[TEP-0091] add more no error test cases for taskrun and pipelinerun

This commit adds 3 more cases when the trusted resources doesn't fail the run. They are 1) no match policies and feature flag is set to ignore 2) no match policies and feature flag is set to warn 3) only warn mode policies fail. Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
tektoncd · Jun 1, 2023 · 0ff0263 · 0ff0263
1 parent 8d1a903
commit 0ff0263
Show file tree

Hide file tree

Showing 2 changed files with 159 additions and 67 deletions.
diff --git a/pkg/reconciler/pipelinerun/pipelinerun_test.go b/pkg/reconciler/pipelinerun/pipelinerun_test.go
@@ -35,6 +35,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/registry"
 	"github.com/tektoncd/pipeline/pkg/apis/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
+	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	resolutionv1beta1 "github.com/tektoncd/pipeline/pkg/apis/resolution/v1beta1"
 	resolutionutil "github.com/tektoncd/pipeline/pkg/internal/resolution"
@@ -11580,7 +11581,51 @@ spec:
 		t.Fatal("fail to marshal task", err)
 	}
 
-	prs := parse.MustParseV1beta1PipelineRun(t, fmt.Sprintf(`
+	noMatchPolicy := []*v1alpha1.VerificationPolicy{{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "no-match",
+			Namespace: ts.Namespace,
+		},
+		Spec: v1alpha1.VerificationPolicySpec{
+			Resources: []v1alpha1.ResourcePattern{{Pattern: "no-match"}},
+		}}}
+	// warnPolicy doesn't contain keys so it will fail verification but doesn't fail the run
+	warnPolicy := []*v1alpha1.VerificationPolicy{{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "warn-policy",
+			Namespace: ts.Namespace,
+		},
+		Spec: v1alpha1.VerificationPolicySpec{
+			Resources: []v1alpha1.ResourcePattern{{Pattern: ".*"}},
+			Mode:      v1alpha1.ModeWarn,
+		}}}
+
+	testCases := []struct {
+		name                 string
+		task                 []*v1beta1.Task
+		noMatchPolicy        string
+		verificationPolicies []*v1alpha1.VerificationPolicy
+	}{{
+		name:                 "ignore no match policy",
+		noMatchPolicy:        config.IgnoreNoMatchPolicy,
+		verificationPolicies: noMatchPolicy,
+	}, {
+		name:                 "warn no match policy",
+		noMatchPolicy:        config.WarnNoMatchPolicy,
+		verificationPolicies: noMatchPolicy,
+	}, {
+		name:                 "pass enforce policy",
+		noMatchPolicy:        config.FailNoMatchPolicy,
+		verificationPolicies: vps,
+	}, {
+		name:                 "only fail warn policy",
+		noMatchPolicy:        config.FailNoMatchPolicy,
+		verificationPolicies: warnPolicy,
+	},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			prs := parse.MustParseV1beta1PipelineRun(t, fmt.Sprintf(`
 metadata:
   name: test-pipelinerun
   namespace: foo
@@ -11590,30 +11635,32 @@ spec:
     resolver: %s
 `, resolverName))
 
-	cms := []*corev1.ConfigMap{
-		{
-			ObjectMeta: metav1.ObjectMeta{Name: config.GetFeatureFlagsConfigName(), Namespace: system.Namespace()},
-			Data: map[string]string{
-				"trusted-resources-verification-no-match-policy": config.FailNoMatchPolicy,
-			},
-		},
-	}
+			cms := []*corev1.ConfigMap{
+				{
+					ObjectMeta: metav1.ObjectMeta{Name: config.GetFeatureFlagsConfigName(), Namespace: system.Namespace()},
+					Data: map[string]string{
+						"trusted-resources-verification-no-match-policy": tc.noMatchPolicy,
+					},
+				},
+			}
 
-	pipelineReq := getResolvedResolutionRequest(t, resolverName, signedPipelineBytes, prs.Namespace, prs.Name)
-	taskReq := getResolvedResolutionRequest(t, resolverName, signedTaskBytes, prs.Namespace, prs.Name+"-"+ps.Spec.Tasks[0].Name)
+			pipelineReq := getResolvedResolutionRequest(t, resolverName, signedPipelineBytes, prs.Namespace, prs.Name)
+			taskReq := getResolvedResolutionRequest(t, resolverName, signedTaskBytes, prs.Namespace, prs.Name+"-"+ps.Spec.Tasks[0].Name)
 
