def test_construct_operator_item_claim_messages(
    mock_quay_client,
    mock_uuid,
    mock_datetime,
    mock_encode,
    target_settings,
    operator_signing_push_item,
    signing_manifest_list_data,
):
    """Check the claim messages built for an operator index image.

    UUIDs, the timestamp and the encoder are mocked so the generated
    messages are deterministic and can be compared with the stored
    expectation file.
    """
    # Deterministic stand-ins for ids, creation time and encoding.
    mock_uuid.side_effect = range(100)
    mock_datetime.utcnow.return_value.isoformat.return_value = "2021-03-19T14:45:23.128632"
    mock_encode.return_value = b"some-encode"

    # The Quay client hands back the manifest list fixture.
    manifest_getter = mock.MagicMock(return_value=signing_manifest_list_data)
    mock_quay_client.return_value.get_manifest = manifest_getter

    handler = signature_handler.OperatorSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target"
    )
    produced = handler.construct_index_image_claim_messages(
        operator_signing_push_item, ["v4.5"], ["key1", "key2"]
    )

    expected_path = "tests/test_data/test_expected_operator_claim_messages.json"
    with open(expected_path, "r") as expected_file:
        expected = json.load(expected_file)

    # The claims must match the reviewed expectation exactly: the claim is
    # what gets signed, so any drift in its content matters.
    assert produced == expected
    manifest_getter.assert_called_once()
    # NOTE(review): eight UUIDs are drawn; presumably one per generated
    # claim message - confirm against the expectation file.
    assert mock_uuid.call_count == 8
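def test_sign_task_index_image(
    mock_quay_client,
    mock_construct_index_claim_msgs,
    mock_get_radas_signatures,
    mock_validate_radas_msgs,
    mock_upload_signatures_to_pyxis,
    target_settings,
):
    """Check that signing one index image runs every signing step.

    Claim messages are constructed for the image and its tags, signatures
    are requested for those messages, the signatures are validated against
    the messages and uploaded to Pyxis, and the claim messages are returned.
    """
    hub = mock.MagicMock()
    mock_construct_index_claim_msgs.return_value = ["msg1", "msg2"]
    mock_get_radas_signatures.return_value = ["sig1", "sig2"]

    sig_handler = signature_handler.OperatorSignatureHandler(
        hub, "1", target_settings, "some-target"
    )
    claims = sig_handler.sign_task_index_image(
        ["some-key"], "registry1/namespace/image:1", ["3", "3-stamp"]
    )

    # The image reference, tags and key must reach claim construction
    # unchanged: they determine what is signed and with which key.
    mock_construct_index_claim_msgs.assert_called_once_with(
        "registry1/namespace/image:1", ["3", "3-stamp"], ["some-key"]
    )
    mock_get_radas_signatures.assert_called_once_with(["msg1", "msg2"])
    # NOTE(review): each step is checked for its arguments only; the relative
    # order (validation before upload) is not asserted by this test.
    mock_validate_radas_msgs.assert_called_once_with(
        ["msg1", "msg2"], ["sig1", "sig2"]
    )
    mock_upload_signatures_to_pyxis.assert_called_once_with(
        ["msg1", "msg2"], ["sig1", "sig2"]
    )

    assert claims == ["msg1", "msg2"]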
def test_sign_operator_images_no_signatures(
    mock_quay_client,
    mock_construct_index_claim_msgs,
    mock_get_radas_signatures,
    mock_validate_radas_msgs,
    mock_upload_signatures_to_pyxis,
    target_settings,
):
    """Check that nothing is signed when no claim messages are produced.

    With an empty claim list, no signature request, validation or upload
    may take place.
    """
    mock_construct_index_claim_msgs.return_value = []
    build = IIBRes(
        "registry1/iib-namespace/image:v4.5",
        "registry1/iib-namespace/image@sha256:a1a1a1",
        ["v4.5-1"],
    )
    iib_results = {"v4.5": {"iib_result": build, "signing_keys": [None]}}

    handler = signature_handler.OperatorSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target"
    )
    handler.sign_operator_images(iib_results, "stamp")

    # Claim construction is still invoked once, with the None key passed on.
    mock_construct_index_claim_msgs.assert_called_once_with(
        "quay.io/iib-namespace/iib:v4.5-1", ["v4.5", "v4.5-stamp"], [None]
    )
    # No claims means no downstream signing activity at all.
    for downstream_step in (
        mock_get_radas_signatures,
        mock_validate_radas_msgs,
        mock_upload_signatures_to_pyxis,
    ):
        downstream_step.assert_not_called()
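def test_sign_task_index_image(
    mock_quay_api_client,
    mock_quay_client,
    mock_construct_index_claim_msgs,
    mock_get_radas_signatures,
    mock_validate_radas_msgs,
    mock_upload_signatures_to_pyxis,
    target_settings,
):
    """Check that signing one index image runs every signing step.

    Claim messages are constructed for the image and tag, signatures are
    requested for those messages, and the signatures are validated against
    the messages and uploaded to Pyxis.
    """
    hub = mock.MagicMock()
    mock_construct_index_claim_msgs.return_value = ["msg1", "msg2"]
    mock_get_radas_signatures.return_value = ["sig1", "sig2"]

    sig_handler = signature_handler.OperatorSignatureHandler(
        hub, "1", target_settings, "some-target"
    )
    sig_handler.sign_task_index_image(["some-key"], "registry1/namespace/image:1", "3")

    # The image reference, tag and key must reach claim construction
    # unchanged: they determine what is signed and with which key.
    mock_construct_index_claim_msgs.assert_called_once_with(
        "registry1/namespace/image:1", "3", ["some-key"]
    )
    mock_get_radas_signatures.assert_called_once_with(["msg1", "msg2"])
    # NOTE(review): each step is checked for its arguments only; the relative
    # order (validation before upload) is not asserted by this test.
    mock_validate_radas_msgs.assert_called_once_with(["msg1", "msg2"], ["sig1", "sig2"])
    # The trailing 100 is forwarded to the upload step; its meaning is not
    # visible from this test.
    mock_upload_signatures_to_pyxis.assert_called_once_with(["msg1", "msg2"], ["sig1", "sig2"], 100)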
def test_sign_operator_images(
    mock_quay_client,
    mock_construct_index_claim_msgs,
    mock_get_radas_signatures,
    mock_validate_radas_msgs,
    mock_upload_signatures_to_pyxis,
    target_settings,
):
    """Check that claims from several index images are signed as one batch.

    Two IIB results (v4.5 and v4.6) each yield two claim messages. The test
    expects one signature request, one validation and one upload, each
    covering all four messages.
    """
    hub = mock.MagicMock()
    # One list of claim messages per index image, returned in call order.
    mock_construct_index_claim_msgs.side_effect = [["msg1", "msg2"],
                                                   ["msg3", "msg4"]]
    mock_get_radas_signatures.return_value = ["sig1", "sig2", "sig3", "sig4"]
    iib_results = {
        "v4.5": {
            "iib_result":
            IIBRes(
                "registry1/iib-namespace/image:v4.5",
                "registry1/iib-namespace/image@sha256:a1a1a1",
                ["v4.5-1"],
            ),
            "signing_keys": ["key1"],
        },
        "v4.6": {
            "iib_result":
            IIBRes(
                "registry1/iib-namespace/image:v4.6",
                "registry1/iib-namespace/image@sha256:b2b2b2",
                ["v4.6-1"],
            ),
            "signing_keys": ["key2"],
        },
    }

    sig_handler = signature_handler.OperatorSignatureHandler(
        hub, "1", target_settings, "some-target")
    sig_handler.sign_operator_images(iib_results, "stamp-tag")
    assert mock_construct_index_claim_msgs.call_count == 2
    # NOTE(review): the next two statements are bare comparisons without
    # `assert`; their results are discarded, so the image reference, tags and
    # signing key handed to claim construction are not verified by this test.
    # Both also index call_args_list[0], and the expected four-argument shape
    # differs from the three-argument call asserted in
    # test_sign_operator_images_no_signatures. Confirm the intended values
    # before turning them into assertions.
    mock_construct_index_claim_msgs.call_args_list[0] == mock.call(
        "quay.io/iib-namespace/iib@sha256:a1a1a1", "v4.5", "v4.5-stamp-tag",
        ["key1"])
    mock_construct_index_claim_msgs.call_args_list[0] == mock.call(
        "quay.io/iib-namespace/iib@sha256:b2b2b2", "v4.6", "v4.6-stamp-tag",
        ["key2"])
    # All four claim messages go out in a single signature request.
    mock_get_radas_signatures.assert_called_once_with(
        ["msg1", "msg2", "msg3", "msg4"])
    # Validation and upload each receive the full message and signature lists.
    mock_validate_radas_msgs.assert_called_once_with(
        ["msg1", "msg2", "msg3", "msg4"], ["sig1", "sig2", "sig3", "sig4"])
    mock_upload_signatures_to_pyxis.assert_called_once_with(
        ["msg1", "msg2", "msg3", "msg4"], ["sig1", "sig2", "sig3", "sig4"])
def test_construct_operator_item_claim_messages_none_signing_key(
    mock_quay_client,
    target_settings,
    operator_signing_push_item,
    signing_manifest_list_data,
):
    """Check that a ``None`` signing key produces no claim messages."""
    # The Quay client hands back the manifest list fixture.
    manifest_getter = mock.MagicMock(return_value=signing_manifest_list_data)
    mock_quay_client.return_value.get_manifest = manifest_getter

    handler = signature_handler.OperatorSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target"
    )
    produced = handler.construct_index_image_claim_messages(
        operator_signing_push_item, ["v4.5", "v4.5-stamp"], [None]
    )

    # Without a real key there is nothing to request a signature for.
    assert produced == []
def test_sign_operator_images_not_allowed(
    mock_quay_client,
    mock_construct_index_claim_msgs,
    mock_get_radas_signatures,
    mock_validate_radas_msgs,
    mock_upload_signatures_to_pyxis,
    target_settings,
):
    """Check that signing is skipped entirely when the target disables it.

    With ``docker_container_signing_enabled`` set to False, no claim is
    constructed and no signature is requested, validated or uploaded.
    """
    docker_settings = target_settings["docker_settings"]
    docker_settings["docker_container_signing_enabled"] = False

    handler = signature_handler.OperatorSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target"
    )
    # The payload is a placeholder; the test expects no signing step to run.
    handler.sign_operator_images({"nothing": "here"}, "stamp-tag")

    for signing_step in (
        mock_construct_index_claim_msgs,
        mock_get_radas_signatures,
        mock_validate_radas_msgs,
        mock_upload_signatures_to_pyxis,
    ):
        signing_step.assert_not_called()
def test_sign_task_index_image_no_signatures(
    mock_quay_client,
    mock_construct_index_claim_msgs,
    mock_get_radas_signatures,
    mock_validate_radas_msgs,
    mock_upload_signatures_to_pyxis,
    target_settings,
):
    """Check that an index image with no claim messages is not signed.

    With an empty claim list, no signature request, validation or upload
    may take place.
    """
    mock_construct_index_claim_msgs.return_value = []

    handler = signature_handler.OperatorSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target"
    )
    handler.sign_task_index_image(
        [None], "registry1/namespace/image:1", ["3", "3-stamp"]
    )

    # Claim construction is still invoked once, with the None key passed on.
    mock_construct_index_claim_msgs.assert_called_once_with(
        "registry1/namespace/image:1", ["3", "3-stamp"], [None]
    )
    # No claims means no downstream signing activity at all.
    for downstream_step in (
        mock_get_radas_signatures,
        mock_validate_radas_msgs,
        mock_upload_signatures_to_pyxis,
    ):
        downstream_step.assert_not_called()
def test_sign_operator_images(
    mock_quay_api_client,
    mock_quay_client,
    mock_construct_index_claim_msgs,
    mock_get_radas_signatures,
    mock_validate_radas_msgs,
    mock_upload_signatures_to_pyxis,
    target_settings,
):
    """Check that claims from several index images are signed as one batch.

    Two IIB results each yield two claim messages. The test expects one
    signature request, one validation and one upload, each covering all
    four messages.
    """

    class IIBRes:
        """Minimal stand-in exposing only ``index_image_resolved``."""

        def __init__(self, index_image_resolved):
            self.index_image_resolved = index_image_resolved

    # One list of claim messages per index image, returned in call order.
    mock_construct_index_claim_msgs.side_effect = [["msg1", "msg2"], ["msg3", "msg4"]]
    mock_get_radas_signatures.return_value = ["sig1", "sig2", "sig3", "sig4"]

    iib_results = {
        version: {"iib_result": IIBRes(image), "signing_keys": [key]}
        for version, image, key in (
            ("v4.5", "registry1/namespace/image:1", "key1"),
            ("v4.6", "registry1/namespace/image:2", "key2"),
        )
    }

    handler = signature_handler.OperatorSignatureHandler(
        mock.MagicMock(), "1", target_settings
    )
    handler.sign_operator_images(iib_results)

    # NOTE(review): only the number of claim-construction calls is checked;
    # the image reference and key passed to each call are not asserted.
    assert mock_construct_index_claim_msgs.call_count == 2
    mock_get_radas_signatures.assert_called_once_with(["msg1", "msg2", "msg3", "msg4"])
    mock_validate_radas_msgs.assert_called_once_with(
        ["msg1", "msg2", "msg3", "msg4"], ["sig1", "sig2", "sig3", "sig4"]
    )
    # The trailing 100 is forwarded to the upload step; its meaning is not
    # visible from this test.
    mock_upload_signatures_to_pyxis.assert_called_once_with(
        ["msg1", "msg2", "msg3", "msg4"], ["sig1", "sig2", "sig3", "sig4"], 100
    )