chore: add notation-trust-policy e2e test
Signed-off-by: Shahram Kalantari <[email protected]>
shahramk64 committed Dec 27, 2024
1 parent fbf3a90 commit 70ab92e
Showing 1 changed file with 78 additions and 0 deletions.
78 changes: 78 additions & 0 deletions test/bats/base-test.bats
@@ -57,6 +57,84 @@ RATIFY_NAMESPACE=gatekeeper-system
assert_failure
}

@test "test rendering notation verifier with modified trust policies settings" {
teardown() {
echo "cleaning up"
rm -f notation-file1.crt
rm -f notation-file2.crt
rm -f notation-file3.crt
}

touch notation-file1.crt
echo "fake cert 1" > notation-file1.crt
touch notation-file2.crt
echo "fake cert 2" > notation-file2.crt
touch notation-file2.crt
echo "fake cert 3" > notation-file3.crt

# Capture Helm template output
rendered=$(helm template multiple-trust-policies ./charts/ratify \
--set featureFlags.RATIFY_CERT_ROTATION=true \
--set-file notationCerts[0]="notation-file1.crt" \
--set-file notationCerts[1]="notation-file2.crt" \
--set-file notationCerts[2]="notation-file3.crt" \
--set notation.trustPolicies[0].registryScopes[0]="registry1.azurecr.io/" \
--set notation.trustPolicies[0].trustedIdentities[0]="cert identity 1" \
--set notation.trustPolicies[0].trustStores[0]=ca:notationCerts[0] \
--set notation.trustPolicies[0].trustStores[1]=tsa:notationCerts[1] \
--set notation.trustPolicies[0].trustStores[2]=signingAuthority:notationCerts[2] \
--set notation.trustPolicies[1].registryScopes[0]="registry2.azurecr.io/" \
--set notation.trustPolicies[1].trustedIdentities[0]="cert identity 2" \
--set notation.trustPolicies[1].trustStores[0]=ca:notationCerts[1])

assert_success

# Extract the verifier-notation specific section
verifier_notation_output=$(echo "$rendered" | awk '/# Source: ratify\/templates\/verifier.yaml/,/^[^ ]/')

# the expected partial output
expected_verifier_notation=$(cat <<EOF
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
name: verifier-notation
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-weight: "5"
spec:
name: notation
version: 1.0.0
artifactTypes: application/vnd.cncf.notary.signature
parameters:
verificationCertStores:
certs:
- test-ratify-notation-inline-cert-0
trustPolicyDoc:
version: "1.0"
trustPolicies:
- name: default
registryScopes:
- "*"
signatureVerification:
level: strict
trustStores:
- ca:certs
trustedIdentities:
- "*"
EOF
)

# Assert that the rendered Helm output contains the expected section
[[ "$rendered" == *"$expected_verifier_notation"* ]] || {
echo "Rendered output does not contain the expected verifier-notation section."
echo "Rendered output:"
echo "$rendered"
echo "Expected section:"
echo "$expected_verifier_notation"
return 1
}
}

@test "crd version test" {
run kubectl delete verifiers.config.ratify.deislabs.io/verifier-notation
assert_success
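Review bot: The final assertion checks for the chart's default policy — a single entry with `registryScopes: - "*"`, `trustedIdentities: - "*"` and `trustStores: - ca:certs` — even though the `helm template` call sets two registry-scoped policies with `ca:`, `tsa:` and `signingAuthority:` stores over three certs, so the test cannot tell whether the supplied trust policies were rendered or silently dropped in favour of the wildcard default, which is exactly the regression that would let any signer's signature pass verification. If the intent is to verify the overrides, the expected document should spell out the `registry1.azurecr.io/` and `registry2.azurecr.io/` policies with their identities and stores (and the cert names the release name `multiple-trust-policies` actually produces, which I would not expect to be `test-ratify-notation-inline-cert-0`); if the chart is expected to ignore them, a comment stating that would help. The `assert_success` after the `rendered=$(helm template …)` assignment also does not check that command, because bats-assert reads `$status` only from a preceding `run`; wrap it as `run helm template multiple-trust-policies ./charts/ratify …` and then take `rendered="$output"`. Separately, `verifier_notation_output` extracted with awk is never used (the check reads `$rendered`), and the second `touch notation-file2.crt` was presumably meant to be `touch notation-file3.crt`, though the `echo >` on the next line creates the file regardless.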