git.stella-ops.org/examples/policies/opa/cve-gate-base_test.rego
# -----------------------------------------------------------------------------
# cve-gate-base_test.rego
# Tests for base attestation verification policy
# -----------------------------------------------------------------------------
package stellaops.gates.base
import future.keywords.if
import future.keywords.in
# Fully-populated fixture: a DSSE envelope whose signature carries a trusted
# key id, plus a Rekor transparency-log entry. The gate must accept it even
# when Rekor is required.
# NOTE(review): `sig` is a placeholder string, not a real signature, so this
# case exercises key-id trust and Rekor presence only; whether the policy also
# verifies the signature bytes must be checked against cve-gate-base.rego.
test_valid_attestation_with_rekor if {
	fixture := {
		"config": {"require_rekor": true},
		"attestation": {
			"trusted_keys": ["key-1"],
			"dsse_envelope": {
				"payloadType": "application/vnd.in-toto+json",
				"payload": "eyJzdWJqZWN0IjpbXX0=", # base64 of {"subject":[]}
				"signatures": [{"keyid": "key-1", "sig": "abc123"}],
			},
			"rekor_entry": {
				"log_index": 12345,
				"integrated_time": 1705689600,
				"inclusion_proof": {"root_hash": "abc", "tree_size": 100, "hashes": []},
			},
		},
	}
	valid_attestation with input as fixture
}
# A trusted-key DSSE envelope with no Rekor entry is still accepted when the
# config explicitly turns the Rekor requirement off.
test_valid_attestation_no_rekor_not_required if {
	fixture := {
		"config": {"require_rekor": false},
		"attestation": {
			"trusted_keys": ["key-1"],
			"dsse_envelope": {
				"payloadType": "application/vnd.in-toto+json",
				"payload": "eyJzdWJqZWN0IjpbXX0=", # base64 of {"subject":[]}
				"signatures": [{"keyid": "key-1", "sig": "abc123"}],
			},
		},
	}
	valid_attestation with input as fixture
}
# An attestation with no DSSE envelope at all must not be accepted, regardless
# of config (an empty config is used here).
test_invalid_missing_dsse if {
	fixture := {"config": {}, "attestation": {}}
	not valid_attestation with input as fixture
}
# A well-formed DSSE envelope signed by a key id that is not in `trusted_keys`
# must be rejected. Config is left empty so only the key check is exercised
# (the policy's default for require_rekor is not visible from this file).
test_invalid_untrusted_key if {
	fixture := {
		"config": {},
		"attestation": {
			"trusted_keys": ["key-1"],
			"dsse_envelope": {
				"payloadType": "application/vnd.in-toto+json",
				"payload": "eyJzdWJqZWN0IjpbXX0=", # base64 of {"subject":[]}
				"signatures": [{"keyid": "untrusted-key", "sig": "abc123"}],
			},
		},
	}
	not valid_attestation with input as fixture
}
# Same trusted-key envelope as the happy path, but with `require_rekor` on and
# no `rekor_entry` present: the gate must refuse it.
test_invalid_rekor_required_but_missing if {
	fixture := {
		"config": {"require_rekor": true},
		"attestation": {
			"trusted_keys": ["key-1"],
			"dsse_envelope": {
				"payloadType": "application/vnd.in-toto+json",
				"payload": "eyJzdWJqZWN0IjpbXX0=", # base64 of {"subject":[]}
				"signatures": [{"keyid": "key-1", "sig": "abc123"}],
			},
		},
	}
	not valid_attestation with input as fixture
}
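# Denial messages: the `deny` rule must surface a human-readable reason.
# An attestation without a DSSE envelope yields the "Missing DSSE envelope"
# message. The infix `in` used here is a future keyword under Rego v0
# (pre-OPA 1.0) and needs `import future.keywords.in` (or `import rego.v1`)
# next to `future.keywords.if`; without it this file fails to parse.
# NOTE(review): assumes `deny` is a set or array of message strings — confirm
# against cve-gate-base.rego.
test_deny_missing_dsse if {
	fixture := {"config": {}, "attestation": {}}
	"Missing DSSE envelope in attestation" in deny with input as fixture
}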
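# A signature whose key id is not in `trusted_keys` must produce the
# "No valid signature from trusted key" denial message. This mirrors
# test_invalid_untrusted_key but checks the reported reason rather than the
# boolean outcome. The infix `in` requires `import future.keywords.in`
# (or `import rego.v1`) under Rego v0; `future.keywords.if` alone is not enough.
# NOTE(review): assumes `deny` is a set or array of message strings — confirm
# against cve-gate-base.rego.
test_deny_no_valid_signature if {
	fixture := {
		"config": {},
		"attestation": {
			"trusted_keys": ["key-1"],
			"dsse_envelope": {
				"payloadType": "application/vnd.in-toto+json",
				"payload": "eyJzdWJqZWN0IjpbXX0=", # base64 of {"subject":[]}
				"signatures": [{"keyid": "bad-key", "sig": "abc123"}],
			},
		},
	}
	"No valid signature from trusted key" in deny with input as fixture
}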