diff --git a/__tests__/attest.test.ts b/__tests__/attest.test.ts deleted file mode 100644 index f6e64ff..0000000 --- a/__tests__/attest.test.ts +++ /dev/null @@ -1,195 +0,0 @@ -import { jest } from '@jest/globals' -import type { Descriptor } from '@sigstore/oci' -// Mock functions -const mockGetOctokit = jest.fn() -// eslint-disable-next-line @typescript-eslint/no-explicit-any -const mockAttest = jest.fn<() => Promise>() -const mockCreateStorageRecord = jest.fn<() => Promise>() -const mockGetRegistryCredentials = jest.fn() -const mockAttachArtifactToImage = jest.fn<() => Promise>() - -// Mock @actions/github -jest.unstable_mockModule('@actions/github', () => ({ - getOctokit: mockGetOctokit, - context: { - repo: { owner: 'foo', repo: 'bar' }, - payload: { repository: { visibility: 'private' } } - } -})) - -// Mock @actions/attest -jest.unstable_mockModule('@actions/attest', () => ({ - attest: mockAttest, - createStorageRecord: mockCreateStorageRecord -})) - -// Mock @sigstore/oci -jest.unstable_mockModule('@sigstore/oci', () => ({ - getRegistryCredentials: mockGetRegistryCredentials, - attachArtifactToImage: mockAttachArtifactToImage -})) - -// Dynamic imports after mocking -const { createAttestation, repoOwnerIsOrg } = await import('../src/attest') - -const subjectName = 'ghcr.io/foo/bar' -const subjectDigest = - 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' - -const predicate = { - type: 'https://in-toto.io/attestation/release/v0.1', - params: {} -} - -describe('repoOwnerIsOrg', () => { - beforeEach(() => { - jest.clearAllMocks() - }) - - it('returns true when repo owner is an organization', async () => { - mockGetOctokit.mockReturnValue({ - rest: { - repos: { - get: jest - .fn<() => Promise<{ data: { owner: { type: string } } }>>() - .mockResolvedValue({ - data: { owner: { type: 'Organization' } } - }) - } - } - }) - - const result = await repoOwnerIsOrg('gh-token') - expect(result).toBe(true) - }) - - it('returns false when repo owner is a user', async () => { - mockGetOctokit.mockReturnValue({ - rest: { - repos: { - // eslint-disable-next-line @typescript-eslint/no-explicit-any - get: jest.fn<() => Promise>().mockResolvedValue({ - data: { owner: { type: 'User' } } - }) - } - } - }) - - const result = await repoOwnerIsOrg('gh-token') - expect(result).toBe(false) - }) -}) - -describe('createAttestation', () => { - beforeEach(() => { - jest.clearAllMocks() - - // Default mock implementations - mockAttest.mockResolvedValue({ - bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }, - certificate: 'cert', - tlogID: 'tlog-123', - attestationID: 'att-123' - }) - - mockGetRegistryCredentials.mockReturnValue({ - username: 'user', - password: 'pass' - }) - - mockAttachArtifactToImage.mockResolvedValue({ - digest: 'sha256:abc123', - mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json', - size: 100 - }) - }) - - describe('when createStorageRecord is false', () => { - it('skips storage record creation', async () => { - const subjects = [ - { - name: subjectName, - digest: { sha256: subjectDigest.replace('sha256:', '') } - } - ] - - const result = await createAttestation(subjects, predicate, { - sigstoreInstance: 'github', - pushToRegistry: true, - createStorageRecord: false, - githubToken: 'gh-token' - }) - - expect(result.attestationDigest).toBe('sha256:abc123') - expect(mockCreateStorageRecord).not.toHaveBeenCalled() - }) - }) - - describe('when storage records are empty', () => { - beforeEach(() => { - mockGetOctokit.mockReturnValue({ - rest: { - repos: { - // eslint-disable-next-line @typescript-eslint/no-explicit-any - get: jest.fn<() => Promise>().mockResolvedValue({ - data: { owner: { type: 'Organization' } } - }) - } - } - }) - mockCreateStorageRecord.mockResolvedValue([]) - }) - - it('handles empty storage records gracefully', async () => { - const subjects = [ - { - name: subjectName, - digest: { sha256: subjectDigest.replace('sha256:', '') } - } - ] - - const result = await createAttestation(subjects, predicate, { - sigstoreInstance: 'github', - pushToRegistry: true, - createStorageRecord: true, - githubToken: 'gh-token' - }) - - expect(result.attestationDigest).toBe('sha256:abc123') - }) - }) - - describe('when subject has unsupported protocol', () => { - beforeEach(() => { - mockGetOctokit.mockReturnValue({ - rest: { - repos: { - // eslint-disable-next-line @typescript-eslint/no-explicit-any - get: jest.fn<() => Promise>().mockResolvedValue({ - data: { owner: { type: 'Organization' } } - }) - } - } - }) - mockCreateStorageRecord.mockResolvedValue([123]) - }) - - it('handles unsupported protocol gracefully', async () => { - const subjects = [ - { - name: 'http://registry.example.com/foo/bar', - digest: { sha256: subjectDigest.replace('sha256:', '') } - } - ] - - const result = await createAttestation(subjects, predicate, { - sigstoreInstance: 'github', - pushToRegistry: true, - createStorageRecord: true, - githubToken: 'gh-token' - }) - - expect(result.attestationDigest).toBe('sha256:abc123') - }) - }) -}) diff --git a/__tests__/fixtures/mocks.ts b/__tests__/fixtures/mocks.ts new file mode 100644 index 0000000..fc2a1db --- /dev/null +++ b/__tests__/fixtures/mocks.ts @@ -0,0 +1,253 @@ +import type { Attestation, Predicate, Subject } from '@actions/attest' +import { jest } from '@jest/globals' +import type { RestEndpointMethodTypes } from '@octokit/plugin-rest-endpoint-methods' +import type { Descriptor } from '@sigstore/oci' + +// ============================================================================= +// @actions/core mock factory +// ============================================================================= + +export type CoreMock = { + info: jest.Mock + warning: jest.Mock + debug: jest.Mock + startGroup: jest.Mock + endGroup: jest.Mock + setOutput: jest.Mock + setFailed: jest.Mock + summary: SummaryMock +} + +export type SummaryMock = { + write: jest.Mock + addRaw: jest.Mock + addHeading: jest.Mock + addLink: jest.Mock + addTable: jest.Mock + addBreak: jest.Mock + addSeparator: jest.Mock + addQuote: jest.Mock + addCodeBlock: jest.Mock + addList: jest.Mock + addImage: jest.Mock + addDetails: jest.Mock + addEOL: jest.Mock + emptyBuffer: jest.Mock + stringify: jest.Mock + isEmptyBuffer: jest.Mock + clear: jest.Mock +} + +export const createSummaryMock = (): SummaryMock => { + const mock: SummaryMock = { + write: jest.fn(), + addRaw: jest.fn(), + addHeading: jest.fn(), + addLink: jest.fn(), + addTable: jest.fn(), + addBreak: jest.fn(), + addSeparator: jest.fn(), + addQuote: jest.fn(), + addCodeBlock: jest.fn(), + addList: jest.fn(), + addImage: jest.fn(), + addDetails: jest.fn(), + addEOL: jest.fn(), + emptyBuffer: jest.fn(), + stringify: jest.fn().mockReturnValue(''), + isEmptyBuffer: jest.fn().mockReturnValue(true), + clear: jest.fn() + } + // Make chainable + for (const key of Object.keys(mock) as (keyof SummaryMock)[]) { + if (key !== 'stringify' && key !== 'isEmptyBuffer') { + mock[key].mockReturnThis() + } + } + return mock +} + +export const createCoreMock = (): CoreMock => ({ + info: jest.fn(), + warning: jest.fn(), + debug: jest.fn(), + startGroup: jest.fn(), + endGroup: jest.fn(), + setOutput: jest.fn(), + setFailed: jest.fn(), + summary: createSummaryMock() +}) + +// ============================================================================= +// @actions/github mock factory +// ============================================================================= + +export type GitHubContextMock = { + repo: { owner: string; repo: string } + payload: { repository?: { visibility: string } } + serverUrl: string +} + +export const createGitHubContextMock = ( + overrides: Partial = {} +): GitHubContextMock => ({ + repo: { owner: 'test-owner', repo: 'test-repo' }, + payload: { repository: { visibility: 'public' } }, + serverUrl: 'https://github.com', + ...overrides +}) + +export type OctokitMock = { + rest: { + repos: { + get: jest.Mock + } + } +} + +export const createOctokitMock = ( + ownerType: 'Organization' | 'User' = 'Organization' +): OctokitMock => ({ + rest: { + repos: { + get: jest + .fn() + .mockResolvedValue({ + data: { owner: { type: ownerType } } + }) + } + } +}) + +// ============================================================================= +// @actions/attest mock factory +// ============================================================================= + +export type AttestMock = { + attest: jest.Mock + buildSLSAProvenancePredicate: jest.Mock + createStorageRecord: jest.Mock +} + +export const createAttestMock = (): AttestMock => ({ + attest: jest.fn(), + buildSLSAProvenancePredicate: jest.fn(), + createStorageRecord: jest.fn() +}) + +export const createAttestationResult = ( + overrides: Partial = {} +): Attestation => ({ + bundle: { + mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' as const, + verificationMaterial: { + certificate: { rawBytes: '' }, + publicKey: undefined, + x509CertificateChain: undefined, + tlogEntries: [], + timestampVerificationData: undefined + }, + dsseEnvelope: { + payload: '', + payloadType: '', + signatures: [] + }, + messageSignature: undefined + }, + certificate: '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----', + tlogID: 'tlog-123', + attestationID: 'att-123', + ...overrides +}) + +// ============================================================================= +// @sigstore/oci mock factory +// ============================================================================= + +export type OciMock = { + getRegistryCredentials: jest.Mock + attachArtifactToImage: jest.Mock +} + +export const createOciMock = (): OciMock => ({ + getRegistryCredentials: jest.fn().mockReturnValue({ + username: 'test-user', + password: 'test-pass' + }), + attachArtifactToImage: jest + .fn<() => Promise>() + .mockResolvedValue({ + digest: 'sha256:abc123def456', + mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json', + size: 1234 + }) +}) + +// ============================================================================= +// Common test data +// ============================================================================= + +export const TEST_SUBJECT: Subject = { + name: 'test-artifact', + digest: { + sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' + } +} + +export const TEST_SUBJECT_WITH_REGISTRY: Subject = { + name: 'ghcr.io/test-owner/test-repo', + digest: { + sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' + } +} + +export const TEST_PREDICATE: Predicate = { + type: 'https://example.com/predicate/v1', + params: { foo: 'bar' } +} + +export const TEST_PROVENANCE_PREDICATE: Predicate = { + type: 'https://slsa.dev/provenance/v1', + params: { + buildDefinition: { + buildType: 'https://actions.github.io/buildtypes/workflow/v1' + }, + runDetails: { + builder: { id: 'https://github.com/actions/runner' } + } + } +} + +// ============================================================================= +// Environment helpers +// ============================================================================= + +export const setupTestEnvironment = ( + env: Record = {} +): (() => void) => { + const originalEnv = { ...process.env } + + process.env = { + ...process.env, + ACTIONS_ID_TOKEN_REQUEST_URL: 'https://token.url', + ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'test-token', + RUNNER_TEMP: '/tmp', + ...env + } + + return () => { + process.env = originalEnv + } +} + +// ============================================================================= +// OIDC token helpers +// ============================================================================= + +export const createOidcToken = (subject = 'test@example.com'): string => { + const payload = { + sub: subject, + iss: 'https://token.actions.githubusercontent.com' + } + return `.${Buffer.from(JSON.stringify(payload)).toString('base64')}.