feat: update unit test

Signed-off-by: Juncheng Zhu <[email protected]>
ratify-project · Feb 14, 2025 · 05d3557 · 05d3557
1 parent 414a753
commit 05d3557
Show file tree

Hide file tree

Showing 5 changed files with 365 additions and 11 deletions.
diff --git a/cosign/certoptions.go b/cosign/certoptions.go
@@ -0,0 +1,40 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cosign
+
+import (
+	"crypto/x509"
+
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
+)
+
+type CertOptions interface {
+	// GetRoots retrieves the root certificate for the given subject.
+	GetRoots() (*x509.CertPool, error)
+
+	// GetIntermediate retrieves the intermediate certificate for the given subject.
+	GetIntermediates() (*x509.CertPool, error)
+}
+
+type DefaultCertOptions struct{}
+
+func (d *DefaultCertOptions) GetRoots() (*x509.CertPool, error) {
+	return fulcio.GetRoots()
+}
+
+func (d *DefaultCertOptions) GetIntermediates() (*x509.CertPool, error) {
+	return fulcio.GetIntermediates()
+}
diff --git a/cosign/certoptions_test.go b/cosign/certoptions_test.go
@@ -0,0 +1,38 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cosign
+
+import (
+	"testing"
+)
+
+func TestDefaultCertOptions_GetRoots(t *testing.T) {
+	d := &DefaultCertOptions{}
+
+	_, err := d.GetRoots()
+	if err != nil {
+		t.Fatalf("expected no error from GetRoots, got %v", err)
+	}
+}
+
+func TestDefaultCertOptions_GetIntermediates(t *testing.T) {
+	d := &DefaultCertOptions{}
+
+	_, err := d.GetIntermediates()
+	if err != nil {
+		t.Fatalf("expected no error from GetIntermediates, got %v", err)
+	}
+}
diff --git a/cosign/go.mod b/cosign/go.mod
@@ -3,6 +3,7 @@ module github.com/ratify-project/ratify-verifier-go/cosign
 go 1.22.0
 
 require (
+	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/ratify-project/ratify-go v0.0.0-20250121002110-2815af359901
 	github.com/sigstore/cosign/v2 v2.2.4
@@ -123,7 +124,6 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect

diff --git a/cosign/verifier.go b/cosign/verifier.go
@@ -22,7 +22,6 @@ import (
 
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/ratify-project/ratify-go"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/cosign/v2/pkg/oci/static"
 	"github.com/sigstore/sigstore/pkg/signature"
@@ -91,8 +90,8 @@ func (v *Verifier) Verify(ctx context.Context, opts *ratify.VerifyOptions) (*rat
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse subject reference: %w", err)
 	}
-
-	err = updateRepoSigVerifierKeys(opts.Subject, v.CheckOpts, v.keysMap)
+	// Use the Fulcio root certificate for keyless verification
+	err = updateCheckOpts(opts.Subject, v.CheckOpts, v.keysMap, &DefaultCertOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to update signature verifier keys: %w", err)
 	}
@@ -144,22 +143,25 @@ func getSignatureBlobDesc(ctx context.Context, store ratify.Store, artifactRef r
 	return signatureLayers, nil
 }
 
-// updateRepoSigVerifierKeys updates the signature verifier keys for the given repository.
-func updateRepoSigVerifierKeys(repo string, opts *cosign.CheckOpts, keysMap map[string]crypto.PublicKey) error {
+// updateCheckOpts updates the signature verifierOpts by verifyOpts.
+func updateCheckOpts(repo string, opts *cosign.CheckOpts, keysMap map[string]crypto.PublicKey, certOpt CertOptions) error {
+	if opts.RekorClient == nil {
+		opts.IgnoreTlog = true
+	}
+
 	hashType := crypto.SHA256
 	key, exists := keysMap[repo]
 	if !exists {
-		// Use the Fulcio root certificate for keyless verification
 		// TODO: support passing certChain and no CARoots
 		opts.SigVerifier = nil
-		roots, err := fulcio.GetRoots()
+		roots, err := certOpt.GetRoots()
 		if err != nil || roots == nil {
 			return err
 		}
 		opts.RootCerts = roots
 		opts.IgnoreSCT = true
 
-		opts.IntermediateCerts, err = fulcio.GetIntermediates()
+		opts.IntermediateCerts, err = certOpt.GetIntermediates()
 		if err != nil {
 			return err
 		}