author | Michał Górny <mgorny@gentoo.org> | 2022-09-17 18:00:10 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2022-09-17 18:16:04 +0200 |
commit | 1cdca1a14706c46f9161c8eca319dad7b15e7cd6 (patch) | |
tree | c106cb870bca211153186566d663dc27f4bd3618 /tests/test_recursiveloader.py | |
parent | 435ac57ea627a521e0232bcc78ac7cdbefd1d166 (diff) | |
download | gemato-1cdca1a14706c46f9161c8eca319dad7b15e7cd6.tar.gz |
Support --require-secure-hashes in verify
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Diffstat (limited to 'tests/test_recursiveloader.py')
-rw-r--r-- | tests/test_recursiveloader.py | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/tests/test_recursiveloader.py b/tests/test_recursiveloader.py
index 5cbd4d8..6e2395b 100644
--- a/tests/test_recursiveloader.py
+++ b/tests/test_recursiveloader.py
@@ -817,6 +817,20 @@ DATA test 0 X-UNKNOWN 0123456789abcdef
 }
+class SecureHashLayout(BaseLayout):
+ """Layout using at least one cryptographically secure hash"""
+
+ MANIFESTS = {
+ "Manifest": """
+DATA test 0 MD5 d41d8cd98f00b204e9800998ecf8427e\
+ SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+""",
+ }
+ FILES = {
+ "test": "",
+ }
+
+
 FLAT_LAYOUTS = [
 DuplicateEntryLayout,
 DuplicateEbuildEntryLayout,
@@ -2490,6 +2504,12 @@ INSECURE_HASH_TESTS = [
 ("", []),
 ]
+INSECURE_HASH_VERIFY_TESTS = [
+ # layout, insecure
+ (UnknownHashLayout, ["MD5"]),
+ (SecureHashLayout, None),
+]
+
 @pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
 def test_insecure_hashes(layout_factory, hashes_arg, insecure):
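Review bot: `SecureHashLayout` holds a single `DATA` entry, and `UnknownHashLayout`'s body is outside this diff, so nothing visible here would catch a check that accepts a Manifest because a secure hash appears somewhere in it rather than on every entry. This fixture pins the "MD5 next to SHA256 is acceptable" half of the policy; a companion layout in which `test` carries only MD5 while a sibling file carries SHA256 would pin the per-entry half, listed in `INSECURE_HASH_VERIFY_TESTS` with `["MD5"]`. The docstring could also say outright that the MD5 digest is included on purpose. The fixture below is a constructed sketch that reuses the empty-file digests from this hunk.

```python
class MixedStrengthEntriesLayout(BaseLayout):
    """One entry has only MD5, a sibling entry has SHA256"""

    MANIFESTS = {
        "Manifest": """
DATA test 0 MD5 d41d8cd98f00b204e9800998ecf8427e
DATA other 0 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
""",
    }
    FILES = {
        "test": "",
        "other": "",
    }
```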
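Review bot: The comment `# layout, insecure` does not say that `None` in the second column means "verification must succeed", which is how both `test_insecure_hashes_verify` and the CLI test read it. Since this table defines what `--require-secure-hashes` is expected to reject, I would spell the contract out, e.g. `# layout, hashes named in ManifestInsecureHashes (None = must verify cleanly)`. A short remark on why `UnknownHashLayout` is expected to report `["MD5"]` would help too; its Manifest is outside this diff, so the reason is not visible to someone reading the change.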
@@ -2504,6 +2524,36 @@ def test_insecure_hashes(layout_factory, hashes_arg, insecure):
 require_secure_hashes=True)
+@pytest.mark.parametrize("layout,insecure", INSECURE_HASH_VERIFY_TESTS)
+@pytest.mark.parametrize(
+ "func,path",
+ [(ManifestRecursiveLoader.verify_path, "test"),
+ (ManifestRecursiveLoader.assert_path_verifies, "test"),
+ (ManifestRecursiveLoader.assert_directory_verifies, ""),
+ ])
+def test_insecure_hashes_verify(layout_factory, layout, insecure, func, path):
+ tmp_path = layout_factory.create(layout)
+ m = ManifestRecursiveLoader(tmp_path / layout.TOP_MANIFEST,
+ allow_xdev=False,
+ require_secure_hashes=True)
+
+ ctx = (pytest.raises(ManifestInsecureHashes) if insecure is not None
+ else contextlib.nullcontext())
+ with ctx:
+ func(m, path)
+
+
+def test_insecure_hashes_load(layout_factory):
+ layout = BasicTestLayout
+ tmp_path = layout_factory.create(layout)
+ m = ManifestRecursiveLoader(tmp_path / layout.TOP_MANIFEST,
+ allow_xdev=False,
+ require_secure_hashes=True)
+
+ with pytest.raises(ManifestInsecureHashes):
+ m.load_manifests_for_path("sub")
+
+
 @pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
 @pytest.mark.parametrize(
 "func,arg",
@@ -2534,6 +2584,17 @@ def test_insecure_hashes_update_no_arg(layout_factory):
 m.update_entry_for_path("sub/deeper/test")
+@pytest.mark.parametrize("layout,insecure", INSECURE_HASH_VERIFY_TESTS)
+def test_insecure_hashes_verify_cli(layout_factory, caplog, layout,
+ insecure):
+ tmp_path = layout_factory.create(layout)
+ expected = 1 if insecure is not None else 0
+ assert gemato.cli.main(["gemato", "verify", "--require-secure-hashes",
+ str(tmp_path)]) == expected
+ if insecure is not None:
+ assert str(ManifestInsecureHashes(insecure)) in caplog.text
+
+
 @pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
 @pytest.mark.parametrize("command", ["create", "update"])
 def test_insecure_hashes_update_cli(layout_factory, caplog, |
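Review bot: `test_insecure_hashes_verify` uses `insecure` only as an is-not-None switch, so at the API level a `ManifestInsecureHashes` that names the wrong hash would still pass; only the CLI test in the next hunk looks at the content. Binding the context manager and comparing the message would close that gap, e.g. `with ctx as excinfo:` followed by `if insecure is not None: assert str(excinfo.value) == str(ManifestInsecureHashes(insecure))`, assuming the raised exception is built from the same list. `test_insecure_hashes_load` would also benefit from a one-line docstring saying which entry of `BasicTestLayout` is expected to trip the check on `load_manifests_for_path("sub")`, since that layout is not part of the diff.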