Add end-to-end tests to sign & verify #5
Comments
|
@woodruffw @di we want to implement e2e signing / verification for our pre-submit tests. Could you point us to how you set this up for sigstore-python? I recall you're pre-generating OIDC tokens every 15mn or so? |
If I'm understanding correctly, I think this is what you want: https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon That repository has a repeating workflow that continuously leaks an OIDC credential solely for testing purposes, both as a workflow artifact and as a GitHub pages asset here: https://sigstore-conformance.github.io/extremely-dangerous-public-oidc-beacon/oidc-token.txt. You should be able to point any HTTP client at that URL, pull the token, and go from there 🙂 Does that cover your testing use case? |
|
Thanks @woodruffw yes that should cover our use case. Exactly what I was looking for! |
|
No problem, happy to help! |
|
Also to consider when doing end-to-end testing: #190 (comment) |
* Configure coverage reporting By default, `hatch test -c` coverage report lists only counts of lines and lines missing and percentages but there is no way to see which are the ones that are missing. We don't have an option to generate an html report at the moment (pypa/hatch#1477). Added some options to display missing lines. Also, by default, all files are included in the report, including tests (covering the test-only code). I removed the tests, but if we decide we should add them that's easy to do. More importantly, the report lists files that are 100% covered (not useful in CI) and empty files (not useful at all). So, I removed those from the output. There is another bigger issue that only files that are imported by a test get reported, so if we have code that is not tested at all it will not show up here. We already have such code in `signature/` and `signing/sigstore.py`. Fixing this will be left for later. Current output is: ``` Name Stmts Miss Cover Missing -------------------------------------------------------------------------- src/model_signing/signing/in_toto.py 168 68 60% 65-78, 181-190, 342-367, 485-512, 660-671, 793-806 -------------------------------------------------------------------------- TOTAL 745 70 91% ``` Fixing the missing coverage is left for later. We should aim for 95%+ or so coverage, I think. We should probably make it so that GitHub reports this table back on PRs, so reviewers can quickly ask for more testing without needing to check the GHA report. Punted for later, for now I'll just remember to just keep checking. Signed-off-by: Mihai Maruseac <[email protected]> * Add unit tests for signing with sigstore. We need to do quite a lot of mocking around Sigstore, but we are able to test all logic in our library. What is left to do for testing is e2e integration tests (#5) and testing with signing on one OS and verifying on another (#25). Both of these are integration style tests and we will only be able to run them in GHA. I'll send a PR for those soon. While testing, I discovered some minor bugs with error reporting and one moderate bug. Fixed in this PR. We now have achieved 100% test coverage! 🎉 ``` Name Stmts Miss Cover Missing ------------------------------------- TOTAL 835 0 100% ``` Well, almost. There are 2 files that are not imported by tests at all, so they don't get included in the report: ``` src/model_signing/signature/fake.py src/model_signing/signature/pki.py ``` This depends on #287 which configures the coverage reporting. Signed-off-by: Mihai Maruseac <[email protected]> --------- Signed-off-by: Mihai Maruseac <[email protected]>
We also need to add a GitHub Action to run tests on PR submission.
The text was updated successfully, but these errors were encountered: