Add unit tests for signing with sigstore (sigstore#291)
* Configure coverage reporting

By default, the `hatch test -c` coverage report lists only counts of lines, lines missing and percentages, but there is no way to see which are the ones that are missing. We don't have an option to generate an html report at the moment (pypa/hatch#1477). Added some options to display missing lines.

Also, by default, all files are included in the report, including tests (covering the test-only code). I removed the tests, but if we decide we should add them that's easy to do.

More importantly, the report lists files that are 100% covered (not useful in CI) and empty files (not useful at all). So, I removed those from the output.

There is another bigger issue that only files that are imported by a test get reported, so if we have code that is not tested at all it will not show up here. We already have such code in `signature/` and `signing/sigstore.py`. Fixing this will be left for later.

Current output is:

```
Name                                         Stmts   Miss  Cover   Missing
--------------------------------------------------------------------------
src/model_signing/signing/in_toto.py           168     68    60%   65-78, 181-190, 342-367, 485-512, 660-671, 793-806
--------------------------------------------------------------------------
TOTAL                                          745     70    91%
```

Fixing the missing coverage is left for later. We should aim for 95%+ or so coverage, I think.

We should probably make it so that GitHub reports this table back on PRs, so reviewers can quickly ask for more testing without needing to check the GHA report. Punted for later; for now I'll just remember to keep checking.

Signed-off-by: Mihai Maruseac <[email protected]>

* Add unit tests for signing with sigstore.

We need to do quite a lot of mocking around Sigstore, but we are able to test all logic in our library. What is left to do for testing is e2e integration tests (#5) and testing with signing on one OS and verifying on another (sigstore#25). Both of these are integration style tests and we will only be able to run them in GHA. I'll send a PR for those soon.

While testing, I discovered some minor bugs with error reporting and one moderate bug. Fixed in this PR.

We now have achieved 100% test coverage! 🎉

```
Name    Stmts   Miss  Cover   Missing
-------------------------------------
TOTAL     835      0   100%
```

Well, almost. There are 2 files that are not imported by tests at all, so they don't get included in the report:

```
src/model_signing/signature/fake.py
src/model_signing/signature/pki.py
```

This depends on sigstore#287 which configures the coverage reporting.

Signed-off-by: Mihai Maruseac <[email protected]>

---------

Signed-off-by: Mihai Maruseac <[email protected]>
mihaimaruseac authored and susperius committed Aug 21, 2024
1 parent f00c9b6 commit ad1b79e
Showing 4 changed files with 698 additions and 19 deletions.
30 changes: 20 additions & 10 deletions pyproject.toml
Expand Up @@ -63,6 +63,18 @@ randomize = true
[[tool.hatch.envs.hatch-test.matrix]]
python = ["3.11", "3.12"]

[tool.hatch.envs.docs]
description = """Custom environment for pdoc.
Use `hatch run docs:serve` to view documentation.
"""
extra-dependencies = [
"pdoc"
]

[tool.hatch.envs.docs.scripts]
serve = "pdoc src/model_signing --docformat google --no-show-source"
build = "serve --output-directory html"

[tool.hatch.envs.type]
description = """Custom environment for pytype.
Use `hatch run type:check` to check types.
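Review bot: the `[tool.hatch.envs.docs]` and `[tool.hatch.envs.docs.scripts]` blocks added in this hunk are the same lines removed further down in the file, so this is a pure move of the docs environment above the type environment rather than a change, and neither the commit title nor the "Configure coverage reporting" part of the message mentions it. A one-line note in the message, or keeping the reorder out of a functional change, would make the diff easier to review.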
Expand All @@ -77,17 +89,15 @@ python = "3.11"
[tool.hatch.envs.type.scripts]
check = "pytype -k -j auto src tests"

[tool.hatch.envs.docs]
description = """Custom environment for pdoc.
Use `hatch run docs:serve` to view documentation.
"""
extra-dependencies = [
"pdoc"
[tool.coverage.report]
exclude_also = [
"pass",
"return NotImplemented",
]

[tool.hatch.envs.docs.scripts]
serve = "pdoc src/model_signing --docformat google --no-show-source"
build = "serve --output-directory html"
omit = ["tests/*"]
show_missing = true
skip_covered = true
skip_empty = true

# Add support for testing via the old `pytest .` way, too.
[tool.pytest.ini_options]
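Review bot: `exclude_also` entries are regular expressions that coverage.py searches for anywhere in a source line, so the bare `"pass"` pattern will also drop unrelated lines such as `password = ...` or a call to `passthrough()` from the report, silently hiding them from the missing-lines list. Anchoring the pattern, for example with the TOML literal string `'^\s*pass\s*$'`, limits it to a lone `pass` statement; `"return NotImplemented"` is specific enough as written. With `skip_covered = true` every fully covered file disappears from the table, which is the intent described in the message, and the `TOTAL` line still prints, so a regression in any file still shows up in CI.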
14 changes: 7 additions & 7 deletions src/model_signing/signing/in_toto.py
Expand Up @@ -80,7 +80,7 @@ def manifest_from_payload(
if predicate_type == subcls.predicate_type:
return subcls.manifest_from_payload(payload)

raise ValueError("Unknown in-toto predicate type {predicate_type}")
raise ValueError(f"Unknown in-toto predicate type {predicate_type}")


class SingleDigestIntotoPayload(IntotoPayload):
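Review bot: the missing `f` prefix meant the raised message contained the literal text `{predicate_type}` instead of the offending value; the fix is right, but the same defect occurs four times in this file, so a lint rule would keep it from returning. Ruff's `RUF027` (missing-f-string-syntax) flags plain string literals that contain `{name}` placeholders for names in scope, and the unit test that exercises this branch should assert on the message with `pytest.raises(ValueError, match=...)` so that the placeholder actually being substituted is checked rather than just the exception type.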
Expand Down Expand Up @@ -187,10 +187,10 @@ def manifest_from_payload(
predicate = payload["predicate"]

if len(subjects) != 1:
raise ValueError("Expected one single subject, got {subjects}")
raise ValueError(f"Expected one single subject, got {subjects}")

algorithm = predicate["actual_hash_algorithm"]
digest_value = subjects[0]["digest"]["sha256"]
digest_value = bytes.fromhex(subjects[0]["digest"]["sha256"])
digest = hashing.Digest(algorithm, digest_value)
return manifest_module.DigestManifest(digest)
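Review bot: this is the moderate bug the message refers to: `subjects[0]["digest"]["sha256"]` is the hex string from the in-toto statement, and the fix implies `hashing.Digest` expects raw bytes, so the manifest was previously built from a `str` and would not compare equal to a digest computed locally. `bytes.fromhex` raises `ValueError` on malformed hex, which matches the error type used elsewhere in this function, but its message says nothing about which subject was bad; wrapping it to include the subject name would help callers. Because a type mismatch like this only surfaces when a serialised payload is parsed back, the unit test for this class should round-trip: build the payload from a manifest, call `manifest_from_payload`, and assert equality with the original manifest.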

Expand Down Expand Up @@ -348,7 +348,7 @@ def manifest_from_payload(
predicate = payload["predicate"]

if len(subjects) != 1:
raise ValueError("Expected one single subject, got {subjects}")
raise ValueError(f"Expected one single subject, got {subjects}")

hasher = memory.SHA256()
items = []
Expand All @@ -365,7 +365,7 @@ def manifest_from_payload(
obtained_digest = hasher.compute().digest_hex
if obtained_digest != expected_digest:
raise ValueError(
f"Verification failed. "
"Verification failed. "
f"Expected {expected_digest}, got {obtained_digest}"
)
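Review bot: dropping the `f` prefix from `"Verification failed. "` is correct since that fragment has no placeholders, and implicit concatenation of a plain string with the adjacent `f"Expected {expected_digest}, got {obtained_digest}"` is fine. The Pyflakes/Ruff rule `F541` (f-string without any placeholders) catches exactly this case, so enabling it in the lint configuration would keep the two fixes of this kind in the file from regressing.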

Expand Down Expand Up @@ -491,7 +491,7 @@ def manifest_from_payload(
predicate = payload["predicate"]

if len(subjects) != 1:
raise ValueError("Expected one single subject, got {subjects}")
raise ValueError(f"Expected one single subject, got {subjects}")

hasher = memory.SHA256()
items = []
Expand All @@ -510,7 +510,7 @@ def manifest_from_payload(
obtained_digest = hasher.compute().digest_hex
if obtained_digest != expected_digest:
raise ValueError(
f"Verification failed. "
"Verification failed. "
f"Expected {expected_digest}, got {obtained_digest}"
)

4 changes: 2 additions & 2 deletions src/model_signing/signing/sigstore.py
Expand Up @@ -337,8 +337,8 @@ def verify(self, signature: signing.Signature) -> manifest.Manifest:

if payload_type != _IN_TOTO_JSON_PAYLOAD_TYPE:
raise ValueError(
f"Only {_IN_TOTO_JSON_PAYLOAD_TYPE} DSSE payload acceped, "
f"got {payload_type}"
f"Expected DSSE payload {_IN_TOTO_JSON_PAYLOAD_TYPE}, "
f"but got {payload_type}"
)

payload = json.loads(payload)
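Review bot: besides fixing the `acceped` typo, the reworded message now follows the `Expected ..., got ...` form used by the `ValueError`s in `in_toto.py`, which helps callers that match on messages. The test for this branch should feed a DSSE envelope whose `payloadType` is not `_IN_TOTO_JSON_PAYLOAD_TYPE` and assert with `pytest.raises(ValueError, match=...)` on the new wording, so the mock-heavy Sigstore tests demonstrably reach this check. Unrelated to the change but visible in its context: `payload = json.loads(payload)` rebinds the name from the raw payload to a `dict`, which hurts readability and type inference under pytype; a separate name such as `statement` would be clearer.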