` +} diff --git a/__tests__/fixtures/samples/cyclonedx-sbom.json b/__tests__/fixtures/samples/cyclonedx-sbom.json new file mode 100644 index 0000000..bd1d83d --- /dev/null +++ b/__tests__/fixtures/samples/cyclonedx-sbom.json @@ -0,0 +1,13 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.4", + "serialNumber": "urn:uuid:12345678-1234-1234-1234-123456789012", + "version": 1, + "components": [ + { + "type": "library", + "name": "test-component", + "version": "1.0.0" + } + ] +} diff --git a/__tests__/fixtures/samples/predicate.json b/__tests__/fixtures/samples/predicate.json new file mode 100644 index 0000000..6d837d4 --- /dev/null +++ b/__tests__/fixtures/samples/predicate.json @@ -0,0 +1,9 @@ +{ + "buildType": "https://example.com/build/v1", + "builder": { + "id": "https://github.com/actions/runner" + }, + "metadata": { + "buildStartedOn": "2024-01-01T00:00:00Z" + } +} diff --git a/__tests__/fixtures/samples/spdx-sbom.json b/__tests__/fixtures/samples/spdx-sbom.json new file mode 100644 index 0000000..7ed4131 --- /dev/null +++ b/__tests__/fixtures/samples/spdx-sbom.json @@ -0,0 +1,15 @@ +{ + "spdxVersion": "SPDX-2.3", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "test-package", + "dataLicense": "CC0-1.0", + "documentNamespace": "https://example.com/test-package", + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "name": "test-package", + "versionInfo": "1.0.0", + "downloadLocation": "https://example.com/test-package-1.0.0.tar.gz" + } + ] +} diff --git a/__tests__/index.test.ts b/__tests__/index.test.ts index 90c8107..8038e57 100644 --- a/__tests__/index.test.ts +++ b/__tests__/index.test.ts @@ -1,6 +1,3 @@ -/** - * Unit tests for the action's entrypoint, src/index.ts - */ import { jest } from '@jest/globals' // Mock functions @@ -22,14 +19,53 @@ jest.unstable_mockModule('../src/main', () => ({ describe('index', () => { beforeEach(() => { jest.clearAllMocks() - mockGetBooleanInput.mockReturnValue(false) mockGetInput.mockReturnValue('') + mockGetBooleanInput.mockReturnValue(false) }) - it('calls run when imported', async () => { - // Dynamic import after mocking + it('should call run with inputs from core.getInput', async () => { + mockGetInput.mockImplementation((name: string) => { + const inputs: Record = { + 'subject-path': '/path/to/subject', + 'subject-name': 'my-artifact', + 'subject-digest': '', + 'subject-checksums': '', + 'predicate-type': 'https://example.com/predicate', + predicate: '{}', + 'predicate-path': '', + 'sbom-path': '', + 'github-token': 'test-token' + } + return inputs[name] || '' + }) + + mockGetBooleanInput.mockImplementation((name: string) => { + const inputs: Record = { + 'push-to-registry': false, + 'create-storage-record': true, + 'show-summary': true, + 'private-signing': false + } + return inputs[name] || false + }) + + // Dynamic import triggers the module await import('../src/index') - expect(mockRun).toHaveBeenCalled() + expect(mockRun).toHaveBeenCalledWith({ + subjectPath: '/path/to/subject', + subjectName: 'my-artifact', + subjectDigest: '', + subjectChecksums: '', + predicateType: 'https://example.com/predicate', + predicate: '{}', + predicatePath: '', + sbomPath: '', + githubToken: 'test-token', + pushToRegistry: false, + createStorageRecord: true, + showSummary: true, + privateSigning: false + }) }) }) diff --git a/__tests__/integration/attest.test.ts b/__tests__/integration/attest.test.ts new file mode 100644 index 0000000..438c667 --- /dev/null +++ b/__tests__/integration/attest.test.ts @@ -0,0 +1,228 @@ +import { jest } from '@jest/globals' +import { + createAttestationResult, + createGitHubContextMock, + createOctokitMock, + TEST_PREDICATE, + TEST_SUBJECT_WITH_REGISTRY +} from '../fixtures/mocks' + +import type { Attestation } from '@actions/attest' +import type { Descriptor } from '@sigstore/oci' + +// Mock functions +const mockGetOctokit = jest.fn() +const mockAttest = jest.fn<() => Promise>() +const mockCreateStorageRecord = jest.fn<() => Promise>() +const mockGetRegistryCredentials = jest.fn() +const mockAttachArtifactToImage = jest.fn<() => Promise>() + +// Mutable context for tests +const mockContext = createGitHubContextMock() + +// Mock @actions/github +jest.unstable_mockModule('@actions/github', () => ({ + getOctokit: mockGetOctokit, + context: mockContext +})) + +// Mock @actions/attest +jest.unstable_mockModule('@actions/attest', () => ({ + attest: mockAttest, + createStorageRecord: mockCreateStorageRecord +})) + +// Mock @sigstore/oci +jest.unstable_mockModule('@sigstore/oci', () => ({ + getRegistryCredentials: mockGetRegistryCredentials, + attachArtifactToImage: mockAttachArtifactToImage +})) + +// Dynamic imports after mocking +const { createAttestation, repoOwnerIsOrg } = await import('../../src/attest') + +describe('repoOwnerIsOrg', () => { + beforeEach(() => { + jest.clearAllMocks() + }) + + it('should return true when repo owner is an Organization', async () => { + mockGetOctokit.mockReturnValue(createOctokitMock('Organization')) + + const result = await repoOwnerIsOrg('test-token') + + expect(result).toBe(true) + expect(mockGetOctokit).toHaveBeenCalledWith('test-token') + }) + + it('should return false when repo owner is a User', async () => { + mockGetOctokit.mockReturnValue(createOctokitMock('User')) + + const result = await repoOwnerIsOrg('test-token') + + expect(result).toBe(false) + }) +}) + +describe('createAttestation', () => { + const defaultOpts = { + sigstoreInstance: 'github' as const, + pushToRegistry: false, + createStorageRecord: false, + githubToken: 'test-token' + } + + beforeEach(() => { + jest.clearAllMocks() + + mockAttest.mockResolvedValue(createAttestationResult()) + mockGetRegistryCredentials.mockReturnValue({ + username: 'test-user', + password: 'test-pass' + }) + mockAttachArtifactToImage.mockResolvedValue({ + digest: 'sha256:attestation-digest', + mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json', + size: 1234 + }) + mockCreateStorageRecord.mockResolvedValue([12345]) + mockGetOctokit.mockReturnValue(createOctokitMock('Organization')) + }) + + describe('basic attestation', () => { + it('should call attest with correct parameters', async () => { + const subjects = [TEST_SUBJECT_WITH_REGISTRY] + + await createAttestation(subjects, TEST_PREDICATE, defaultOpts) + + expect(mockAttest).toHaveBeenCalledWith({ + subjects, + predicateType: TEST_PREDICATE.type, + predicate: TEST_PREDICATE.params, + sigstore: 'github', + token: 'test-token' + }) + }) + + it('should return attestation result', async () => { + const subjects = [TEST_SUBJECT_WITH_REGISTRY] + + const result = await createAttestation( + subjects, + TEST_PREDICATE, + defaultOpts + ) + + expect(result.attestationID).toBe('att-123') + expect(result.certificate).toContain('BEGIN CERTIFICATE') + expect(result.tlogID).toBe('tlog-123') + }) + }) + + describe('registry push', () => { + const pushOpts = { ...defaultOpts, pushToRegistry: true } + + it('should push attestation to registry when enabled', async () => { + const subjects = [TEST_SUBJECT_WITH_REGISTRY] + + const result = await createAttestation(subjects, TEST_PREDICATE, pushOpts) + + expect(mockGetRegistryCredentials).toHaveBeenCalledWith(subjects[0].name) + expect(mockAttachArtifactToImage).toHaveBeenCalled() + expect(result.attestationDigest).toBe('sha256:attestation-digest') + }) + + it('should skip registry push for multiple subjects', async () => { + const subjects = [TEST_SUBJECT_WITH_REGISTRY, TEST_SUBJECT_WITH_REGISTRY] + + await createAttestation(subjects, TEST_PREDICATE, pushOpts) + + expect(mockAttachArtifactToImage).not.toHaveBeenCalled() + }) + }) + + describe('storage record creation', () => { + const storageOpts = { + ...defaultOpts, + pushToRegistry: true, + createStorageRecord: true + } + + it('should create storage record when enabled and owner is org', async () => { + const subjects = [TEST_SUBJECT_WITH_REGISTRY] + + const result = await createAttestation( + subjects, + TEST_PREDICATE, + storageOpts + ) + + expect(mockCreateStorageRecord).toHaveBeenCalled() + expect(result.storageRecordIds).toEqual([12345]) + }) + + it('should skip storage record when owner is User', async () => { + mockGetOctokit.mockReturnValue(createOctokitMock('User')) + const subjects = [TEST_SUBJECT_WITH_REGISTRY] + + const result = await createAttestation( + subjects, + TEST_PREDICATE, + storageOpts + ) + + expect(mockCreateStorageRecord).not.toHaveBeenCalled() + expect(result.storageRecordIds).toBeUndefined() + }) + + it('should skip storage record when createStorageRecord is false', async () => { + const subjects = [TEST_SUBJECT_WITH_REGISTRY] + const opts = { ...storageOpts, createStorageRecord: false } + + await createAttestation(subjects, TEST_PREDICATE, opts) + + expect(mockCreateStorageRecord).not.toHaveBeenCalled() + }) + + it('should handle empty storage records gracefully', async () => { + mockCreateStorageRecord.mockResolvedValue([]) + const subjects = [TEST_SUBJECT_WITH_REGISTRY] + + const result = await createAttestation( + subjects, + TEST_PREDICATE, + storageOpts + ) + + expect(result.storageRecordIds).toEqual([]) + }) + + it('should continue when storage record creation fails', async () => { + mockCreateStorageRecord.mockRejectedValue(new Error('Permission denied')) + const subjects = [TEST_SUBJECT_WITH_REGISTRY] + + // Should not throw + const result = await createAttestation( + subjects, + TEST_PREDICATE, + storageOpts + ) + + expect(result.attestationID).toBe('att-123') + expect(result.storageRecordIds).toBeUndefined() + }) + }) + + describe('sigstore instance selection', () => { + it('should use public-good sigstore instance when specified', async () => { + const subjects = [TEST_SUBJECT_WITH_REGISTRY] + const opts = { ...defaultOpts, sigstoreInstance: 'public-good' as const } + + await createAttestation(subjects, TEST_PREDICATE, opts) + + expect(mockAttest).toHaveBeenCalledWith( + expect.objectContaining({ sigstore: 'public-good' }) + ) + }) + }) +}) diff --git a/__tests__/integration/main.test.ts b/__tests__/integration/main.test.ts new file mode 100644 index 0000000..61d7e33 --- /dev/null +++ b/__tests__/integration/main.test.ts @@ -0,0 +1,454 @@ +import { jest } from '@jest/globals' +import fs from 'fs/promises' +import os from 'os' +import path from 'path' +import { + createAttestationResult, + createOctokitMock, + TEST_PROVENANCE_PREDICATE +} from '../fixtures/mocks' + +import type { Attestation, Predicate } from '@actions/attest' +import type { Descriptor } from '@sigstore/oci' +import type { RunInputs } from '../../src/main' + +// Create persistent mock functions +const infoMock = jest.fn() +const warningMock = jest.fn() +const debugMock = jest.fn() +const startGroupMock = jest.fn() +const endGroupMock = jest.fn() +const setOutputMock = jest.fn() +const setFailedMock = jest.fn() + +// Create chainable summary mock +const summaryMock = { + write: jest.fn().mockReturnThis(), + addRaw: jest.fn().mockReturnThis(), + addHeading: jest.fn().mockReturnThis(), + addLink: jest.fn().mockReturnThis(), + addTable: jest.fn().mockReturnThis(), + addBreak: jest.fn().mockReturnThis(), + addSeparator: jest.fn().mockReturnThis(), + addQuote: jest.fn().mockReturnThis(), + addCodeBlock: jest.fn().mockReturnThis(), + addList: jest.fn().mockReturnThis(), + addImage: jest.fn().mockReturnThis(), + addDetails: jest.fn().mockReturnThis(), + addEOL: jest.fn().mockReturnThis(), + emptyBuffer: jest.fn().mockReturnThis(), + stringify: jest.fn().mockReturnValue(''), + isEmptyBuffer: jest.fn().mockReturnValue(true), + clear: jest.fn().mockReturnThis() +} + +const mockGetOctokit = jest.fn() +const mockAttest = jest.fn<() => Promise>() +const mockBuildSLSAProvenancePredicate = jest.fn<() => Promise>() +const mockCreateStorageRecord = jest.fn<() => Promise>() +const mockGetRegistryCredentials = jest.fn() +const mockAttachArtifactToImage = jest.fn<() => Promise>() + +// Mutable context for tests +const mockContext = { + repo: { owner: 'test-owner', repo: 'test-repo' }, + payload: { repository: { visibility: 'private' } }, + serverUrl: 'https://github.com' +} + +// Mock @actions/core +jest.unstable_mockModule('@actions/core', () => ({ + info: infoMock, + warning: warningMock, + debug: debugMock, + startGroup: startGroupMock, + endGroup: endGroupMock, + setOutput: setOutputMock, + setFailed: setFailedMock, + summary: summaryMock +})) + +// Mock @actions/github +jest.unstable_mockModule('@actions/github', () => ({ + getOctokit: mockGetOctokit, + context: mockContext +})) + +// Mock @actions/attest +jest.unstable_mockModule('@actions/attest', () => ({ + attest: mockAttest, + buildSLSAProvenancePredicate: mockBuildSLSAProvenancePredicate, + createStorageRecord: mockCreateStorageRecord +})) + +// Mock @sigstore/oci +jest.unstable_mockModule('@sigstore/oci', () => ({ + getRegistryCredentials: mockGetRegistryCredentials, + attachArtifactToImage: mockAttachArtifactToImage +})) + +// Dynamic import after mocking +const { run } = await import('../../src/main') + +const defaultInputs: RunInputs = { + predicate: '', + predicateType: '', + predicatePath: '', + sbomPath: '', + subjectName: '', + subjectDigest: '', + subjectPath: '', + subjectChecksums: '', + pushToRegistry: false, + createStorageRecord: false, + showSummary: false, + githubToken: 'test-token', + privateSigning: false +} + +describe('run', () => { + let tempDir: string + const originalEnv = { ...process.env } + + beforeEach(async () => { + jest.clearAllMocks() + + // Reset chainable summary mocks + for (const key of Object.keys(summaryMock)) { + if (key !== 'stringify' && key !== 'isEmptyBuffer') { + ;( + summaryMock[key as keyof typeof summaryMock] as jest.Mock + ).mockReturnThis() + } + } + + mockAttest.mockResolvedValue(createAttestationResult()) + mockBuildSLSAProvenancePredicate.mockResolvedValue( + TEST_PROVENANCE_PREDICATE + ) + mockCreateStorageRecord.mockResolvedValue([12345]) + mockGetOctokit.mockReturnValue(createOctokitMock('Organization')) + mockGetRegistryCredentials.mockReturnValue({ username: 'u', password: 'p' }) + mockAttachArtifactToImage.mockResolvedValue({ + digest: 'sha256:abc', + mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json', + size: 100 + }) + + // Reset context + mockContext.repo = { owner: 'test-owner', repo: 'test-repo' } + mockContext.payload = { repository: { visibility: 'private' } } + + // Create temp directory + tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'main-test-')) + + // Set required environment + process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://token.url' + process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token' + process.env.RUNNER_TEMP = tempDir + }) + + afterEach(async () => { + process.env = { ...originalEnv } + await fs.rm(tempDir, { recursive: true, force: true }) + }) + + describe('environment validation', () => { + it('should fail when ACTIONS_ID_TOKEN_REQUEST_URL is not set', async () => { + delete process.env.ACTIONS_ID_TOKEN_REQUEST_URL + + await run({ + ...defaultInputs, + subjectName: 'artifact', + subjectDigest: + 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32', + predicateType: 'https://example.com/predicate', + predicate: '{}' + }) + + expect(setFailedMock).toHaveBeenCalledWith( + expect.objectContaining({ + message: expect.stringContaining('id-token') + }) + ) + }) + }) + + describe('subject validation', () => { + it('should fail when no subject inputs are provided', async () => { + await run(defaultInputs) + + expect(setFailedMock).toHaveBeenCalledWith( + expect.objectContaining({ + message: expect.stringContaining('subject-path') + }) + ) + }) + }) + + describe('attestation type detection', () => { + it('should detect provenance attestation when no predicate inputs provided', async () => { + await run({ + ...defaultInputs, + subjectName: 'artifact', + subjectDigest: + 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' + }) + + expect(infoMock).toHaveBeenCalledWith( + 