attest/attestation/layout_test.go

/*
   Copyright Docker attest authors

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/

package attestation_test

import (
	"context"
	"path/filepath"
	"strings"
	"testing"

	"github.com/docker/attest"
	"github.com/docker/attest/attestation"
	"github.com/docker/attest/internal/test"
	"github.com/docker/attest/oci"
	"github.com/docker/attest/policy"
	v1 "github.com/google/go-containerregistry/pkg/v1"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestAttestationFromOCILayout(t *testing.T) {
	ctx, signer := test.Setup(t)
	outputLayout := test.CreateTempDir(t, "", "attest-oci-layout")

	invalidPlatform := &v1.Platform{
		Architecture: "invalid",
		OS:           "invalid",
	}

	opts := &attestation.SigningOptions{}
	attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
	require.NoError(t, err)
	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
	require.NoError(t, err)
	signedIndex := attIdx.Index
	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
	require.NoError(t, err)
	spec, err := oci.ParseImageSpec(oci.LocalPrefix + outputLayout)
	require.NoError(t, err)
	err = oci.SaveIndex(ctx, []*oci.ImageSpec{spec}, signedIndex, "docker.io/library/test-image:test")
	require.NoError(t, err)

	testCases := []struct {
		name     string
		platform *v1.Platform
		errorStr string
	}{
		{name: "nominal", platform: spec.Platform},
		{name: "invalid platform", platform: invalidPlatform, errorStr: "platform not found in index"},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			spec := &oci.ImageSpec{
				Type:       oci.OCI,
				Identifier: outputLayout,
				Platform:   tc.platform,
			}
			resolver, err := policy.CreateImageDetailsResolver(spec)
			if tc.errorStr != "" {
				require.Error(t, err)
				assert.Contains(t, err.Error(), tc.errorStr)
				return
			}
			require.NoError(t, err)
			desc, err := resolver.ImageDescriptor(ctx)
			require.NoError(t, err)
			digest := desc.Digest.String()
			assert.True(t, strings.Contains(digest, "sha256:"))
		})
	}
}

func TestSubjectNameAnnotations(t *testing.T) {
	testCases := []struct {
		name          string
		ociLayoutPath string
		errorStr      string
	}{
		{name: "oci annotation", ociLayoutPath: test.UnsignedTestIndex("..")},
		{name: "containerd annotation", ociLayoutPath: filepath.Join("..", "test", "testdata", "containerd-subject-layout")},
		{name: "missing subject name", ociLayoutPath: filepath.Join("..", "test", "testdata", "missing-subject-layout"), errorStr: "failed to find subject name in annotations"},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			spec, err := oci.ParseImageSpec(oci.LocalPrefix+tc.ociLayoutPath, oci.WithPlatform("linux/arm64"))
			require.NoError(t, err)
			_, err = policy.CreateImageDetailsResolver(spec)
			if tc.errorStr != "" {
				require.Error(t, err)
				assert.Contains(t, err.Error(), tc.errorStr)
				return
			}
			require.NoError(t, err)
		})
	}
}

