test: add additional policy verification test (#341)

This adds an additional test for policy verification to make sure that policy verification fails if all the expected attestations do not appear in a step's collection. Signed-off-by: Mikhail Swift <[email protected]>
in-toto · Aug 28, 2024 · 5e25f8c · 5e25f8c
1 parent 776a451
commit 5e25f8c
Showing 1 changed file with 42 additions and 2 deletions.
diff --git a/verify_test.go b/verify_test.go
@@ -39,8 +39,8 @@ import (
 )
 
 func TestVerify(t *testing.T) {
-	policy, functionarySigner := makepolicyRSA(t)
-	policyEnvelope, policySigner := signPolicyRSA(t, policy)
+	testPolicy, functionarySigner := makepolicyRSA(t)
+	policyEnvelope, policySigner := signPolicyRSA(t, testPolicy)
 	policyVerifier, err := policySigner.Verifier()
 	require.NoError(t, err)
 	workingDir := t.TempDir()
@@ -132,6 +132,46 @@ func TestVerify(t *testing.T) {
 
 		require.Error(t, err, fmt.Sprintf("passed with results: %+v", results))
 	})
+
+	t.Run("Fail with missing attestation", func(t *testing.T) {
+		functionaryVerifier, err := functionarySigner.Verifier()
+		require.NoError(t, err)
+		functionaryKeyID, err := functionaryVerifier.KeyID()
+		require.NoError(t, err)
+		functionaryPublicKey, err := functionaryVerifier.Bytes()
+		require.NoError(t, err)
+		failPolicy := makepolicy(policy.Functionary{
+			Type:        "PublicKey",
+			PublicKeyID: functionaryKeyID,
+		},
+			policy.PublicKey{
+				KeyID: functionaryKeyID,
+				Key:   functionaryPublicKey,
+			},
+			map[string]policy.Root{},
+		)
+
+		step1 := failPolicy.Steps["step01"]
+		step1.Attestations = append(step1.Attestations, policy.Attestation{Type: "nonexistent atttestation"})
+		failPolicy.Steps["step01"] = step1
+		failPolicyEnvelope, failPolicySigner := signPolicyRSA(t, failPolicy)
+		failPolicyVerifier, err := failPolicySigner.Verifier()
+		require.NoError(t, err)
+
+		memorySource := source.NewMemorySource()
+		require.NoError(t, memorySource.LoadEnvelope("step01", step1Result.SignedEnvelope))
+		require.NoError(t, memorySource.LoadEnvelope("step02", step2Result.SignedEnvelope))
+
+		results, err := Verify(
+			context.Background(),
+			failPolicyEnvelope,
+			[]cryptoutil.Verifier{failPolicyVerifier},
+			VerifyWithCollectionSource(memorySource),
+			VerifyWithSubjectDigests(subjects),
+		)
+
+		require.Error(t, err, fmt.Sprintf("passed with results: %+v", results))
+	})
 }
 
 func makepolicy(functionary policy.Functionary, publicKey policy.PublicKey, roots map[string]policy.Root) policy.Policy {