From 083998d2178332dfc0d1567a2e0e4a09173f34d5 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 15 Jul 2024 14:32:48 -0400 Subject: [PATCH 1/2] _impl: catch another _ultranormalize_dist_filename error case Signed-off-by: William Woodruff --- src/pypi_attestations/_impl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pypi_attestations/_impl.py b/src/pypi_attestations/_impl.py index 0db7e2d..da53dd5 100644 --- a/src/pypi_attestations/_impl.py +++ b/src/pypi_attestations/_impl.py @@ -181,10 +181,10 @@ def verify( try: # We always ultranormalize when signing, but other signers may not. subject_name = _ultranormalize_dist_filename(subject.name) + normalized = _ultranormalize_dist_filename(dist.name) except ValueError as e: raise VerificationError(f"invalid subject: {str(e)}") - normalized = _ultranormalize_dist_filename(dist.name) if subject_name != normalized: raise VerificationError( f"subject does not match distribution name: {subject_name} != {normalized}" From aed7a5f9839d63c7b0ae6da11d153a8ca8a7d424 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 15 Jul 2024 14:41:54 -0400 Subject: [PATCH 2/2] tests Signed-off-by: William Woodruff --- src/pypi_attestations/_impl.py | 6 +++++- test/test_impl.py | 35 ++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/src/pypi_attestations/_impl.py b/src/pypi_attestations/_impl.py index da53dd5..2bf4882 100644 --- a/src/pypi_attestations/_impl.py +++ b/src/pypi_attestations/_impl.py @@ -181,10 +181,14 @@ def verify( try: # We always ultranormalize when signing, but other signers may not. subject_name = _ultranormalize_dist_filename(subject.name) - normalized = _ultranormalize_dist_filename(dist.name) except ValueError as e: raise VerificationError(f"invalid subject: {str(e)}") + try: + normalized = _ultranormalize_dist_filename(dist.name) + except ValueError as e: + raise VerificationError(f"invalid distribution name: {str(e)}") + if subject_name != normalized: raise VerificationError( f"subject does not match distribution name: {subject_name} != {normalized}" diff --git a/test/test_impl.py b/test/test_impl.py index ec181b5..e91e6bd 100644 --- a/test/test_impl.py +++ b/test/test_impl.py @@ -310,6 +310,41 @@ def test_verify_subject_invalid_name(self) -> None: with pytest.raises(impl.VerificationError, match="invalid subject: Invalid wheel filename"): attestation.verify(verifier, pol, artifact_path) + def test_verify_distribution_invalid_name(self, tmp_path: Path) -> None: + statement = ( + _StatementBuilder() # noqa: SLF001 + .subjects( + [ + _Subject( + name=artifact_path.name, + digest=_DigestSet(root={"sha256": "abcd"}), + ), + ] + ) + .predicate_type("foo") + .build() + ._inner.model_dump_json() + ) + + verifier = pretend.stub( + verify_dsse=pretend.call_recorder( + lambda bundle, policy: ( + "application/vnd.in-toto+json", + statement.encode(), + ) + ) + ) + pol = pretend.stub() + + attestation = impl.Attestation.model_validate_json(attestation_path.read_text()) + bad_artifact = tmp_path / "bad.whl" + bad_artifact.write_bytes(artifact_path.read_bytes()) + + with pytest.raises( + impl.VerificationError, match="invalid distribution name: Invalid wheel filename" + ): + attestation.verify(verifier, pol, bad_artifact) + def test_verify_unknown_attestation_type(self) -> None: statement = ( _StatementBuilder() # noqa: SLF001