def test_sign_container_images_no_signatures(
    mock_quay_client,
    mock_construct_claim_msgs,
    mock_remove_duplicate_claim_msgs,
    mock_filter_claim_msgs,
    mock_get_radas_signatures,
    mock_validate_radas_msgs,
    mock_upload_signatures_to_pyxis,
    target_settings,
    container_signing_push_item,
    container_multiarch_push_item,
):
    """Check that signing stops once filtering leaves no claim messages.

    Each of the two push items is stubbed to produce two claim messages.
    The filter step is stubbed to return an empty list, so the test requires
    that no signature is requested, validated, or uploaded afterwards.
    """
    expected_claims = ["msg1", "msg2", "msg3", "msg4"]

    # One return value per push item, in call order.
    mock_construct_claim_msgs.side_effect = [
        ["msg1", "msg2"],
        ["msg3", "msg4"],
    ]
    # Separate list object so the stub's return value is not the list
    # used in the assertions below.
    mock_remove_duplicate_claim_msgs.return_value = list(expected_claims)
    mock_filter_claim_msgs.return_value = []

    handler = signature_handler.ContainerSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target")
    push_items = [container_signing_push_item, container_multiarch_push_item]
    handler.sign_container_images(push_items)

    # Claim construction runs once per push item ...
    assert mock_construct_claim_msgs.call_count == 2
    # ... and the combined messages flow through de-duplication and filtering.
    mock_remove_duplicate_claim_msgs.assert_called_once_with(expected_claims)
    mock_filter_claim_msgs.assert_called_once_with(expected_claims)

    # With nothing left after filtering, the signing pipeline must not run.
    mock_get_radas_signatures.assert_not_called()
    mock_validate_radas_msgs.assert_not_called()
    mock_upload_signatures_to_pyxis.assert_not_called()
def test_remove_duplicate_claim_messages(mock_quay_client, target_settings,
                                         container_signing_push_item):
    """Check that claims differing only in ``request_id`` are de-duplicated.

    Two claim messages with the same key, digest, repo and docker reference
    are passed in; only the first one is expected back.
    """
    handler = signature_handler.ContainerSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target")

    first_claim = {
        "sig_key_id": "some-key",
        "claim_file": "some-encode",
        "pub_task_id": "1",
        "request_id": "0",
        "manifest_digest":
        "sha256:8a3a33cad0bd33650ba7287a7ec94327d8e47ddf7845c569c80b5c4b20d49d36",
        "repo": "some-namespace/target----repo1",
        "image_name": "target/repo1",
        "docker_reference": "some-registry1.com/target/repo1:tag1",
        "created": "2021-03-19T14:45:23.128632Z",
    }
    # Same claim again; only the request id differs.
    second_claim = dict(first_claim, request_id="1")

    deduplicated = handler.remove_duplicate_claim_messages(
        [first_claim, second_claim])

    # The first occurrence is the one that must survive.
    assert deduplicated == [first_claim]
def test_construct_item_claim_messages_ml(
    mock_quay_client,
    mock_get_tagged_digests,
    mock_uuid,
    mock_datetime,
    mock_encode,
    target_settings,
    container_signing_push_item_ml,
):
    """Check the claim messages built for a manifest-list push item.

    Request ids, the encoded claim and the timestamp are stubbed so the
    output is deterministic and can be compared against the stored JSON
    fixture.
    """
    manifest_list_type = (
        "application/vnd.docker.distribution.manifest.list.v2+json")
    tagged_digests = [
        "sha256:8a3a33cad0bd33650ba7287a7ec94327d8e47ddf7845c569c80b5c4b20d49d36",
        "sha256:2e8f38a0a8d2a450598430fa70c7f0b53aeec991e76c3e29c63add599b4ef7ee",
    ]

    # Deterministic replacements for the otherwise random/time-based values.
    mock_uuid.side_effect = range(100)
    mock_encode.return_value = b"some-encode"
    mock_datetime.utcnow.return_value.isoformat.return_value = "2021-03-19T14:45:23.128632"
    mock_get_tagged_digests.return_value = tagged_digests
    mock_quay_client.MANIFEST_LIST_TYPE = manifest_list_type

    handler = signature_handler.ContainerSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target")

    actual_claims = handler.construct_item_claim_messages(
        container_signing_push_item_ml)

    # The path is relative, so it resolves against the current working
    # directory of the test run.
    with open("tests/test_data/test_expected_claim_messages.json", "r") as expected_file:
        expected_claims = json.load(expected_file)

    assert actual_claims == expected_claims
    # Digests are looked up once, for the source image as a manifest list.
    mock_get_tagged_digests.assert_called_once_with(
        "some-registry/src/repo:1", manifest_list_type)
    # presumably one uuid per claim message in the fixture file - confirm
    assert mock_uuid.call_count == 12
def test_construct_item_claim_messages_none_signing_key(
    mock_quay_client,
    target_settings,
    container_signing_push_item,
):
    """Check that a push item without a signing key yields no claim messages.

    NOTE(review): this only pins the empty result. Whether the handler logs
    or otherwise reports that the item was left without signature claims is
    not visible here - confirm against the handler.
    """
    handler = signature_handler.ContainerSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target")

    # Reuse the signing fixture, but strip its key.
    container_signing_push_item.claims_signing_key = None

    produced_claims = handler.construct_item_claim_messages(
        container_signing_push_item)

    assert produced_claims == []
def test_sign_container_images_not_allowed(
    mock_quay_client,
    mock_construct_claim_msgs,
    mock_filter_claim_msgs,
    mock_get_radas_signatures,
    mock_validate_radas_msgs,
    mock_upload_signatures_to_pyxis,
    target_settings,
    container_signing_push_item,
):
    """Check that nothing is signed when signing is disabled in settings.

    With ``docker_container_signing_enabled`` set to False, no step of the
    signing pipeline may be invoked for the push item.
    """
    docker_settings = target_settings["docker_settings"]
    docker_settings["docker_container_signing_enabled"] = False

    handler = signature_handler.ContainerSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target")
    handler.sign_container_images([container_signing_push_item])

    # Every stage, from claim construction to upload, must stay untouched.
    pipeline_stages = (
        mock_construct_claim_msgs,
        mock_filter_claim_msgs,
        mock_get_radas_signatures,
        mock_validate_radas_msgs,
        mock_upload_signatures_to_pyxis,
    )
    for stage in pipeline_stages:
        stage.assert_not_called()
def test_sign_container_images_new_digests_nothing_to_sign(
    mock_quay_client,
    mock_construct_claim_msgs,
    mock_filter_claim_msgs,
    mock_get_radas_signatures,
    mock_validate_radas_msgs,
    mock_upload_signatures_to_pyxis,
    target_settings,
    container_signing_push_item,
):
    """Check that signing new digests with an empty input does nothing.

    An empty list is passed in and the filter step is stubbed to return an
    empty list. The filter is still expected to run once; every other step
    must be skipped and the call must return an empty list.
    """
    mock_filter_claim_msgs.return_value = []

    handler = signature_handler.ContainerSignatureHandler(
        mock.MagicMock(), "1", target_settings, "some-target")
    result = handler.sign_container_images_new_digests([])

    mock_construct_claim_msgs.assert_not_called()
    # Filtering is the only pipeline stage that runs for an empty input.
    mock_filter_claim_msgs.assert_called_once()
    skipped_stages = (
        mock_get_radas_signatures,
        mock_validate_radas_msgs,
        mock_upload_signatures_to_pyxis,
    )
    for stage in skipped_stages:
        stage.assert_not_called()
    assert result == []