-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add end-to-end tests for reusable monitoring workflow #472
Conversation
5d05eb3
to
6c11e44
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #472 +/- ##
==========================================
+ Coverage 64.02% 72.94% +8.91%
==========================================
Files 4 13 +9
Lines 303 765 +462
==========================================
+ Hits 194 558 +364
- Misses 78 154 +76
- Partials 31 53 +22 ☔ View full report in Codecov by Sentry. |
6c11e44
to
ff76eb4
Compare
Signed-off-by: linus-sun <linussun@google.com>
d820b24
to
411275c
Compare
ebe4ea1
to
8237e89
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work on this!
if !strings.Contains(tempOutputIdentitiesString, subject) { | ||
t.Errorf("expected to find %s, did not", subject) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just for thoroughness, should we check issuer as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MatchedIndices will only add the matching identity it's monitoring to its output (see here, where it is only appending the subject)- then, WriteIdentity only writes the subject, so the issuer won't be present here. If we would prefer to include the entire identity, I'm happy to add that functionality into MatchedIndices
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For identities in certificates, the issuer should be included -
rekor-monitor/pkg/rekor/identity.go
Line 101 in c3b66b9
Issuer: iss, |
The Subjects
field is somewhat confusingly named - this includes references to identifiers found in everything but certificates, like how PGP keys have emails.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, I think this would be a good thing to test for as well - record a key and check for its fingerprint, check only a subject, check a subject+issuer, and check for an OID match.
8237e89
to
ccf7588
Compare
a97fe20
to
162061f
Compare
Signed-off-by: linus-sun <linussun@google.com>
162061f
to
31560d7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work on this!
One other comment, we will also need to hook this up in the GitHub action that runs tests. |
Summary
This test adds an end-to-end test checking the functionality of rekor-monitor's reusable monitoring workflow. It spins up a local instance of Rekor, adds 3 log entries, and then verifies that rekor-monitor is able to successfully verify the consistency proof of the tree hash and finds the given monitored identities and writes it to disk. This test is currently skipped by the rekor-monitor PR CI, and is runnable locally from the
e2e_test.sh
shell script. Future PRs will, in the process of overall refactoring the monitoring workflow into separate components, add this test to the PR CI as well as relocate it from thecmd/verifier
pkg into the corresponding package as its components after the refactor. For now, this PR exists to add an e2e test that is able to verify the consistent functionality of rekor-monitor as future improvements are made in refactoring the monitoring workflow.Additionally, this test updates the name of the monitoring workflow to prepare it for future exports/refactors, and removes the
stable
parameter from GetLogInfo so that rekor-monitor fetches the up-to-date tree head and checkpoints when it fetches log info using its rekor client instance.Release Note
NONE
Documentation
Future PRs will update documentation as the monitoring workflow is refactored- for now, this PR does not require documentation updates.