'Attestation type: Build Provenance' + ) + expect(mockBuildSLSAProvenancePredicate).toHaveBeenCalled() + }) + + it('should detect custom attestation when predicate inputs provided', async () => { + await run({ + ...defaultInputs, + subjectName: 'artifact', + subjectDigest: + 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32', + predicateType: 'https://example.com/predicate', + predicate: '{}' + }) + + expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom') + expect(mockBuildSLSAProvenancePredicate).not.toHaveBeenCalled() + }) + + it('should detect SBOM attestation when sbom-path provided', async () => { + const sbomPath = path.join(tempDir, 'sbom.json') + await fs.writeFile( + sbomPath, + JSON.stringify({ + spdxVersion: 'SPDX-2.3', + SPDXID: 'SPDXRef-DOCUMENT', + name: 'test' + }) + ) + + await run({ + ...defaultInputs, + subjectName: 'artifact', + subjectDigest: + 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32', + sbomPath + }) + + expect(infoMock).toHaveBeenCalledWith('Attestation type: SBOM') + }) + + it('should fail when sbom-path is combined with predicate inputs', async () => { + await run({ + ...defaultInputs, + subjectName: 'artifact', + subjectDigest: + 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32', + sbomPath: '/path/to/sbom.json', + predicateType: 'https://example.com/predicate' + }) + + expect(setFailedMock).toHaveBeenCalledWith( + expect.objectContaining({ + message: expect.stringContaining( + 'Cannot specify sbom-path together with' + ) + }) + ) + }) + }) + + describe('successful attestation', () => { + const validInputs: RunInputs = { + ...defaultInputs, + subjectName: 'artifact', + subjectDigest: + 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32', + predicateType: 'https://example.com/predicate', + predicate: '{}' + } + + it('should create attestation successfully', async () => { + await run(validInputs) + + expect(setFailedMock).not.toHaveBeenCalled() + expect(mockAttest).toHaveBeenCalled() + }) + + it('should set output for attestation-id', async () => { + await run(validInputs) + + expect(setOutputMock).toHaveBeenCalledWith('attestation-id', 'att-123') + }) + + it('should set output for attestation-url', async () => { + await run(validInputs) + + expect(setOutputMock).toHaveBeenCalledWith( + 'attestation-url', + 'https://github.com/test-owner/test-repo/attestations/att-123' + ) + }) + + it('should set output for bundle-path', async () => { + await run(validInputs) + + expect(setOutputMock).toHaveBeenCalledWith( + 'bundle-path', + expect.stringContaining('attestation.json') + ) + }) + + it('should write attestation bundle to file', async () => { + await run(validInputs) + + const bundlePath = setOutputMock.mock.calls.find( + (call: unknown[]) => call[0] === 'bundle-path' + )?.[1] as string + + const content = await fs.readFile(bundlePath, 'utf-8') + expect(content).toContain('mediaType') + }) + }) + + describe('sigstore instance selection', () => { + const validInputs: RunInputs = { + ...defaultInputs, + subjectName: 'artifact', + subjectDigest: + 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32', + predicateType: 'https://example.com/predicate', + predicate: '{}' + } + + it('should use github sigstore for private repos', async () => { + mockContext.payload = { repository: { visibility: 'private' } } + + await run(validInputs) + + expect(mockAttest).toHaveBeenCalledWith( + expect.objectContaining({ sigstore: 'github' }) + ) + }) + + it('should use public-good sigstore for public repos', async () => { + mockContext.payload = { repository: { visibility: 'public' } } + + await run(validInputs) + + expect(mockAttest).toHaveBeenCalledWith( + expect.objectContaining({ sigstore: 'public-good' }) + ) + }) + + it('should use github sigstore when privateSigning is true', async () => { + mockContext.payload = { repository: { visibility: 'public' } } + + await run({ ...validInputs, privateSigning: true }) + + expect(mockAttest).toHaveBeenCalledWith( + expect.objectContaining({ sigstore: 'github' }) + ) + }) + }) + + describe('multiple subjects', () => { + it('should handle multiple subjects from glob pattern', async () => { + // Create test files + for (let i = 0; i < 3; i++) { + await fs.writeFile(path.join(tempDir, `file-${i}.txt`), `content-${i}`) + } + + await run({ + ...defaultInputs, + subjectPath: path.join(tempDir, 'file-*.txt'), + predicateType: 'https://example.com/predicate', + predicate: '{}' + }) + + expect(setFailedMock).not.toHaveBeenCalled() + expect(infoMock).toHaveBeenCalledWith( + expect.stringContaining('3 subjects') + ) + }) + + it('should fail when subject count exceeds maximum', async () => { + // Create too many files + for (let i = 0; i < 1025; i++) { + await fs.writeFile(path.join(tempDir, `file-${i}.txt`), `content-${i}`) + } + + await run({ + ...defaultInputs, + subjectPath: path.join(tempDir, 'file-*.txt'), + predicateType: 'https://example.com/predicate', + predicate: '{}' + }) + + expect(setFailedMock).toHaveBeenCalledWith( + expect.objectContaining({ + message: expect.stringContaining('Too many subjects') + }) + ) + }) + }) + + describe('summary output', () => { + const validInputs: RunInputs = { + ...defaultInputs, + subjectName: 'artifact', + subjectDigest: + 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32', + predicateType: 'https://example.com/predicate', + predicate: '{}', + showSummary: true + } + + it('should write summary when showSummary is true', async () => { + await run(validInputs) + + expect(summaryMock.addHeading).toHaveBeenCalled() + expect(summaryMock.write).toHaveBeenCalled() + }) + + it('should not write summary when showSummary is false', async () => { + await run({ ...validInputs, showSummary: false }) + + expect(summaryMock.write).not.toHaveBeenCalled() + }) + }) + + describe('registry push', () => { + const registryInputs: RunInputs = { + ...defaultInputs, + subjectName: 'ghcr.io/test-owner/test-repo', + subjectDigest: + 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32', + predicateType: 'https://example.com/predicate', + predicate: '{}', + pushToRegistry: true + } + + it('should push attestation to registry when enabled', async () => { + await run(registryInputs) + + expect(mockAttachArtifactToImage).toHaveBeenCalled() + }) + + it('should lowercase subject name for registry push', async () => { + await run({ + ...registryInputs, + subjectName: 'ghcr.io/TEST-OWNER/Test-Repo' + }) + + expect(mockAttest).toHaveBeenCalledWith( + expect.objectContaining({ + subjects: [ + expect.objectContaining({ + name: 'ghcr.io/test-owner/test-repo' + }) + ] + }) + ) + }) + }) +}) diff --git a/__tests__/provenance.test.ts b/__tests__/integration/provenance.test.ts similarity index 51% rename from __tests__/provenance.test.ts rename to __tests__/integration/provenance.test.ts index 7bbe489..f81a9a2 100644 --- a/__tests__/provenance.test.ts +++ b/__tests__/integration/provenance.test.ts @@ -1,5 +1,6 @@ import type { Predicate } from '@actions/attest' import { jest } from '@jest/globals' +import { TEST_PROVENANCE_PREDICATE } from '../fixtures/mocks' // Mock function const mockBuildSLSAProvenancePredicate = jest.fn<() => Promise>() @@ -10,39 +11,27 @@ jest.unstable_mockModule('@actions/attest', () => ({ })) // Dynamic import after mocking -const { generateProvenancePredicate } = await import('../src/provenance') +const { generateProvenancePredicate } = await import('../../src/provenance') describe('generateProvenancePredicate', () => { - const mockPredicate = { - type: 'https://slsa.dev/provenance/v1', - params: { - buildDefinition: { - buildType: 'https://actions.github.io/buildtypes/workflow/v1' - }, - runDetails: { - builder: { id: 'https://github.com/actions/runner' } - } - } - } - beforeEach(() => { jest.clearAllMocks() - mockBuildSLSAProvenancePredicate.mockResolvedValue(mockPredicate) + mockBuildSLSAProvenancePredicate.mockResolvedValue(TEST_PROVENANCE_PREDICATE) }) - it('returns the SLSA provenance predicate', async () => { + it('should delegate to buildSLSAProvenancePredicate', async () => { const result = await generateProvenancePredicate() expect(mockBuildSLSAProvenancePredicate).toHaveBeenCalledTimes(1) - expect(result).toEqual(mockPredicate) + expect(result).toEqual(TEST_PROVENANCE_PREDICATE) }) - it('propagates errors from buildSLSAProvenancePredicate', async () => { - const error = new Error('Failed to build provenance') + it('should propagate errors from the underlying function', async () => { + const error = new Error('Failed to build provenance predicate') mockBuildSLSAProvenancePredicate.mockRejectedValue(error) await expect(generateProvenancePredicate()).rejects.toThrow( - 'Failed to build provenance' + 'Failed to build provenance predicate' ) }) }) diff --git a/__tests__/main.test.ts b/__tests__/main.test.ts deleted file mode 100644 index 600b55d..0000000 --- a/__tests__/main.test.ts +++ /dev/null @@ -1,676 +0,0 @@ -/** - * Unit tests for the action's main functionality, src/main.ts - * - * These should be run as if the action was called from a workflow. - * Specifically, the inputs listed in `action.yml` should be set as environment - * variables following the pattern `INPUT_`. - */ -import type { Predicate } from '@actions/attest' -import { jest } from '@jest/globals' -import type { RunInputs } from '../src/main' - -// Create mock functions before mocking modules -const infoMock = jest.fn() -const warningMock = jest.fn() -const startGroupMock = jest.fn() -const endGroupMock = jest.fn() -const setOutputMock = jest.fn() -const setFailedMock = jest.fn() -const debugMock = jest.fn() - -// OCI mocks -const getRegCredsMock = jest.fn() -const attachArtifactMock = jest.fn() - -// Attest mocks -const attestMock = jest.fn() -const createStorageRecordMock = jest.fn() - -// Local attest mocks -// eslint-disable-next-line @typescript-eslint/no-explicit-any -const createAttestationMock = jest.fn<() => Promise>() -const repoOwnerIsOrgMock = jest.fn() - -// Provenance mock -const generateProvenancePredicateMock = jest.fn<() => Promise>() - -// GitHub context mock -const mockContext = { - repo: { owner: 'foo', repo: 'bar' }, - payload: { repository: { visibility: 'private' } } -} -const mockGetOctokit = jest.fn() - -// Summary mock with chainable methods -const summaryMock = { - write: jest.fn().mockReturnThis(), - addRaw: jest.fn().mockReturnThis(), - addHeading: jest.fn().mockReturnThis(), - addLink: jest.fn().mockReturnThis(), - addTable: jest.fn().mockReturnThis(), - addBreak: jest.fn().mockReturnThis(), - addSeparator: jest.fn().mockReturnThis(), - addQuote: jest.fn().mockReturnThis(), - addCodeBlock: jest.fn().mockReturnThis(), - addList: jest.fn().mockReturnThis(), - addImage: jest.fn().mockReturnThis(), - addDetails: jest.fn().mockReturnThis(), - addEOL: jest.fn().mockReturnThis(), - emptyBuffer: jest.fn().mockReturnThis(), - stringify: jest.fn().mockReturnValue(''), - isEmptyBuffer: jest.fn().mockReturnValue(true), - clear: jest.fn().mockReturnThis() -} - -// Mock @actions/core -jest.unstable_mockModule('@actions/core', () => ({ - info: infoMock, - warning: warningMock, - startGroup: startGroupMock, - endGroup: endGroupMock, - setOutput: setOutputMock, - setFailed: setFailedMock, - debug: debugMock, - summary: summaryMock -})) - -// Mock @actions/github -jest.unstable_mockModule('@actions/github', () => ({ - context: mockContext, - getOctokit: mockGetOctokit -})) - -// Mock @sigstore/oci -jest.unstable_mockModule('@sigstore/oci', () => ({ - getRegistryCredentials: getRegCredsMock, - attachArtifactToImage: attachArtifactMock -})) - -// Mock @actions/attest -jest.unstable_mockModule('@actions/attest', () => ({ - attest: attestMock, - createStorageRecord: createStorageRecordMock -})) - -// Mock ../src/attest -jest.unstable_mockModule('../src/attest', () => ({ - createAttestation: createAttestationMock, - repoOwnerIsOrg: repoOwnerIsOrgMock -})) - -// Mock ../src/provenance -jest.unstable_mockModule('../src/provenance', () => ({ - generateProvenancePredicate: generateProvenancePredicateMock -})) - -// Dynamic imports after mocking -const { mockFulcio, mockRekor, mockTSA } = await import('@sigstore/mock') -const fs = (await import('fs/promises')).default -const nock = (await import('nock')).default -const os = (await import('os')).default -const path = (await import('path')).default -const { MockAgent, setGlobalDispatcher } = await import('undici') -const { run } = await import('../src/main') - -// MockAgent for mocking @actions/github -const mockAgent = new MockAgent() -setGlobalDispatcher(mockAgent) - -const defaultInputs: RunInputs = { - predicate: '', - predicateType: '', - predicatePath: '', - sbomPath: '', - subjectName: '', - subjectDigest: '', - subjectPath: '', - subjectChecksums: '', - pushToRegistry: false, - createStorageRecord: true, - showSummary: true, - githubToken: '', - privateSigning: false -} - -describe('action', () => { - // Capture original environment variables so we can restore after each test - const originalEnv = process.env - const originalContext = { - repo: { owner: 'foo', repo: 'bar' }, - payload: { repository: { visibility: 'private' } } - } - - // Mock OIDC token endpoint - const tokenURL = 'https://token.url' - - // Fake an OIDC token - const oidcSubject = 'foo@bar.com' - const oidcPayload = { sub: oidcSubject, iss: '' } - const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString( - 'base64' - )}.}` - - const subjectName = 'ghcr.io/registry/foo/bar' - const subjectDigest = - 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' - const predicate = '{}' - const predicateType = 'https://in-toto.io/attestation/release/v0.1' - - const attestationID = '1234567890' - const storageRecordID = 987654321 - - beforeEach(() => { - jest.clearAllMocks() - - nock(tokenURL) - .get('/') - .query({ audience: 'sigstore' }) - .reply(200, { value: oidcToken }) - - const pool = mockAgent.get('https://api.github.com') - pool - .intercept({ - path: /^\/repos\/.