Use @EnabledIfOidcExists instead of several Gradle test tasks

-PskipOidc command-line option could be used to skip OIDC tests. skipOidc=true could be added to gradle.properties or $HOME/gradle.properties Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
sigstore · Sep 14, 2022 · daaf37d · daaf37d
1 parent 85d0ff3
commit daaf37d
Show file tree

Hide file tree

Showing 13 changed files with 115 additions and 122 deletions.
diff --git a/.github/workflows/ci-oidc.yaml b/.github/workflows/ci-oidc.yaml
diff --git a/build-logic/jvm/src/main/kotlin/build-logic.java.gradle.kts b/build-logic/jvm/src/main/kotlin/build-logic.java.gradle.kts
@@ -3,6 +3,7 @@ import buildlogic.filterEolSimple
 plugins {
     `java-base`
     id("com.github.vlsi.gradle-extensions")
+    id("build-logic.testing")
 }
 
 java {

diff --git a/build-logic/jvm/src/main/kotlin/build-logic.kotlin.gradle.kts b/build-logic/jvm/src/main/kotlin/build-logic.kotlin.gradle.kts
@@ -3,6 +3,7 @@ import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 plugins {
     id("java-library")
     id("build-logic.java")
+    id("build-logic.testing")
     id("com.github.vlsi.gradle-extensions")
     id("com.github.autostyle")
     kotlin("jvm")

diff --git a/build-logic/jvm/src/main/kotlin/build-logic.testing.gradle.kts b/build-logic/jvm/src/main/kotlin/build-logic.testing.gradle.kts
@@ -0,0 +1,6 @@
+tasks.withType<Test>().configureEach {
+    if (project.hasProperty("skipOidc")) {
+        println("skipOidc: ${project.findProperty("skipOidc")}")
+        systemProperty("sigstore-java.test.skipOidc", project.findProperty("skipOidc")!!)
+    }
+}
diff --git a/.../sigstore-gradle-sign-base-plugin/src/test/kotlin/dev/sigstore/gradle/SigstoreSignTest.kt b/.../sigstore-gradle-sign-base-plugin/src/test/kotlin/dev/sigstore/gradle/SigstoreSignTest.kt
@@ -17,12 +17,12 @@
 package dev.sigstore.gradle
 
 import dev.sigstore.testkit.BaseGradleTest
-import dev.sigstore.testkit.DisableIfCiWithoutOidc
+import dev.sigstore.testkit.annotations.EnabledIfOidcExists
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.MethodSource
 
-@DisableIfCiWithoutOidc
+@EnabledIfOidcExists
 class SigstoreSignTest: BaseGradleTest() {
     @ParameterizedTest
     @MethodSource("gradleVersionAndSettings")

diff --git a/...igstore-gradle-sign-plugin/src/test/kotlin/dev/sigstore/gradle/SigstorePublishSignTest.kt b/...igstore-gradle-sign-plugin/src/test/kotlin/dev/sigstore/gradle/SigstorePublishSignTest.kt
@@ -17,13 +17,12 @@
 package dev.sigstore.gradle
 
 import dev.sigstore.testkit.BaseGradleTest
-import dev.sigstore.testkit.DisableIfCiWithoutOidc
-import org.assertj.core.api.AbstractCharSequenceAssert
+import dev.sigstore.testkit.annotations.EnabledIfOidcExists
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.MethodSource
 
-@DisableIfCiWithoutOidc
+@EnabledIfOidcExists
 class SigstorePublishSignTest : BaseGradleTest() {
     @ParameterizedTest
     @MethodSource("gradleVersionAndSettings")

diff --git a/sigstore-java/build.gradle.kts b/sigstore-java/build.gradle.kts
@@ -49,6 +49,8 @@ dependencies {
     testImplementation("net.sourceforge.htmlunit:htmlunit:2.64.0")
     testImplementation("org.eclipse.jetty:jetty-server:11.0.11")
 
+    testImplementation(project(":sigstore-testkit"))
+
     implementation("javax.validation:validation-api:2.0.1.Final")
 }
 
@@ -114,20 +116,5 @@ tasks.named("sourcesJar") {
 
 tasks.test {
     useJUnitPlatform {
-        includeTags("none()")
-    }
-}
-
-// a special test grouping for tests that require a valid gha oidc token
-val testGithubOidc by tasks.registering(Test::class) {
-    useJUnitPlatform {
-        includeTags("github_oidc")
-    }
-}
-
-// manual test groups that are *not* run in CI, these should be run before
-val testManual by tasks.registering(Test::class) {
-    useJUnitPlatform {
-        includeTags("manual")
     }
 }
diff --git a/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java b/sigstore-java/src/test/java/dev/sigstore/KeylessTest.java
@@ -20,6 +20,8 @@
 import dev.sigstore.oidc.client.GithubActionsOidcClient;
 import dev.sigstore.rekor.client.RekorTypeException;
 import dev.sigstore.rekor.client.RekorTypes;
+import dev.sigstore.testkit.annotations.EnabledIfOidcExists;
+import dev.sigstore.testkit.annotations.OidcProviderType;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
@@ -29,7 +31,6 @@
 import org.bouncycastle.util.encoders.Hex;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 
@@ -51,7 +52,7 @@ public static void setupArtifact() throws IOException {
   }
 
   @Test
-  @Tag("manual")
+  @EnabledIfOidcExists(provider = OidcProviderType.MANUAL)
   public void sign_production() throws Exception {
     var signer = KeylessSigner.builder().sigstorePublicDefaults().build();
     var result = signer.sign(testArtifact);
@@ -66,7 +67,7 @@ public void sign_production() throws Exception {
   }
 
