toolkit/packages/attest/__tests__/sign.test.ts

import {mockFulcio, mockRekor, mockTSA} from '@sigstore/mock'
import nock from 'nock'
import {Payload, signPayload} from '../src/sign'

describe('signProvenance', () => {
  const originalEnv = process.env

  // Fake an OIDC token
  const subject = 'foo@bar.com'
  const oidcPayload = {sub: subject, iss: ''}
  const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString(
    'base64'
  )}.}`

  // Dummy provenance to be signed
  const provenance = {
    _type: 'https://in-toto.io/Statement/v1',
    subject: {
      name: 'subjective',
      digest: {
        sha256:
          '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
      }
    }
  }

  const payload: Payload = {
    body: Buffer.from(JSON.stringify(provenance)),
    type: 'application/vnd.in-toto+json'
  }

  const fulcioURL = 'https://fulcio.url'
  const rekorURL = 'https://rekor.url'
  const tsaServerURL = 'https://tsa.url'

  beforeEach(() => {
    // Mock OIDC token endpoint
    const tokenURL = 'https://token.url'

    process.env = {
      ...originalEnv,
      ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,
      ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token'
    }

    nock(tokenURL)
      .get('/')
      .query({audience: 'sigstore'})
      .reply(200, {value: oidcToken})
  })

  afterEach(() => {
    process.env = originalEnv
  })

  describe('when visibility is public', () => {
    beforeEach(async () => {
      await mockFulcio({baseURL: fulcioURL, strict: false})
      await mockRekor({baseURL: rekorURL})
    })

    it('returns a bundle', async () => {
      const att = await signPayload(payload, {fulcioURL, rekorURL})

      expect(att).toBeDefined()
      expect(att.mediaType).toEqual(
        'application/vnd.dev.sigstore.bundle+json;version=0.2'
      )

      expect(att.content.$case).toEqual('dsseEnvelope')
      expect(att.verificationMaterial.content.$case).toEqual(
        'x509CertificateChain'
      )
      expect(att.verificationMaterial.tlogEntries).toHaveLength(1)
      expect(
        att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
      ).toHaveLength(0)
    })
  })

  describe('when visibility is private', () => {
    beforeEach(async () => {
      await mockFulcio({baseURL: fulcioURL, strict: false})
      await mockTSA({baseURL: tsaServerURL})
    })

    it('returns a bundle', async () => {
      const att = await signPayload(payload, {fulcioURL, tsaServerURL})

      expect(att).toBeDefined()
      expect(att.mediaType).toEqual(
        'application/vnd.dev.sigstore.bundle+json;version=0.2'
      )

      expect(att.content.$case).toEqual('dsseEnvelope')
      expect(att.verificationMaterial.content.$case).toEqual(
        'x509CertificateChain'
      )
      expect(att.verificationMaterial.tlogEntries).toHaveLength(0)
      expect(
        att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
      ).toHaveLength(1)
    })
  })
})
add new @actions/attest package Signed-off-by: Brian DeHamer <bdehamer@github.com> 2024-02-18 03:14:10 +00:00			`import {mockFulcio, mockRekor, mockTSA} from '@sigstore/mock'`
			`import nock from 'nock'`
			`import {Payload, signPayload} from '../src/sign'`

			`describe('signProvenance', () => {`
			`const originalEnv = process.env`

			`// Fake an OIDC token`
			`const subject = 'foo@bar.com'`
			`const oidcPayload = {sub: subject, iss: ''}`
			const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString(
			`'base64'`
			)}.}`

			`// Dummy provenance to be signed`
			`const provenance = {`
			`_type: 'https://in-toto.io/Statement/v1',`
			`subject: {`
			`name: 'subjective',`
			`digest: {`
			`sha256:`
			`'7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'`
			`}`
			`}`
			`}`

			`const payload: Payload = {`
			`body: Buffer.from(JSON.stringify(provenance)),`
			`type: 'application/vnd.in-toto+json'`
			`}`

			`const fulcioURL = 'https://fulcio.url'`
			`const rekorURL = 'https://rekor.url'`
			`const tsaServerURL = 'https://tsa.url'`

			`beforeEach(() => {`
			`// Mock OIDC token endpoint`
			`const tokenURL = 'https://token.url'`

			`process.env = {`
			`...originalEnv,`
			`ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,`
			`ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token'`
			`}`

			`nock(tokenURL)`
			`.get('/')`
			`.query({audience: 'sigstore'})`
			`.reply(200, {value: oidcToken})`
			`})`

			`afterEach(() => {`
			`process.env = originalEnv`
			`})`

			`describe('when visibility is public', () => {`
			`beforeEach(async () => {`
			`await mockFulcio({baseURL: fulcioURL, strict: false})`
			`await mockRekor({baseURL: rekorURL})`
			`})`

			`it('returns a bundle', async () => {`
			`const att = await signPayload(payload, {fulcioURL, rekorURL})`

			`expect(att).toBeDefined()`
			`expect(att.mediaType).toEqual(`
			`'application/vnd.dev.sigstore.bundle+json;version=0.2'`
			`)`

			`expect(att.content.$case).toEqual('dsseEnvelope')`
			`expect(att.verificationMaterial.content.$case).toEqual(`
			`'x509CertificateChain'`
			`)`
			`expect(att.verificationMaterial.tlogEntries).toHaveLength(1)`
			`expect(`
			`att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps`
			`).toHaveLength(0)`
			`})`
			`})`

			`describe('when visibility is private', () => {`
			`beforeEach(async () => {`
			`await mockFulcio({baseURL: fulcioURL, strict: false})`
			`await mockTSA({baseURL: tsaServerURL})`
			`})`

			`it('returns a bundle', async () => {`
			`const att = await signPayload(payload, {fulcioURL, tsaServerURL})`

			`expect(att).toBeDefined()`
			`expect(att.mediaType).toEqual(`
			`'application/vnd.dev.sigstore.bundle+json;version=0.2'`
			`)`

			`expect(att.content.$case).toEqual('dsseEnvelope')`
			`expect(att.verificationMaterial.content.$case).toEqual(`
			`'x509CertificateChain'`
			`)`
			`expect(att.verificationMaterial.tlogEntries).toHaveLength(0)`
			`expect(`
			`att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps`
			`).toHaveLength(1)`
			`})`
			`})`
			`})`