func TestImageDetailsFromImageLayout(t *testing.T) {
	spec, err := oci.ParseImageSpec(oci.LocalPrefix+test.UnsignedTestImage(".."), oci.WithPlatform("linux/arm64"))
	require.NoError(t, err)
	resolver, err := policy.CreateImageDetailsResolver(spec)
	require.NoError(t, err)
	desc, err := resolver.ImageDescriptor(context.Background())
	require.NoError(t, err)
	digest := desc.Digest.String()
	assert.Equal(t, "sha256:7ae6b41655929ad8e1848064874a98ac3f68884996c79907f6525e3045f75390", digest)
}
chore: apply license headers 2024-10-17 13:40:17 -05:00			`/*`
refactor: remove copyright year; add newline 2024-10-18 09:25:31 -05:00			`Copyright Docker attest authors`
chore: apply license headers 2024-10-17 13:40:17 -05:00
			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`
refactor: remove copyright year; add newline 2024-10-18 09:25:31 -05:00
fix: cyclical imports 2024-08-12 14:49:52 -05:00			`package attestation_test`
feat: add oci layout test 2024-08-05 11:24:28 -05:00
			`import (`
Support images as well as indexes in ImageDetailResolvers (#183) * build: Generate test data for unsigned and no provenance image indexes * feat: Add function to build index without SBOM or provenance for linux/amd64 platform * feat: add build_image function to build image without SBOM or provenance for linux/amd64 * feat: Rename NO_SBOM_NO_PROVENANCE_INDEX_DIR to UNSIGNED_IMAGE_DIR * feat: support images in details resolvers 2024-09-30 20:53:13 +01:00			`"context"`
feat: support containerd subject annotations 2024-09-19 14:59:54 -05:00			`"path/filepath"`
feat: add oci layout test 2024-08-05 11:24:28 -05:00			`"strings"`
			`"testing"`

refactor! remove pkg directory (#145) * refactor!: remove pkg directory * chore: include breaking changes in draft 2024-09-02 16:17:50 +01:00			`"github.com/docker/attest"`
			`"github.com/docker/attest/attestation"`
feat: add oci layout test 2024-08-05 11:24:28 -05:00			`"github.com/docker/attest/internal/test"`
refactor! remove pkg directory (#145) * refactor!: remove pkg directory * chore: include breaking changes in draft 2024-09-02 16:17:50 +01:00			`"github.com/docker/attest/oci"`
			`"github.com/docker/attest/policy"`
feat: add nil pointer test 2024-08-05 16:50:40 -05:00			`v1 "github.com/google/go-containerregistry/pkg/v1"`
feat: add oci layout test 2024-08-05 11:24:28 -05:00			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestAttestationFromOCILayout(t *testing.T) {`
			`ctx, signer := test.Setup(t)`
			`outputLayout := test.CreateTempDir(t, "", "attest-oci-layout")`

feat: add nil pointer test 2024-08-05 16:50:40 -05:00			`invalidPlatform := &v1.Platform{`
			`Architecture: "invalid",`
			`OS: "invalid",`
			`}`

feat: add oci layout test 2024-08-05 11:24:28 -05:00			`opts := &attestation.SigningOptions{}`
Support images as well as indexes in ImageDetailResolvers (#183) * build: Generate test data for unsigned and no provenance image indexes * feat: Add function to build index without SBOM or provenance for linux/amd64 platform * feat: add build_image function to build image without SBOM or provenance for linux/amd64 * feat: Rename NO_SBOM_NO_PROVENANCE_INDEX_DIR to UNSIGNED_IMAGE_DIR * feat: support images in details resolvers 2024-09-30 20:53:13 +01:00			`attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))`
feat: add oci layout test 2024-08-05 11:24:28 -05:00			`require.NoError(t, err)`
			`signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)`
			`require.NoError(t, err)`
			`signedIndex := attIdx.Index`
			`signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)`
			`require.NoError(t, err)`
			`spec, err := oci.ParseImageSpec(oci.LocalPrefix + outputLayout)`
			`require.NoError(t, err)`
feat: support containerd subject annotations 2024-09-19 14:59:54 -05:00			`err = oci.SaveIndex(ctx, []*oci.ImageSpec{spec}, signedIndex, "docker.io/library/test-image:test")`
feat: add oci layout test 2024-08-05 11:24:28 -05:00			`require.NoError(t, err)`

feat: add nil pointer test 2024-08-05 16:50:40 -05:00			`testCases := []struct {`
			`name string`
			`platform *v1.Platform`
			`errorStr string`
			`}{`
			`{name: "nominal", platform: spec.Platform},`
			`{name: "invalid platform", platform: invalidPlatform, errorStr: "platform not found in index"},`
			`}`

