2024-04-10 17:57:01 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
|
|
require "diagnostic"
|
|
|
|
|
|
|
|
|
|
RSpec.describe Homebrew::Attestation do
|
|
|
|
|
let(:fake_gh) { Pathname.new("/extremely/fake/gh") }
|
2024-07-14 12:06:21 -04:00
|
|
|
let(:fake_old_gh) { Pathname.new("/extremely/fake/old/gh") }
|
2024-05-03 13:01:02 -04:00
|
|
|
let(:fake_gh_creds) { "fake-gh-api-token" }
|
|
|
|
|
let(:fake_error_status) { instance_double(Process::Status, exitstatus: 1, termsig: nil) }
|
2024-05-03 13:17:31 -04:00
|
|
|
let(:fake_auth_status) { instance_double(Process::Status, exitstatus: 4, termsig: nil) }
|
2024-04-10 17:57:01 -04:00
|
|
|
let(:cached_download) { "/fake/cached/download" }
|
2024-06-06 11:35:43 -04:00
|
|
|
let(:fake_bottle_filename) do
|
|
|
|
|
instance_double(Bottle::Filename, name: "fakebottle", version: "1.0",
|
|
|
|
|
to_s: "fakebottle--1.0.faketag.bottle.tar.gz")
|
|
|
|
|
end
|
2024-04-11 16:44:57 -04:00
|
|
|
let(:fake_bottle_url) { "https://example.com/#{fake_bottle_filename}" }
|
2024-06-06 11:23:03 -04:00
|
|
|
let(:fake_bottle_tag) { instance_double(Utils::Bottles::Tag, to_sym: :faketag) }
|
2024-06-06 11:35:43 -04:00
|
|
|
let(:fake_all_bottle_tag) { instance_double(Utils::Bottles::Tag, to_sym: :all) }
|
2024-04-11 16:44:57 -04:00
|
|
|
let(:fake_bottle) do
|
2024-06-06 11:30:11 -04:00
|
|
|
instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url,
|
|
|
|
|
tag: fake_bottle_tag)
|
2024-04-11 16:44:57 -04:00
|
|
|
end
|
2024-06-06 11:35:43 -04:00
|
|
|
let(:fake_all_bottle) do
|
|
|
|
|
instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url,
|
|
|
|
|
tag: fake_all_bottle_tag)
|
|
|
|
|
end
|
2024-05-14 14:32:23 -04:00
|
|
|
let(:fake_result_invalid_json) { instance_double(SystemCommand::Result, stdout: "\"invalid JSON") }
|
|
|
|
|
let(:fake_result_json_resp) do
|
|
|
|
|
instance_double(SystemCommand::Result,
|
|
|
|
|
stdout: JSON.dump([
|
|
|
|
|
{ verificationResult: {
|
|
|
|
|
verifiedTimestamps: [{ timestamp: "2024-03-13T00:00:00Z" }],
|
|
|
|
|
statement: { subject: [{ name: fake_bottle_filename.to_s }] },
|
|
|
|
|
} },
|
|
|
|
|
]))
|
2024-04-11 13:39:13 -04:00
|
|
|
end
|
2024-05-14 14:32:23 -04:00
|
|
|
let(:fake_result_json_resp_backfill) do
|
|
|
|
|
digest = Digest::SHA256.hexdigest(fake_bottle_url)
|
|
|
|
|
instance_double(SystemCommand::Result,
|
|
|
|
|
stdout: JSON.dump([
|
|
|
|
|
{ verificationResult: {
|
|
|
|
|
verifiedTimestamps: [{ timestamp: "2024-03-13T00:00:00Z" }],
|
|
|
|
|
statement: {
|
|
|
|
|
subject: [{ name: "#{digest}--#{fake_bottle_filename}" }],
|
|
|
|
|
},
|
|
|
|
|
} },
|
|
|
|
|
]))
|
2024-04-11 16:44:57 -04:00
|
|
|
end
|
2024-05-14 14:32:23 -04:00
|
|
|
let(:fake_result_json_resp_too_new) do
|
|
|
|
|
instance_double(SystemCommand::Result,
|
|
|
|
|
stdout: JSON.dump([
|
|
|
|
|
{ verificationResult: {
|
|
|
|
|
verifiedTimestamps: [{ timestamp: "2024-03-15T00:00:00Z" }],
|
|
|
|
|
statement: { subject: [{ name: fake_bottle_filename.to_s }] },
|
|
|
|
|
} },
|
|
|
|
|
]))
|
2024-04-11 13:39:13 -04:00
|
|
|
end
|
|
|
|
|
let(:fake_json_resp_wrong_sub) do
|
2024-05-14 14:32:23 -04:00
|
|
|
instance_double(SystemCommand::Result,
|
|
|
|
|
stdout: JSON.dump([
|
|
|
|
|
{ verificationResult: {
|
|
|
|
|
