test: add more unit tests for eval policy

Signed-off-by: hectorj2f <[email protected]>
sigstore · Apr 25, 2022 · 7a87d68 · 7a87d68
1 parent a40d5be
commit 7a87d68
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/pkg/cosign/kubernetes/webhook/validator_test.go b/pkg/cosign/kubernetes/webhook/validator_test.go
@@ -381,10 +381,10 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 		want: func() *apis.FieldError {
 			var errs *apis.FieldError
 			fe := apis.ErrGeneric("failed policy: cluster-image-policy-keyless", "image").ViaFieldIndex("initContainers", 0)
-			fe.Details = fmt.Sprintf("%s failed evaluating cue policy for ClusterImagePolicy : string literal not terminated", digest.String())
+			fe.Details = fmt.Sprintf("%s failed evaluating cue policy for ClusterImagePolicy : failed to compile the cue policy with error: string literal not terminated", digest.String())
 			errs = errs.Also(fe)
 			fe2 := apis.ErrGeneric("failed policy: cluster-image-policy-keyless", "image").ViaFieldIndex("containers", 0)
-			fe2.Details = fmt.Sprintf("%s failed evaluating cue policy for ClusterImagePolicy : string literal not terminated", digest.String())
+			fe2.Details = fmt.Sprintf("%s failed evaluating cue policy for ClusterImagePolicy : failed to compile the cue policy with error: string literal not terminated", digest.String())
 			errs = errs.Also(fe2)
 			return errs
 		}(),

diff --git a/pkg/policy/eval_test.go b/pkg/policy/eval_test.go
@@ -138,7 +138,31 @@ func TestEvalPolicy(t *testing.T) {
 			signatures: list.MaxItems(1) & list.MinItems(1)
 		  },
 		  keylessatt: {
-			attestations: struct.MinFields(2) & struct.MaxFields(2)
+			attestations: struct.MaxFields(1) & struct.MinFields(1)
+		  },
+		  keylesssignature: {
+			signatures: list.MaxItems(1) & list.MinItems(1)
+		  }
+		}`,
+	}, {
+		name:       "cluster image policy main policy, fails",
+		json:       cipAttestation,
+		policyType: "cue",
+		wantErr:    true,
+		wantErrSub: `failed evaluating cue policy for cluster image policy main policy, fails : failed to evaluate the policy with error: authorityMatches.keylessattMinAttestations: conflicting values 2 and "Error" (mismatched types int and string)`,
+		policyFile: `package sigstore
+		import "struct"
+		import "list"
+		authorityMatches: {
+		  keyatt: {
+			attestations: struct.MaxFields(1) & struct.MinFields(1)
+		  },
+		  keysignature: {
+			signatures: list.MaxItems(1) & list.MinItems(1)
+		  },
+		  if( len(authorityMatches.keylessatt.attestations) < 2) {
+			keylessattMinAttestations: 2
+			keylessattMinAttestations: "Error"
 		  },
 		  keylesssignature: {
 			signatures: list.MaxItems(1) & list.MinItems(1)

diff --git a/test/e2e_test_cluster_image_policy_with_attestations.sh b/test/e2e_test_cluster_image_policy_with_attestations.sh
@@ -214,7 +214,7 @@ echo '::endgroup::'
 # The CIP policy is the one that should fail now because it doesn't have enough
 # attestations
 echo '::group:: test job rejection'
-expected_error='no matching attestations'
+expected_error='failed to evaluate the policy with error: authorityMatches.keylessattMinAttestations'
 assert_error ${expected_error}
 echo '::endgroup::'