			`for _, tc := range testCases {`
			`t.Run(tc.name, func(t *testing.T) {`
			`spec := &oci.ImageSpec{`
			`Type: oci.OCI,`
			`Identifier: outputLayout,`
			`Platform: tc.platform,`
			`}`
			`resolver, err := policy.CreateImageDetailsResolver(spec)`
			`if tc.errorStr != "" {`
			`require.Error(t, err)`
			`assert.Contains(t, err.Error(), tc.errorStr)`
			`return`
			`}`
			`require.NoError(t, err)`
			`desc, err := resolver.ImageDescriptor(ctx)`
			`require.NoError(t, err)`
			`digest := desc.Digest.String()`
			`assert.True(t, strings.Contains(digest, "sha256:"))`
			`})`
			`}`
feat: add oci layout test 2024-08-05 11:24:28 -05:00			`}`
feat: support containerd subject annotations 2024-09-19 14:59:54 -05:00
			`func TestSubjectNameAnnotations(t *testing.T) {`
			`testCases := []struct {`
			`name string`
			`ociLayoutPath string`
			`errorStr string`
			`}{`
Support images as well as indexes in ImageDetailResolvers (#183) * build: Generate test data for unsigned and no provenance image indexes * feat: Add function to build index without SBOM or provenance for linux/amd64 platform * feat: add build_image function to build image without SBOM or provenance for linux/amd64 * feat: Rename NO_SBOM_NO_PROVENANCE_INDEX_DIR to UNSIGNED_IMAGE_DIR * feat: support images in details resolvers 2024-09-30 20:53:13 +01:00			`{name: "oci annotation", ociLayoutPath: test.UnsignedTestIndex("..")},`
feat: support containerd subject annotations 2024-09-19 14:59:54 -05:00			`{name: "containerd annotation", ociLayoutPath: filepath.Join("..", "test", "testdata", "containerd-subject-layout")},`
test: make test layouts smaller 2024-09-19 15:31:37 -05:00			`{name: "missing subject name", ociLayoutPath: filepath.Join("..", "test", "testdata", "missing-subject-layout"), errorStr: "failed to find subject name in annotations"},`
feat: support containerd subject annotations 2024-09-19 14:59:54 -05:00			`}`

			`for _, tc := range testCases {`
			`t.Run(tc.name, func(t *testing.T) {`
test: make test layouts smaller 2024-09-19 15:31:37 -05:00			`spec, err := oci.ParseImageSpec(oci.LocalPrefix+tc.ociLayoutPath, oci.WithPlatform("linux/arm64"))`
feat: support containerd subject annotations 2024-09-19 14:59:54 -05:00			`require.NoError(t, err)`
			`_, err = policy.CreateImageDetailsResolver(spec)`
			`if tc.errorStr != "" {`
			`require.Error(t, err)`
			`assert.Contains(t, err.Error(), tc.errorStr)`
			`return`
			`}`
			`require.NoError(t, err)`
			`})`
			`}`
			`}`
Support images as well as indexes in ImageDetailResolvers (#183) * build: Generate test data for unsigned and no provenance image indexes * feat: Add function to build index without SBOM or provenance for linux/amd64 platform * feat: add build_image function to build image without SBOM or provenance for linux/amd64 * feat: Rename NO_SBOM_NO_PROVENANCE_INDEX_DIR to UNSIGNED_IMAGE_DIR * feat: support images in details resolvers 2024-09-30 20:53:13 +01:00
			`func TestImageDetailsFromImageLayout(t *testing.T) {`
			`spec, err := oci.ParseImageSpec(oci.LocalPrefix+test.UnsignedTestImage(".."), oci.WithPlatform("linux/arm64"))`
			`require.NoError(t, err)`
			`resolver, err := policy.CreateImageDetailsResolver(spec)`
			`require.NoError(t, err)`
			`desc, err := resolver.ImageDescriptor(context.Background())`
			`require.NoError(t, err)`
			`digest := desc.Digest.String()`
			`assert.Equal(t, "sha256:7ae6b41655929ad8e1848064874a98ac3f68884996c79907f6525e3045f75390", digest)`
			`}`