from __future__ import annotations
import argparse
import sys
from collections.abc import Sequence
from typing import Any
import ruamel.yaml
yaml = ruamel.yaml.YAML(typ="safe")
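_GO_FIPS_PREFIX = "go-fips"
_FIPS_TEST_STEP = "test/go-fips-check"
_EMPTY_PACKAGE_TEST_STEP = "test/emptypackage"


def _collect_steps(steps: Any) -> list[dict[str, Any]]:
    """Return every mapping step in *steps*, descending into nested ``pipeline`` lists.

    Non-list input (e.g. a ``pipeline:`` key left empty, which YAML loads as
    None) and non-mapping entries are skipped rather than raising.
    """
    found: list[dict[str, Any]] = []
    if not isinstance(steps, list):
        return found
    for step in steps:
        if not isinstance(step, dict):
            continue
        found.append(step)
        # A step may carry its own nested `pipeline:` list (e.g. under `if:`);
        # a go/build hidden there must not escape the check.
        found.extend(_collect_steps(step.get("pipeline")))
    return found


def _builds_with_go_fips(steps: Any) -> bool:
    """True if any ``go/build`` step in *steps* requests a ``go-fips*`` toolchain.

    Only the declarative ``uses: go/build`` step is inspected; a raw ``runs:``
    shell invocation of the go-fips compiler is not detected by this check.
    """
    for step in _collect_steps(steps):
        if step.get("uses") != "go/build":
            continue
        with_args = step.get("with")
        if not isinstance(with_args, dict):
            continue
        go_package = with_args.get("go-package", "")
        if isinstance(go_package, str) and go_package.startswith(_GO_FIPS_PREFIX):
            return True
    return False


def _env_uses_go_fips(melange_cfg: dict[str, Any]) -> bool:
    """True if ``environment.contents.packages`` lists any ``go-fips*`` package."""
    environment = melange_cfg.get("environment")
    if not isinstance(environment, dict):
        return False
    contents = environment.get("contents")
    if not isinstance(contents, dict):
        return False
    packages = contents.get("packages")
    if not isinstance(packages, list):
        return False
    return any(
        isinstance(pkg, str) and pkg.startswith(_GO_FIPS_PREFIX) for pkg in packages
    )


def _test_covers_fips(test_section: Any) -> bool:
    """True if the test pipeline runs ``test/go-fips-check``.

    ``test/emptypackage`` also satisfies the requirement: a package that ships
    no files has no binary whose FIPS linkage could be verified.
    """
    if not isinstance(test_section, dict):
        return False
    used = {step.get("uses") for step in _collect_steps(test_section.get("pipeline"))}
    return _FIPS_TEST_STEP in used or _EMPTY_PACKAGE_TEST_STEP in used


def check_go_fips_compliance(melange_cfg: dict[str, Any]) -> tuple[bool, list[str]]:
    """Check that every go-fips build in a melange config has a matching test.

    The main package "uses go-fips" if ``environment.contents.packages`` names a
    ``go-fips*`` package or any ``go/build`` step sets ``go-package: go-fips*``.
    A subpackage uses go-fips only via its own ``go/build`` steps. Each such
    package must run ``test/go-fips-check`` (or ``test/emptypackage``) in its
    ``test.pipeline``; otherwise an issue is recorded.

    Args:
        melange_cfg: The loaded melange YAML as a mapping. Sections that are
            missing or null are treated as empty.

    Returns:
        ``(is_compliant, issues)`` where ``issues`` holds one message per
        offending package and ``is_compliant`` is True iff it is empty.
    """
    issues: list[str] = []

    main_uses_fips = _env_uses_go_fips(melange_cfg) or _builds_with_go_fips(
        melange_cfg.get("pipeline"),
    )
    if main_uses_fips and not _test_covers_fips(melange_cfg.get("test")):
        issues.append("main package uses go-fips but lacks test/go-fips-check")

    subpackages = melange_cfg.get("subpackages")
    if not isinstance(subpackages, list):
        subpackages = []
    for i, subpkg in enumerate(subpackages):
        if not isinstance(subpkg, dict):
            continue
        # Fall back to the positional index so an unnamed subpackage is still reportable.
        subpkg_name = subpkg.get("name", f"subpackage-{i}")
        if _builds_with_go_fips(subpkg.get("pipeline")) and not _test_covers_fips(
            subpkg.get("test"),
        ):
            issues.append(
                f"subpackage '{subpkg_name}' uses go-fips but lacks test/go-fips-check",
            )

    return not issues, issues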
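def main(argv: Sequence[str] | None = None) -> int:
    """Lint each melange YAML file for go-fips builds that lack a go-fips test.

    Args:
        argv: Command-line arguments (file names); None means ``sys.argv[1:]``.

    Returns:
        0 when every file loads and is compliant, 1 if any file failed to load,
        was not a top-level mapping, or reported at least one issue. Every
        file is processed even after a failure so all findings are printed.
    """
    parser = argparse.ArgumentParser(
        description="Check that packages using go-fips have corresponding go-fips tests",
    )
    parser.add_argument("filenames", nargs="*", help="Filenames to check")
    args = parser.parse_args(argv)

    retval = 0
    for filename in args.filenames:
        try:
            with open(filename, encoding="utf-8") as f:
                melange_cfg = yaml.load(f)
        except Exception as e:  # top-level boundary: report the file and keep going
            print(f"Error loading {filename}: {e}")
            retval = 1
            continue
        if not melange_cfg:
            continue
        # A YAML document that is a list or scalar would otherwise crash in the
        # checker; treat it as a finding rather than a traceback.
        if not isinstance(melange_cfg, dict):
            print(f"{filename}: expected a YAML mapping at top level")
            retval = 1
            continue
        is_compliant, issues = check_go_fips_compliance(melange_cfg)
        if not is_compliant:
            for issue in issues:
                print(f"{filename}: {issue}")
            retval = 1
    return retval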
# pre-commit entry point: the process exit status is main()'s return value, so
# a load error or a missing go-fips test fails the hook.
if __name__ == "__main__":
    sys.exit(main())