Skip to content

Commit 00a1207

Browse files
committed
refactor: apply simplify review on signature fix
- Guard BundleFromDSSEEnvelope against empty DSSE Signatures slice. - Trim narrative comment on BundleBytesFromEnvelope testhelper. - Deduplicate attestations_test.go with a shared test envelope helper; add explicit no-signatures and no-op cases. Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
1 parent 7949339 commit 00a1207

3 files changed

Lines changed: 32 additions & 42 deletions

File tree

app/controlplane/pkg/biz/testhelpers/attestation.go

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -26,9 +26,8 @@ import (
2626
"google.golang.org/protobuf/encoding/protojson"
2727
)
2828

29-
// BundleBytesFromEnvelope reads a DSSE envelope fixture from disk, wraps it into a
30-
// Sigstore bundle, and returns its protojson-encoded bytes. Useful to feed envelope
31-
// test fixtures into APIs that now only accept Sigstore bundles.
29+
// BundleBytesFromEnvelope reads a DSSE envelope fixture from disk and returns the
30+
// protojson-encoded bytes of an equivalent Sigstore bundle.
3231
func BundleBytesFromEnvelope(t *testing.T, path string) []byte {
3332
t.Helper()
3433
raw, err := os.ReadFile(path)

pkg/attestation/attestations.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -70,6 +70,9 @@ func DSSEEnvelopeFromBundle(bundle *protobundle.Bundle) *dsse.Envelope {
7070
}
7171

7272
func BundleFromDSSEEnvelope(dsseEnvelope *dsse.Envelope) (*protobundle.Bundle, error) {
73+
if len(dsseEnvelope.Signatures) == 0 {
74+
return nil, fmt.Errorf("DSSE envelope has no signatures")
75+
}
7376
// DSSE Envelope payload and signature are base64 encoded, we need to decode them so they
7477
// are not encoded twice when stored as raw bytes in the Sigstore bundle. See #1832.
7578
payload, err := base64.StdEncoding.DecodeString(dsseEnvelope.Payload)

pkg/attestation/attestations_test.go

Lines changed: 27 additions & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -25,70 +25,58 @@ import (
2525
"github.com/stretchr/testify/require"
2626
)
2727

28-
// Guards against the double-base64 bug in https://github.com/chainloop-dev/chainloop/issues/1832.
29-
func TestBundleFromDSSEEnvelopeDecodesSignature(t *testing.T) {
30-
rawSig := []byte{0x30, 0x44, 0x02, 0x20, 0xAA, 0xBB, 0xCC, 0xDD}
31-
rawPayload := []byte(`{"_type":"statement"}`)
28+
var (
29+
testRawSig = []byte{0x30, 0x44, 0x02, 0x20, 0xAA, 0xBB, 0xCC, 0xDD}
30+
testRawPayload = []byte(`{"_type":"statement"}`)
31+
)
3232

33-
env := &dsse.Envelope{
33+
func newTestEnvelope(t *testing.T) *dsse.Envelope {
34+
t.Helper()
35+
return &dsse.Envelope{
3436
PayloadType: "application/vnd.in-toto+json",
35-
Payload: base64.StdEncoding.EncodeToString(rawPayload),
37+
Payload: base64.StdEncoding.EncodeToString(testRawPayload),
3638
Signatures: []dsse.Signature{
37-
{KeyID: "key-1", Sig: base64.StdEncoding.EncodeToString(rawSig)},
39+
{KeyID: "key-1", Sig: base64.StdEncoding.EncodeToString(testRawSig)},
3840
},
3941
}
42+
}
4043

41-
bundle, err := attestation.BundleFromDSSEEnvelope(env)
44+
// Guards against the double-base64 bug in https://github.com/chainloop-dev/chainloop/issues/1832.
45+
func TestBundleFromDSSEEnvelopeDecodesSignature(t *testing.T) {
46+
bundle, err := attestation.BundleFromDSSEEnvelope(newTestEnvelope(t))
4247
require.NoError(t, err)
4348

