend struct { - storedPayload []byte - shouldErr bool - backendType string -} - -// StorePayload implements the Payloader interface. 
-func (b *mockBackend) StorePayload(ctx context.Context, _ objects.TektonObject, rawPayload []byte, signature string, opts config.StorageOpts) error { - if b.shouldErr { - return errors.New("mock error storing") - } - b.storedPayload = rawPayload - return nil -} - -func (b *mockBackend) Type() string { - return b.backendType -} - -func (b *mockBackend) RetrievePayloads(ctx context.Context, _ objects.TektonObject, opts config.StorageOpts) (map[string]string, error) { - return nil, fmt.Errorf("not implemented") -} - -func (b *mockBackend) RetrieveSignatures(ctx context.Context, _ objects.TektonObject, opts config.StorageOpts) (map[string][]string, error) { - return nil, fmt.Errorf("not implemented") -}