-	d := test.Data{
-		PipelineRuns:         []*v1beta1.PipelineRun{prs},
-		VerificationPolicies: vps,
-		ConfigMaps:           cms,
-		ResolutionRequests:   []*resolutionv1beta1.ResolutionRequest{&pipelineReq, &taskReq},
-	}
-	prt := newPipelineRunTest(t, d)
-	defer prt.Cancel()
+			d := test.Data{
+				PipelineRuns:         []*v1beta1.PipelineRun{prs},
+				VerificationPolicies: tc.verificationPolicies,
+				ConfigMaps:           cms,
+				ResolutionRequests:   []*resolutionv1beta1.ResolutionRequest{&pipelineReq, &taskReq},
+			}
+			prt := newPipelineRunTest(t, d)
+			defer prt.Cancel()
 
-	reconciledRun, _ := prt.reconcileRun("foo", "test-pipelinerun", []string{}, false)
+			reconciledRun, _ := prt.reconcileRun("foo", "test-pipelinerun", []string{}, false)
 
-	checkPipelineRunConditionStatusAndReason(t, reconciledRun, corev1.ConditionUnknown, v1beta1.PipelineRunReasonRunning.String())
+			checkPipelineRunConditionStatusAndReason(t, reconciledRun, corev1.ConditionUnknown, v1beta1.PipelineRunReasonRunning.String())
+		})
+	}
 }
 
 func TestReconcile_verifyResolvedPipeline_Error(t *testing.T) {
@@ -11737,6 +11784,17 @@ spec:
 		},
 	}
 
+	pr := parse.MustParseV1beta1PipelineRun(t, fmt.Sprintf(`
+metadata:
+  name: test-pipelinerun
+  namespace: foo
+  selfLink: /pipeline/1234
+spec:
+  pipelineRef:
+    resolver: %s
+  serviceAccountName: default
+`, resolverName))
+
 	testCases := []struct {
 		name          string
 		pipelinerun   []*v1beta1.PipelineRun
@@ -11766,22 +11824,11 @@ spec:
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			prs := parse.MustParseV1beta1PipelineRun(t, fmt.Sprintf(`
-metadata:
-  name: test-pipelinerun
-  namespace: foo
-  selfLink: /pipeline/1234
-spec:
-  pipelineRef:
-    resolver: %s
-  serviceAccountName: default
-`, resolverName))
-
-			pipelineReq := getResolvedResolutionRequest(t, resolverName, tc.pipelineBytes, prs.Namespace, prs.Name)
-			taskReq := getResolvedResolutionRequest(t, resolverName, tc.taskBytes, prs.Namespace, prs.Name+"-"+ps.Spec.Tasks[0].Name)
+			pipelineReq := getResolvedResolutionRequest(t, resolverName, tc.pipelineBytes, pr.Namespace, pr.Name)
+			taskReq := getResolvedResolutionRequest(t, resolverName, tc.taskBytes, pr.Namespace, pr.Name+"-"+ps.Spec.Tasks[0].Name)
 
 			d := test.Data{
-				PipelineRuns:         []*v1beta1.PipelineRun{prs},
+				PipelineRuns:         []*v1beta1.PipelineRun{pr},
 				ConfigMaps:           cms,
 				VerificationPolicies: vps,
 				ResolutionRequests:   []*resolutionv1beta1.ResolutionRequest{&pipelineReq, &taskReq},

diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go
@@ -36,6 +36,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/apis/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/pod"
+	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	resolutionv1beta1 "github.com/tektoncd/pipeline/pkg/apis/resolution/v1beta1"
 	resolutionutil "github.com/tektoncd/pipeline/pkg/internal/resolution"
@@ -4925,6 +4926,24 @@ spec:
 		t.Fatal("fail to marshal task", err)
 	}
 
