Add negative tests for verifier

internal/verifier/BUILD

@@ -37,6 +37,8 @@ go_test(
         "//schema/amber-slsa-buildtype/v1:example.json",
         "//schema/amber-slsa-buildtype/v1:provenance.json",
         "//testdata:provenance.json",
+        "//testdata:bad_command_provenance.json",
+        "//testdata:invalid_hash_provenance.json",
     ],
     embed = [":verifier"],
     deps = ["//internal/testutil"],

internal/verifier/verifier_test.go

@@ -16,14 +16,17 @@ package verify
 
 import (
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/project-oak/transparent-release/internal/testutil"
 )
 
-const examplePath = "testdata/provenance.json"
+const validProvenancePath = "testdata/provenance.json"
+const invalidHashProvenancePath = "testdata/invalid_hash_provenance.json"
+const badCommandProvenancePath = "testdata/bad_command_provenance.json"
 
-func TestReproducibleProvenanceVerifier(t *testing.T) {
+func TestReproducibleProvenanceVerifier_validProvenance(t *testing.T) {
 	// The path to provenance is specified relative to the root of the repo, so we need to go one level up.
 	// Get the current directory before that to restore the path at the end of the test.
 	currentDir, err := os.Getwd()
@@ -34,11 +37,47 @@ func TestReproducibleProvenanceVerifier(t *testing.T) {
 	testutil.Chdir(t, "../../")
 	verifier := ReproducibleProvenanceVerifier{}
 
-	if err := verifier.Verify(examplePath); err != nil {
+	if err := verifier.Verify(validProvenancePath); err != nil {
 		t.Fatalf("couldn't verify the provenance file: %v", err)
 	}
 }
 
+func TestReproducibleProvenanceVerifier_invalidHash(t *testing.T) {
+	// The path to provenance is specified relative to the root of the repo, so we need to go one level up.
+	// Get the current directory before that to restore the path at the end of the test.
+	currentDir, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("couldn't get current directory: %v", err)
+	}
+	defer testutil.Chdir(t, currentDir)
+	testutil.Chdir(t, "../../")
+	verifier := ReproducibleProvenanceVerifier{}
+
+	want := "failed to verify the hash of the built binary"
+
+	if err := verifier.Verify(invalidHashProvenancePath); !strings.Contains(err.Error(), want) {
+		t.Fatalf("want error containing message %q, got %v", want, err)
+	}
+}
+
+func TestReproducibleProvenanceVerifier_badCommand(t *testing.T) {
+	// The path to provenance is specified relative to the root of the repo, so we need to go one level up.
+	// Get the current directory before that to restore the path at the end of the test.
+	currentDir, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("couldn't get current directory: %v", err)
+	}
+	defer testutil.Chdir(t, currentDir)
+	testutil.Chdir(t, "../../")
+	verifier := ReproducibleProvenanceVerifier{}
+
+	want := "couldn't build the binary"
+
+	if err := verifier.Verify(badCommandProvenancePath); !strings.Contains(err.Error(), want) {
+		t.Fatalf("want error containing message %q, got %v", want, err)
+	}
+}
+
 func TestAmberProvenanceMetadataVerifier(t *testing.T) {
 	// The path to provenance is specified relative to the root of the repo, so we need to go one level up.
 	// Get the current directory before that to restore the path at the end of the test.
@@ -50,7 +89,7 @@ func TestAmberProvenanceMetadataVerifier(t *testing.T) {
 	testutil.Chdir(t, "../../")
 	verifier := AmberProvenanceMetadataVerifier{}
 
-	if err := verifier.Verify(examplePath); err != nil {
+	if err := verifier.Verify(validProvenancePath); err != nil {
 		t.Fatalf("couldn't verify the provenance file: %v", err)
 	}
 }

testdata/BUILD

@@ -21,5 +21,7 @@ licenses(["notice"])
 exports_files([
     "build.toml",
     "provenance.json",
+    "bad_command_provenance.json",
+    "invalid_hash_provenance.json",
     "static.txt",
 ])

testdata/bad_command_provenance.json

@@ -0,0 +1 @@
+{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"test.txt","digest":{"sha256":"322527c0260e25f0e9a2595bd0d71a52294fe2397a7af76165190fd98de8920d"}}],"predicate":{"builder":{"id":""},"buildType":"https://github.com/project-oak/transparent-release/schema/amber-slsa-buildtype/v1/provenance.json","invocation":{"configSource":{}},"buildConfig":{"command":["echo","bad command, with no output!"],"outputPath":"test.txt"},"materials":[{"uri":"bash@sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9","digest":{"sha256":"9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9"}},{"uri":"https://github.com/project-oak/transparent-release","digest":{"sha1":"9b5f98310dbbad675834474fa68c37d880687cb9"}}]}}

testdata/invalid_hash_provenance.json

@@ -0,0 +1 @@
+{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"test.txt","digest":{"sha256":"1234"}}],"predicate":{"builder":{"id":""},"buildType":"https://github.com/project-oak/transparent-release/schema/amber-slsa-buildtype/v1/provenance.json","invocation":{"configSource":{}},"buildConfig":{"command":["cp","testdata/static.txt","test.txt"],"outputPath":"test.txt"},"materials":[{"uri":"bash@sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9","digest":{"sha256":"9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9"}},{"uri":"https://github.com/project-oak/transparent-release","digest":{"sha1":"9b5f98310dbbad675834474fa68c37d880687cb9"}}]}}