author | Michał Górny <mgorny@gentoo.org> | 2022-09-17 08:53:09 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2022-09-17 08:53:09 +0200 |
commit | 64d398834925001923dec85821b56ee284b80b16 (patch) | |
tree | 06ce8fc104c2f41bc8dbcc781a145b1741d91f57 /tests | |
parent | 4fe74c5b55f5b29ab832b61f8c0eef290c40d1e3 (diff) | |
download | gemato-64d398834925001923dec85821b56ee284b80b16.tar.gz |
Support controlling secure hashes req in CLI update
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/test_openpgp.py | 72 | ||||
-rw-r--r-- | tests/test_recursiveloader.py | 39 |
2 files changed, 78 insertions, 33 deletions
diff --git a/tests/test_openpgp.py b/tests/test_openpgp.py
index 6895a13..d11e0c1 100644
--- a/tests/test_openpgp.py
+++ b/tests/test_openpgp.py
@@ -46,6 +46,7 @@ from tests.keydata import (
     OTHER_PUBLIC_KEY, OTHER_PUBLIC_KEY_UID, OTHER_PUBLIC_KEY_SIG,
     UNEXPIRE_SIG,
 )
+from tests.test_recursiveloader import INSECURE_HASH_TESTS
 from tests.testutil import HKPServer
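Review bot: The added import pulls a parameter table out of a sibling test module, so test_openpgp now depends on tests/test_recursiveloader.py being importable (and pytest collecting it) just to get a constant. The shared-fixture module the next line already imports, `tests.testutil`, is the usual home for data both test files use; `from tests.testutil import INSECURE_HASH_TESTS` alongside `HKPServer` would keep the two test modules independent. This is a structural preference only; the import works as written.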
@@ -554,30 +555,37 @@ def test_recursive_manifest_loader(tmp_path, openpgp_env, filename,
         pytest.skip(str(e))
+@pytest.fixture
+def base_tree(tmp_path):
+    os.mkdir(tmp_path / 'eclass')
+    with open(tmp_path / 'eclass' / 'Manifest', 'w'):
+        pass
+    with open(tmp_path / 'myebuild-0.ebuild', 'wb') as f:
+        pass
+    with open(tmp_path / 'metadata.xml', 'wb'):
+        pass
+    return tmp_path
+
+
 @pytest.mark.parametrize('manifest_var,key_var,expected',
                          [(m, k, e) for m, k, e in MANIFEST_VARIANTS
                           if k is not None])
-def test_cli(tmp_path, caplog, manifest_var, key_var, expected):
+def test_cli(base_tree, caplog, manifest_var, key_var, expected):
     """Test Manifest verification via CLI"""
-    with open(tmp_path / '.key.bin', 'wb') as f:
+    with open(base_tree / '.key.bin', 'wb') as f:
         f.write(globals()[key_var])
-    with open(tmp_path / 'Manifest', 'w') as f:
+    with open(base_tree / 'Manifest', 'w') as f:
         f.write(globals()[manifest_var])
-    os.mkdir(tmp_path / 'eclass')
-    with open(tmp_path / 'eclass' / 'Manifest', 'w'):
-        pass
-    with open(tmp_path / 'myebuild-0.ebuild', 'wb') as f:
-        if manifest_var == 'MODIFIED_SIGNED_MANIFEST':
+    if manifest_var == 'MODIFIED_SIGNED_MANIFEST':
+        with open(base_tree / 'myebuild-0.ebuild', 'wb') as f:
             f.write(b'12345678901234567890123456789012')
-    with open(tmp_path / 'metadata.xml', 'wb'):
-        pass
     retval = gemato.cli.main(['gemato', 'verify',
                               '--openpgp-key',
-                              str(tmp_path / '.key.bin'),
+                              str(base_tree / '.key.bin'),
                               '--no-refresh-keys',
                               '--require-signed-manifest',
-                              str(tmp_path)])
+                              str(base_tree)])
     if str(OpenPGPNoImplementation('install gpg')) in caplog.text:
         pytest.skip('OpenPGP implementation missing')
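Review bot: In the new `base_tree` fixture the `myebuild-0.ebuild` file is opened `as f` but `f` is never used, while the two neighbouring `with` blocks correctly omit the target; `with open(tmp_path / 'myebuild-0.ebuild', 'wb'):` matches them and avoids a linter warning about an unused name. The fixture also has no docstring, and since the verify test and the update tests now both build on it, a one-liner such as `"""Create the empty tree (eclass/Manifest, myebuild-0.ebuild, metadata.xml) the CLI tests populate; returns tmp_path."""` would tell a reader why those three paths exist. test_cli's body continues past the end of the hunk.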
@@ -962,13 +970,7 @@ def test_cli_gpg_wrap(tmp_path, caplog, command, expected, match):
     assert match in caplog.text
-@pytest.mark.parametrize(
-    "hashes_arg,insecure",
-    [("MD5", True),
-     ("SHA1", True),
-     ("SHA512", False),
-     ("SHA1 SHA512", True),
-     ])
+@pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
 @pytest.mark.parametrize(
     "sign,require_secure",
     [(None, None),
@@ -995,3 +997,35 @@ def test_recursive_manifest_loader_require_secure(tmp_path, privkey_env,
         openpgp_env=privkey_env)
     if not sign:
         assert m.openpgp_signed
+
+
+@pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
+@pytest.mark.parametrize(
+    "sign,require_secure",
+    [("", ""),
+     ("--no-sign", ""),
+     ("--sign", ""),
+     ("", "--no-require-secure-hashes"),
+     ("--sign", "--no-require-secure-hashes"),
+     ])
+def test_update_require_secure_cli(base_tree, caplog, hashes_arg,
+                                   insecure, sign, require_secure):
+    with open(base_tree / ".key.bin", "wb") as keyf:
+        keyf.write(PRIVATE_KEY)
+    with open(base_tree / "Manifest", "w") as f:
+        f.write(SIGNED_MANIFEST)
+
+    retval = gemato.cli.main(["gemato", "update",
+                              "-K", str(base_tree / ".key.bin"),
+                              "--hashes", hashes_arg,
+                              str(base_tree)] +
+                             f"{sign} {require_secure}".split())
+    if str(OpenPGPNoImplementation('install gpg')) in caplog.text:
+        pytest.skip('OpenPGP implementation missing')
+
+    expected = (1 if insecure and sign != "--no-sign"
+                and require_secure != "--no-require-secure_hashes"
+                else 0)
+    assert retval == expected
+    if expected == 1:
+        assert str(ManifestInsecureHashes(insecure)) in caplog.text
diff --git a/tests/test_recursiveloader.py b/tests/test_recursiveloader.py
index f00deb9..860bace 100644
--- a/tests/test_recursiveloader.py
+++ b/tests/test_recursiveloader.py
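Review bot: The `expected` computation in test_update_require_secure_cli compares `require_secure` against `"--no-require-secure_hashes"` (underscore), while the parametrize list above it passes `"--no-require-secure-hashes"` (hyphen), so the comparison is never false and the relaxation branch is dead: every insecure-hash case that is not `--no-sign` expects exit status 1, including the two rows whose whole purpose is to show that `--no-require-secure-hashes` lets the update succeed. Either those cases fail, or, if they pass, the option is not being honoured by the CLI; neither is what the test intends. The fix is one line, `and require_secure != "--no-require-secure-hashes"`. It would also be worth the test carrying a short docstring stating the rule it encodes (signing implies the secure-hash requirement unless explicitly disabled) rather than leaving it to the boolean.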
@@ -2461,13 +2461,16 @@ def test_update_mtime(layout_factory, last_mtime, manifest_update):
     assert output == expected
-@pytest.mark.parametrize(
-    "hashes_arg,insecure",
-    [("MD5", True),
-     ("SHA1", True),
-     ("SHA512", False),
-     ("SHA1 SHA512", True),
-     ])
+INSECURE_HASH_TESTS = [
+    # hashes, insecure
+    ("MD5", ["MD5"]),
+    ("SHA1", ["SHA1"]),
+    ("SHA512", None),
+    ("SHA1 SHA512", ["SHA1"]),
+]
+
+
+@pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
 def test_insecure_hashes(layout_factory, hashes_arg, insecure):
     layout = BasicTestLayout
     tmp_path = layout_factory.create(layout)
@@ -2480,13 +2483,7 @@ def test_insecure_hashes(layout_factory, hashes_arg, insecure):
                                require_secure_hashes=True)
-@pytest.mark.parametrize(
-    "hashes_arg,insecure",
-    [("MD5", True),
-     ("SHA1", True),
-     ("SHA512", False),
-     ("SHA1 SHA512", True),
-     ])
+@pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
 @pytest.mark.parametrize(
     "func,arg",
     [(ManifestRecursiveLoader.update_entry_for_path, "sub/deeper/test"),
@@ -2514,3 +2511,17 @@ def test_insecure_hashes_update_no_arg(layout_factory):
                                require_secure_hashes=True)
     with pytest.raises(ManifestInsecureHashes):
         m.update_entry_for_path("sub/deeper/test")
+
+
+@pytest.mark.parametrize("hashes_arg,insecure", INSECURE_HASH_TESTS)
+@pytest.mark.parametrize("command", ["create", "update"])
+def test_insecure_hashes_update_cli(layout_factory, caplog,
+                                    hashes_arg, insecure, command):
+    layout = BasicTestLayout
+    tmp_path = layout_factory.create(layout)
+    expected = 1 if insecure else 0
+    assert gemato.cli.main(["gemato", command, "--hashes", hashes_arg,
+                            "--require-secure-hashes", "--force-rewrite",
+                            str(tmp_path)]) == expected
+    if insecure:
+        assert str(ManifestInsecureHashes(insecure)) in caplog.text |
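Review bot: INSECURE_HASH_TESTS changes the meaning of the `insecure` column from a bool to a list-or-None, and the only documentation is `# hashes, insecure`; since the value is now fed straight into `ManifestInsecureHashes(insecure)` and compared against the log, the comment should say what the list must contain. Something like `# (--hashes value, names ManifestInsecureHashes is expected to report, or None when every hash is secure)` makes it clear why "SHA1 SHA512" maps to ["SHA1"] alone. The same table is also imported by tests/test_openpgp.py in this commit, so readers of that file will rely on this comment too. The earlier tests that use the column (test_insecure_hashes and the update_entry_for_path variant) have bodies outside these hunks, so I have not checked that they still only use it for truthiness.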