verifiedTimestamps: [{ timestamp: "2024-03-13T00:00:00Z" }],
|
|
|
|
|
statement: { subject: [{ name: "wrong-subject.tar.gz" }] },
|
|
|
|
|
} },
|
|
|
|
|
]))
|
2024-04-11 13:39:13 -04:00
|
|
|
end
|
2024-04-10 17:57:01 -04:00
|
|
|
|
|
|
|
|
describe "::gh_executable" do
|
2024-07-29 12:59:29 -04:00
|
|
|
it "calls ensure_executable" do
|
2024-07-15 12:23:10 -04:00
|
|
|
expect(described_class).to receive(:ensure_executable!)
|
2024-07-29 12:59:29 -04:00
|
|
|
.with("gh", reason: "verifying attestations", latest: true)
|
|
|
|
|
.and_return(fake_gh)
|
2024-07-14 12:06:21 -04:00
|
|
|
|
2024-07-15 12:23:10 -04:00
|
|
|
described_class.gh_executable
|
2024-07-14 12:06:21 -04:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2024-07-18 21:35:18 -07:00
|
|
|
# NOTE: `Homebrew::CLI::NamedArgs` will often return frozen arrays of formulae
|
|
|
|
|
# so that's why we test with frozen arrays here.
|
|
|
|
|
describe "::sort_formulae_for_install", :integration_test do
|
|
|
|
|
let(:gh) { Formula["gh"] }
|
|
|
|
|
let(:other) { Formula["other"] }
|
|
|
|
|
|
|
|
|
|
before do
|
|
|
|
|
setup_test_formula("gh")
|
|
|
|
|
setup_test_formula("other")
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context "when `gh` is in the formula list" do
|
|
|
|
|
it "moves `gh` formulae to the front of the list" do
|
|
|
|
|
expect(described_class).not_to receive(:gh_executable)
|
|
|
|
|
|
|
|
|
|
[
|
|
|
|
|
[[gh], [gh]],
|
|
|
|
|
[[gh, other], [gh, other]],
|
|
|
|
|
[[other, gh], [gh, other]],
|
|
|
|
|
].each do |input, output|
|
|
|
|
|
expect(described_class.sort_formulae_for_install(input.freeze)).to eq(output)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context "when the formula list is empty" do
|
|
|
|
|
it "checks for the `gh` executable" do
|
|
|
|
|
expect(described_class).to receive(:gh_executable).once
|
|
|
|
|
expect(described_class.sort_formulae_for_install([].freeze)).to eq([])
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context "when `gh` is not in the formula list" do
|
|
|
|
|
it "checks for the `gh` executable" do
|
|
|
|
|
expect(described_class).to receive(:gh_executable).once
|
|
|
|
|
expect(described_class.sort_formulae_for_install([other].freeze)).to eq([other])
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
describe "::check_attestation" do
|
|
|
|
|
before do
|
|
|
|
|
allow(described_class).to receive(:gh_executable)
|
|
|
|
|
.and_return(fake_gh)
|
|
|
|
|
end
|
|
|
|
|
|
2024-05-03 13:01:02 -04:00
|
|
|
it "raises without any gh credentials" do
|
|
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(nil)
|
|
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_attestation fake_bottle,
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO
|
|
|
|
|
end.to raise_error(described_class::GhAuthNeeded)
|
|
|
|
|
end
|
|
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
it "raises when gh subprocess fails" do
|
2024-05-03 13:01:02 -04:00
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
|
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
2024-07-18 16:11:25 +01:00
|
|
|
env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
|
2024-07-17 17:26:59 +01:00
|
|
|
print_stderr: false, chdir: HOMEBREW_TEMP)
|
2024-05-03 13:01:02 -04:00
|
|
|
.and_raise(ErrorDuringExecution.new(["foo"], status: fake_error_status))
