

fix: update doc and test
Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
JeyJeyGao committed Jul 13, 2023
1 parent e33803d commit 03f0f24
Showing 3 changed files with 39 additions and 16 deletions.
Expand Up @@ -20,13 +20,13 @@ public async Task RunAsync_SelfSigned_ReturnsValidGenerateSignatureResponseAsync
// Arrange
var keyId = "https://testvault.vault.azure.net/keys/testkey/123";
var expectedKeySpec = "RSA-2048";
var mockCert = new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "rsa_2048.crt"));
var mockSignature = new byte[] { 0x01, 0x02, 0x03, 0x04 };

var mockKeyVaultClient = new Mock<IKeyVaultClient>();
// mock GetCertificateAsync
mockKeyVaultClient.Setup(client => client.GetCertificateAsync())
.ReturnsAsync(mockCert);

// mock GetCertificateChainAsync
var mockCertChain = CertificateBundle.Create(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "rsa_2048.crt"));
mockKeyVaultClient.Setup(client => client.GetCertificateChainAsync())
.ReturnsAsync(mockCertChain);

// mock SignAsync
mockKeyVaultClient.Setup(client => client.SignAsync(It.IsAny<SignatureAlgorithm>(), It.IsAny<byte[]>()))
Expand Down Expand Up @@ -54,7 +54,7 @@ public async Task RunAsync_SelfSigned_ReturnsValidGenerateSignatureResponseAsync
Assert.Equal("RSASSA-PSS-SHA-256", response.SigningAlgorithm);
Assert.Equal(mockSignature, response.Signature);
Assert.Single(response.CertificateChain);
Assert.Equal(mockCert.RawData, response.CertificateChain[0]);
Assert.Equal(mockCertChain[0].RawData, response.CertificateChain[0]);
}

[Fact]
Expand Down Expand Up @@ -106,16 +106,16 @@ public async Task RunAsync_ca_certs_ReturnsValidGenerateSignatureResponseAsync()
}

[Fact]
public async Task RunAsync_as_secret_ReturnsValidGenerateSignatureResponseAsync()
public async Task RunAsync_default_ReturnsValidGenerateSignatureResponseAsync()
{
// Arrange
var keyId = "https://testvault.vault.azure.net/keys/testkey/123";
var expectedKeySpec = "RSA-2048";
var mockSignature = new byte[] { 0x01, 0x02, 0x03, 0x04 };
var mockCertChain = CertificateBundle.Create(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "cert_chain.pem"));

var mockKeyVaultClient = new Mock<IKeyVaultClient>();
// mock GetCertificateAsync

// mock GetCertificateChainAsync
var mockCertChain = CertificateBundle.Create(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "cert_chain.pem"));
mockKeyVaultClient.Setup(client => client.GetCertificateChainAsync())
.ReturnsAsync(mockCertChain);

Expand All @@ -126,10 +126,7 @@ public async Task RunAsync_as_secret_ReturnsValidGenerateSignatureResponseAsync(
var request = new GenerateSignatureRequest(
contractVersion: "1.0",
keyId: keyId,
pluginConfig: new Dictionary<string, string>()
{
["as_secret"] = "true"
},
pluginConfig: new Dictionary<string, string>(){},
keySpec: expectedKeySpec,
hashAlgorithm: "SHA-256",
payload: Encoding.UTF8.GetBytes("Cg=="));
Expand Down Expand Up @@ -167,5 +164,31 @@ public void Constructor_Invalid()

Assert.Throws<ValidationException>(() => new GenerateSignature(InvalidInputJson));
}

[Fact]
public void RunAsync_NoSecertsGetPermission(){
// Arrange
var keyId = "https://testvault.vault.azure.net/keys/testkey/123";
var expectedKeySpec = "RSA-2048";
var mockSignature = new byte[] { 0x01, 0x02, 0x03, 0x04 };
var mockKeyVaultClient = new Mock<IKeyVaultClient>();

// mock GetCertificateChainAsync
var mockCertChain = CertificateBundle.Create(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "cert_chain.pem"));
mockKeyVaultClient.Setup(client => client.GetCertificateChainAsync())
.ThrowsAsync(new Azure.RequestFailedException("does not have secrets get permission"));

var request = new GenerateSignatureRequest(
contractVersion: "1.0",
keyId: keyId,
pluginConfig: new Dictionary<string, string>(){},
keySpec: expectedKeySpec,
hashAlgorithm: "SHA-256",
payload: Encoding.UTF8.GetBytes("Cg=="));

var generateSignatureCommand = new GenerateSignature(request, mockKeyVaultClient.Object);

Assert.Throws<PluginException>(() => generateSignatureCommand.RunAsync().GetAwaiter().GetResult());
}
}
}
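Review bot: The new `RunAsync_NoSecertsGetPermission` test is a synchronous `void` test that blocks on `RunAsync()` through `.GetAwaiter().GetResult()` inside `Assert.Throws`; it should be `public async Task RunAsync_NoSecretsGetPermission()` asserting with `await Assert.ThrowsAsync<PluginException>(() => generateSignatureCommand.RunAsync());`, which also fixes the `Secerts` typo in the name. `mockSignature` and `mockCertChain` are assigned but never used in this test, because the `GetCertificateChainAsync` setup throws before any signing happens, so they should be dropped. The test pins only the exception type; since the docs in this commit now tell operators to grant `GetSecrets`, it is worth also asserting on the `PluginException` message or error code so a regression that loses the permission hint is caught — I cannot see from the hunk how `GenerateSignature` wraps the inner `RequestFailedException`, so confirm what it exposes first. Note too that `new Azure.RequestFailedException("...")` carries status 0 rather than 403, so if the command branches on the status code this test does not exercise the access-denied path and `new Azure.RequestFailedException(403, "does not have secrets get permission")` would. The section's file name is not shown on the page and the enclosing test class begins outside this hunk.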
2 changes: 1 addition & 1 deletion docs/ca-signed-workflow.md
@@ -1,7 +1,7 @@
# Sign and verify an artifact with a certificate signed by a trusted CA in Azure Key Vault
> **Note** The following guide can be executed on Linux bash, macOS Zsh and Windows WSL
1. [Install the Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli)
2. Log in to Azure with Azure CLI, set the subscription and make sure the `GetCertificate` and `Sign` permission have been granted to your role:
2. Log in to Azure with Azure CLI, set the subscription and make sure the `GetCertificates`, `GetSecrets` and `Sign` permission for Azure Key Vault have been granted to your role:
```sh
az login
az account set --subscription $subscriptionID
2 changes: 1 addition & 1 deletion docs/self-signed-workflow.md
Expand Up @@ -3,7 +3,7 @@
> **Note** The following guide can be executed on Linux bash, macOS Zsh and Windows WSL
1. [Install the Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli)
2. Log in using the Azure CLI, set the subscription, and confirm the `GetCertificate` and `Sign` permission have been granted to your role:
2. Log in using the Azure CLI, set the subscription, and confirm the `GetCertificates`, `GetSecrets` and `Sign` permission for Azure Key Vault have been granted to your role:
```sh
az login
az account set --subscription $subscriptionID