*\/.*\/attestations$/, - method: 'post' - }) - .reply(201, { id: attestationID }) - - pool - .intercept({ - path: /^\/orgs\/.*\/artifacts\/metadata\/storage-record$/, - method: 'post' - }) - .reply(200, { storage_records: [{ id: storageRecordID }] }) - - process.env = { - ...originalEnv, - ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL, - ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token', - RUNNER_TEMP: process.env.RUNNER_TEMP || '/tmp' - } - }) - - afterEach(() => { - // Restore the original environment - process.env = originalEnv - - // Restore the original github.context - setGHContext(originalContext) - }) - - describe('when ACTIONS_ID_TOKEN_REQUEST_URL is not set', () => { - const inputs: RunInputs = { - ...defaultInputs, - subjectDigest, - subjectName, - predicateType, - predicate, - githubToken: 'gh-token' - } - - beforeEach(() => { - // Nullify the OIDC token URL - process.env.ACTIONS_ID_TOKEN_REQUEST_URL = '' - }) - - it('sets a failed status', async () => { - await run(inputs) - - expect(setFailedMock).toHaveBeenCalledWith( - new Error( - 'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.' - ) - ) - }) - }) - - describe('when no inputs are provided', () => { - it('sets a failed status', async () => { - await run(defaultInputs) - - expect(setFailedMock).toHaveBeenCalledWith( - new Error( - 'One of subject-path, subject-digest, or subject-checksums must be provided' - ) - ) - }) - }) - - describe('when the repository is private', () => { - const inputs: RunInputs = { - ...defaultInputs, - subjectDigest, - subjectName, - predicateType, - predicate, - githubToken: 'gh-token' - } - - beforeEach(async () => { - // Set the GH context with private repository visibility and a repo owner. - setGHContext({ - payload: { repository: { visibility: 'private' } }, - repo: { owner: 'foo', repo: 'bar' } - }) - - // Mock createAttestation to return expected values - createAttestationMock.mockResolvedValue({ - attestationID, - certificate: - '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----', - tlogID: 'tlog-123', - attestationDigest: 'sha256:123456', - bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' } - }) - - await mockFulcio({ - baseURL: 'https://fulcio.githubapp.com', - strict: false - }) - await mockTSA({ baseURL: 'https://timestamp.githubapp.com' }) - }) - - it('invokes the action w/o error', async () => { - await run(inputs) - - expect(setFailedMock).not.toHaveBeenCalled() - expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom') - expect(infoMock).toHaveBeenCalledWith( - expect.stringMatching( - `Attestation created for ${subjectName}@${subjectDigest}` - ) - ) - expect(createAttestationMock).toHaveBeenCalled() - }) - }) - - describe('when the repository is public', () => { - const inputs: RunInputs = { - ...defaultInputs, - subjectDigest, - subjectName, - predicateType, - predicate, - githubToken: 'gh-token', - pushToRegistry: true - } - - beforeEach(async () => { - // Set the GH context with public repository visibility and a repo owner. - setGHContext({ - payload: { repository: { visibility: 'public' } }, - repo: { owner: 'foo', repo: 'bar' } - }) - - // Setup createAttestation mock - createAttestationMock.mockResolvedValue({ - attestationID, - certificate: - '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----', - tlogID: 'tlog-123', - attestationDigest: 'sha256:123456', - bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }, - storageRecordIds: [storageRecordID] - }) - - await mockFulcio({ - baseURL: 'https://fulcio.sigstore.dev', - strict: false - }) - await mockRekor({ baseURL: 'https://rekor.sigstore.dev' }) - - mockGetOctokit.mockReturnValue({ - rest: { - repos: { - get: jest - .fn<() => Promise<{ data: { owner: { type: string } } }>>() - .mockResolvedValue({ - data: { owner: { type: 'Organization' } } - }) - } - } - }) - }) - - it('invokes the action w/o error', async () => { - await run(inputs) - - expect(setFailedMock).not.toHaveBeenCalled() - expect(createAttestationMock).toHaveBeenCalled() - expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom') - expect(infoMock).toHaveBeenCalledWith( - expect.stringMatching( - `Attestation created for ${subjectName}@${subjectDigest}` - ) - ) - }) - - it('catches error when storage record creation fails and continues', async () => { - // Mock createAttestation to simulate storage record failure (but still succeed overall) - createAttestationMock.mockResolvedValue({ - attestationID, - certificate: - '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----', - tlogID: 'tlog-123', - attestationDigest: 'sha256:123456', - bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' } - // No storageRecordIDs - simulates empty/failed storage record - }) - - await run(inputs) - - expect(createAttestationMock).toHaveBeenCalled() - expect(setFailedMock).not.toHaveBeenCalled() - }) - - it('does not create a storage record when the repo is owned by a user', async () => { - // Mock createAttestation to not return storage record IDs - createAttestationMock.mockResolvedValue({ - attestationID, - certificate: - '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----', - tlogID: 'tlog-123', - attestationDigest: 'sha256:123456', - bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' } - }) - - await run(inputs) - - expect(setFailedMock).not.toHaveBeenCalled() - expect(createAttestationMock).toHaveBeenCalled() - expect(infoMock).toHaveBeenCalledWith( - expect.stringMatching( - `Attestation created for ${subjectName}@${subjectDigest}` - ) - ) - }) - }) - - describe('when the subject count is greater than 1', () => { - let dir = '' - const filename = 'subject' - - beforeEach(async () => { - const subjectCount = 5 - const content = 'file content' - - // Set-up temp directory - const tmpDir = await fs.realpath(os.tmpdir()) - dir = await fs.mkdtemp(tmpDir + path.sep) - - // Add files for glob testing - for (let i = 0; i < subjectCount; i++) { - await fs.writeFile(path.join(dir, `${filename}-${i}`), content) - } - - // Set the GH context with private repository visibility and a repo owner. - setGHContext({ - payload: { repository: { visibility: 'private' } }, - repo: { owner: 'foo', repo: 'bar' } - }) - - // Set-up a Fulcio mock for each subject - await mockFulcio({ - baseURL: 'https://fulcio.githubapp.com', - strict: false - }) - - // Set-up a TSA mock for each subject - await mockTSA({ baseURL: 'https://timestamp.githubapp.com' }) - }) - - afterEach(async () => { - // Clean-up temp directory - await fs.rm(dir, { recursive: true }) - }) - - it('invokes the action w/o error', async () => { - const inputs: RunInputs = { - ...defaultInputs, - subjectPath: path.join(dir, `${filename}-*`), - predicateType, - predicate, - githubToken: 'gh-token' - } - await run(inputs) - - expect(setFailedMock).not.toHaveBeenCalled() - expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom') - expect(infoMock).toHaveBeenNthCalledWith( - 2, - expect.stringMatching('Attestation created for 5 subjects') - ) - }) - }) - - describe('when the subject count exceeds the max', () => { - let dir = '' - const filename = 'subject' - - beforeEach(async () => { - const subjectCount = 1025 - const content = 'file content' - - // Set-up temp directory - const tmpDir = await fs.realpath(os.tmpdir()) - dir = await fs.mkdtemp(tmpDir + path.sep) - - // Add files for glob testing - for (let i = 0; i < subjectCount; i++) { - await fs.writeFile(path.join(dir, `${filename}-${i}`), content) - } - - // Set the GH context with private repository visibility and a repo owner. - setGHContext({ - payload: { repository: { visibility: 'private' } }, - repo: { owner: 'foo', repo: 'bar' } - }) - }) - - afterEach(async () => { - // Clean-up temp directory - await fs.rm(dir, { recursive: true }) - }) - - it('sets a failed status', async () => { - const inputs: RunInputs = { - ...defaultInputs, - subjectPath: path.join(dir, `${filename}-*`), - predicateType, - predicate, - githubToken: 'gh-token' - } - await run(inputs) - - expect(setFailedMock).toHaveBeenCalledWith( - new Error( - 'Too many subjects specified (>1024). The maximum number of subjects is 1024.' - ) - ) - }) - }) - - describe('attestation type detection', () => { - describe('when sbom-path is provided with predicate inputs', () => { - it('sets a failed status for conflicting inputs', async () => { - const inputs: RunInputs = { - ...defaultInputs, - subjectDigest, - subjectName, - sbomPath: '/path/to/sbom.json', - predicateType: 'https://example.com/predicate', - githubToken: 'gh-token' - } - - await run(inputs) - - expect(setFailedMock).toHaveBeenCalledWith( - new Error( - 'Cannot specify sbom-path together with predicate-type, predicate, or predicate-path' - ) - ) - }) - }) - - describe('when predicate is provided without predicate-type', () => { - it('sets a failed status for missing predicate-type', async () => { - const inputs: RunInputs = { - ...defaultInputs, - subjectDigest, - subjectName, - predicate: '{}', - githubToken: 'gh-token' - } - - await run(inputs) - - expect(setFailedMock).toHaveBeenCalledWith( - new Error( - 'predicate-type is required when using predicate or predicate-path' - ) - ) - }) - }) - - describe('when custom attestation inputs are provided', () => { - const inputs: RunInputs = { - ...defaultInputs, - subjectDigest, - subjectName, - predicateType, - predicate, - githubToken: 'gh-token' - } - - beforeEach(async () => { - setGHContext({ - payload: { repository: { visibility: 'private' } }, - repo: { owner: 'foo', repo: 'bar' } - }) - - await mockFulcio({ - baseURL: 'https://fulcio.githubapp.com', - strict: false - }) - await mockTSA({ baseURL: 'https://timestamp.githubapp.com' }) - }) - - it('logs the attestation type as Custom', async () => { - await run(inputs) - - expect(setFailedMock).not.toHaveBeenCalled() - expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom') - }) - }) - - describe('when provenance attestation is detected', () => { - const inputs: RunInputs = { - ...defaultInputs, - subjectDigest, - subjectName, - githubToken: 'gh-token' - } - - const mockProvPredicate = { - type: 'https://slsa.dev/provenance/v1', - params: { buildDefinition: {}, runDetails: {} } - } - - beforeEach(async () => { - // Configure mock for provenance predicate - generateProvenancePredicateMock.mockResolvedValue(mockProvPredicate) - - // Configure mock for createAttestation - createAttestationMock.mockResolvedValue({ - attestationID: '1234567890', - certificate: - '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----', - tlogID: 'tlog-123', - attestationDigest: 'sha256:123456', - bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' } - }) - - setGHContext({ - payload: { repository: { visibility: 'private' } }, - repo: { owner: 'foo', repo: 'bar' } - }) - - await mockFulcio({ - baseURL: 'https://fulcio.githubapp.com', - strict: false - }) - await mockTSA({ baseURL: 'https://timestamp.githubapp.com' }) - }) - - it('logs the attestation type as Build Provenance and generates predicate', async () => { - await run(inputs) - - expect(setFailedMock).not.toHaveBeenCalled() - expect(infoMock).toHaveBeenCalledWith( - 'Attestation type: Build Provenance' - ) - }) - }) - - describe('when sbom attestation is detected', () => { - let tmpDir: string - let sbomFilePath: string - - const spdxSBOM = { - spdxVersion: 'SPDX-2.3', - SPDXID: 'SPDXRef-DOCUMENT', - name: 'test-package', - packages: [] - } - - beforeEach(async () => { - tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'main-test-')) - sbomFilePath = path.join(tmpDir, 'sbom.spdx.json') - await fs.writeFile(sbomFilePath, JSON.stringify(spdxSBOM)) - - setGHContext({ - payload: { repository: { visibility: 'private' } }, - repo: { owner: 'foo', repo: 'bar' } - }) - - await mockFulcio({ - baseURL: 'https://fulcio.githubapp.com', - strict: false - }) - await mockTSA({ baseURL: 'https://timestamp.githubapp.com' }) - }) - - afterEach(async () => { - await fs.rm(tmpDir, { recursive: true }) - }) - - it('logs the attestation type as SBOM and generates predicate', async () => { - const inputs: RunInputs = { - ...defaultInputs, - subjectDigest, - subjectName, - sbomPath: sbomFilePath, - githubToken: 'gh-token' - } - - await run(inputs) - - expect(setFailedMock).not.toHaveBeenCalled() - expect(infoMock).toHaveBeenCalledWith('Attestation type: SBOM') - }) - }) - }) -}) - -// Helper to update the mock context -function setGHContext(context: { - repo?: { owner: string; repo: string } - payload?: { repository?: { visibility: string } } -}): void { - if (context.repo) { - mockContext.repo = context.repo - } - if (context.payload) { - mockContext.payload = context.payload as typeof mockContext.payload - } -} diff --git a/__tests__/predicate.test.ts b/__tests__/predicate.test.ts deleted file mode 100644 index 1a71fa6..0000000 --- a/__tests__/predicate.test.ts +++ /dev/null @@ -1,133 +0,0 @@ -import fs from 'fs/promises' -import os from 'os' -import path from 'path' -import { predicateFromInputs, PredicateInputs } from '../src/predicate' - -describe('subjectFromInputs', () => { - const blankInputs: PredicateInputs = { - predicateType: '', - predicate: '', - predicatePath: '' - } - - describe('when no inputs are provided', () => { - it('throws an error', async () => { - await expect(predicateFromInputs(blankInputs)).rejects.toThrow( - /predicate-type/i - ) - }) - }) - - describe('when neither predicate path nor predicate are provided', () => { - it('throws an error', async () => { - const inputs: PredicateInputs = { - ...blankInputs, - predicateType: 'https://example.com/predicate' - } - - await expect(predicateFromInputs(inputs)).rejects.toThrow( - /one of predicate-path or predicate must be provided/i - ) - }) - }) - - describe('when both predicate path and predicate are