+	noMatchPolicy := []*v1alpha1.VerificationPolicy{{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "no-match",
+			Namespace: ts.Namespace,
+		},
+		Spec: v1alpha1.VerificationPolicySpec{
+			Resources: []v1alpha1.ResourcePattern{{Pattern: "no-match"}},
+		}}}
+	// warnPolicy doesn't contain keys so it will fail verification but doesn't fail the run
+	warnPolicy := []*v1alpha1.VerificationPolicy{{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "warn-policy",
+			Namespace: ts.Namespace,
+		},
+		Spec: v1alpha1.VerificationPolicySpec{
+			Resources: []v1alpha1.ResourcePattern{{Pattern: ".*"}},
+			Mode:      v1alpha1.ModeWarn,
+		}}}
 	tr := parse.MustParseV1beta1TaskRun(t, fmt.Sprintf(`
 metadata:
   name: test-taskrun
@@ -4939,41 +4958,67 @@ spec:
 status:
   podName: the-pod
 `, resolverName))
-
-	cms := []*corev1.ConfigMap{
-		{
-			ObjectMeta: metav1.ObjectMeta{Name: config.GetFeatureFlagsConfigName(), Namespace: system.Namespace()},
-			Data: map[string]string{
-				"trusted-resources-verification-no-match-policy": config.FailNoMatchPolicy,
-			},
-		},
-	}
-	rr := getResolvedResolutionRequest(t, resolverName, signedTaskBytes, tr.Namespace, tr.Name)
-	d := test.Data{
-		TaskRuns:             []*v1beta1.TaskRun{tr},
-		ConfigMaps:           cms,
-		VerificationPolicies: vps,
-		ResolutionRequests:   []*resolutionv1beta1.ResolutionRequest{&rr},
+	testCases := []struct {
+		name                 string
+		task                 []*v1beta1.Task
+		noMatchPolicy        string
+		verificationPolicies []*v1alpha1.VerificationPolicy
+	}{{
+		name:                 "ignore no match policy",
+		noMatchPolicy:        config.IgnoreNoMatchPolicy,
+		verificationPolicies: noMatchPolicy,
+	}, {
+		name:                 "warn no match policy",
+		noMatchPolicy:        config.WarnNoMatchPolicy,
+		verificationPolicies: noMatchPolicy,
+	}, {
+		name:                 "pass enforce policy",
+		noMatchPolicy:        config.FailNoMatchPolicy,
+		verificationPolicies: vps,
+	}, {
+		name:                 "only fail warn policy",
+		noMatchPolicy:        config.FailNoMatchPolicy,
+		verificationPolicies: warnPolicy,
+	},
 	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			cms := []*corev1.ConfigMap{
+				{
+					ObjectMeta: metav1.ObjectMeta{Name: config.GetFeatureFlagsConfigName(), Namespace: system.Namespace()},
+					Data: map[string]string{
+						"trusted-resources-verification-no-match-policy": tc.noMatchPolicy,
+					},
+				},
+			}
+			rr := getResolvedResolutionRequest(t, resolverName, signedTaskBytes, tr.Namespace, tr.Name)
+			d := test.Data{
+				TaskRuns:             []*v1beta1.TaskRun{tr},
+				ConfigMaps:           cms,
+				VerificationPolicies: tc.verificationPolicies,
+				ResolutionRequests:   []*resolutionv1beta1.ResolutionRequest{&rr},
+			}
 
-	testAssets, cancel := getTaskRunController(t, d)
-	defer cancel()
-	createServiceAccount(t, testAssets, tr.Spec.ServiceAccountName, tr.Namespace)
-	err = testAssets.Controller.Reconciler.Reconcile(testAssets.Ctx, getRunName(tr))
+			testAssets, cancel := getTaskRunController(t, d)
+			defer cancel()
+			createServiceAccount(t, testAssets, tr.Spec.ServiceAccountName, tr.Namespace)
+			err = testAssets.Controller.Reconciler.Reconcile(testAssets.Ctx, getRunName(tr))
 
-	if ok, _ := controller.IsRequeueKey(err); !ok {
-		t.Errorf("Error reconciling TaskRun. Got error %v", err)
-	}
-	tr, err = testAssets.Clients.Pipeline.TektonV1beta1().TaskRuns(tr.Namespace).Get(testAssets.Ctx, tr.Name, metav1.GetOptions{})
-	if err != nil {
-		t.Fatalf("getting updated taskrun: %v", err)
-	}
-	condition := tr.Status.GetCondition(apis.ConditionSucceeded)
-	if condition == nil || condition.Status != corev1.ConditionUnknown {
-		t.Errorf("Expected fresh TaskRun to have in progress status, but had %v", condition)
-	}
-	if condition != nil && condition.Reason != v1beta1.TaskRunReasonRunning.String() {
-		t.Errorf("Expected reason %q but was %s", v1beta1.TaskRunReasonRunning.String(), condition.Reason)
+			if ok, _ := controller.IsRequeueKey(err); !ok {
+				t.Errorf("Error reconciling TaskRun. Got error %v", err)
+			}
+			tr, err = testAssets.Clients.Pipeline.TektonV1beta1().TaskRuns(tr.Namespace).Get(testAssets.Ctx, tr.Name, metav1.GetOptions{})
+			if err != nil {
+				t.Fatalf("getting updated taskrun: %v", err)
+			}
+			condition := tr.Status.GetCondition(apis.ConditionSucceeded)
+			if condition == nil || condition.Status != corev1.ConditionUnknown {
+				t.Errorf("Expected fresh TaskRun to have in progress status, but had %v", condition)
+			}
+			if condition != nil && condition.Reason != v1beta1.TaskRunReasonRunning.String() {
+				t.Errorf("Expected reason %q but was %s", v1beta1.TaskRunReasonRunning.String(), condition.Reason)
+			}
+		})
 	}
 }