2024-04-10 17:57:01 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
|
|
require "diagnostic"
|
|
|
|
|
|
|
|
|
|
RSpec.describe Homebrew::Attestation do
|
|
|
|
|
let(:fake_gh) { Pathname.new("/extremely/fake/gh") }
|
2024-05-03 13:01:02 -04:00
|
|
|
let(:fake_gh_creds) { "fake-gh-api-token" }
|
|
|
|
|
let(:fake_error_status) { instance_double(Process::Status, exitstatus: 1, termsig: nil) }
|
2024-05-03 13:17:31 -04:00
|
|
|
let(:fake_auth_status) { instance_double(Process::Status, exitstatus: 4, termsig: nil) }
|
2024-04-10 17:57:01 -04:00
|
|
|
let(:cached_download) { "/fake/cached/download" }
|
2024-04-11 13:39:13 -04:00
|
|
|
let(:fake_bottle_filename) { instance_double(Bottle::Filename, to_s: "fakebottle--1.0.faketag.bottle.tar.gz") }
|
2024-04-11 16:44:57 -04:00
|
|
|
let(:fake_bottle_url) { "https://example.com/#{fake_bottle_filename}" }
|
|
|
|
|
let(:fake_bottle) do
|
|
|
|
|
instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url)
|
|
|
|
|
end
|
2024-05-14 14:32:23 -04:00
|
|
|
let(:fake_result_invalid_json) { instance_double(SystemCommand::Result, stdout: "\"invalid JSON") }
|
|
|
|
|
let(:fake_result_json_resp) do
|
|
|
|
|
instance_double(SystemCommand::Result,
|
|
|
|
|
stdout: JSON.dump([
|
|
|
|
|
{ verificationResult: {
|
|
|
|
|
verifiedTimestamps: [{ timestamp: "2024-03-13T00:00:00Z" }],
|
|
|
|
|
statement: { subject: [{ name: fake_bottle_filename.to_s }] },
|
|
|
|
|
} },
|
|
|
|
|
]))
|
2024-04-11 13:39:13 -04:00
|
|
|
end
|
2024-05-14 14:32:23 -04:00
|
|
|
let(:fake_result_json_resp_backfill) do
|
|
|
|
|
digest = Digest::SHA256.hexdigest(fake_bottle_url)
|
|
|
|
|
instance_double(SystemCommand::Result,
|
|
|
|
|
stdout: JSON.dump([
|
|
|
|
|
{ verificationResult: {
|
|
|
|
|
verifiedTimestamps: [{ timestamp: "2024-03-13T00:00:00Z" }],
|
|
|
|
|
statement: {
|
|
|
|
|
subject: [{ name: "#{digest}--#{fake_bottle_filename}" }],
|
|
|
|
|
},
|
|
|
|
|
} },
|
|
|
|
|
]))
|
2024-04-11 16:44:57 -04:00
|
|
|
end
|
2024-05-14 14:32:23 -04:00
|
|
|
let(:fake_result_json_resp_too_new) do
|
|
|
|
|
instance_double(SystemCommand::Result,
|
|
|
|
|
stdout: JSON.dump([
|
|
|
|
|
{ verificationResult: {
|
|
|
|
|
verifiedTimestamps: [{ timestamp: "2024-03-15T00:00:00Z" }],
|
|
|
|
|
statement: { subject: [{ name: fake_bottle_filename.to_s }] },
|
|
|
|
|
} },
|
|
|
|
|
]))
|
2024-04-11 13:39:13 -04:00
|
|
|
end
|
|
|
|
|
let(:fake_json_resp_wrong_sub) do
|
2024-05-14 14:32:23 -04:00
|
|
|
instance_double(SystemCommand::Result,
|
|
|
|
|
stdout: JSON.dump([
|
|
|
|
|
{ verificationResult: {
|
|
|
|
|
verifiedTimestamps: [{ timestamp: "2024-03-13T00:00:00Z" }],
|
|
|
|
|
statement: { subject: [{ name: "wrong-subject.tar.gz" }] },
|
|
|
|
|
} },
|
|
|
|
|
]))
|
2024-04-11 13:39:13 -04:00
|
|
|
end
|
2024-04-10 17:57:01 -04:00
|
|
|
|
|
|
|
|
describe "::gh_executable" do
|
2024-04-10 18:02:56 -04:00
|
|
|
it "calls ensure_executable" do
|
2024-04-11 13:39:13 -04:00
|
|
|
expect(described_class).to receive(:ensure_executable!)
