mirror of https://github.com/helm/helm
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
99 lines
2.5 KiB
99 lines
2.5 KiB
/*
|
|
Copyright The Helm Authors.
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package plugin
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
|
|
"helm.sh/helm/v4/pkg/provenance"
|
|
)
|
|
|
|
func TestSignPlugin(t *testing.T) {
|
|
// Create a test plugin directory
|
|
tempDir := t.TempDir()
|
|
pluginDir := filepath.Join(tempDir, "test-plugin")
|
|
if err := os.MkdirAll(pluginDir, 0755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Create a plugin.yaml file
|
|
pluginYAML := `apiVersion: v1
|
|
name: test-plugin
|
|
type: cli/v1
|
|
runtime: subprocess
|
|
version: 1.0.0
|
|
runtimeConfig:
|
|
platformCommand:
|
|
- command: echo`
|
|
if err := os.WriteFile(filepath.Join(pluginDir, "plugin.yaml"), []byte(pluginYAML), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Create a tarball
|
|
tarballPath := filepath.Join(tempDir, "test-plugin.tgz")
|
|
tarFile, err := os.Create(tarballPath)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := CreatePluginTarball(pluginDir, "test-plugin", tarFile); err != nil {
|
|
tarFile.Close()
|
|
t.Fatal(err)
|
|
}
|
|
tarFile.Close()
|
|
|
|
// Create a test key for signing
|
|
keyring := "../../pkg/cmd/testdata/helm-test-key.secret"
|
|
signer, err := provenance.NewFromKeyring(keyring, "helm-test")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := signer.DecryptKey(func(_ string) ([]byte, error) {
|
|
return []byte(""), nil
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Read the tarball data
|
|
tarballData, err := os.ReadFile(tarballPath)
|
|
if err != nil {
|
|
t.Fatalf("failed to read tarball: %v", err)
|
|
}
|
|
|
|
// Sign the plugin tarball
|
|
sig, err := SignPlugin(tarballData, filepath.Base(tarballPath), signer)
|
|
if err != nil {
|
|
t.Fatalf("failed to sign plugin: %v", err)
|
|
}
|
|
|
|
// Verify the signature contains the expected content
|
|
if !strings.Contains(sig, "-----BEGIN PGP SIGNED MESSAGE-----") {
|
|
t.Error("signature does not contain PGP header")
|
|
}
|
|
|
|
// Verify the tarball hash is in the signature
|
|
expectedHash, err := provenance.DigestFile(tarballPath)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
// The signature should contain the tarball hash
|
|
if !strings.Contains(sig, "sha256:"+expectedHash) {
|
|
t.Errorf("signature does not contain expected tarball hash: sha256:%s", expectedHash)
|
|
}
|
|
}
|