def test_verify_docker_image_sha_missing(chain, build_link, decision_link,
docker_image_link):
chain.links = [build_link, decision_link, docker_image_link]
# missing built sha
docker_image_link.cot['artifacts']['path/image']['sha256'] = None
with pytest.raises(CoTError):
cotverify.verify_docker_image_sha(chain, build_link)
def test_verify_docker_image_sha_wrong_built_sha(chain, build_link,
decision_link,
docker_image_link):
chain.links = [build_link, decision_link, docker_image_link]
docker_image_link.cot['artifacts']['path/image']['sha256'] = "wrong_sha"
with pytest.raises(CoTError):
cotverify.verify_docker_image_sha(chain, build_link)
def test_verify_docker_image_sha_bad_allowlist(chain, build_link,
decision_link,
docker_image_link):
chain.links = [build_link, decision_link, docker_image_link]
# wrong docker hub sha
decision_link.cot['environment']['imageHash'] = "sha256:not_allowlisted"
with pytest.raises(CoTError):
cotverify.verify_docker_image_sha(chain, decision_link)
def test_verify_docker_image_sha(chain, build_link, decision_link,
docker_image_link):
chain.links = [build_link, decision_link, docker_image_link]
for link in chain.links:
cotverify.verify_docker_image_sha(chain, link)
# cover action == decision case
decision_link.task_type = 'action'
cotverify.verify_docker_image_sha(chain, decision_link)
def test_verify_docker_image_sha_wrong_task_id(chain, build_link,
decision_link,
docker_image_link):
chain.links = [build_link, decision_link, docker_image_link]
# wrong task id
build_link.task['extra']['chainOfTrust']['inputs'][
'docker-image'] = "wrong_task_id"
with pytest.raises(CoTError):
cotverify.verify_docker_image_sha(chain, build_link)
def test_verify_docker_image_sha(chain, build_link, decision_link,
docker_image_link):
chain.links = [build_link, decision_link, docker_image_link]
for link in chain.links:
cotverify.verify_docker_image_sha(chain, link)
