From 430c9fc6774d220c1059a5879af5d58c26b2234e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Thu, 17 Sep 2020 15:32:43 +0200
Subject: [PATCH] Improve testing of PolicyReferenceMatch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Differentiate testPossiblyInvalidImageAndSig and testImageAndSig, so that we don't silently skip cases where we don't expect the imageRef to be invalid. Should not change behavior.

Signed-off-by: Miloslav Trmač
---
 signature/policy_reference_match_test.go | 31 ++++++++++++++++--------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/signature/policy_reference_match_test.go b/signature/policy_reference_match_test.go
index 6101691186..1a51c839fc 100644
--- a/signature/policy_reference_match_test.go
+++ b/signature/policy_reference_match_test.go
@@ -200,18 +200,29 @@ func testImageAndSig(t *testing.T, prm PolicyReferenceMatch, imageRef, sigRef st
 // This assumes that all ways to obtain a reference.Named perform equivalent validation,
 // and therefore values refused by reference.ParseNormalizedNamed can not happen in practice.
 parsedImageRef, err := reference.ParseNormalizedNamed(imageRef)
+ require.NoError(t, err)
+ res := prm.matchesDockerReference(refImageMock{parsedImageRef}, sigRef)
+ assert.Equal(t, result, res, fmt.Sprintf("%s vs. %s", imageRef, sigRef))
+}
+
+// testPossiblyInvalidImageAndSig is a variant of testImageAndSig
+// that does not fail if the imageRef is invalid (which should never happen in practice,
+// but makes testing of symmetrical properties using shared tables easier)
+func testPossiblyInvalidImageAndSig(t *testing.T, prm PolicyReferenceMatch, imageRef, sigRef string, result bool) {
+ // This assumes that all ways to obtain a reference.Named perform equivalent validation,
+ // and therefore values refused by reference.ParseNormalizedNamed can not happen in practice.
+ _, err := reference.ParseNormalizedNamed(imageRef)
 if err != nil {
 return
 }
- res := prm.matchesDockerReference(refImageMock{parsedImageRef}, sigRef)
- assert.Equal(t, result, res, fmt.Sprintf("%s vs. %s", imageRef, sigRef))
+ testImageAndSig(t, prm, imageRef, sigRef, result)
 }
 
 func TestPRMMatchExactMatchesDockerReference(t *testing.T) {
 prm := NewPRMMatchExact()
 for _, test := range prmExactMatchTestTable {
- testImageAndSig(t, prm, test.refA, test.refB, test.result)
- testImageAndSig(t, prm, test.refB, test.refA, test.result)
+ testPossiblyInvalidImageAndSig(t, prm, test.refA, test.refB, test.result)
+ testPossiblyInvalidImageAndSig(t, prm, test.refB, test.refA, test.result)
 }
 // Even if they are signed with an empty string as a reference, unidentified images are rejected.
 res := prm.matchesDockerReference(refImageMock{nil}, "")
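Review bot: testPossiblyInvalidImageAndSig still returns without a trace when reference.ParseNormalizedNamed rejects imageRef, so a table entry that is invalid only because of a typo is skipped in that direction and the matcher is never run against it. These tables pin which signed references a policy accepts or rejects, so a skipped rejection case is coverage lost without anyone noticing; recording the skip, e.g. `t.Logf("skipping invalid imageRef %q: %v", imageRef, err)` before the `return`, would make it visible under `go test -v`. The copied "This assumes…" comment explains the parse in testImageAndSig rather than why the wrapper skips, so it could be replaced with something like `// Parse only to decide whether to skip; testImageAndSig parses again and asserts.` The same helper is now used at every table-driven call site in the later hunks (TestPMMMatchRepoDigestOrExactMatchesDockerReference and TestPRMMatchRepositoryMatchesDockerReference), so the point applies there too. testImageAndSig's opening line and the end of TestPRMMatchExactMatchesDockerReference lie outside this hunk.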
@@ -225,15 +236,15 @@ func TestPMMMatchRepoDigestOrExactMatchesDockerReference(t *testing.T) {
 // It accepts anything prmMatchExact accepts,…
 for _, test := range prmExactMatchTestTable {
 if test.result == true {
- testImageAndSig(t, prm, test.refA, test.refB, test.result)
- testImageAndSig(t, prm, test.refB, test.refA, test.result)
+ testPossiblyInvalidImageAndSig(t, prm, test.refA, test.refB, test.result)
+ testPossiblyInvalidImageAndSig(t, prm, test.refB, test.refA, test.result)
 }
 }
 // … and it rejects everything prmMatchRepository rejects.
 for _, test := range prmRepositoryMatchTestTable {
 if test.result == false {
- testImageAndSig(t, prm, test.refA, test.refB, test.result)
- testImageAndSig(t, prm, test.refB, test.refA, test.result)
+ testPossiblyInvalidImageAndSig(t, prm, test.refA, test.refB, test.result)
+ testPossiblyInvalidImageAndSig(t, prm, test.refB, test.refA, test.result)
 }
 }
 
@@ -275,8 +286,8 @@ func TestPMMMatchRepoDigestOrExactMatchesDockerReference(t *testing.T) {
 func TestPRMMatchRepositoryMatchesDockerReference(t *testing.T) {
 prm := NewPRMMatchRepository()
 for _, test := range prmRepositoryMatchTestTable {
- testImageAndSig(t, prm, test.refA, test.refB, test.result)
- testImageAndSig(t, prm, test.refB, test.refA, test.result)
+ testPossiblyInvalidImageAndSig(t, prm, test.refA, test.refB, test.result)
+ testPossiblyInvalidImageAndSig(t, prm, test.refB, test.refA, test.result)
 }
 // Even if they are signed with an empty string as a reference, unidentified images are rejected.
 res := prm.matchesDockerReference(refImageMock{nil}, "")