From 64fa0cc30b2be8323343fac425abc733113b3450 Mon Sep 17 00:00:00 2001
From: Michał Górny
Date: Fri, 16 Sep 2022 08:37:12 +0200
Subject: Support rejecting insecure hashes when updating
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michał Górny
---
 tests/test_verify.py | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
(limited to 'tests')
diff --git a/tests/test_verify.py b/tests/test_verify.py
index 1f3170b..7ee4545 100644
--- a/tests/test_verify.py
+++ b/tests/test_verify.py
@@ -1,8 +1,9 @@
 # gemato: Verification tests
 # vim:fileencoding=utf-8
-# (c) 2017-2020 Michał Górny
+# (c) 2017-2022 Michał Górny
 # Licensed under the terms of 2-clause BSD license

+import contextlib
 import itertools
 import os
 import os.path
@@ -14,6 +15,7 @@ import pytest
 from gemato.exceptions import (
 ManifestInvalidPath,
 ManifestCrossDevice,
+ ManifestInsecureHashes,
 )
 from gemato.hash import hash_path
 from gemato.manifest import new_manifest_entry
@@ -443,6 +445,26 @@ def test_unreadable_file(test_tree, function, args):
 pass


+@pytest.mark.parametrize(
+ "entry_hash,hashes_arg,insecure",
+ [("MD5", None, True),
+ ("SHA1", None, True),
+ ("SHA512", None, False),
+ ("MD5", "SHA1 SHA512", True),
+ ("MD5", "SHA512", False),
+ ("SHA512", "MD5 SHA512", True),
+ ])
+def test_insecure_hashes(test_tree, entry_hash, hashes_arg, insecure):
+ ctx = (pytest.raises(ManifestInsecureHashes) if insecure
+ else contextlib.nullcontext())
+ with ctx:
+ update_entry_for_path(
+ test_tree / "empty-file",
+ new_manifest_entry("DATA", "empty-file", 0, {entry_hash: ""}),
+ hashes=hashes_arg.split() if hashes_arg else None,
+ require_secure_hashes=True)
+
+
 @pytest.mark.parametrize(
 'a_cls,a_name,a_args,b_cls,b_name,b_args,expected,diff',
 [('DATA', 'test', [0, {'MD5': 'd41d8cd98f00b204e9800998ecf8427e'}],
-- cgit v1.2.3
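Review bot: In `test_insecure_hashes` the three `insecure=True` rows only prove that `ManifestInsecureHashes` is raised; nothing checks that the entry was left untouched, so an implementation that writes an MD5 or SHA1 value into the entry before raising would still pass. Bind the entry to a local before the `with` block (`entry = new_manifest_entry("DATA", "empty-file", 0, {entry_hash: ""})`) and afterwards assert that its hash mapping is still `{entry_hash: ""}` when `insecure` is true. The secure rows likewise run under `contextlib.nullcontext()` with no assertion; checking that the entry now carries a non-empty SHA512 value would make them fail if the update were skipped. The hunk also calls only with `require_secure_hashes=True`; whether the default path is pinned elsewhere in the file is not visible here.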