fix: update test cases

Signed-off-by: Junjie Gao <[email protected]>
JeyJeyGao · Nov 12, 2024 · 280e3d6 · 280e3d6
1 parent a1437f2
commit 280e3d6
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 7 deletions.
diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go
@@ -27,6 +27,7 @@ import (
 	"github.com/notaryproject/notation-core-go/revocation/purpose"
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation-go/log"
 	"github.com/notaryproject/notation-go/plugin"
 	"github.com/notaryproject/notation-go/verifier"
 	"github.com/notaryproject/notation-go/verifier/crl"
@@ -233,6 +234,7 @@ func printMetadataIfPresent(outcome *notation.VerificationOutcome) {
 }
 
 func getVerifier(ctx context.Context) (notation.Verifier, error) {
+	logger := log.GetLogger(ctx)
 	// revocation check
 	ocspHttpClient := httputil.NewClient(ctx, &http.Client{Timeout: 2 * time.Second})
 	crlFetcher, err := corecrl.NewHTTPFetcher(httputil.NewClient(ctx, &http.Client{Timeout: 5 * time.Second}))
@@ -246,12 +248,19 @@ func getVerifier(ctx context.Context) (notation.Verifier, error) {
 	}
 	fileCache, err := crl.NewFileCache(cacheRoot)
 	if err != nil {
-		return nil, err
+		if !crlFetcher.DiscardCacheError {
+			return nil, err
+		}
+		logger.Debugf("failed to create file cache: %v", err)
 	}
-	crlFetcher.Cache = &clicrl.CacheWithLog{
-		Cache:             fileCache,
-		DiscardCacheError: crlFetcher.DiscardCacheError,
+	var cache corecrl.Cache
+	if fileCache != nil {
+		cache = &clicrl.CacheWithLog{
+			Cache:             fileCache,
+			DiscardCacheError: crlFetcher.DiscardCacheError,
+		}
 	}
+	crlFetcher.Cache = cache
 	revocationCodeSigningValidator, err := revocation.NewWithOptions(revocation.Options{
 		OCSPHTTPClient:   ocspHttpClient,
 		CRLFetcher:       crlFetcher,

diff --git a/test/e2e/run.sh b/test/e2e/run.sh
@@ -118,4 +118,4 @@ export NOTATION_E2E_PLUGIN_TAR_GZ_PATH=$CWD/plugin/bin/$PLUGIN_NAME.tar.gz
 export NOTATION_E2E_MALICIOUS_PLUGIN_ARCHIVE_PATH=$CWD/testdata/malicious-plugin
 
 # run tests
-ginkgo -r -p -v --focus "successfully completed with cache error in debug log"
+ginkgo -r -p -v
diff --git a/test/e2e/suite/scenario/crl.go b/test/e2e/suite/scenario/crl.go
@@ -131,7 +131,7 @@ var _ = Describe("notation CRL revocation check", Serial, func() {
 		})
 	})
 
-	It("successfully completed with cache error in debug log", func() {
+	It("successfully completed with cache creation error in debug log", func() {
 		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
 			notation.Exec("sign", artifact.ReferenceWithDigest()).
 				MatchKeyWords(SignSuccessfully)
@@ -144,6 +144,57 @@ var _ = Describe("notation CRL revocation check", Serial, func() {
 			}
 			defer os.Chmod(vhost.AbsolutePath(".cache"), 0700)
 
+			// verify without cache
+			notation.Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchKeyWords(
+					VerifySuccessfully,
+				).
+				MatchErrKeyWords(
+					"failed to create file cache",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+					`"GET" "http://localhost:10086/intermediate.crl"`,
+					`"GET" "http://localhost:10086/leaf.crl"`,
+				).
+				NoMatchErrKeyWords(
+					"is revoked",
+				)
+		})
+	})
+
+	It("failed with revoked leaf certificate and cache creation error in debug log", func() {
+		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.Exec("sign", artifact.ReferenceWithDigest()).
+				MatchKeyWords(SignSuccessfully)
+
+			utils.LeafCRLRevoke()
+			utils.IntermediateCRLUnrevoke()
+
+			if err := os.MkdirAll(vhost.AbsolutePath(".cache"), 0500); err != nil {
+				Fail(err.Error())
+			}
+			defer os.Chmod(vhost.AbsolutePath(".cache"), 0700)
+
+			// verify without cache
+			notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchErrKeyWords(
+					VerifyFailed,
+					"failed to create file cache",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+					`"GET" "http://localhost:10086/intermediate.crl"`,
+					`"GET" "http://localhost:10086/leaf.crl"`,
+					"is revoked",
+				)
+		})
+	})
+
+	It("successfully completed with cache read error in debug log", func() {
+		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.Exec("sign", artifact.ReferenceWithDigest()).
+				MatchKeyWords(SignSuccessfully)
+
+			utils.LeafCRLUnrevoke()
+			utils.IntermediateCRLUnrevoke()
+
 			// verify without cache
 			notation.Exec("verify", artifact.ReferenceWithDigest(), "-d").
 				MatchKeyWords(
@@ -158,7 +209,24 @@ var _ = Describe("notation CRL revocation check", Serial, func() {
 				NoMatchErrKeyWords(
 					"is revoked",
 				)
-		})
 
+			utils.LeafCRLRevoke()
+			if err := os.Chmod(vhost.AbsolutePath(".cache", "crl"), 0000); err != nil {
+				Fail(err.Error())
+			}
+			defer os.Chmod(vhost.AbsolutePath(".cache", "crl"), 0700)
+
+			// verify with cache error
+			notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchErrKeyWords(
+					VerifyFailed,
+					"failed to get crl bundle from file cache with key",
+					"/.cache/crl/eaf8bbfe35f6c2c8b136081de9a994f9515752b2e30b9a6889ae3128ea97656c: permission denied",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+					`"GET" "http://localhost:10086/intermediate.crl"`,
+					`"GET" "http://localhost:10086/leaf.crl"`,
+					"is revoked",
+				)
+		})
 	})
 })