import { describe, expect, it } from "vitest";
import {
collectDockerAttestationErrors,
imageRefForDigest,
parsePlatform,
} from "../../scripts/verify-docker-attestations.mjs";
// Constructed placeholder digests ("sha256:" followed by 64 repeated hex digits).
// They identify fixture entries only and are not hashes of any real content.

// Digest of the linux/amd64 image manifest in the fixture index.
const imageDigest = `sha256:${"1".repeat(64)}`;

// Digest of the attestation manifest entry that refers back to imageDigest.
const attestationDigest = `sha256:${"2".repeat(64)}`;
/**
 * Builds a fresh OCI image index fixture with two manifest entries:
 * a linux/amd64 image manifest, and an attestation manifest entry whose
 * `vnd.docker.reference.digest` annotation points at that image's digest.
 *
 * A new object is returned on every call so a test can modify its copy
 * (for example, drop the attestation entry) without affecting other tests.
 *
 * @returns {object} The image index fixture.
 */
function createIndex() {
  const platformManifest = {
    mediaType: "application/vnd.oci.image.manifest.v1+json",
    digest: imageDigest,
    size: 482,
    platform: { architecture: "amd64", os: "linux" },
  };

  // The attestation entry carries the "unknown/unknown" platform and is tied
  // to the image above through its reference annotations.
  const attestationManifest = {
    mediaType: "application/vnd.oci.image.manifest.v1+json",
    digest: attestationDigest,
    size: 1110,
    annotations: {
      "vnd.docker.reference.digest": imageDigest,
      "vnd.docker.reference.type": "attestation-manifest",
    },
    platform: { architecture: "unknown", os: "unknown" },
  };

  return {
    schemaVersion: 2,
    mediaType: "application/vnd.oci.image.index.v1+json",
    manifests: [platformManifest, attestationManifest],
  };
}
/**
 * Builds an attestation manifest fixture with one in-toto layer per
 * predicate type.
 *
 * Each layer records its predicate type in the `in-toto.io/predicate-type`
 * annotation. The layer digest and size are placeholders (the shared
 * imageDigest and a size of 1); no layer content is modelled here.
 *
 * @param {string[]} predicates Predicate type URIs, one per layer. Defaults
 *   to an SPDX document predicate plus a SLSA provenance v1 predicate.
 * @returns {object} The attestation manifest fixture.
 */
function createAttestation(
  predicates = ["https://spdx.dev/Document", "https://slsa.dev/provenance/v1"],
) {
  const layers = predicates.map((predicateType) => {
    const layer = {
      mediaType: "application/vnd.in-toto+json",
      digest: imageDigest,
      size: 1,
      annotations: {
        "in-toto.io/predicate-type": predicateType,
      },
    };
    return layer;
  });

  return {
    schemaVersion: 2,
    mediaType: "application/vnd.oci.image.manifest.v1+json",
    artifactType: "application/vnd.docker.attestation.manifest.v1+json",
    layers,
  };
}
/**
 * Builds the default attestation manifest fixture with its `artifactType`
 * property left out entirely (absent, not set to undefined).
 *
 * @returns {object} The attestation manifest fixture minus `artifactType`.
 */
function createAttestationWithoutArtifactType() {
  const fullManifest = createAttestation();
  // Rest-destructuring copies every property except the one being dropped.
  const { artifactType: _artifactType, ...withoutArtifactType } = fullManifest;
  return withoutArtifactType;
}
// Unit tests for the attestation checks in scripts/verify-docker-attestations.mjs.
//
// Every case passes an in-memory index and a stubbed `inspectAttestation`, so
// what is exercised is the index/manifest shape: that an attestation manifest
// is present for the required platform, and which predicate-type annotations
// and artifactType it carries. Nothing in this file contacts a registry, and
// no case here exercises signature or layer-content verification.
//
// NOTE(review): no case covers an attestation entry whose
// "vnd.docker.reference.digest" names a different image digest; confirm the
// verifier's behaviour for that input is tested elsewhere.
describe("verify-docker-attestations", () => {
  // Arguments shared by every collectDockerAttestationErrors call below.
  const baseArgs = () => ({
    imageRef: "ghcr.io/openclaw/openclaw:test",
    requiredPlatforms: [parsePlatform("linux/amd64")],
  });

  it("resolves digest refs from tagged image refs", () => {
    const fromRegistryTag = imageRefForDigest("ghcr.io/openclaw/openclaw:2026.4.26", imageDigest);
    expect(fromRegistryTag).toBe(`ghcr.io/openclaw/openclaw@${imageDigest}`);

    // The registry port's colon must not be mistaken for the tag separator.
    const fromLocalRegistry = imageRefForDigest("localhost:5000/openclaw:main", imageDigest);
    expect(fromLocalRegistry).toBe(`localhost:5000/openclaw@${imageDigest}`);
  });

  it("accepts an image index with SBOM and provenance predicates", () => {
    const errors = collectDockerAttestationErrors({
      ...baseArgs(),
      index: createIndex(),
      inspectAttestation: () => createAttestation(),
    });

    expect(errors).toEqual([]);
  });

  it("accepts OCI attestation manifests without artifactType", () => {
    const errors = collectDockerAttestationErrors({
      ...baseArgs(),
      index: createIndex(),
      inspectAttestation: () => createAttestationWithoutArtifactType(),
    });

    expect(errors).toEqual([]);
  });

  it("reports missing attestation manifests", () => {
    // Keep only the image manifest so the index has no attestation entry.
    const imageOnlyIndex = createIndex();
    imageOnlyIndex.manifests = imageOnlyIndex.manifests.slice(0, 1);

    const errors = collectDockerAttestationErrors({
      ...baseArgs(),
      index: imageOnlyIndex,
      inspectAttestation: () => createAttestation(),
    });

    expect(errors).toEqual([
      "ghcr.io/openclaw/openclaw:test: missing attestation manifest for linux/amd64",
    ]);
  });

  it("reports missing SBOM or provenance predicates", () => {
    // Only the SPDX predicate is supplied; the provenance predicate is absent.
    const errors = collectDockerAttestationErrors({
      ...baseArgs(),
      index: createIndex(),
      inspectAttestation: () => createAttestation(["https://spdx.dev/Document"]),
    });

    expect(errors).toEqual([
      "ghcr.io/openclaw/openclaw:test: linux/amd64 missing predicate https://slsa.dev/provenance/v1",
    ]);
  });

  it("reports an unexpected attestation manifest shape", () => {
    // An artifactType that is present but unrecognised is rejected, while an
    // absent artifactType is accepted (see the earlier case).
    const unexpectedManifest = () => ({
      ...createAttestation(),
      artifactType: "application/vnd.example.invalid",
    });

    const errors = collectDockerAttestationErrors({
      ...baseArgs(),
      index: createIndex(),
      inspectAttestation: unexpectedManifest,
    });

    expect(errors).toEqual([
      `ghcr.io/openclaw/openclaw:test: linux/amd64 attestation ${attestationDigest} has unexpected manifest shape artifactType="application/vnd.example.invalid" mediaType="application/vnd.oci.image.manifest.v1+json"`,
    ]);
  });
});