provided', () => { - it('throws an error', async () => { - const inputs: PredicateInputs = { - predicateType: 'https://example.com/predicate', - predicate: '{}', - predicatePath: 'path/to/predicate' - } - - await expect(predicateFromInputs(inputs)).rejects.toThrow( - /only one of predicate-path or predicate may be provided/i - ) - }) - }) - - describe('when specifying a predicate path', () => { - const predicateType = 'https://example.com/predicate' - const content = '{}' - let predicatePath = '' - - beforeEach(async () => { - // Set-up temp directory - const tmpDir = await fs.realpath(os.tmpdir()) - const dir = await fs.mkdtemp(tmpDir + path.sep) - - const filename = 'subject' - predicatePath = path.join(dir, filename) - - // Write file to temp directory - await fs.writeFile(predicatePath, content) - }) - - afterEach(async () => { - // Clean-up temp directory - await fs.rm(path.parse(predicatePath).dir, { recursive: true }) - }) - - it('returns the predicate', async () => { - const inputs: PredicateInputs = { - ...blankInputs, - predicateType, - predicatePath - } - await expect(predicateFromInputs(inputs)).resolves.toEqual({ - type: predicateType, - params: JSON.parse(content) - }) - }) - }) - - describe('when specifying a predicate path that does not exist', () => { - const predicateType = 'https://example.com/predicate' - const predicatePath = 'foo' - - it('returns the predicate', async () => { - const inputs: PredicateInputs = { - ...blankInputs, - predicateType, - predicatePath - } - await expect(predicateFromInputs(inputs)).rejects.toThrow( - /file not found/ - ) - }) - }) - - describe('when specifying a predicate value', () => { - const predicateType = 'https://example.com/predicate' - const content = '{}' - - it('returns the predicate', async () => { - const inputs: PredicateInputs = { - ...blankInputs, - predicateType, - predicate: content - } - - await expect(predicateFromInputs(inputs)).resolves.toEqual({ - type: predicateType, - params: JSON.parse(content) - }) - }) - }) - - describe('when specifying a predicate value exceeding the max size', () => { - const predicateType = 'https://example.com/predicate' - const content = JSON.stringify({ a: 'a'.repeat(16 * 1024 * 1024) }) - - it('throws an error', async () => { - const inputs: PredicateInputs = { - ...blankInputs, - predicateType, - predicate: content - } - - await expect(predicateFromInputs(inputs)).rejects.toThrow( - /predicate string exceeds maximum/ - ) - }) - }) -}) diff --git a/__tests__/sbom.test.ts b/__tests__/sbom.test.ts deleted file mode 100644 index 17b72d5..0000000 --- a/__tests__/sbom.test.ts +++ /dev/null @@ -1,161 +0,0 @@ -import fs from 'fs/promises' -import os from 'os' -import path from 'path' -import { parseSBOMFromPath, generateSBOMPredicate, SBOM } from '../src/sbom' - -describe('parseSBOMFromPath', () => { - let tmpDir: string - - beforeEach(async () => { - tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'sbom-test-')) - }) - - afterEach(async () => { - await fs.rm(tmpDir, { recursive: true }) - }) - - describe('when file does not exist', () => { - it('throws an error', async () => { - await expect(parseSBOMFromPath('/nonexistent/file.json')).rejects.toThrow( - /SBOM file not found/ - ) - }) - }) - - describe('when file contains valid SPDX SBOM', () => { - const spdxSBOM = { - spdxVersion: 'SPDX-2.3', - SPDXID: 'SPDXRef-DOCUMENT', - name: 'test-package', - packages: [] - } - - it('returns SBOM with type spdx', async () => { - const filePath = path.join(tmpDir, 'sbom.spdx.json') - await fs.writeFile(filePath, JSON.stringify(spdxSBOM)) - - const result = await parseSBOMFromPath(filePath) - - expect(result.type).toBe('spdx') - expect(result.object).toEqual(spdxSBOM) - }) - }) - - describe('when file contains valid CycloneDX SBOM', () => { - const cyclonedxSBOM = { - bomFormat: 'CycloneDX', - specVersion: '1.4', - serialNumber: 'urn:uuid:12345', - components: [] - } - - it('returns SBOM with type cyclonedx', async () => { - const filePath = path.join(tmpDir, 'sbom.cdx.json') - await fs.writeFile(filePath, JSON.stringify(cyclonedxSBOM)) - - const result = await parseSBOMFromPath(filePath) - - expect(result.type).toBe('cyclonedx') - expect(result.object).toEqual(cyclonedxSBOM) - }) - }) - - describe('when file contains invalid SBOM format', () => { - it('throws an error', async () => { - const filePath = path.join(tmpDir, 'invalid.json') - await fs.writeFile(filePath, JSON.stringify({ random: 'data' })) - - await expect(parseSBOMFromPath(filePath)).rejects.toThrow( - /Unsupported SBOM format/ - ) - }) - }) - - describe('when file contains invalid JSON', () => { - it('throws an error', async () => { - const filePath = path.join(tmpDir, 'invalid.json') - await fs.writeFile(filePath, 'not valid json') - - await expect(parseSBOMFromPath(filePath)).rejects.toThrow() - }) - }) - - describe('when file exceeds maximum size', () => { - it('throws an error', async () => { - const filePath = path.join(tmpDir, 'large.json') - // Create a file larger than 16MB - const largeContent = 'x'.repeat(17 * 1024 * 1024) - await fs.writeFile(filePath, largeContent) - - await expect(parseSBOMFromPath(filePath)).rejects.toThrow( - /SBOM file exceeds maximum allowed size/ - ) - }) - }) -}) - -describe('generateSBOMPredicate', () => { - describe('for SPDX SBOM', () => { - const spdxSBOM: SBOM = { - type: 'spdx', - object: { - spdxVersion: 'SPDX-2.3', - SPDXID: 'SPDXRef-DOCUMENT', - name: 'test-package' - } - } - - it('returns predicate with correct SPDX type', () => { - const predicate = generateSBOMPredicate(spdxSBOM) - - expect(predicate.type).toBe('https://spdx.dev/Document/v2.3') - expect(predicate.params).toEqual(spdxSBOM.object) - }) - }) - - describe('for CycloneDX SBOM', () => { - const cyclonedxSBOM: SBOM = { - type: 'cyclonedx', - object: { - bomFormat: 'CycloneDX', - specVersion: '1.4', - serialNumber: 'urn:uuid:12345' - } - } - - it('returns predicate with correct CycloneDX type', () => { - const predicate = generateSBOMPredicate(cyclonedxSBOM) - - expect(predicate.type).toBe('https://cyclonedx.org/bom') - expect(predicate.params).toEqual(cyclonedxSBOM.object) - }) - }) - - describe('for SPDX without version', () => { - const invalidSBOM: SBOM = { - type: 'spdx', - object: { - SPDXID: 'SPDXRef-DOCUMENT' - } - } - - it('throws an error', () => { - expect(() => generateSBOMPredicate(invalidSBOM)).toThrow( - /Cannot find spdxVersion/ - ) - }) - }) - - describe('for unsupported SBOM type', () => { - const unsupportedSBOM = { - type: 'unknown' as SBOM['type'], - object: { foo: 'bar' } - } - - it('throws an error', () => { - expect(() => generateSBOMPredicate(unsupportedSBOM)).toThrow( - /Unsupported SBOM format/ - ) - }) - }) -}) diff --git a/__tests__/style.test.ts b/__tests__/style.test.ts deleted file mode 100644 index d7ebe8f..0000000 --- a/__tests__/style.test.ts +++ /dev/null @@ -1,15 +0,0 @@ -import { highlight, mute } from '../src/style' - -describe('style', () => { - describe('highlight', () => { - it('adds cyan color to the string', () => { - expect(highlight('foo')).toBe('\x1B[36mfoo\x1B[39m') - }) - }) - - describe('mute', () => { - it('adds gray color to the string', () => { - expect(mute('foo')).toBe('\x1B[38;5;244mfoo\x1B[39m') - }) - }) -}) diff --git a/__tests__/subject.test.ts b/__tests__/subject.test.ts deleted file mode 100644 index 7064a00..0000000 --- a/__tests__/subject.test.ts +++ /dev/null @@ -1,600 +0,0 @@ -import crypto from 'crypto' -import fs from 'fs/promises' -import os from 'os' -import path from 'path' -import { - formatSubjectDigest, - subjectFromInputs, - SubjectInputs -} from '../src/subject' - -describe('subjectFromInputs', () => { - const blankInputs: SubjectInputs = { - subjectPath: '', - subjectName: '', - subjectDigest: '', - subjectChecksums: '' - } - - describe('when no inputs are provided', () => { - it('throws an error', async () => { - await expect(subjectFromInputs(blankInputs)).rejects.toThrow( - /one of subject-path, subject-digest, or subject-checksums must be provided/i - ) - }) - }) - - describe('when both subject path and subject digest are provided', () => { - it('throws an error', async () => { - const inputs: SubjectInputs = { - subjectName: 'foo', - subjectPath: 'path/to/subject', - subjectDigest: 'digest', - subjectChecksums: '' - } - - await expect(subjectFromInputs(inputs)).rejects.toThrow( - /only one of subject-path, subject-digest, or subject-checksums may be provided/i - ) - }) - }) - - describe('when both subject path and subject checksums are provided', () => { - it('throws an error', async () => { - const inputs: SubjectInputs = { - subjectName: '', - subjectPath: 'path/to/subject', - subjectDigest: '', - subjectChecksums: 'path/to/checksums' - } - - await expect(subjectFromInputs(inputs)).rejects.toThrow( - /only one of subject-path, subject-digest, or subject-checksums may be provided/i - ) - }) - }) - - describe('when both subject digest and subject checksums are provided', () => { - it('throws an error', async () => { - const inputs: SubjectInputs = { - subjectName: 'foo', - subjectPath: '', - subjectDigest: 'digest', - subjectChecksums: 'path/to/checksums' - } - - await expect(subjectFromInputs(inputs)).rejects.toThrow( - /only one of subject-path, subject-digest, or subject-checksums may be provided/i - ) - }) - }) - - describe('when subject digest is provided but not the name', () => { - it('throws an error', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectDigest: 'digest' - } - - await expect(subjectFromInputs(inputs)).rejects.toThrow( - /subject-name must be provided when using subject-digest/i - ) - }) - }) - - describe('when specifying a subject digest', () => { - const name = 'Subject' - - describe('when the digest is malformed', () => { - it('throws an error', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectDigest: 'digest', - subjectName: name - } - - await expect(subjectFromInputs(inputs)).rejects.toThrow( - /subject-digest must be in the format "sha256:"/i - ) - }) - }) - - describe('when the algorithm is not supported', () => { - it('throws an error', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectDigest: 'md5:deadbeef', - subjectName: name - } - - await expect(subjectFromInputs(inputs)).rejects.toThrow( - /subject-digest must be in the format "sha256:"/i - ) - }) - }) - - describe('when the sha256 digest is malformed', () => { - it('throws an error', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectDigest: 'sha256:deadbeef', - subjectName: name - } - - await expect(subjectFromInputs(inputs)).rejects.toThrow( - /subject-digest must be in the format "sha256:"/i - ) - }) - }) - - describe('when the sha256 digest is valid', () => { - const alg = 'sha256' - const digest = - '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' - - it('returns the subject', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectDigest: `${alg}:${digest}`, - subjectName: name - } - - const subject = await subjectFromInputs(inputs) - - expect(subject).toBeDefined() - expect(subject).toHaveLength(1) - expect(subject[0].name).toEqual(name) - expect(subject[0].digest).toEqual({ [alg]: digest }) - }) - }) - - describe('when the downcaseName is true', () => { - const imageName = 'ghcr.io/FOO/bar' - const alg = 'sha256' - const digest = - '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' - - it('returns the subject (with name downcased)', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectDigest: `${alg}:${digest}`, - subjectName: imageName, - downcaseName: true - } - - const subject = await subjectFromInputs(inputs) - - expect(subject).toBeDefined() - expect(subject).toHaveLength(1) - expect(subject[0].name).toEqual(imageName.toLowerCase()) - expect(subject[0].digest).toEqual({ [alg]: digest }) - }) - }) - }) - - describe('when specifying a subject path', () => { - describe('when the file does NOT exist', () => { - it('throws an error', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectPath: '/f/a/k/e' - } - - await expect(subjectFromInputs(inputs)).rejects.toThrow( - /could not find subject at path/i - ) - }) - }) - }) - - describe('when the file exists', () => { - let dir = '' - const filename = 'subject' - const content = 'file content' - - const expectedDigest = crypto - .createHash('sha256') - .update(content) - .digest('hex') - - beforeEach(async () => { - // Set-up temp directory - const tmpDir = await fs.realpath(os.tmpdir()) - dir = await fs.mkdtemp(tmpDir + path.sep) - - // Write file to temp directory - await fs.writeFile(path.join(dir, filename), content) - - // Add files for glob testing - for (let i = 0; i < 3; i++) { - await fs.writeFile(path.join(dir, `${filename}-${i}`), content) - await fs.writeFile(path.join(dir, `other-${i}`), content) - } - }) - - afterEach(async () => { - // Clean-up temp directory - await fs.rm(dir, { recursive: true }) - }) - - describe('when no name is provided', () => { - it('returns the subject', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectPath: path.join(dir, filename) - } - - const subject = await subjectFromInputs(inputs) - - expect(subject).toBeDefined() - expect(subject).toHaveLength(1) - expect(subject[0].name).toEqual(filename) - expect(subject[0].digest).toEqual({ sha256: expectedDigest }) - }) - }) - - describe('when a name is provided', () => { - const name = 'mysubject' - - it('returns the subject', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectPath: path.join(dir, filename), - subjectName: name - } - - const subject = await subjectFromInputs(inputs) - - expect(subject).toBeDefined() - expect(subject).toHaveLength(1) - expect(subject[0].name).toEqual(name) - expect(subject[0].digest).toEqual({ sha256: expectedDigest }) - }) - }) - - describe('when a file glob is supplied', () => { - it('returns the multiple subjects', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectPath: path.join(dir, 'subject-*') - } - - const subjects = await subjectFromInputs(inputs) - - expect(subjects).toBeDefined() - expect(subjects).toHaveLength(3) - - subjects.forEach((subject, i) => { - expect(subject.name).toEqual(`${filename}-${i}`) - expect(subject.digest).toEqual({ sha256: expectedDigest }) - }) - }) - }) - - describe('when a file glob is supplied which also matches non-files', () => { - it('returns the subjects (excluding non-files)', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectPath: `${dir}*` - } - - const subjects = await subjectFromInputs(inputs) - - expect(subjects).toBeDefined() - expect(subjects).toHaveLength(7) - }) - }) - - describe('when a comma-separated list is supplied', () => { - it('returns the multiple subjects', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectPath: `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}` - } - - const subjects = await subjectFromInputs(inputs) - - expect(subjects).toBeDefined() - expect(subjects).toHaveLength(2) - - expect(subjects).toContainEqual({ - name: 'subject-1', - digest: { sha256: expectedDigest } - }) - expect(subjects).toContainEqual({ - name: 'subject-2', - digest: { sha256: expectedDigest } - }) - }) - }) - - describe('when a multi-line list is supplied', () => { - it('returns the multiple subjects', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectPath: `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}` - } - - const subjects = await subjectFromInputs(inputs) - - expect(subjects).toBeDefined() - expect(subjects).toHaveLength(2) - - expect(subjects).toContainEqual({ - name: 'subject-0', - digest: { sha256: expectedDigest } - }) - expect(subjects).toContainEqual({ - name: 'subject-2', - digest: { sha256: expectedDigest } - }) - }) - }) - - describe('when an excluding glob is supplied', () => { - it('returns the multiple subjects', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectPath: `${path.join(dir, 'subject-*')},!