4449
gotEnv := bundle.GetDsseEnvelope()
45-
assert.Equal(t, rawPayload, gotEnv.GetPayload())
50+
assert.Equal(t, testRawPayload, gotEnv.GetPayload())
4651
require.Len(t, gotEnv.GetSignatures(), 1)
47-
assert.Equal(t, rawSig, gotEnv.GetSignatures()[0].GetSig())
52+
assert.Equal(t, testRawSig, gotEnv.GetSignatures()[0].GetSig())
4853
assert.Equal(t, "key-1", gotEnv.GetSignatures()[0].GetKeyid())
4954
}
5055

51-
func TestBundleRoundTripWithFixedSignature(t *testing.T) {
52-
rawSig := []byte{0x30, 0x44, 0x02, 0x20, 0xAA, 0xBB, 0xCC, 0xDD}
53-
encodedSig := base64.StdEncoding.EncodeToString(rawSig)
54-
55-
env := &dsse.Envelope{
56-
PayloadType: "application/vnd.in-toto+json",
57-
Payload: base64.StdEncoding.EncodeToString([]byte("payload")),
58-
Signatures: []dsse.Signature{
59-
{KeyID: "key-1", Sig: encodedSig},
60-
},
61-
}
56+
func TestBundleFromDSSEEnvelopeNoSignatures(t *testing.T) {
57+
env := newTestEnvelope(t)
58+
env.Signatures = nil
59+
_, err := attestation.BundleFromDSSEEnvelope(env)
60+
require.Error(t, err)
61+
}
6262

63-
bundle, err := attestation.BundleFromDSSEEnvelope(env)
63+
func TestFixSignatureInBundleIsNoOpOnFixedBundles(t *testing.T) {
64+
bundle, err := attestation.BundleFromDSSEEnvelope(newTestEnvelope(t))
6465
require.NoError(t, err)
6566

6667
before := bundle.GetDsseEnvelope().GetSignatures()[0].GetSig()
6768
attestation.FixSignatureInBundle(bundle)
68-
assert.Equal(t, before, bundle.GetDsseEnvelope().GetSignatures()[0].GetSig(),
69-
"FixSignatureInBundle should be a no-op on properly formed bundles")
70-
71-
gotEnv := attestation.DSSEEnvelopeFromBundle(bundle)
72-
assert.Equal(t, encodedSig, gotEnv.Signatures[0].Sig)
69+
assert.Equal(t, before, bundle.GetDsseEnvelope().GetSignatures()[0].GetSig())
7370
}
7471

7572
func TestFixSignatureInBundleRepairsLegacyBundles(t *testing.T) {
76-
rawSig := []byte{0x30, 0x44, 0x02, 0x20, 0xAA, 0xBB, 0xCC, 0xDD}
77-
encodedSig := base64.StdEncoding.EncodeToString(rawSig)
78-
79-
env := &dsse.Envelope{
80-
PayloadType: "application/vnd.in-toto+json",
81-
Payload: base64.StdEncoding.EncodeToString([]byte("payload")),
82-
Signatures: []dsse.Signature{
83-
{KeyID: "key-1", Sig: encodedSig},
84-
},
85-
}
86-
bundle, err := attestation.BundleFromDSSEEnvelope(env)
73+
bundle, err := attestation.BundleFromDSSEEnvelope(newTestEnvelope(t))
8774
require.NoError(t, err)
8875

8976
// Simulate the legacy bug: signature is stored as the ASCII bytes of the base64 string.
77+
encodedSig := base64.StdEncoding.EncodeToString(testRawSig)
9078
bundle.GetDsseEnvelope().GetSignatures()[0].Sig = []byte(encodedSig)
9179

9280
attestation.FixSignatureInBundle(bundle)
93-
assert.Equal(t, rawSig, bundle.GetDsseEnvelope().GetSignatures()[0].GetSig())
81+
assert.Equal(t, testRawSig, bundle.GetDsseEnvelope().GetSignatures()[0].GetSig())
9482
}

0 commit comments

Comments
 (0)