54 lines
2.5 KiB
JavaScript
54 lines
2.5 KiB
JavaScript
// Unit tests for SHA normalization in verify paths.
|
|
// Run with: node --test test/sha-comparison.test.js
|
|
import assert from 'node:assert/strict';
|
|
import { test } from 'node:test';
|
|
|
|
// The canonical normalization function used in verifyStatelessRecreated()
|
|
// and runtime-status — must stay in sync with server.js.
|
|
const stripSha = (s) => (s || '').replace(/^sha256:/, '');
|
|
|
|
// ------------------------------------------------------------------
|
|
// Bug #3 regression: docker compose images returns bare hex,
|
|
// docker inspect .Image returns sha256:<hex>. They must compare equal.
|
|
// ------------------------------------------------------------------
|
|
|
|
test('sha: bare hex == bare hex', () => {
|
|
const a = 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2';
|
|
assert.equal(stripSha(a), stripSha(a));
|
|
assert.ok(stripSha(a) === stripSha(a));
|
|
});
|
|
|
|
test('sha: sha256-prefixed == bare hex (the failing case before the fix)', () => {
|
|
const bare = 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2';
|
|
const prefixed = `sha256:${bare}`;
|
|
// Before fix: prefixed === bare => false
|
|
assert.notEqual(prefixed, bare, 'raw strings are indeed unequal — this is the bug');
|
|
// After fix: stripSha(prefixed) === stripSha(bare) => true
|
|
assert.equal(stripSha(prefixed), stripSha(bare), 'normalized strings must be equal');
|
|
});
|
|
|
|
test('sha: both sha256-prefixed', () => {
|
|
const a = 'sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2';
|
|
const b = 'sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2';
|
|
assert.equal(stripSha(a), stripSha(b));
|
|
});
|
|
|
|
test('sha: different digests stay different after normalization', () => {
|
|
const a = 'sha256:aaaa0000000000000000000000000000000000000000000000000000000000001111';
|
|
const b = 'sha256:bbbb0000000000000000000000000000000000000000000000000000000000002222';
|
|
assert.notEqual(stripSha(a), stripSha(b));
|
|
});
|
|
|
|
test('sha: empty/null input returns empty string', () => {
|
|
assert.equal(stripSha(''), '');
|
|
assert.equal(stripSha(null), '');
|
|
assert.equal(stripSha(undefined), '');
|
|
});
|
|
|
|
test('sha: imageMatch logic mirrors server.js verifyStatelessRecreated', () => {
|
|
const expectedSha = 'a0845a6c5772e01234567890abcdef01234567890abcdef01234567890abcdef01';
|
|
const actualSha = `sha256:${expectedSha}`;
|
|
const imageMatch = !!expectedSha && stripSha(actualSha) === stripSha(expectedSha);
|
|
assert.ok(imageMatch, 'imageMatch must be true when digests are the same modulo sha256: prefix');
|
|
});
|