Add tests for --extra-rule-data

Signed-off-by: Mark Bestavros <[email protected]>
enterprise-contract · Apr 9, 2024 · ab1c07e · ab1c07e
1 parent d8f4c59
commit ab1c07e
Show file tree

Hide file tree

Showing 3 changed files with 204 additions and 0 deletions.
diff --git a/cmd/validate/image_test.go b/cmd/validate/image_test.go
@@ -21,6 +21,7 @@ package validate
 import (
 	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"testing"
@@ -673,6 +674,104 @@ configuration:
 	assert.NoError(t, err)
 }
 
+func Test_ValidateImageCommandExtraData(t *testing.T) {
+	validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ bool) (*output.Output, error) {
+		return &output.Output{
+			ImageSignatureCheck: output.VerificationStatus{
+				Passed: true,
+			},
+			ImageAccessibleCheck: output.VerificationStatus{
+				Passed: true,
+			},
+			AttestationSignatureCheck: output.VerificationStatus{
+				Passed: true,
+			},
+			AttestationSyntaxCheck: output.VerificationStatus{
+				Passed: true,
+			},
+			PolicyCheck: []evaluator.Outcome{
+				{
+					FileName:  "test.json",
+					Namespace: "test.main",
+					Successes: []evaluator.Result{
+						{
+							Message: "Pass",
+							Metadata: map[string]interface{}{
+								"code": "policy.nice",
+							},
+						},
+					},
+				},
+			},
+			ImageURL: component.ContainerImage,
+			ExitCode: 0,
+		}, nil
+	}
+
+	validateImageCmd := validateImageCmd(validate)
+	cmd := setUpCobra(validateImageCmd)
+
+	fs := afero.NewMemMapFs()
+
+	cmd.SetContext(utils.WithFS(context.TODO(), fs))
+
+	testPolicyJSON := `sources:
+  - policy:
+      - "registry/policy:latest"
+    data:
+      - "registry/policy-data:latest"
+configuration:
+  collections:
+    - minimal
+  include:
+    - "*"
+  exclude: []
+`
+	err := afero.WriteFile(fs, "/policy.json", []byte(testPolicyJSON), 0644)
+	if err != nil {
+		panic(err)
+	}
+
+	cmd.SetArgs(append(rootArgs, []string{
+		"--image",
+		"registry/image:tag",
+		"--public-key",
+		utils.TestPublicKey,
+		"--policy",
+		"/policy.json",
+		"--extra-rule-data",
+		"key=value",
+	}...))
+
+	var out bytes.Buffer
+	cmd.SetOut(&out)
+
+	utils.SetTestRekorPublicKey(t)
+
+	err = cmd.Execute()
+	assert.NoError(t, err)
+
+	// extract one of the sources, since we can match JSON without needing to compare publicKey (which may change)
+	unmarshaled := make(map[string]interface{})
+	err = json.Unmarshal(out.Bytes(), &unmarshaled)
+	assert.NoError(t, err)
+
+	sourceSample := unmarshaled["policy"].(map[string]interface{})["sources"].([]interface{})[0].(map[string]interface{})
+	sourceSampleMarshaled, err := json.Marshal(sourceSample)
+	assert.NoError(t, err)
+	assert.JSONEq(t, `{
+		"data": [
+			"registry/policy-data:latest"
+		],
+		"policy": [
+			"registry/policy:latest"
+		],
+		"ruleData": {
+			"key":"value"
+		}
+	  }`, string(sourceSampleMarshaled))
+}
+
 func Test_ValidateImageCommandEmptyPolicyFile(t *testing.T) {
 	validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ bool) (*output.Output, error) {
 		return &output.Output{

diff --git a/features/__snapshots__/validate_image.snap b/features/__snapshots__/validate_image.snap
@@ -1948,6 +1948,86 @@ ${TEMP}/ec-work-${RANDOM}/policy/${RANDOM}/main.rego:34: rego_type_error: undefi
 
 ---
 
+[happy day with extra rule data:stdout - 1]
+{
+  "success": true,
+  "components": [
+    {
+      "name": "Unnamed",
+      "containerImage": "${REGISTRY}/acceptance/ec-happy-day@sha256:${REGISTRY_acceptance/ec-happy-day:latest_DIGEST}",
+      "source": {},
+      "successes": [
+        {
+          "msg": "Pass",
+          "metadata": {
+            "code": "builtin.attestation.signature_check"
+          }
+        },
+        {
+          "msg": "Pass",
+          "metadata": {
+            "code": "builtin.attestation.syntax_check"
+          }
+        },
+        {
+          "msg": "Pass",
+          "metadata": {
+            "code": "builtin.image.signature_check"
+          }
+        },
+        {
+          "msg": "Pass",
+          "metadata": {
+            "code": "main.acceptor"
+          }
+        }
+      ],
+      "success": true,
+      "signatures": [
+        {
+          "keyid": "",
+          "sig": "${IMAGE_SIGNATURE_acceptance/ec-happy-day}"
+        }
+      ],
+      "attestations": [
+        {
+          "type": "https://in-toto.io/Statement/v0.1",
+          "predicateType": "https://slsa.dev/provenance/v0.2",
+          "predicateBuildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
+          "signatures": [
+            {
+              "keyid": "",
+              "sig": "${ATTESTATION_SIGNATURE_acceptance/ec-happy-day}"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "key": "${known_PUBLIC_KEY_JSON}",
+  "policy": {
+    "sources": [
+      {
+        "policy": [
+          "git::https://${GITHOST}/git/happy-day-policy.git"
+        ],
+        "ruleData": {
+          "key": "value"
+        }
+      }
+    ],
+    "rekorUrl": "${REKOR}",
+    "publicKey": "${known_PUBLIC_KEY}"
+  },
+  "ec-version": "${EC_VERSION}",
+  "effective-time": "${TIMESTAMP}"
+}
+---
+
+[happy day with extra rule data:stderr - 1]
+
+---
+
 [rule dependencies:stdout - 1]
 {
   "success": false,

diff --git a/features/validate_image.feature b/features/validate_image.feature
@@ -99,6 +99,31 @@ Feature: evaluate enterprise contract
     Then the exit status should be 0
     Then the output should match the snapshot
 
+  Scenario: happy day with extra rule data
+    Given a key pair named "known"
+    Given an image named "acceptance/ec-happy-day"
+    Given a valid image signature of "acceptance/ec-happy-day" image signed by the "known" key
+    Given a valid Rekor entry for image signature of "acceptance/ec-happy-day"
+    Given a valid attestation of "acceptance/ec-happy-day" signed by the "known" key
+    Given a valid Rekor entry for attestation of "acceptance/ec-happy-day"
+    Given a git repository named "happy-day-policy" with
+      | main.rego | examples/happy_day.rego |
+    Given policy configuration named "ec-policy" with specification
+    """
+    {
+      "sources": [
+        {
+          "policy": [
+            "git::https://${GITHOST}/git/happy-day-policy.git"
+          ]
+        }
+      ]
+    }
+    """
+    When ec command is run with "validate image --image ${REGISTRY}/acceptance/ec-happy-day --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --rekor-url ${REKOR} --extra-rule-data key=value --show-successes"
+    Then the exit status should be 0
+    Then the output should match the snapshot
+
   Scenario: invalid image signature
     Given a key pair named "known"
     Given a key pair named "unknown"