test: add tests for SBOMs

ctron · ctron · commit 1a6293090ccd · 2025-06-05T11:44:16.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/etc/deploy/compose/compose.yaml b/etc/deploy/compose/compose.yaml
@@ -10,3 +10,5 @@ services:
     shm_size: '1g'
     command: >
       postgres -c random_page_cost=1.1 -c max_parallel_workers_per_gather=4 -c shared_preload_libraries='pg_stat_statements'
+    volumes:
+      - /home/jreimann/Downloads/trustify/dump.sql.gz:/docker-entrypoint-initdb.d/dump-20250604T002104Z.sql.gz:Z
diff --git a/modules/fundamental/tests/signature/mod.rs b/modules/fundamental/tests/signature/mod.rs
@@ -1,34 +1,23 @@
-use crate::caller;
-use crate::common::create_zip;
+use crate::{caller, common::create_zip};
 use actix_http::StatusCode;
 use actix_web::test::{TestRequest, read_body_json};
-use base64::Engine;
-use base64::engine::general_purpose::STANDARD;
+use base64::{Engine, engine::general_purpose::STANDARD};
 use serde_json::{Value, json};
 use test_context::test_context;
 use test_log::test;
+use trustify_module_ingestor::service::dataset::DatasetIngestResult;
+use trustify_module_signature::service::DocumentType;
 use trustify_test_context::{TrustifyContext, call::CallService, document_bytes};
 use urlencoding::encode;
 
-#[test_context(TrustifyContext)]
-#[test(tokio::test)]
-async fn simple(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
-    let app = caller(ctx).await?;
-
-    // create zip and ingest (ds6 has signatures)
-
-    let sig = document_bytes("../datasets/ds6/csaf/2022/cve-2022-45787.json.asc").await?;
-    let trust_anchor = document_bytes("trust_anchor/97f5eac4.txt").await?;
-
-    let data = create_zip(ctx.absolute_path("../datasets/ds6")?)?;
-    let result = ctx.ingestor.ingest_dataset(&data, (), 0).await?;
-
-    let id = result.files["csaf/2022/cve-2022-45787.json"].id.to_string();
-
-    // get the signatures
-
+async fn ensure_one_signature(
+    app: &impl CallService,
+    r#type: DocumentType,
+    id: &str,
+    signature: &[u8],
+) {
     let request = TestRequest::get()
-        .uri(&format!("/api/v2/advisory/{}/signature", encode(&id)))
+        .uri(&format!("/api/v2/{type}/{}/signature", encode(id)))
         .to_request();
 
     let response = app.call_service(request).await;
@@ -43,16 +32,22 @@ async fn simple(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
                 {
                     "id": result["items"][0]["id"].clone(),
                     "type": "pgp",
-                    "payload": STANDARD.encode(&sig),
+                    "payload": STANDARD.encode(signature),
                 }
             ]
         })
     );
+}
 
-    // verify (without trust anchors)
-
+async fn ensure_valid_signature(
+    app: &impl CallService,
+    r#type: DocumentType,
+    id: &str,
+    signature: &[u8],
+    expected_trust_anchors: Value,
+) {
     let request = TestRequest::get()
-        .uri(&format!("/api/v2/advisory/{}/verify", encode(&id)))
+        .uri(&format!("/api/v2/{type}/{}/verify", encode(id)))
         .to_request();
     let response = app.call_service(request).await;
     assert_eq!(response.status(), StatusCode::OK);
@@ -65,59 +60,126 @@ async fn simple(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
                     "signature": {
                         "id": result["items"][0]["signature"]["id"].clone(),
                         "type": "pgp",
-                        "payload": STANDARD.encode(&sig),
+                        "payload": STANDARD.encode(signature),
                     },
-                    "trustAnchors": []
+                    "trustAnchors": expected_trust_anchors
                 }
             ],
             "total": 1,
         })
     );
+}
 
