add test for provenance attestation

The test performs some basic checks on the generated provenance data, e.g. that it describes the artifact and that env vars are captured / not captured - depending on the provenance mode. Signed-off-by: Felix Moessbauer <[email protected]> Signed-off-by: Jan Kiszka <[email protected]>
siemens · Apr 30, 2024 · c59f6cf · c59f6cf
1 parent 3e5b0c2
commit c59f6cf
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/tests/test_build.py b/tests/test_build.py
@@ -22,9 +22,13 @@
 
 import shutil
 import pytest
+import json
 from kas import kas
 from kas.kasusererror import ArtifactNotFoundError
 
+BITBAKE_OPTIONS_SHA256 = "e35d535e81cfdc4ed304af8000284c36" \
+                         "19d2c4c78392ddcefe9ca46b158235f8"
+
 
 def test_artifact_node(monkeykas, tmpdir):
     tdir = str(tmpdir / 'test_build')
@@ -35,3 +39,26 @@ def test_artifact_node(monkeykas, tmpdir):
 
     with pytest.raises(ArtifactNotFoundError):
         kas.kas(['build', 'artifact-invalid.yml'])
+
+
+def test_provenance(monkeykas, tmpdir):
+    tdir = str(tmpdir / 'test_build')
+    shutil.copytree('tests/test_build', tdir)
+    monkeykas.chdir(tdir)
+
+    kas.kas(['build', '--provenance', 'mode=min', 'provenance.yml'])
+    with open('build/attestation/kas-build.provenance.json', 'r') as f:
+        prov = json.load(f)
+        assert prov['subject'][0]['name'] == 'bitbake.options'
+        assert 'env' not in \
+            prov['predicate']['buildDefinition']['internalParameters']
+
+    with monkeykas.context() as mp:
+        mp.setenv('CAPTURE_THIS', 'OK Sir!')
+        kas.kas(['build', '--provenance', 'mode=max', 'provenance.yml'])
+    with open('build/attestation/kas-build.provenance.json', 'r') as f:
+        prov = json.load(f)
+        params = prov['predicate']['buildDefinition']['internalParameters']
+        assert params['env']['CAPTURE_THIS'] == 'OK Sir!'
+        assert prov['subject'][0]['name'] == 'bitbake.options'
+        assert prov['subject'][0]['digest']['sha256'] == BITBAKE_OPTIONS_SHA256
diff --git a/tests/test_build/provenance.yml b/tests/test_build/provenance.yml
@@ -0,0 +1,15 @@
+header:
+  version: 17
+
+env:
+  CAPTURE_THIS: null
+
+repos:
+  this:
+
+  kas:
+    url: https://github.com/siemens/kas.git
+    commit: 907816a5c4094b59a36aec12226e71c461c05b77
+
+artifacts:
+  disk-file: bitbake.options