tests

pkg/reconciler/pipelinerun/pipelinerun_test.go

@@ -10733,7 +10733,90 @@ spec:
 	}
 }
 
-func TestReconcile_verifyResolvedPipeline(t *testing.T) {
+func TestReconcile_verifyResolvedPipeline_Success(t *testing.T) {
+	names.TestingSeed()
+	ctx := context.Background()
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	prs := parse.MustParsePipelineRun(t, `
+metadata:
+  name: test-pipelinerun
+  namespace: foo
+  selfLink: /pipeline/1234
+spec:
+  pipelineRef:
+    name: test-pipeline
+`)
+	ps := parse.MustParsePipeline(t, `
+metadata:
+  name: test-pipeline
+  namespace: foo
+spec:
+  tasks:
+    - name: test-1
+      taskRef:
+        name: test-task
+`)
+	ts := parse.MustParseTask(t, `
+metadata:
+  name: test-task
+  namespace: foo
+spec:
+  steps:
+    - name: simple-step
+      image: foo
+      command: ["/mycmd"]
+      env:
+       - name: foo
+         value: bar
+`)
+
+	signer, secretpath, err := test.GetSignerFromFile(ctx, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	signedTask, err := test.GetSignedTask(ts, signer, "test-task")
+	if err != nil {
+		t.Fatal("fail to sign task", err)
+	}
+	signedPipeline, err := test.GetSignedPipeline(ps, signer, "test-pipeline")
+	if err != nil {
+		t.Fatal("fail to sign pipeline", err)
+	}
+
+	cms := []*corev1.ConfigMap{
+		{
+			ObjectMeta: metav1.ObjectMeta{Name: config.GetFeatureFlagsConfigName(), Namespace: system.Namespace()},
+			Data: map[string]string{
+				"resource-verification-mode": "enforce",
+			},
+		},
+		{
+			ObjectMeta: metav1.ObjectMeta{Name: config.GetTrustedResourcesConfigName(), Namespace: system.Namespace()},
+			Data: map[string]string{
+				config.PublicKeys: secretpath,
+			},
+		},
+	}
+	t.Logf("config maps: %s", cms)
+
+	d := test.Data{
+		PipelineRuns: []*v1beta1.PipelineRun{prs},
+		Pipelines:    []*v1beta1.Pipeline{signedPipeline},
+		Tasks:        []*v1beta1.Task{signedTask},
+		ConfigMaps:   cms,
+	}
+	prt := newPipelineRunTest(d, t)
+	defer prt.Cancel()
+
+	reconciledRun, _ := prt.reconcileRun("foo", "test-pipelinerun", []string{}, false)
+
+	checkPipelineRunConditionStatusAndReason(t, reconciledRun, corev1.ConditionUnknown, v1beta1.PipelineRunReasonRunning.String())
+
+}
+
+func TestReconcile_verifyResolvedPipeline_Error(t *testing.T) {
 	names.TestingSeed()
 	ctx := context.Background()
 	ctx, cancel := context.WithCancel(ctx)
@@ -10814,57 +10897,33 @@ spec:
 	t.Logf("config maps: %s", cms)
 
 	testCases := []struct {
-		name            string
-		pipelinerun     []*v1beta1.PipelineRun
-		pipeline        []*v1beta1.Pipeline
-		task            []*v1beta1.Task
-		pernamentErr    bool
-		conditionStatus corev1.ConditionStatus
-		conditionReason string
+		name        string
+		pipelinerun []*v1beta1.PipelineRun
+		pipeline    []*v1beta1.Pipeline
+		task        []*v1beta1.Task
 	}{
 		{
-			name:            "unsigned pipeline fails verification",
-			pipelinerun:     []*v1beta1.PipelineRun{prs},
-			pipeline:        []*v1beta1.Pipeline{ps},
-			pernamentErr:    true,
-			conditionStatus: corev1.ConditionFalse,
-			conditionReason: ReasonResourceVerificationFailed,
-		},
-		{
-			name:            "signed pipeline passes verification",
-			pipelinerun:     []*v1beta1.PipelineRun{prs},
-			pipeline:        []*v1beta1.Pipeline{signedPipeline},
-			task:            []*v1beta1.Task{signedTask},
-			pernamentErr:    false,
-			conditionStatus: corev1.ConditionUnknown,
-			conditionReason: v1beta1.PipelineRunReasonRunning.String(),
+			name:        "unsigned pipeline fails verification",
+			pipelinerun: []*v1beta1.PipelineRun{prs},
+			pipeline:    []*v1beta1.Pipeline{ps},
 		},
 		{
-			name:            "signed pipeline with unsigned task fails verification",
-			pipelinerun:     []*v1beta1.PipelineRun{prs},
-			pipeline:        []*v1beta1.Pipeline{signedPipeline},
-			task:            []*v1beta1.Task{ts},
-			pernamentErr:    true,
-			conditionStatus: corev1.ConditionFalse,
-			conditionReason: ReasonResourceVerificationFailed,
+			name:        "signed pipeline with unsigned task fails verification",
+			pipelinerun: []*v1beta1.PipelineRun{prs},
+			pipeline:    []*v1beta1.Pipeline{signedPipeline},
+			task:        []*v1beta1.Task{ts},
 		},
 		{
-			name:            "signed pipeline with modified task fails verification",
-			pipelinerun:     []*v1beta1.PipelineRun{prs},
-			pipeline:        []*v1beta1.Pipeline{signedPipeline},
-			task:            []*v1beta1.Task{tamperedTask},
-			pernamentErr:    true,
-			conditionStatus: corev1.ConditionFalse,
-			conditionReason: ReasonResourceVerificationFailed,
+			name:        "signed pipeline with modified task fails verification",
+			pipelinerun: []*v1beta1.PipelineRun{prs},
+			pipeline:    []*v1beta1.Pipeline{signedPipeline},
+			task:        []*v1beta1.Task{tamperedTask},
 		},
 		{
-			name:            "modified pipeline with signed task fails verification",
-			pipelinerun:     []*v1beta1.PipelineRun{prs},
-			pipeline:        []*v1beta1.Pipeline{tamperedPipeline},
-			task:            []*v1beta1.Task{signedTask},
-			pernamentErr:    true,
-			conditionStatus: corev1.ConditionFalse,
-			conditionReason: ReasonResourceVerificationFailed,
+			name:        "modified pipeline with signed task fails verification",
+			pipelinerun: []*v1beta1.PipelineRun{prs},
+			pipeline:    []*v1beta1.Pipeline{tamperedPipeline},
+			task:        []*v1beta1.Task{signedTask},
 		},
 	}
 
@@ -10879,9 +10938,9 @@ spec:
 			prt := newPipelineRunTest(d, t)
 			defer prt.Cancel()
 
-			reconciledRun, _ := prt.reconcileRun("foo", "test-pipelinerun", []string{}, tc.pernamentErr)
+			reconciledRun, _ := prt.reconcileRun("foo", "test-pipelinerun", []string{}, true)
 
-			checkPipelineRunConditionStatusAndReason(t, reconciledRun, tc.conditionStatus, tc.conditionReason)
+			checkPipelineRunConditionStatusAndReason(t, reconciledRun, corev1.ConditionFalse, ReasonResourceVerificationFailed)
 		})
 	}
 }