-    // add a matching trust anchor
-
+async fn add_trust_anchor(app: &impl CallService, trust_anchor: &[u8]) {
     let request = TestRequest::post()
         .uri("/api/v2/trust-anchor/test")
         .set_json(json!({
             "type": "pgp",
-            "payload": STANDARD.encode(&trust_anchor),
+            "payload": STANDARD.encode(trust_anchor),
         }))
         .to_request();
     let response = app.call_service(request).await;
     assert_eq!(response.status(), StatusCode::CREATED);
+}
+
+async fn ingest_ds6(ctx: &TrustifyContext) -> anyhow::Result<DatasetIngestResult> {
+    let data = create_zip(ctx.absolute_path("../datasets/ds6")?)?;
+    let result = ctx.ingestor.ingest_dataset(&data, (), 0).await?;
+
+    Ok(result)
+}
+
+#[test_context(TrustifyContext)]
+#[test(tokio::test)]
+async fn simple_advisory(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
+    let app = caller(ctx).await?;
+
+    // create zip and ingest (ds6 has signatures)
+
+    let result = ingest_ds6(ctx).await?;
+
+    // get data
+
+    let trust_anchor = document_bytes("trust_anchor/97f5eac4.txt").await?;
+    let sig = document_bytes("../datasets/ds6/csaf/2022/cve-2022-45787.json.asc").await?;
+    let id = result.files["csaf/2022/cve-2022-45787.json"].id.to_string();
+
+    // get the signatures
+
+    ensure_one_signature(&app, DocumentType::Advisory, &id, &sig).await;
+
+    // verify (without trust anchors)
+
+    ensure_valid_signature(&app, DocumentType::Advisory, &id, &sig, json!([])).await;
+
+    // add a matching trust anchor
+
+    add_trust_anchor(&app, &trust_anchor).await;
 
     // verify (with a matching trust anchor)
 
-    let request = TestRequest::get()
-        .uri(&format!("/api/v2/advisory/{}/verify", encode(&id)))
-        .to_request();
-    let response = app.call_service(request).await;
-    assert_eq!(response.status(), StatusCode::OK);
-    let result: Value = read_body_json(response).await;
-    assert_eq!(
-        result,
-        json!({
-            "items": [
-                {
-                    "signature": {
-                        "id": result["items"][0]["signature"]["id"].clone(),
-                        "type": "pgp",
-                        "payload": STANDARD.encode(&sig),
-                    },
-                    "trustAnchors": [
-                        {
-                            "id": "test",
-                            "type": "pgp",
-                            "disabled": false,
-                            "description": "",
-                            "payload": STANDARD.encode(&trust_anchor),
-                        }
-                    ]
-                }
-            ],
-            "total": 1,
-        })
-    );
+    ensure_valid_signature(
+        &app,
+        DocumentType::Advisory,
+        &id,
+        &sig,
+        json!([{
+            "id": "test",
+            "type": "pgp",
+            "disabled": false,
+            "description": "",
+            "payload": STANDARD.encode(&trust_anchor),
+        }]),
+    )
+    .await;
+
+    // done
+
+    Ok(())
+}
+
+#[test_context(TrustifyContext)]
+#[test(tokio::test)]
+async fn simple_sbom(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
+    let app = caller(ctx).await?;
+
+    // create zip and ingest (ds6 has signatures)
+
+    let result = ingest_ds6(ctx).await?;
+
+    // get data
+
+    let trust_anchor = document_bytes("trust_anchor/97f5eac4.txt").await?;
+    let sig =
+        document_bytes("../datasets/ds6/spdx/quarkus-bom-2.13.8.Final-redhat-00004.json.bz2.asc")
+            .await?;
+    let id = result.files["spdx/quarkus-bom-2.13.8.Final-redhat-00004.json.bz2"]
+        .id
+        .to_string();
+
+    // get the signatures
+
+    ensure_one_signature(&app, DocumentType::Sbom, &id, &sig).await;
+
+    // verify (without trust anchors)
+
+    ensure_valid_signature(&app, DocumentType::Sbom, &id, &sig, json!([])).await;
+
+    // add a matching trust anchor
+
+    add_trust_anchor(&app, &trust_anchor).await;
+
+    // verify (with a matching trust anchor)
+
+    ensure_valid_signature(
+        &app,
+        DocumentType::Sbom,
+        &id,
+        &sig,
+        // we don't expect a valid signature here, since the signature is for the compressed file
+        json!([]),
+    )
+    .await;
 
     // done
 
diff --git a/modules/signature/Cargo.toml b/modules/signature/Cargo.toml
@@ -22,6 +22,7 @@ sequoia-openpgp = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 serde_with = { workspace = true }
+strum= { workspace = true, features = ["derive"] }
 tempfile = { workspace = true }
 thiserror = { workspace = true }
 tokio = { workspace = true }
diff --git a/modules/signature/src/service/mod.rs b/modules/signature/src/service/mod.rs
@@ -9,7 +9,8 @@ use sea_orm::{ConnectionTrait, EntityTrait, QueryFilter};
 use trustify_common::id::{Id, TryFilterForId};
 use trustify_entity::{advisory, sbom, source_document};
 
-#[derive(Copy, Clone, Eq, PartialEq)]
+#[derive(Copy, Clone, Eq, PartialEq, strum::Display)]
+#[strum(serialize_all = "lowercase")]
 pub enum DocumentType {
     Advisory,
     Sbom,