${path.join(dir, 'subject-1')}` - } - - const subjects = await subjectFromInputs(inputs) - - expect(subjects).toBeDefined() - expect(subjects).toHaveLength(2) - - expect(subjects).toContainEqual({ - name: 'subject-0', - digest: { sha256: expectedDigest } - }) - expect(subjects).toContainEqual({ - name: 'subject-2', - digest: { sha256: expectedDigest } - }) - }) - }) - - describe('when a multi-line glob list is supplied', () => { - it('returns the multiple subjects', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectPath: `${path.join(dir, 'subject-*')}\n ${path.join(dir, 'other-*')} ` - } - - const subjects = await subjectFromInputs(inputs) - - expect(subjects).toBeDefined() - expect(subjects).toHaveLength(6) - - expect(subjects).toContainEqual({ - name: 'subject-0', - digest: { sha256: expectedDigest } - }) - expect(subjects).toContainEqual({ - name: 'subject-1', - digest: { sha256: expectedDigest } - }) - expect(subjects).toContainEqual({ - name: 'subject-2', - digest: { sha256: expectedDigest } - }) - - expect(subjects).toContainEqual({ - name: 'other-0', - digest: { sha256: expectedDigest } - }) - expect(subjects).toContainEqual({ - name: 'other-1', - digest: { sha256: expectedDigest } - }) - expect(subjects).toContainEqual({ - name: 'other-2', - digest: { sha256: expectedDigest } - }) - }) - }) - - describe('when duplicate subjects are supplied', () => { - let otherDir = '' - - // Add duplicate subject in alternate directory - beforeEach(async () => { - // Set-up temp directory - const tmpDir = await fs.realpath(os.tmpdir()) - otherDir = await fs.mkdtemp(tmpDir + path.sep) - - // Write file to temp directory - await fs.writeFile(path.join(otherDir, filename), content) - }) - - it('returns de-duplicated subjects', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectPath: `${path.join(dir, 'subject')}, ${path.join(otherDir, 'subject')} ` - } - const subjects = await subjectFromInputs(inputs) - - expect(subjects).toBeDefined() - expect(subjects).toHaveLength(1) - }) - }) - }) - - describe('when specifying a subject checksums file', () => { - const checksums = ` -187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d demo_0.0.1_linux_amd64 -badline -5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718 demo_0.0.1_darwin_arm64` - - let dir = '' - const filename = 'checksums' - - beforeEach(async () => { - // Set-up temp directory - const tmpDir = await fs.realpath(os.tmpdir()) - dir = await fs.mkdtemp(tmpDir + path.sep) - - // Write file to temp directory - await fs.writeFile(path.join(dir, filename), checksums) - }) - - afterEach(async () => { - // Clean-up temp directory - await fs.rm(dir, { recursive: true }) - }) - - describe('when the specified path is NOT a file', () => { - it('throws an error', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectChecksums: dir - } - await expect(subjectFromInputs(inputs)).rejects.toThrow( - /subject checksums file not found/i - ) - }) - }) - - describe('when the specific path is a file', () => { - it('returns the multiple subjects', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectChecksums: path.join(dir, filename) - } - const subjects = await subjectFromInputs(inputs) - - expect(subjects).toBeDefined() - expect(subjects).toHaveLength(2) - - expect(subjects).toContainEqual({ - name: 'demo_0.0.1_linux_amd64', - digest: { - sha256: - '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d' - } - }) - expect(subjects).toContainEqual({ - name: 'demo_0.0.1_darwin_arm64', - digest: { - sha512: - '5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718' - } - }) - }) - }) - }) - - describe('when specifying a subject checksums string', () => { - const checksums = ` -f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386 -187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *demo_0.0.1_linux_amd64 -9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 demo_0.0.1_linux_arm64` - - it('returns the multiple subjects', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectChecksums: checksums - } - const subjects = await subjectFromInputs(inputs) - - expect(subjects).toBeDefined() - expect(subjects).toHaveLength(3) - - expect(subjects).toContainEqual({ - name: 'demo_0.0.1_linux_386', - digest: { - sha256: - 'f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e' - } - }) - expect(subjects).toContainEqual({ - name: 'demo_0.0.1_linux_amd64', - digest: { - sha256: - '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d' - } - }) - expect(subjects).toContainEqual({ - name: 'demo_0.0.1_linux_arm64', - digest: { - sha256: - '9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5' - } - }) - }) - }) - - describe('when specifying a subject checksums string with duplicates', () => { - const checksums = ` -f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386 -f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386 -187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *demo_0.0.1_linux_amd64` - - it('returns de-duplicated subjects', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectChecksums: checksums - } - const subjects = await subjectFromInputs(inputs) - - expect(subjects).toBeDefined() - expect(subjects).toHaveLength(2) - - expect(subjects).toContainEqual({ - name: 'demo_0.0.1_linux_386', - digest: { - sha256: - 'f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e' - } - }) - expect(subjects).toContainEqual({ - name: 'demo_0.0.1_linux_amd64', - digest: { - sha256: - '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d' - } - }) - }) - }) - - describe('when specifying a subject checksums string with an unrecognized digest', () => { - const checksums = `f861e demo_0.0.1_linux_386` - - it('throws an error', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectChecksums: checksums - } - - await expect(subjectFromInputs(inputs)).rejects.toThrow( - /unknown digest algorithm/i - ) - }) - }) - - describe('when specifying a subject checksums string with an invalid digest', () => { - const checksums = - '!!!!e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386' - - it('throws an error', async () => { - const inputs: SubjectInputs = { - ...blankInputs, - subjectChecksums: checksums - } - - await expect(subjectFromInputs(inputs)).rejects.toThrow(/invalid digest/i) - }) - }) -}) - -describe('subjectDigest', () => { - it('returns the digest', () => { - const subject = { - name: 'foo', - digest: { sha1: 'deadbeef' } - } - - const digest = formatSubjectDigest(subject) - expect(digest).toEqual('sha1:deadbeef') - }) -}) diff --git a/__tests__/detect.test.ts b/__tests__/unit/detect.test.ts similarity index 64% rename from __tests__/detect.test.ts rename to __tests__/unit/detect.test.ts index 36f959c..4820996 100644 --- a/__tests__/detect.test.ts +++ b/__tests__/unit/detect.test.ts @@ -2,7 +2,7 @@ import { detectAttestationType, validateAttestationInputs, DetectionInputs -} from '../src/detect' +} from '../../src/detect' describe('detectAttestationType', () => { const blankInputs: DetectionInputs = { @@ -12,14 +12,12 @@ describe('detectAttestationType', () => { predicatePath: '' } - describe('when no inputs are provided', () => { - it('returns provenance', () => { - expect(detectAttestationType(blankInputs)).toBe('provenance') - }) + it('should return provenance when no inputs are provided', () => { + expect(detectAttestationType(blankInputs)).toBe('provenance') }) - describe('when sbom-path is provided', () => { - it('returns sbom', () => { + describe('SBOM detection', () => { + it('should return sbom when sbom-path is provided', () => { const inputs: DetectionInputs = { ...blankInputs, sbomPath: '/path/to/sbom.json' @@ -27,7 +25,7 @@ describe('detectAttestationType', () => { expect(detectAttestationType(inputs)).toBe('sbom') }) - it('returns sbom even when predicate inputs are also provided', () => { + it('should prioritize sbom over custom predicate inputs', () => { const inputs: DetectionInputs = { ...blankInputs, sbomPath: '/path/to/sbom.json', @@ -37,38 +35,32 @@ describe('detectAttestationType', () => { }) }) - describe('when predicate-type is provided', () => { - it('returns custom', () => { + describe('custom detection', () => { + it('should return custom when predicate-type is provided', () => { const inputs: DetectionInputs = { ...blankInputs, predicateType: 'https://example.com/predicate' } expect(detectAttestationType(inputs)).toBe('custom') }) - }) - describe('when predicate is provided', () => { - it('returns custom', () => { + it('should return custom when predicate is provided', () => { const inputs: DetectionInputs = { ...blankInputs, predicate: '{}' } expect(detectAttestationType(inputs)).toBe('custom') }) - }) - describe('when predicate-path is provided', () => { - it('returns custom', () => { + it('should return custom when predicate-path is provided', () => { const inputs: DetectionInputs = { ...blankInputs, predicatePath: '/path/to/predicate.json' } expect(detectAttestationType(inputs)).toBe('custom') }) - }) - describe('when predicate-type and predicate are provided', () => { - it('returns custom', () => { + it('should return custom when predicate-type and predicate are both provided', () => { const inputs: DetectionInputs = { ...blankInputs, predicateType: 'https://example.com/predicate', @@ -87,24 +79,20 @@ describe('validateAttestationInputs', () => { predicatePath: '' } - describe('when no inputs are provided', () => { - it('does not throw', () => { - expect(() => validateAttestationInputs(blankInputs)).not.toThrow() - }) + it('should not throw when no inputs are provided', () => { + expect(() => validateAttestationInputs(blankInputs)).not.toThrow() }) - describe('when sbom-path is provided alone', () => { - it('does not throw', () => { - const inputs: DetectionInputs = { - ...blankInputs, - sbomPath: '/path/to/sbom.json' - } - expect(() => validateAttestationInputs(inputs)).not.toThrow() - }) + it('should not throw when sbom-path is provided alone', () => { + const inputs: DetectionInputs = { + ...blankInputs, + sbomPath: '/path/to/sbom.json' + } + expect(() => validateAttestationInputs(inputs)).not.toThrow() }) - describe('when sbom-path is combined with predicate-type', () => { - it('throws an error', () => { + describe('sbom-path conflicts', () => { + it('should throw when sbom-path is combined with predicate-type', () => { const inputs: DetectionInputs = { ...blankInputs, sbomPath: '/path/to/sbom.json', @@ -114,10 +102,8 @@ describe('validateAttestationInputs', () => { /Cannot specify sbom-path together with/ ) }) - }) - describe('when sbom-path is combined with predicate', () => { - it('throws an error', () => { + it('should throw when sbom-path is combined with predicate', () => { const inputs: DetectionInputs = { ...blankInputs, sbomPath: '/path/to/sbom.json', @@ -127,10 +113,8 @@ describe('validateAttestationInputs', () => { /Cannot specify sbom-path together with/ ) }) - }) - describe('when sbom-path is combined with predicate-path', () => { - it('throws an error', () => { + it('should throw when sbom-path is combined with predicate-path', () => { const inputs: DetectionInputs = { ...blankInputs, sbomPath: '/path/to/sbom.json', @@ -142,8 +126,8 @@ describe('validateAttestationInputs', () => { }) }) - describe('when predicate is provided without predicate-type', () => { - it('throws an error', () => { + describe('predicate-type requirements', () => { + it('should throw when predicate is provided without predicate-type', () => { const inputs: DetectionInputs = { ...blankInputs, predicate: '{}' @@ -152,10 +136,8 @@ describe('validateAttestationInputs', () => { /predicate-type is required/ ) }) - }) - describe('when predicate-path is provided without predicate-type', () => { - it('throws an error', () => { + it('should throw when predicate-path is provided without predicate-type', () => { const inputs: DetectionInputs = { ...blankInputs, predicatePath: '/path/to/predicate.json' @@ -164,10 +146,8 @@ describe('validateAttestationInputs', () => { /predicate-type is required/ ) }) - }) - describe('when predicate-type and predicate are provided', () => { - it('does not throw', () => { + it('should not throw when predicate-type and predicate are provided', () => { const inputs: DetectionInputs = { ...blankInputs, predicateType: 'https://example.com/predicate', @@ -175,10 +155,8 @@ describe('validateAttestationInputs', () => { } expect(() => validateAttestationInputs(inputs)).not.toThrow() }) - }) - describe('when predicate-type and predicate-path are provided', () => { - it('does not throw', () => { + it('should not throw when predicate-type and predicate-path are provided', () => { const inputs: DetectionInputs = { ...blankInputs, predicateType: 'https://example.com/predicate', diff --git a/__tests__/unit/predicate.test.ts b/__tests__/unit/predicate.test.ts new file mode 100644 index 0000000..6d08b8b --- /dev/null +++ b/__tests__/unit/predicate.test.ts @@ -0,0 +1,142 @@ +import fs from 'fs/promises' +import os from 'os' +import path from 'path' +import { predicateFromInputs, PredicateInputs } from '../../src/predicate' + +describe('predicateFromInputs', () => { + const blankInputs: PredicateInputs = { + predicateType: '', + predicate: '', + predicatePath: '' + } + + let tempDir: string + + beforeEach(async () => { + tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'predicate-test-')) + }) + + afterEach(async () => { + await fs.rm(tempDir, { recursive: true, force: true }) + }) + + describe('input validation', () => { + it('should throw when predicate-type is not provided', async () => { + await expect(predicateFromInputs(blankInputs)).rejects.toThrow( + /predicate-type must be provided/ + ) + }) + + it('should throw when neither predicate nor predicate-path is provided', async () => { + const inputs: PredicateInputs = { + ...blankInputs, + predicateType: 'https://example.com/predicate' + } + await expect(predicateFromInputs(inputs)).rejects.toThrow( + /one of predicate-path or predicate must be provided/i + ) + }) + + it('should throw when both predicate and predicate-path are provided', async () => { + const inputs: PredicateInputs = { + predicateType: 'https://example.com/predicate', + predicate: '{}', + predicatePath: '/path/to/predicate.json' + } + await expect(predicateFromInputs(inputs)).rejects.toThrow( + /only one of predicate-path or predicate may be provided/i + ) + }) + }) + + describe('with predicate string', () => { + it('should parse and return the predicate', async () => { + const predicateType = 'https://example.com/predicate' + const predicateContent = { foo: 'bar', nested: { value: 123 } } + + const inputs: PredicateInputs = { + ...blankInputs, + predicateType, + predicate: JSON.stringify(predicateContent) + } + + const result = await predicateFromInputs(inputs) + + expect(result).toEqual({ + type: predicateType, + params: predicateContent + }) + }) + + it('should throw when predicate string exceeds max size', async () => { + const predicateType = 'https://example.com/predicate' + const largeContent = JSON.stringify({ data: 'x'.repeat(16 * 1024 * 1024) }) + + const inputs: PredicateInputs = { + ...blankInputs, + predicateType, + predicate: largeContent + } + + await expect(predicateFromInputs(inputs)).rejects.toThrow( + /predicate string exceeds maximum/ + ) + }) + + it('should throw when predicate is invalid JSON', async () => { + const inputs: PredicateInputs = { + ...blankInputs, + predicateType: 'https://example.com/predicate', + predicate: 'not valid json' + } + + await expect(predicateFromInputs(inputs)).rejects.toThrow(/JSON/) + }) + }) + + describe('with predicate path', () => { + it('should read and parse predicate from file', async () => { + const predicateType = 'https://example.com/predicate' + const predicateContent = { buildType: 'test', metadata: { version: '1.0' } } + const filePath = path.join(tempDir, 'predicate.json') + + await fs.writeFile(filePath, JSON.stringify(predicateContent)) + + const inputs: PredicateInputs = { + ...blankInputs, + predicateType, + predicatePath: filePath + } + + const result = await predicateFromInputs(inputs) + + expect(result).toEqual({ + type: predicateType, + params: predicateContent + }) + }) + + it('should throw when predicate file does not exist', async () => { + const inputs: PredicateInputs = { + ...blankInputs, + predicateType: 'https://example.com/predicate', + predicatePath: '/nonexistent/file.json' + } + + await expect(predicateFromInputs(inputs)).rejects.toThrow(/file not found/) + }) + + it('should throw when predicate file contains invalid JSON', async () => { + const filePath = path.join(tempDir, 'invalid.json') + await fs.writeFile(filePath, 'not valid json') + + const inputs: PredicateInputs = { + ...blankInputs, + predicateType: 'https://example.com/predicate', + predicatePath: filePath + } + + await expect(predicateFromInputs(inputs)).rejects.toThrow(/JSON/) + }) + }) +}) diff --git a/__tests__/unit/sbom.test.ts b/__tests__/unit/sbom.test.ts new file mode 100644 index 0000000..39613a5 --- /dev/null +++ b/__tests__/unit/sbom.test.ts @@ -0,0 +1,181 @@ +import { jest } from '@jest/globals' +import fs from 'fs/promises' +import os from 'os' +import path from 'path' +import { parseSBOMFromPath, generateSBOMPredicate, SBOM } from '../../src/sbom' + +describe('parseSBOMFromPath', () => { + let tempDir: string + + beforeEach(async () => { + tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'sbom-test-')) + }) + + afterEach(async () => { + await fs.rm(tempDir, { recursive: true, force: true }) + }) + + describe('file handling', () => { + it('should throw when file does not exist', async () => { + await expect(parseSBOMFromPath('/nonexistent/file.json')).rejects.toThrow( + /SBOM file not found/ + ) + }) + + it('should rethrow non-ENOENT errors', async () => { + const statSpy = jest.spyOn(fs, 'stat').mockRejectedValueOnce( + Object.assign(new Error('Permission denied'), { code: 'EACCES' }) + ) + + await expect(parseSBOMFromPath('/some/file.json')).rejects.toThrow( + /Permission denied/ + ) + + statSpy.mockRestore() + }) + + it('should throw when file contains invalid JSON', async () => { + const filePath = path.join(tempDir, 'invalid.json') + await fs.writeFile(filePath, 'not valid json') + + await expect(parseSBOMFromPath(filePath)).rejects.toThrow(/JSON/) + }) + + it('should throw when file exceeds maximum size', async () => { + const filePath = path.join(tempDir, 'large.json') + const largeContent = 'x'.repeat(17 * 1024 * 1024) + await fs.writeFile(filePath, largeContent) + + await expect(parseSBOMFromPath(filePath)).rejects.toThrow( + /SBOM file exceeds maximum allowed size/ + ) + }) + }) + + describe('SPDX format', () => { + const spdxSBOM = { + spdxVersion: 'SPDX-2.3', + SPDXID: 'SPDXRef-DOCUMENT', + name: 'test-package', + packages: [] + } + + it('should parse valid SPDX SBOM', async () => { + const filePath = path.join(tempDir, 'sbom.spdx.json') + await fs.writeFile(filePath, JSON.stringify(spdxSBOM)) + + const result = await parseSBOMFromPath(filePath) + + expect(result.type).toBe('spdx') + expect(result.object).toEqual(spdxSBOM) + }) + }) + + describe('CycloneDX format', () => { + const cyclonedxSBOM = { + bomFormat: 'CycloneDX', + specVersion: '1.4', + serialNumber: 'urn:uuid:12345', + components: [] + } + + it('should parse valid CycloneDX SBOM', async () => { + const filePath = path.join(tempDir, 'sbom.cdx.json') + await fs.writeFile(filePath, JSON.stringify(cyclonedxSBOM)) + + const result = await parseSBOMFromPath(filePath) + + expect(result.type).toBe('cyclonedx') + expect(result.object).toEqual(cyclonedxSBOM) + }) + }) + + describe('unsupported formats', () => { + it('should throw for unrecognized SBOM format', async () => { + const filePath = path.join(tempDir, 'invalid-sbom.json') + await fs.writeFile(filePath, JSON.stringify({ random: 'data' })) + + await expect(parseSBOMFromPath(filePath)).rejects.toThrow( + /Unsupported SBOM format/ + ) + }) + + it('should throw for SPDX missing SPDXID', async () => { + const filePath = path.join(tempDir, 'partial-spdx.json') + await fs.writeFile(filePath, JSON.stringify({ spdxVersion: 'SPDX-2.3' })) + + await expect(parseSBOMFromPath(filePath)).rejects.toThrow( + /Unsupported SBOM format/ + ) + }) + + it('should throw for CycloneDX missing required fields', async () => { + const filePath = path.join(tempDir, 'partial-cdx.json') + await fs.writeFile(filePath, JSON.stringify({ bomFormat: 'CycloneDX' })) + + await expect(parseSBOMFromPath(filePath)).rejects.toThrow( + /Unsupported SBOM format/ + ) + }) + }) +}) + +describe('generateSBOMPredicate', () => { + describe('SPDX predicates', () => { + it('should generate predicate with correct SPDX type URL', () => { + const sbom: SBOM = { + type: 'spdx', + object: { + spdxVersion: 'SPDX-2.3', + SPDXID: 'SPDXRef-DOCUMENT', + name: 'test-package' + } + } + + const predicate = generateSBOMPredicate(sbom) + + expect(predicate.type).toBe('https://spdx.dev/Document/v2.3') + expect(predicate.params).toEqual(sbom.object) + }) + + it('should throw when spdxVersion is missing', () => { + const sbom: SBOM = { + type: 'spdx', + object: { SPDXID: 'SPDXRef-DOCUMENT' } + } + + expect(() => generateSBOMPredicate(sbom)).toThrow( + /Cannot find spdxVersion/ + ) + }) + }) + + describe('CycloneDX predicates', () => { + it('should generate predicate with correct CycloneDX type URL', () => { + const sbom: SBOM = { + type: 'cyclonedx', + object: { + bomFormat: 'CycloneDX', + specVersion: '1.4', + serialNumber: 'urn:uuid:12345' + } + } + + const predicate = generateSBOMPredicate(sbom) + + expect(predicate.type).toBe('https://cyclonedx.org/bom') + expect(predicate.params).toEqual(sbom.object) + }) + }) + + describe('unsupported types', () => { + it('should throw for unsupported SBOM type', () => { + const sbom = { + type: 'unknown' as SBOM['type'], + object: { foo: 'bar' } + } + + expect(() => generateSBOMPredicate(sbom)).toThrow(/Unsupported SBOM format/) + }) + }) +}) diff --git a/__tests__/unit/style.test.ts b/__tests__/unit/style.test.ts new file mode 100644 index 0000000..7271fc7 --- /dev/null +++ b/__tests__/unit/style.test.ts @@ -0,0 +1,27 @@ +import { highlight, mute } from '../../src/style' + +describe('style', () => { + describe('highlight', () => { + it('should wrap text with cyan ANSI color codes', () => { + const result = highlight('test message') + expect(result).toBe('\x1B[36mtest message\x1B[39m') + }) + + it('should handle empty strings', () => { + const result = highlight('') + expect(result).toBe('\x1B[36m\x1B[39m') + }) + }) + + describe('mute', () => { + it('should wrap text with gray ANSI color codes', () => { + const result = mute('test message') + expect(result).toBe('\x1B[38;5;244mtest message\x1B[39m') + }) + + it('should handle empty strings', () => { + const result = mute('') + expect(result).toBe('\x1B[38;5;244m\x1B[39m') + }) + }) +}) diff --git a/__tests__/unit/subject.test.ts b/__tests__/unit/subject.test.ts new file mode 100644 index 0000000..ca3c9b9 --- /dev/null +++ b/__tests__/unit/subject.test.ts @@ -0,0 +1,462 @@ +import crypto from 'crypto' +import fs from 'fs/promises' +import os from 'os' +import path from 'path' +import { + subjectFromInputs, + formatSubjectDigest, + SubjectInputs +} from '../../src/subject' + +describe('subjectFromInputs', () => { + const blankInputs: SubjectInputs = { + subjectPath: '', + subjectName: '', + subjectDigest: '', + subjectChecksums: '' + } + + let tempDir: string + + beforeEach(async () => { + tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'subject-test-')) + }) + + afterEach(async () => { + await fs.rm(tempDir, { recursive: true, force: true }) + }) + + describe('input validation', () => { + it('should throw when no inputs are provided', async () => { + await expect(subjectFromInputs(blankInputs)).rejects.toThrow( + /one of subject-path, subject-digest, or subject-checksums must be provided/i + ) + }) + + it('should throw when multiple subject inputs are provided', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: '/some/path', + subjectDigest: 'sha256:abc123' + } + await expect(subjectFromInputs(inputs)).rejects.toThrow( + /only one of subject-path, subject-digest, or subject-checksums may be provided/i + ) + }) + + it('should throw when subject-digest is provided without subject-name', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectDigest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' + } + await expect(subjectFromInputs(inputs)).rejects.toThrow( + /subject-name must be provided when using subject-digest/i + ) + }) + }) + + describe('with subject-digest', () => { + const validDigest = 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' + + it('should return subject with provided name and digest', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectName: 'my-artifact', + subjectDigest: validDigest + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(1) + expect(subjects[0].name).toBe('my-artifact') + expect(subjects[0].digest).toEqual({ + sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' + }) + }) + + it('should lowercase name when downcaseName is true', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectName: 'ghcr.io/FOO/Bar', + subjectDigest: validDigest, + downcaseName: true + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects[0].name).toBe('ghcr.io/foo/bar') + }) + + it('should throw for malformed digest format', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectName: 'artifact', + subjectDigest: 'invalid-digest' + } + + await expect(subjectFromInputs(inputs)).rejects.toThrow( + /subject-digest must be in the format/ + ) + }) + + it('should throw for unsupported hash algorithm', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectName: 'artifact', + subjectDigest: 