Add end-to-end tests for reusable monitoring workflow #472
Conversation
linus-sun
force-pushed
the
linussun/e2e-test
branch
from
5d05eb3
to
6c11e44
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #472 +/- ##
==========================================
+ Coverage 64.02% 72.94% +8.91%
==========================================
Files 4 13 +9
Lines 303 765 +462
==========================================
+ Hits 194 558 +364
- Misses 78 154 +76
- Partials 31 53 +22 ☔ View full report in Codecov by Sentry. |
linus-sun
force-pushed
the
linussun/e2e-test
branch
from
6c11e44
to
ff76eb4
Compare
linus-sun
changed the title
Signed-off-by: linus-sun <linussun@google.com>
linus-sun
force-pushed
the
linussun/e2e-test
branch
2 times, most recently
from
d820b24
to
411275c
Compare
linus-sun
force-pushed
the
linussun/e2e-test
branch
2 times, most recently
from
ebe4ea1
to
8237e89
Compare
| if !strings.Contains(tempOutputIdentitiesString, subject) { | ||
| t.Errorf("expected to find %s, did not", subject) | ||
| } | ||
| } |
There was a problem hiding this comment.
Just for thoroughness, should we check issuer as well?
There was a problem hiding this comment.
MatchedIndices will only add the matching identity it's monitoring to its output (see here, where it is only appending the subject)- then, WriteIdentity only writes the subject, so the issuer won't be present here. If we would prefer to include the entire identity, I'm happy to add that functionality into MatchedIndices
There was a problem hiding this comment.
For identities in certificates, the issuer should be included -
rekor-monitor/pkg/rekor/identity.go
Line 101 in c3b66b9
The Subjects field is somewhat confusingly named - this includes references to identifiers found in everything but certificates, like how PGP keys have emails.
There was a problem hiding this comment.
Actually, I think this would be a good thing to test for as well - record a key and check for its fingerprint, check only a subject, check a subject+issuer, and check for an OID match.
linus-sun
force-pushed
the
linussun/e2e-test
branch
from
8237e89
to
ccf7588
Compare
linus-sun
force-pushed
the
linussun/e2e-test
branch
3 times, most recently
from
a97fe20
to
162061f
Compare
Signed-off-by: linus-sun <linussun@google.com>
linus-sun
force-pushed
the
linussun/e2e-test
branch
from
162061f
to
31560d7
Compare
|
One other comment, we will also need to hook this up in the GitHub action that runs tests. |
Summary
This test adds an end-to-end test checking the functionality of rekor-monitor's reusable monitoring workflow. It spins up a local instance of Rekor, adds 3 log entries, and then verifies that rekor-monitor is able to successfully verify the consistency proof of the tree hash and finds the given monitored identities and writes it to disk. This test is currently skipped by the rekor-monitor PR CI, and is runnable locally from the
e2e_test.shshell script. Future PRs will, in the process of overall refactoring the monitoring workflow into separate components, add this test to the PR CI as well as relocate it from thecmd/verifierpkg into the corresponding package as its components after the refactor. For now, this PR exists to add an e2e test that is able to verify the consistent functionality of rekor-monitor as future improvements are made in refactoring the monitoring workflow.Additionally, this test updates the name of the monitoring workflow to prepare it for future exports/refactors, and removes the
stableparameter from GetLogInfo so that rekor-monitor fetches the up-to-date tree head and checkpoints when it fetches log info using its rekor client instance.Release Note
NONE
Documentation
Future PRs will update documentation as the monitoring workflow is refactored- for now, this PR does not require documentation updates.