|
2024-04-11 13:39:13 -04:00
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_attestation fake_bottle,
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO
|
|
|
|
|
end.to raise_error(described_class::InvalidAttestationError)
|
|
|
|
|
end
|
|
|
|
|
|
2024-05-03 13:17:31 -04:00
|
|
|
it "raises auth error when gh subprocess fails with auth exit code" do
|
|
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
|
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
2024-07-18 16:11:25 +01:00
|
|
|
env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
|
2024-07-17 17:26:59 +01:00
|
|
|
print_stderr: false, chdir: HOMEBREW_TEMP)
|
2024-05-03 13:17:31 -04:00
|
|
|
.and_raise(ErrorDuringExecution.new(["foo"], status: fake_auth_status))
|
|
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_attestation fake_bottle,
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO
|
2024-07-18 16:11:25 +01:00
|
|
|
end.to raise_error(described_class::GhAuthInvalid)
|
2024-05-03 13:17:31 -04:00
|
|
|
end
|
|
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
it "raises when gh returns invalid JSON" do
|
2024-05-03 13:01:02 -04:00
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
|
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
2024-07-18 16:11:25 +01:00
|
|
|
env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
|
2024-07-17 17:26:59 +01:00
|
|
|
print_stderr: false, chdir: HOMEBREW_TEMP)
|
2024-05-14 14:32:23 -04:00
|
|
|
.and_return(fake_result_invalid_json)
|
2024-04-11 13:39:13 -04:00
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_attestation fake_bottle,
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO
|
|
|
|
|
end.to raise_error(described_class::InvalidAttestationError)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it "raises when gh returns other subjects" do
|
2024-05-03 13:01:02 -04:00
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
|
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
2024-07-18 16:11:25 +01:00
|
|
|
env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
|
2024-07-17 17:26:59 +01:00
|
|
|
print_stderr: false, chdir: HOMEBREW_TEMP)
|
2024-04-11 13:39:13 -04:00
|
|
|
.and_return(fake_json_resp_wrong_sub)
|
|
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_attestation fake_bottle,
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO
|
|
|
|
|
end.to raise_error(described_class::InvalidAttestationError)
|
2024-04-10 17:57:01 -04:00
|
|
|
end
|
2024-06-06 11:35:43 -04:00
|
|
|
|
|
|
|
|
it "checks subject prefix when the bottle is an :all bottle" do
|
|
|
|
|
expect(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
|
|
|
|
|
|
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
2024-07-18 16:11:25 +01:00
|
|
|
env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
|
2024-07-17 17:26:59 +01:00
|
|
|
print_stderr: false, chdir: HOMEBREW_TEMP)
|
2024-06-06 11:35:43 -04:00
|
|
|
.and_return(fake_result_json_resp)
|
|
|
|
|
|
|
|
|
|
described_class.check_attestation fake_all_bottle, described_class::HOMEBREW_CORE_REPO
|
|
|
|
|
end
|
2024-04-10 17:57:01 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
describe "::check_core_attestation" do
|
|
|
|
|
before do
|
2024-04-11 13:39:13 -04:00
|
|
|