|
2024-04-10 18:02:56 -04:00
|
|
|
.with("gh")
|
2024-04-10 17:57:01 -04:00
|
|
|
.and_return(fake_gh)
|
|
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
described_class.gh_executable
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
describe "::check_attestation" do
|
|
|
|
|
before do
|
|
|
|
|
allow(described_class).to receive(:gh_executable)
|
|
|
|
|
.and_return(fake_gh)
|
|
|
|
|
end
|
|
|
|
|
|
2024-05-03 13:01:02 -04:00
|
|
|
it "raises without any gh credentials" do
|
|
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(nil)
|
|
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_attestation fake_bottle,
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO
|
|
|
|
|
end.to raise_error(described_class::GhAuthNeeded)
|
|
|
|
|
end
|
|
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
it "raises when gh subprocess fails" do
|
2024-05-03 13:01:02 -04:00
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
|
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
|
|
|
|
env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
|
2024-05-03 13:01:02 -04:00
|
|
|
.and_raise(ErrorDuringExecution.new(["foo"], status: fake_error_status))
|
2024-04-11 13:39:13 -04:00
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_attestation fake_bottle,
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO
|
|
|
|
|
end.to raise_error(described_class::InvalidAttestationError)
|
|
|
|
|
end
|
|
|
|
|
|
2024-05-03 13:17:31 -04:00
|
|
|
it "raises auth error when gh subprocess fails with auth exit code" do
|
|
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
|
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
|
|
|
|
env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
|
2024-05-03 13:17:31 -04:00
|
|
|
.and_raise(ErrorDuringExecution.new(["foo"], status: fake_auth_status))
|
|
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_attestation fake_bottle,
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO
|
|
|
|
|
end.to raise_error(described_class::GhAuthNeeded)
|
|
|
|
|
end
|
|
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
it "raises when gh returns invalid JSON" do
|
2024-05-03 13:01:02 -04:00
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
|
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
|
|
|
|
env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
|
|
|
|
|
.and_return(fake_result_invalid_json)
|
2024-04-11 13:39:13 -04:00
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_attestation fake_bottle,
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO
|
|
|
|
|
end.to raise_error(described_class::InvalidAttestationError)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it "raises when gh returns other subjects" do
|
2024-05-03 13:01:02 -04:00
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
|
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
|
|
|
|
env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
|
2024-04-11 13:39:13 -04:00
|
|
|
.and_return(fake_json_resp_wrong_sub)
|
|
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_attestation fake_bottle,
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO
|
|
|
|
|
end.to raise_error(described_class::InvalidAttestationError)
|
2024-04-10 17:57:01 -04:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
describe "::check_core_attestation" do
|
|
|
|
|
before do
|
2024-04-11 13:39:13 -04:00
|
|
|
allow(described_class).to receive(:gh_executable)
|
2024-04-10 17:57:01 -04:00
|
|
|
.and_return(fake_gh)
|
2024-05-03 13:01:02 -04:00
|
|
|
|
|
|
|
|
allow(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
2024-04-11 13:39:13 -04:00
|
|
|
end
|
2024-04-10 17:57:01 -04:00
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
it "calls gh with args for homebrew-core" do
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json", "--cert-identity",
|
|
|
|
|
described_class::HOMEBREW_CORE_CI_URI],
|
|
|
|
|
env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
|
|
|
|
|
.and_return(fake_result_json_resp)
|
2024-04-11 13:39:13 -04:00
|
|
|
|
|
|
|
|
described_class.check_core_attestation fake_bottle
|
2024-04-10 17:57:01 -04:00
|
|
|
end
|
|
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
it "calls gh with args for backfill when homebrew-core fails" do
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json", "--cert-identity",
|
|
|
|
|
described_class::HOMEBREW_CORE_CI_URI],
|
|
|
|
|
env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
|
2024-04-11 13:39:13 -04:00
|
|
|
.once
|
|
|
|
|
.and_raise(described_class::InvalidAttestationError)
|
|
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::BACKFILL_REPO, "--format", "json"],
|
|
|
|
|
env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
|
|
|
|
|
.and_return(fake_result_json_resp_backfill)
|
2024-04-10 17:57:01 -04:00
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
described_class.check_core_attestation fake_bottle
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it "raises when the backfilled attestation is too new" do
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json", "--cert-identity",
|
|
|
|
|
described_class::HOMEBREW_CORE_CI_URI],
|
|
|
|
|
env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
|
2024-04-11 13:39:13 -04:00
|
|
|
.once
|
|
|
|
|
.and_raise(described_class::InvalidAttestationError)
|
|
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::BACKFILL_REPO, "--format", "json"],
|
|
|
|
|
env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
|
|
|
|
|
.and_return(fake_result_json_resp_too_new)
|
2024-04-11 13:39:13 -04:00
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_core_attestation fake_bottle
|
|
|
|
|
end.to raise_error(described_class::InvalidAttestationError)
|
2024-04-10 17:57:01 -04:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
