From c59f6cfabec87541b77cfb69b39aac32aa455b3d Mon Sep 17 00:00:00 2001
From: Felix Moessbauer
Date: Tue, 30 Apr 2024 16:18:35 +0200
Subject: [PATCH] add test for provenance attestation
The test performs some basic checks on the generated provenance data, e.g. that it describes the artifact and that env vars are captured / not captured - depending on the provenance mode.
Signed-off-by: Felix Moessbauer
Signed-off-by: Jan Kiszka
---
 tests/test_build.py | 27 +++++++++++++++++++++++++++
 tests/test_build/provenance.yml | 15 +++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 tests/test_build/provenance.yml
diff --git a/tests/test_build.py b/tests/test_build.py
index 6bcc6c88..1903103b 100644
--- a/tests/test_build.py
+++ b/tests/test_build.py
@@ -22,9 +22,13 @@
 import shutil
 import pytest
+import json
 from kas import kas
 from kas.kasusererror import ArtifactNotFoundError
+BITBAKE_OPTIONS_SHA256 = "e35d535e81cfdc4ed304af8000284c36" \
+ "19d2c4c78392ddcefe9ca46b158235f8"
+
 def test_artifact_node(monkeykas, tmpdir):
 tdir = str(tmpdir / 'test_build')
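Review bot: `BITBAKE_OPTIONS_SHA256` is a pinned digest with no explanation, so when the expected `bitbake.options` content legitimately changes, a reader cannot tell from the test whether to update the constant or to investigate an artifact that was altered or wrongly described. Add a comment above it such as `# sha256 of the bitbake.options artifact built from tests/test_build/provenance.yml; regenerate with sha256sum after an intended change`. As a style point, `import json` is a standard-library import and would sit better next to `import shutil` than after `import pytest`.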
@@ -35,3 +39,26 @@ def test_artifact_node(monkeykas, tmpdir):
 with pytest.raises(ArtifactNotFoundError):
 kas.kas(['build', 'artifact-invalid.yml'])
+
+
+def test_provenance(monkeykas, tmpdir):
+ tdir = str(tmpdir / 'test_build')
+ shutil.copytree('tests/test_build', tdir)
+ monkeykas.chdir(tdir)
+
+ kas.kas(['build', '--provenance', 'mode=min', 'provenance.yml'])
+ with open('build/attestation/kas-build.provenance.json', 'r') as f:
+ prov = json.load(f)
+ assert prov['subject'][0]['name'] == 'bitbake.options'
+ assert 'env' not in \
+ prov['predicate']['buildDefinition']['internalParameters']
+
+ with monkeykas.context() as mp:
+ mp.setenv('CAPTURE_THIS', 'OK Sir!')
+ kas.kas(['build', '--provenance', 'mode=max', 'provenance.yml'])
+ with open('build/attestation/kas-build.provenance.json', 'r') as f:
+ prov = json.load(f)
+ params = prov['predicate']['buildDefinition']['internalParameters']
+ assert params['env']['CAPTURE_THIS'] == 'OK Sir!'
+ assert prov['subject'][0]['name'] == 'bitbake.options'
+ assert prov['subject'][0]['digest']['sha256'] == BITBAKE_OPTIONS_SHA256
diff --git a/tests/test_build/provenance.yml b/tests/test_build/provenance.yml
new file mode 100644
index 00000000..8f5553f5
--- /dev/null
+++ b/tests/test_build/provenance.yml
@@ -0,0 +1,15 @@
+header:
+ version: 17
+
+env:
+ CAPTURE_THIS: null
+
+repos:
+ this:
+
+ kas:
+ url: https://github.com/siemens/kas.git
+ commit: 907816a5c4094b59a36aec12226e71c461c05b77
+
+artifacts:
+ disk-file: bitbake.options
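Review bot: The `mode=min` run in `test_provenance` executes before `CAPTURE_THIS` is set, so `assert 'env' not in ...['internalParameters']` does not show that a populated variable is withheld; it would presumably also pass if the implementation merely omits an empty `env` section, which is not visible here. Min mode is what keeps environment values, potentially secrets, out of the attestation, so the negative case should run with the variable present: move `mp.setenv('CAPTURE_THIS', 'OK Sir!')` ahead of the first `kas.kas([...])` call inside the same `monkeykas.context()` block and add `assert 'OK Sir!' not in json.dumps(prov)` after loading the min-mode file. The min-mode branch also checks only the subject name; asserting `prov['subject'][0]['digest']['sha256'] == BITBAKE_OPTIONS_SHA256` there too would cover the artifact binding in both modes. Indentation is lost in this rendering, so where the `with` blocks end is inferred rather than read from the hunk.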