diff --git a/internal/verifier/BUILD b/internal/verifier/BUILD index 4d2593a9..bfd576aa 100644 --- a/internal/verifier/BUILD +++ b/internal/verifier/BUILD @@ -37,6 +37,8 @@ go_test( "//schema/amber-slsa-buildtype/v1:example.json", "//schema/amber-slsa-buildtype/v1:provenance.json", "//testdata:provenance.json", + "//testdata:bad_command_provenance.json", + "//testdata:invalid_hash_provenance.json", ], embed = [":verifier"], deps = ["//internal/testutil"], diff --git a/internal/verifier/verifier_test.go b/internal/verifier/verifier_test.go index 40753678..586a123e 100644 --- a/internal/verifier/verifier_test.go +++ b/internal/verifier/verifier_test.go @@ -16,14 +16,17 @@ package verify import ( "os" + "strings" "testing" "github.com/project-oak/transparent-release/internal/testutil" ) -const examplePath = "testdata/provenance.json" +const validProvenancePath = "testdata/provenance.json" +const invalidHashProvenancePath = "testdata/invalid_hash_provenance.json" +const badCommandProvenancePath = "testdata/bad_command_provenance.json" -func TestReproducibleProvenanceVerifier(t *testing.T) { +func TestReproducibleProvenanceVerifier_validProvenance(t *testing.T) { // The path to provenance is specified relative to the root of the repo, so we need to go one level up. // Get the current directory before that to restore the path at the end of the test. currentDir, err := os.Getwd() @@ -34,11 +37,47 @@ func TestReproducibleProvenanceVerifier(t *testing.T) { testutil.Chdir(t, "../../") verifier := ReproducibleProvenanceVerifier{} - if err := verifier.Verify(examplePath); err != nil { + if err := verifier.Verify(validProvenancePath); err != nil { t.Fatalf("couldn't verify the provenance file: %v", err) } } +func TestReproducibleProvenanceVerifier_invalidHash(t *testing.T) { + // The path to provenance is specified relative to the root of the repo, so we need to go one level up. + // Get the current directory before that to restore the path at the end of the test. + currentDir, err := os.Getwd() + if err != nil { + t.Fatalf("couldn't get current directory: %v", err) + } + defer testutil.Chdir(t, currentDir) + testutil.Chdir(t, "../../") + verifier := ReproducibleProvenanceVerifier{} + + want := "failed to verify the hash of the built binary" + + if err := verifier.Verify(invalidHashProvenancePath); !strings.Contains(err.Error(), want) { + t.Fatalf("want error containing message %q, got %v", want, err) + } +} + +func TestReproducibleProvenanceVerifier_badCommand(t *testing.T) { + // The path to provenance is specified relative to the root of the repo, so we need to go one level up. + // Get the current directory before that to restore the path at the end of the test. + currentDir, err := os.Getwd() + if err != nil { + t.Fatalf("couldn't get current directory: %v", err) + } + defer testutil.Chdir(t, currentDir) + testutil.Chdir(t, "../../") + verifier := ReproducibleProvenanceVerifier{} + + want := "couldn't build the binary" + + if err := verifier.Verify(badCommandProvenancePath); !strings.Contains(err.Error(), want) { + t.Fatalf("want error containing message %q, got %v", want, err) + } +} + func TestAmberProvenanceMetadataVerifier(t *testing.T) { // The path to provenance is specified relative to the root of the repo, so we need to go one level up. // Get the current directory before that to restore the path at the end of the test. @@ -50,7 +89,7 @@ func TestAmberProvenanceMetadataVerifier(t *testing.T) { testutil.Chdir(t, "../../") verifier := AmberProvenanceMetadataVerifier{} - if err := verifier.Verify(examplePath); err != nil { + if err := verifier.Verify(validProvenancePath); err != nil { t.Fatalf("couldn't verify the provenance file: %v", err) } } diff --git a/testdata/BUILD b/testdata/BUILD index 044ce195..e4b8c508 100644 --- a/testdata/BUILD +++ b/testdata/BUILD @@ -21,5 +21,7 @@ licenses(["notice"]) exports_files([ "build.toml", "provenance.json", + "bad_command_provenance.json", + "invalid_hash_provenance.json", "static.txt", ]) diff --git a/testdata/bad_command_provenance.json b/testdata/bad_command_provenance.json new file mode 100644 index 00000000..811f5275 --- /dev/null +++ b/testdata/bad_command_provenance.json @@ -0,0 +1 @@ +{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"test.txt","digest":{"sha256":"322527c0260e25f0e9a2595bd0d71a52294fe2397a7af76165190fd98de8920d"}}],"predicate":{"builder":{"id":""},"buildType":"https://github.com/project-oak/transparent-release/schema/amber-slsa-buildtype/v1/provenance.json","invocation":{"configSource":{}},"buildConfig":{"command":["echo","bad command, with no output!"],"outputPath":"test.txt"},"materials":[{"uri":"bash@sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9","digest":{"sha256":"9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9"}},{"uri":"https://github.com/project-oak/transparent-release","digest":{"sha1":"9b5f98310dbbad675834474fa68c37d880687cb9"}}]}} \ No newline at end of file diff --git a/testdata/invalid_hash_provenance.json b/testdata/invalid_hash_provenance.json new file mode 100644 index 00000000..cc3a59f8 --- /dev/null +++ b/testdata/invalid_hash_provenance.json @@ -0,0 +1 @@ +{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"test.txt","digest":{"sha256":"1234"}}],"predicate":{"builder":{"id":""},"buildType":"https://github.com/project-oak/transparent-release/schema/amber-slsa-buildtype/v1/provenance.json","invocation":{"configSource":{}},"buildConfig":{"command":["cp","testdata/static.txt","test.txt"],"outputPath":"test.txt"},"materials":[{"uri":"bash@sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9","digest":{"sha256":"9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9"}},{"uri":"https://github.com/project-oak/transparent-release","digest":{"sha1":"9b5f98310dbbad675834474fa68c37d880687cb9"}}]}} \ No newline at end of file