'md5:d41d8cd98f00b204e9800998ecf8427e' + } + + await expect(subjectFromInputs(inputs)).rejects.toThrow( + /subject-digest must be in the format/ + ) + }) + + it('should throw for incorrect sha256 digest length', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectName: 'artifact', + subjectDigest: 'sha256:deadbeef' + } + + await expect(subjectFromInputs(inputs)).rejects.toThrow( + /subject-digest must be in the format/ + ) + }) + }) + + describe('with subject-path', () => { + const fileContent = 'test file content' + const expectedDigest = crypto.createHash('sha256').update(fileContent).digest('hex') + + it('should calculate digest from file', async () => { + const filePath = path.join(tempDir, 'artifact.bin') + await fs.writeFile(filePath, fileContent) + + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: filePath + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(1) + expect(subjects[0].name).toBe('artifact.bin') + expect(subjects[0].digest).toEqual({ sha256: expectedDigest }) + }) + + it('should use provided name instead of filename', async () => { + const filePath = path.join(tempDir, 'artifact.bin') + await fs.writeFile(filePath, fileContent) + + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: filePath, + subjectName: 'custom-name' + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects[0].name).toBe('custom-name') + }) + + it('should throw when file does not exist', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: '/nonexistent/file' + } + + await expect(subjectFromInputs(inputs)).rejects.toThrow( + /could not find subject at path/i + ) + }) + + describe('glob patterns', () => { + beforeEach(async () => { + for (let i = 0; i < 3; i++) { + await fs.writeFile(path.join(tempDir, `file-${i}.txt`), fileContent) + } + }) + + it('should expand glob pattern to multiple subjects', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: path.join(tempDir, 'file-*.txt') + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(3) + expect(subjects.map(s => s.name).sort()).toEqual([ + 'file-0.txt', + 'file-1.txt', + 'file-2.txt' + ]) + }) + + it('should handle comma-separated paths', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: `${path.join(tempDir, 'file-0.txt')},${path.join(tempDir, 'file-1.txt')}` + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(2) + }) + + it('should handle newline-separated paths', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: `${path.join(tempDir, 'file-0.txt')}\n${path.join(tempDir, 'file-2.txt')}` + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(2) + }) + + it('should support exclusion patterns', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: `${path.join(tempDir, 'file-*.txt')},!${path.join(tempDir, 'file-1.txt')}` + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(2) + expect(subjects.map(s => s.name)).not.toContain('file-1.txt') + }) + + it('should deduplicate subjects with same name and digest', async () => { + // Create another directory with same file + const otherDir = await fs.mkdtemp(path.join(os.tmpdir(), 'subject-dup-')) + await fs.writeFile(path.join(otherDir, 'file-0.txt'), fileContent) + + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: `${path.join(tempDir, 'file-0.txt')},${path.join(otherDir, 'file-0.txt')}` + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(1) + + await fs.rm(otherDir, { recursive: true, force: true }) + }) + }) + + it('should exclude directories from glob results', async () => { + await fs.mkdir(path.join(tempDir, 'subdir')) + await fs.writeFile(path.join(tempDir, 'file.txt'), fileContent) + + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: path.join(tempDir, '*') + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(1) + expect(subjects[0].name).toBe('file.txt') + }) + + it('should throw when too many subjects are specified', async () => { + // Create 1025 files (exceeds MAX_SUBJECT_COUNT of 1024) + for (let i = 0; i < 1025; i++) { + await fs.writeFile(path.join(tempDir, `file-${i}.txt`), `content-${i}`) + } + + const inputs: SubjectInputs = { + ...blankInputs, + subjectPath: path.join(tempDir, 'file-*.txt') + } + + await expect(subjectFromInputs(inputs)).rejects.toThrow(/too many subjects/i) + }) + }) + + describe('with subject-checksums', () => { + describe('from string', () => { + it('should parse sha256 checksums', async () => { + const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact-linux +9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 artifact-darwin` + + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: checksums + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(2) + expect(subjects).toContainEqual({ + name: 'artifact-linux', + digest: { sha256: '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d' } + }) + expect(subjects).toContainEqual({ + name: 'artifact-darwin', + digest: { sha256: '9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5' } + }) + }) + + it('should parse sha512 checksums', async () => { + const sha512 = '5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718' + const checksums = `${sha512} artifact-amd64` + + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: checksums + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(1) + expect(subjects[0].digest).toEqual({ sha512 }) + }) + + it('should handle binary mode flag (*)', async () => { + const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *artifact.bin` + + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: checksums + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects[0].name).toBe('artifact.bin') + }) + + it('should handle text mode flag (space)', async () => { + const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact.txt` + + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: checksums + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects[0].name).toBe('artifact.txt') + }) + + it('should handle checksums without mode flag', async () => { + // Single space between digest and name (no flag character) + const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact-no-flag` + + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: checksums + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects[0].name).toBe('artifact-no-flag') + }) + + it('should skip malformed lines', async () => { + const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d valid-artifact +badline +9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 another-artifact` + + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: checksums + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(2) + }) + + it('should deduplicate identical entries', async () => { + const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact +187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact` + + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: checksums + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(1) + }) + + it('should throw for invalid digest characters', async () => { + const checksums = `!!!!e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e artifact` + + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: checksums + } + + await expect(subjectFromInputs(inputs)).rejects.toThrow(/invalid digest/i) + }) + + it('should throw for unknown digest algorithm', async () => { + const checksums = `f861e artifact` + + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: checksums + } + + await expect(subjectFromInputs(inputs)).rejects.toThrow(/unknown digest algorithm/i) + }) + }) + + describe('from file', () => { + it('should read checksums from file', async () => { + const checksumFile = path.join(tempDir, 'SHA256SUMS') + const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact-linux +9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 artifact-darwin` + + await fs.writeFile(checksumFile, checksums) + + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: checksumFile + } + + const subjects = await subjectFromInputs(inputs) + + expect(subjects).toHaveLength(2) + }) + + it('should throw when checksums path is a directory', async () => { + const inputs: SubjectInputs = { + ...blankInputs, + subjectChecksums: tempDir + } + + await expect(subjectFromInputs(inputs)).rejects.toThrow( + /subject checksums file not found/i + ) + }) + }) + }) +}) + +describe('formatSubjectDigest', () => { + it('should format digest as algorithm:hash', () => { + const subject = { + name: 'artifact', + digest: { sha256: 'abc123def456' } + } + + expect(formatSubjectDigest(subject)).toBe('sha256:abc123def456') + }) + + it('should use first algorithm alphabetically when multiple exist', () => { + const subject = { + name: 'artifact', + digest: { + sha512: 'longer-hash', + sha256: 'shorter-hash' + } + } + + expect(formatSubjectDigest(subject)).toBe('sha256:shorter-hash') + }) +}) diff --git a/dist/index.js b/dist/index.js index 0d5f54e..6176025 100644 --- a/dist/index.js +++ b/dist/index.js @@ -120896,6 +120896,7 @@ function getRegistryURL(subjectName) { catch { url = new URL(`https://${subjectName}`); } + /* istanbul ignore if */ if (url.protocol !== 'https:') { throw new Error(`Unsupported protocol ${url.protocol} in subject name ${subjectName}`); } @@ -121141,6 +121142,7 @@ async function run(inputs) { setOutput('attestation-id', att.attestationID); setOutput('attestation-url', attestationURL(att.attestationID)); } + /* istanbul ignore if */ if (att.storageRecordIds) { setOutput('storage-record-ids', att.storageRecordIds.join(',')); } @@ -121175,6 +121177,7 @@ const logAttestation = (subjects, attestation, sigstoreInstance) => { startGroup(highlight(`Attestation signed using certificate from ${instanceName} Sigstore instance`)); info(attestation.certificate); endGroup(); + /* istanbul ignore if */ if (attestation.tlogID) { info(highlight('Attestation signature uploaded to Rekor transparency log')); info(`${SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`); @@ -121188,6 +121191,7 @@ const logAttestation = (subjects, attestation, sigstoreInstance) => { info(highlight('Attestation uploaded to registry')); info(`${subjects[0].name}@${attestation.attestationDigest}`); } + /* istanbul ignore next */ if (attestation.storageRecordIds && attestation.storageRecordIds.length > 0) { info(highlight('Storage record created')); info(`Storage record IDs: ${attestation.storageRecordIds.join(',')}`); diff --git a/package-lock.json b/package-lock.json index 0c782db..f22c42b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -175,7 +175,6 @@ "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==", "dev": true, "license": "MIT", - "peer": true, "dependencies": { "@babel/code-frame": "^7.29.0", "@babel/generator": "^7.29.0", @@ -1498,7 +1497,6 @@ "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz", "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==", "license": "MIT", - "peer": true, "dependencies": { "@octokit/auth-token": "^6.0.0", "@octokit/graphql": "^9.0.3", @@ -2367,7 +2365,6 @@ "integrity": "sha512-1y/MVSz0NglV1ijHC8OT49mPJ4qhPYjiK08YUQVbIOyu+5k862LKUHFkpKHWu//zmr7hDR2rhwUm6gnCGNmGBQ==", "dev": true, "license": "MIT", - "peer": true, "dependencies": { "@eslint-community/regexpp": "^4.12.2", "@typescript-eslint/scope-manager": "8.55.0", @@ -2407,7 +2404,6 @@ "integrity": "sha512-4z2nCSBfVIMnbuu8uinj+f0o4qOeggYJLbjpPHka3KH1om7e+H9yLKTYgksTaHcGco+NClhhY2vyO3HsMH1RGw==", "dev": true, "license": "MIT", - "peer": true, "dependencies": { "@typescript-eslint/scope-manager": "8.55.0", "@typescript-eslint/types": "8.55.0", @@ -2924,7 +2920,6 @@ "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==", "dev": true, "license": "MIT", - "peer": true, "bin": { "acorn": "bin/acorn" }, @@ -3372,7 +3367,6 @@ } ], "license": "MIT", - "peer": true, "dependencies": { "baseline-browser-mapping": "^2.9.0", "caniuse-lite": "^1.0.30001759", @@ -4401,7 +4395,6 @@ "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==", "dev": true, "license": "MIT", - "peer": true, "dependencies": { "@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/regexpp": "^4.12.1", @@ -6097,7 +6090,6 @@ "integrity": "sha512-F26gjC0yWN8uAA5m5Ss8ZQf5nDHWGlN/xWZIh8S5SRbsEKBovwZhxGd6LJlbZYxBgCYOtreSUyb8hpXyGC5O4A==", "dev": true, "license": "MIT", - "peer": true, "dependencies": { "@jest/core": "30.2.0", "@jest/types": "30.2.0", @@ -9496,7 +9488,6 @@ "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==", "dev": true, "license": "MIT", - "peer": true, "engines": { "node": ">=12" }, @@ -9808,7 +9799,6 @@ "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", "dev": true, "license": "Apache-2.0", - "peer": true, "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" diff --git a/src/attest.ts b/src/attest.ts index 62f5048..56c626b 100644 --- a/src/attest.ts +++ b/src/attest.ts @@ -126,6 +126,7 @@ function getRegistryURL(subjectName: string): string { url = new URL(`https://${subjectName}`) } + /* istanbul ignore if */ if (url.protocol !== 'https:') { throw new Error( `Unsupported protocol ${url.protocol} in subject name ${subjectName}` diff --git a/src/main.ts b/src/main.ts index 017db96..e803d61 100644 --- a/src/main.ts +++ b/src/main.ts @@ -129,6 +129,7 @@ export async function run(inputs: RunInputs): Promise { core.setOutput('attestation-url', attestationURL(att.attestationID)) } + /* istanbul ignore if */ if (att.storageRecordIds) { core.setOutput('storage-record-ids', att.storageRecordIds.join(',')) } @@ -182,6 +183,7 @@ const logAttestation = ( core.info(attestation.certificate) core.endGroup() + /* istanbul ignore if */ if (attestation.tlogID) { core.info( style.highlight( @@ -202,6 +204,7 @@ const logAttestation = ( core.info(`${subjects[0].name}@${attestation.attestationDigest}`) } + /* istanbul ignore next */ if (attestation.storageRecordIds && attestation.storageRecordIds.length > 0) { core.info(style.highlight('Storage record created')) core.info(`Storage record IDs: ${attestation.storageRecordIds.join(',')}`)