almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-05-04 12:41:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

(WIP) some more tests

Browse source
This commit is contained in:
Alexis Métaireau 2025-02-13 19:12:25 +01:00
parent a540fc5b08
commit 0f2d81dbd6
No known key found for this signature in database
GPG key ID: C65C7A89A8FFC56E
3 changed files with 48 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
dangerzone/updater/signatures.py
View file

@ -401,8 +401,7 @@ def get_remote_signatures(image: str, digest: str) -> List[Dict]:
# Remove the last return, split on newlines, convert from JSON # Remove the last return, split on newlines, convert from JSON
signatures_raw = process.stdout.decode("utf-8").strip().split("\n") signatures_raw = process.stdout.decode("utf-8").strip().split("\n")
signatures = list(map(json.loads, signatures_raw)) signatures = list(filter(bool, map(json.loads, signatures_raw)))
breakpoint()
if len(signatures) < 1: if len(signatures) < 1:
raise errors.NoRemoteSignatures("No signatures found for the image") raise errors.NoRemoteSignatures("No signatures found for the image")
return signatures return signatures

12
tests/conftest.py
View file

@ -13,6 +13,13 @@ from dangerzone.gui import Application
sys.dangerzone_dev = True # type: ignore[attr-defined] sys.dangerzone_dev = True # type: ignore[attr-defined]
ASSETS_PATH = Path(__file__).parent / "assets"
TEST_PUBKEY_PATH = ASSETS_PATH / "test.pub.key"
INVALID_SIGNATURES_PATH = ASSETS_PATH / "signatures" / "invalid"
VALID_SIGNATURES_PATH = ASSETS_PATH / "signatures" / "valid"
TEMPERED_SIGNATURES_PATH = ASSETS_PATH / "signatures" / "tempered"
# Use this fixture to make `pytest-qt` invoke our custom QApplication. # Use this fixture to make `pytest-qt` invoke our custom QApplication.
# See https://pytest-qt.readthedocs.io/en/latest/qapplication.html#testing-custom-qapplications # See https://pytest-qt.readthedocs.io/en/latest/qapplication.html#testing-custom-qapplications
@pytest.fixture(scope="session") @pytest.fixture(scope="session")
@ -133,6 +140,11 @@ for_each_doc = pytest.mark.parametrize(
) )
@pytest.fixture
def signature():
return {}
# External Docs - base64 docs encoded for externally sourced documents # External Docs - base64 docs encoded for externally sourced documents
# XXX to reduce the chance of accidentally opening them # XXX to reduce the chance of accidentally opening them
test_docs_external_dir = Path(__file__).parent.joinpath(SAMPLE_EXTERNAL_DIRECTORY) test_docs_external_dir = Path(__file__).parent.joinpath(SAMPLE_EXTERNAL_DIRECTORY)

53
tests/test_signatures.py
View file

@ -28,6 +28,21 @@ VALID_SIGNATURES_PATH = ASSETS_PATH / "signatures" / "valid"
TEMPERED_SIGNATURES_PATH = ASSETS_PATH / "signatures" / "tempered" TEMPERED_SIGNATURES_PATH = ASSETS_PATH / "signatures" / "tempered"
@pytest.fixture
def valid_signature():
signature_file = next(VALID_SIGNATURES_PATH.glob("**/*.json"))
with open(signature_file, "r") as signature_file:
signatures = json.load(signature_file)
return signatures.pop()
@pytest.fixture
def signature_other_digest(valid_signature):
signature = valid_signature.copy()
signature["Bundle"]["Payload"]["digest"] = "sha256:123456"
return signature
def test_load_valid_signatures(mocker): def test_load_valid_signatures(mocker):
mocker.patch("dangerzone.updater.signatures.SIGNATURES_PATH", VALID_SIGNATURES_PATH) mocker.patch("dangerzone.updater.signatures.SIGNATURES_PATH", VALID_SIGNATURES_PATH)
valid_signatures = list(VALID_SIGNATURES_PATH.glob("**/*.json")) valid_signatures = list(VALID_SIGNATURES_PATH.glob("**/*.json"))
@ -163,29 +178,30 @@ def test_get_remote_signatures_empty(fp: FakeProcess, mocker):
mocker.patch("dangerzone.updater.cosign.ensure_installed", return_value=True) mocker.patch("dangerzone.updater.cosign.ensure_installed", return_value=True)
fp.register_subprocess( fp.register_subprocess(
["cosign", "download", "signature", f"{image}@sha256:{digest}"], ["cosign", "download", "signature", f"{image}@sha256:{digest}"],
stdout=json.dumps([]), stdout=json.dumps({}),
) )
with pytest.raises(errors.NoRemoteSignatures): with pytest.raises(errors.NoRemoteSignatures):
get_remote_signatures(image, digest) get_remote_signatures(image, digest)
def test_get_remote_signatures_cosign_error(): def test_get_remote_signatures_cosign_error(mocker, fp: FakeProcess):
pass image = "ghcr.io/freedomofpress/dangerzone/dangerzone"
digest = "123456"
mocker.patch("dangerzone.updater.cosign.ensure_installed", return_value=True)
fp.register_subprocess(
["cosign", "download", "signature", f"{image}@sha256:{digest}"],
returncode=1,
stderr="Error: no signatures associated",
)
with pytest.raises(errors.NoRemoteSignatures):
get_remote_signatures(image, digest)
def test_verify_local_image_no_signatures(): def test_store_signatures_with_different_digests(
pass valid_signature, signature_other_digest
):
signatures = [valid_signature, signature_other_digest]
def test_verify_local_image_invalid_signatures(): breakpoint()
pass
def test_verify_local_image():
pass
def test_store_signatures_with_different_digests():
pass pass
@ -217,5 +233,6 @@ def test_verify_signature_wrong_payload_digest():
pass pass
def test_verify_signatures_not_0(): def test_verify_signatures_empty_list():
pass with pytest.raises(errors.SignatureVerificationError):
verify_signatures([], "1234", TEST_PUBKEY_PATH)