From 5e25f8cd7a0a6dd56b279b6c2dbdd68563f1c26a Mon Sep 17 00:00:00 2001
From: Mikhail Swift
Date: Wed, 28 Aug 2024 10:08:05 -0400
Subject: [PATCH] test: add additional policy verification test (#341)

This adds an additional test for policy verification to make sure that policy verification fails if all the expected attestations do not appear in a step's collection.

Signed-off-by: Mikhail Swift
---
 verify_test.go | 44 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/verify_test.go b/verify_test.go
index 6557c64f..21534b24 100644
--- a/verify_test.go
+++ b/verify_test.go
@@ -39,8 +39,8 @@ import (
 )
 
 func TestVerify(t *testing.T) {
- policy, functionarySigner := makepolicyRSA(t)
- policyEnvelope, policySigner := signPolicyRSA(t, policy)
+ testPolicy, functionarySigner := makepolicyRSA(t)
+ policyEnvelope, policySigner := signPolicyRSA(t, testPolicy)
 policyVerifier, err := policySigner.Verifier()
 require.NoError(t, err)
 workingDir := t.TempDir()
@@ -132,6 +132,46 @@ func TestVerify(t *testing.T) {
 
 require.Error(t, err, fmt.Sprintf("passed with results: %+v", results))
 })
+
+ t.Run("Fail with missing attestation", func(t *testing.T) {
+ functionaryVerifier, err := functionarySigner.Verifier()
+ require.NoError(t, err)
+ functionaryKeyID, err := functionaryVerifier.KeyID()
+ require.NoError(t, err)
+ functionaryPublicKey, err := functionaryVerifier.Bytes()
+ require.NoError(t, err)
+ failPolicy := makepolicy(policy.Functionary{
+ Type: "PublicKey",
+ PublicKeyID: functionaryKeyID,
+ },
+ policy.PublicKey{
+ KeyID: functionaryKeyID,
+ Key: functionaryPublicKey,
+ },
+ map[string]policy.Root{},
+ )
+
+ step1 := failPolicy.Steps["step01"]
+ step1.Attestations = append(step1.Attestations, policy.Attestation{Type: "nonexistent atttestation"})
+ failPolicy.Steps["step01"] = step1
+ failPolicyEnvelope, failPolicySigner := signPolicyRSA(t, failPolicy)
+ failPolicyVerifier, err := failPolicySigner.Verifier()
+ require.NoError(t, err)
+
+ memorySource := source.NewMemorySource()
+ require.NoError(t, memorySource.LoadEnvelope("step01", step1Result.SignedEnvelope))
+ require.NoError(t, memorySource.LoadEnvelope("step02", step2Result.SignedEnvelope))
+
+ results, err := Verify(
+ context.Background(),
+ failPolicyEnvelope,
+ []cryptoutil.Verifier{failPolicyVerifier},
+ VerifyWithCollectionSource(memorySource),
+ VerifyWithSubjectDigests(subjects),
+ )
+
+ require.Error(t, err, fmt.Sprintf("passed with results: %+v", results))
+ })
 }
 
 func makepolicy(functionary policy.Functionary, publicKey policy.PublicKey, roots map[string]policy.Root) policy.Policy {
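Review bot: The closing `require.Error(t, err, ...)` in the new "Fail with missing attestation" subtest accepts any failure, so the test would still pass if Verify rejected `failPolicy` for a reason unrelated to the extra attestation (for instance a key or functionary mismatch in the freshly built policy), which makes a negative test like this one weaker than its name suggests. Tightening it so the cause is pinned is worthwhile: if the returned results carry per-step failure reasons, assert on the `step01` entry (the result type is not visible in this hunk, so the exact field needs confirming), or at minimum use `require.ErrorContains(t, err, "<stable substring of the missing-attestation error>")` once the message is known. The literal `"nonexistent atttestation"` also carries a typo (`atttestation`); it is harmless for the test but worth fixing before someone greps for it. `step1Result`, `step2Result` and `subjects` are defined earlier in TestVerify, whose body begins outside this hunk.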