From 4fe74c5b55f5b29ab832b61f8c0eef290c40d1e3 Mon Sep 17 00:00:00 2001
From: Michał Górny <mgorny@gentoo.org>
Date: Fri, 16 Sep 2022 19:09:16 +0200
Subject: Support defaulting secure_hashes to top-level Manifest signing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 tests/test_openpgp.py | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

(limited to 'tests/test_openpgp.py')

diff --git a/tests/test_openpgp.py b/tests/test_openpgp.py
index c57a612..6895a13 100644
--- a/tests/test_openpgp.py
+++ b/tests/test_openpgp.py
@@ -1,8 +1,9 @@
 # gemato: OpenPGP signature support tests
 # vim:fileencoding=utf-8
-# (c) 2017-2020 Michał Górny
+# (c) 2017-2022 Michał Górny
 # Licensed under the terms of 2-clause BSD license
 
+import contextlib
 import datetime
 import io
 import logging
@@ -26,6 +27,7 @@ from gemato.exceptions import (
     OpenPGPKeyRefreshError,
     OpenPGPRuntimeError,
     OpenPGPUntrustedSigFailure,
+    ManifestInsecureHashes,
     )
 from gemato.manifest import ManifestFile
 from gemato.openpgp import (
@@ -958,3 +960,38 @@ def test_cli_gpg_wrap(tmp_path, caplog, command, expected, match):
     assert retval == expected
     if match is not None:
         assert match in caplog.text
+
+
+@pytest.mark.parametrize(
+    "hashes_arg,insecure",
+    [("MD5", True),
+     ("SHA1", True),
+     ("SHA512", False),
+     ("SHA1 SHA512", True),
+     ])
+@pytest.mark.parametrize(
+    "sign,require_secure",
+    [(None, None),
+     (False, None),
+     (True, None),
+     (None, False),
+     (True, False),
+     ])
+def test_recursive_manifest_loader_require_secure(tmp_path, privkey_env,
+                                                  hashes_arg, insecure,
+                                                  sign, require_secure):
+    with open(tmp_path / "Manifest", "w") as f:
+        f.write(SIGNED_MANIFEST)
+
+    ctx = (pytest.raises(ManifestInsecureHashes)
+           if insecure and sign is not False and require_secure is not False
+           else contextlib.nullcontext())
+    with ctx:
+        m = ManifestRecursiveLoader(tmp_path / "Manifest",
+                                    hashes=hashes_arg.split(),
+                                    require_secure_hashes=require_secure,
+                                    verify_openpgp=not sign,
+                                    sign_openpgp=sign,
+                                    openpgp_env=privkey_env)
+        if not sign:
+            assert m.openpgp_signed
-- 
cgit v1.2.3