allow(described_class).to receive(:gh_executable)
|
2024-04-10 17:57:01 -04:00
|
|
|
.and_return(fake_gh)
|
2024-05-03 13:01:02 -04:00
|
|
|
|
|
|
|
|
allow(GitHub::API).to receive(:credentials)
|
|
|
|
|
.and_return(fake_gh_creds)
|
2024-04-11 13:39:13 -04:00
|
|
|
end
|
2024-04-10 17:57:01 -04:00
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
it "calls gh with args for homebrew-core" do
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
2024-05-18 10:04:53 -04:00
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
2024-07-18 16:11:25 +01:00
|
|
|
env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
|
2024-07-17 17:26:59 +01:00
|
|
|
print_stderr: false, chdir: HOMEBREW_TEMP)
|
2024-05-14 14:32:23 -04:00
|
|
|
.and_return(fake_result_json_resp)
|
2024-04-11 13:39:13 -04:00
|
|
|
|
|
|
|
|
described_class.check_core_attestation fake_bottle
|
2024-04-10 17:57:01 -04:00
|
|
|
end
|
|
|
|
|
|
2024-07-23 16:59:52 +01:00
|
|
|
it "calls gh with args for backfill when homebrew-core attestation is missing" do
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
2024-05-18 10:04:53 -04:00
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
2024-07-18 16:11:25 +01:00
|
|
|
env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
|
2024-07-17 17:26:59 +01:00
|
|
|
print_stderr: false, chdir: HOMEBREW_TEMP)
|
2024-04-11 13:39:13 -04:00
|
|
|
.once
|
2024-07-23 16:59:52 +01:00
|
|
|
.and_raise(described_class::MissingAttestationError)
|
2024-04-11 13:39:13 -04:00
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::BACKFILL_REPO, "--format", "json"],
|
2024-07-18 16:11:25 +01:00
|
|
|
env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
|
2024-07-17 17:26:59 +01:00
|
|
|
print_stderr: false, chdir: HOMEBREW_TEMP)
|
2024-05-14 14:32:23 -04:00
|
|
|
.and_return(fake_result_json_resp_backfill)
|
2024-04-10 17:57:01 -04:00
|
|
|
|
2024-04-11 13:39:13 -04:00
|
|
|
described_class.check_core_attestation fake_bottle
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it "raises when the backfilled attestation is too new" do
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
2024-05-18 10:04:53 -04:00
|
|
|
described_class::HOMEBREW_CORE_REPO, "--format", "json"],
|
2024-07-18 16:11:25 +01:00
|
|
|
env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
|
2024-07-17 17:26:59 +01:00
|
|
|
print_stderr: false, chdir: HOMEBREW_TEMP)
|
2024-04-11 13:39:13 -04:00
|
|
|
.once
|
2024-07-23 16:59:52 +01:00
|
|
|
.and_raise(described_class::MissingAttestationError)
|
2024-04-11 13:39:13 -04:00
|
|
|
|
2024-05-14 14:32:23 -04:00
|
|
|
expect(described_class).to receive(:system_command!)
|
|
|
|
|
.with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
|
|
|
|
|
described_class::BACKFILL_REPO, "--format", "json"],
|
2024-07-18 16:11:25 +01:00
|
|
|
env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
|
2024-07-17 17:26:59 +01:00
|
|
|
print_stderr: false, chdir: HOMEBREW_TEMP)
|
2024-05-14 14:32:23 -04:00
|
|
|
.and_return(fake_result_json_resp_too_new)
|
2024-04-11 13:39:13 -04:00
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
described_class.check_core_attestation fake_bottle
|
|
|
|
|
end.to raise_error(described_class::InvalidAttestationError)
|
2024-04-10 17:57:01 -04:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