   @Test
-  @Tag("manual")
+  @EnabledIfOidcExists(provider = OidcProviderType.MANUAL)
   public void sign_staging() throws Exception {
     var signer = KeylessSigner.builder().sigstoreStagingDefaults().build();
     var result = signer.sign(testArtifact);
@@ -80,7 +81,7 @@ public void sign_staging() throws Exception {
   }
 
   @Test
-  @Tag("github_oidc")
+  @EnabledIfOidcExists(provider = OidcProviderType.GITHUB)
   public void sign_productionWithGithubOidc() throws Exception {
     var signer =
         KeylessSigner.builder()
@@ -98,7 +99,7 @@ public void sign_productionWithGithubOidc() throws Exception {
   }
 
   @Test
-  @Tag("github_oidc")
+  @EnabledIfOidcExists(provider = OidcProviderType.GITHUB)
   public void sign_stagingWithGithubOidc() throws Exception {
     var signer =
         KeylessSigner.builder()

diff --git a/sigstore-java/src/test/java/dev/sigstore/oidc/client/GithubActionsOidcClientTest.java b/sigstore-java/src/test/java/dev/sigstore/oidc/client/GithubActionsOidcClientTest.java
@@ -15,14 +15,15 @@
  */
 package dev.sigstore.oidc.client;
 
-import dev.sigstore.testing.annotations.RequiresGithubOidc;
+import dev.sigstore.testkit.annotations.EnabledIfOidcExists;
+import dev.sigstore.testkit.annotations.OidcProviderType;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 
 public class GithubActionsOidcClientTest {
 
   @Test
-  @RequiresGithubOidc
+  @EnabledIfOidcExists(provider = OidcProviderType.GITHUB)
   public void getToken() throws OidcException {
     var client = GithubActionsOidcClient.builder().build();
     var token = client.getIDToken();

diff --git a/sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/DisableIfCiWithoutOidc.kt b/sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/DisableIfCiWithoutOidc.kt
diff --git a/sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/EnableIfOidcExistsCondition.kt b/sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/EnableIfOidcExistsCondition.kt
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2022 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package dev.sigstore.testkit
+
+import dev.sigstore.testkit.annotations.EnabledIfOidcExists
+import dev.sigstore.testkit.annotations.OidcProviderType
+import org.junit.jupiter.api.extension.ConditionEvaluationResult
+import org.junit.jupiter.api.extension.ConditionEvaluationResult.disabled
+import org.junit.jupiter.api.extension.ConditionEvaluationResult.enabled
+import org.junit.jupiter.api.extension.ExecutionCondition
+import org.junit.jupiter.api.extension.ExtensionContext
+import org.junit.platform.commons.util.AnnotationUtils
+
+class EnableIfOidcExistsCondition : ExecutionCondition {
+    override fun evaluateExecutionCondition(context: ExtensionContext): ConditionEvaluationResult {
+        val element = context.element.orElse(null)
+        val provider = AnnotationUtils.findAnnotation(element, EnabledIfOidcExists::class.java)
+            .map { it.provider }.orElse(OidcProviderType.ANY)
+
+        return when {
+            provider == OidcProviderType.MANUAL ->
+                if (System.getenv("CI") == "true") {
+                    disabled("CI environment is present, and the test has been configured to run with MANUAL OIDC only")
+                } else {
+                    enabled("the test has been configured with MANUAL OIDC, and no CI environment variable is detected")
+                }
+
+            provider in listOf(OidcProviderType.ANY, OidcProviderType.CI, OidcProviderType.GITHUB) &&
+                    System.getenv("ACTIONS_ID_TOKEN_REQUEST_URL") != null ->
+                enabled("ACTIONS_ID_TOKEN_REQUEST_URL is present, so OIDC matches the requested $provider")
+
+            else ->
+                disabled("test requires $provider OIDC provider")
+        }
+    }
+}
diff --git a/sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/annotations/EnabledIfOidcExists.kt b/sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/annotations/EnabledIfOidcExists.kt
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2022 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package dev.sigstore.testkit.annotations
+
+import dev.sigstore.testkit.EnableIfOidcExistsCondition
+import org.junit.jupiter.api.condition.DisabledIfSystemProperty
+import org.junit.jupiter.api.extension.ExtendWith
+
+@Target(AnnotationTarget.CLASS, AnnotationTarget.FUNCTION)
+@DisabledIfSystemProperty(
+    named = "sigstore-java.test.skipOidc",
+    matches = "^\\s*+(true|y|on|)\\s*+$",
+    disabledReason = "sigstore-java.test.skipOidc system property is present",
+)
+@ExtendWith(EnableIfOidcExistsCondition::class)
+annotation class EnabledIfOidcExists(
+    val provider: OidcProviderType = OidcProviderType.ANY
+)
diff --git a/...sting/annotations/RequiresGithubOidc.java → ...e/testkit/annotations/OidcProviderType.kt b/...sting/annotations/RequiresGithubOidc.java → ...e/testkit/annotations/OidcProviderType.kt
@@ -12,21 +12,15 @@
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
+ *
  */
-package dev.sigstore.testing.annotations;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-import org.junit.jupiter.api.Tag;
-import org.junit.jupiter.api.condition.EnabledIfEnvironmentVariable;
+package dev.sigstore.testkit.annotations
 
-@Target(ElementType.METHOD)
-@Tag("github_oidc")
-@Retention(RetentionPolicy.RUNTIME)
-@EnabledIfEnvironmentVariable(
-    named = "GITHUB_ACTIONS",
-    matches = "true",
-    disabledReason = "test only runs on github actions")
-public @interface RequiresGithubOidc {}
+enum class OidcProviderType {
+    ANY,
+    MANUAL,
+    CI,
+    AWS,
+    AZURE,
+    GITHUB,
+}