fix: add tests

Signed-off-by: SequeI <asiek@redhat.com>

Author: SequeI

internal/attestation/attestation_test.go

@@ -20,6 +20,7 @@ package attestation
 
 import (
 	"crypto/x509"
+	"encoding/base64"
 	"fmt"
 	"testing"
 
@@ -220,6 +221,91 @@ func TestProvenance_Signatures(t *testing.T) {
 	}
 }
 
+func TestProvenanceFromBundlePayload(t *testing.T) {
+	sig1 := `{"keyid": "key-id-1", "sig": "sig-1"}`
+
+	payloadJson := `{
+		"_type": "https://in-toto.io/Statement/v0.1",
+		"predicateType": "https://cool-type.example.io/Amazing/v2.0",
+		"predicate": {
+			"secure": "very",
+			"hacks": "none"
+		}
+	}`
+
+	fullAtt := fmt.Sprintf(`{"payloadType":"application/vnd.in-toto+json","signatures": [%s], "payload": "%s"}`, sig1, encode(payloadJson))
+
+	cases := []struct {
+		name      string
+		setup     func(l *mockSignature)
+		dsseJSON  string
+		expectErr string
+	}{
+		{
+			name: "valid bundle attestation with signature from payload",
+			setup: func(l *mockSignature) {
+				l.On("Base64Signature").Return("", nil)
+				l.On("Cert").Return(&x509.Certificate{}, nil)
+				l.On("Chain").Return([]*x509.Certificate{}, nil)
+			},
+			dsseJSON: fullAtt,
+		},
+		{
+			name: "valid bundle attestation with signature from certificate",
+			setup: func(l *mockSignature) {
+				l.On("Base64Signature").Return("sig-from-cert", nil)
+				l.On("Cert").Return(signature.ParseChainguardReleaseCert(), nil)
+				l.On("Chain").Return(signature.ParseSigstoreChainCert(), nil)
+			},
+			dsseJSON: fullAtt,
+		},
+		{
+			name:      "malformed JSON",
+			setup:     func(l *mockSignature) {},
+			dsseJSON:  `{not json`,
+			expectErr: "malformed bundle attestation",
+		},
+		{
+			name:      "empty payload field",
+			setup:     func(l *mockSignature) {},
+			dsseJSON:  `{"signatures": [], "payload": ""}`,
+			expectErr: "no `payload` data found in bundle attestation",
+		},
+		{
+			name:      "invalid base64 payload",
+			setup:     func(l *mockSignature) {},
+			dsseJSON:  `{"signatures": [], "payload": "not-valid-base64!@#"}`,
+			expectErr: "malformed attestation data",
+		},
+		{
+			name:  "invalid statement JSON in payload",
+			setup: func(l *mockSignature) {},
+			dsseJSON: fmt.Sprintf(`{"signatures": [], "payload": "%s"}`,
+				base64.StdEncoding.EncodeToString([]byte(`not-json`))),
+			expectErr: "malformed bundle attestation",
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			sig := mockSignature{&mock.Mock{}}
+			c.setup(&sig)
+
+			p, err := ProvenanceFromBundlePayload(sig, []byte(c.dsseJSON))
+			if c.expectErr != "" {
+				assert.ErrorContains(t, err, c.expectErr)
+				assert.Nil(t, p)
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.JSONEq(t, payloadJson, string(p.Statement()))
+			assert.Equal(t, "https://cool-type.example.io/Amazing/v2.0", p.PredicateType())
+			assert.NotEmpty(t, p.Signatures())
+		})
+	}
+}
+
 func TestProvenance_Subject(t *testing.T) {
 	//nolint:staticcheck
 	mockSubject1 := in_toto.Subject{

internal/evaluation_target/application_snapshot_image/application_snapshot_image_test.go

@@ -914,6 +914,169 @@ func TestAttestationDataMarshalJSON(t *testing.T) {
 	}
 }
 
+func TestParseAttestationsFromBundles(t *testing.T) {
+	ref := name.MustParseReference("registry.io/repository/image:tag")
+
+	slsaV02Statement := in_toto.ProvenanceStatementSLSA02{
+		//nolint:staticcheck
+		StatementHeader: in_toto.StatementHeader{
+			Type:          in_toto.StatementInTotoV01,
+			PredicateType: v02.PredicateSLSAProvenance,
+			//nolint:staticcheck
+			Subject: []in_toto.Subject{
+				{Name: "test-image", Digest: common.DigestSet{"sha256": "abc123"}},
+			},
+		},
+		Predicate: v02.ProvenancePredicate{
+			BuildType: pipelineRunBuildType,
+			Builder:   common.ProvenanceBuilder{ID: "https://tekton.dev/chains/v2"},
+		},
+	}
+
+	cases := []struct {
+		name              string
+		layers            []oci.Signature
+		expectErr         bool
+		errContains       string
+		expectedAttCount  int
+		expectedPredTypes []string
+	}{
+		{
+			name:             "empty layers",
+			layers:           []oci.Signature{},
+			expectedAttCount: 0,
+		},
+		{
+			name:              "single valid bundle attestation",
+			layers:            []oci.Signature{createBundleDSSESignature(t, slsaV02Statement)},
+			expectedAttCount:  1,
+			expectedPredTypes: []string{v02.PredicateSLSAProvenance},
+		},
+		{
+			name: "multiple valid bundle attestations",
+			layers: []oci.Signature{
+				createBundleDSSESignature(t, slsaV02Statement),
+				createBundleDSSESignature(t, slsaV02Statement),
+			},
+			expectedAttCount:  2,
+			expectedPredTypes: []string{v02.PredicateSLSAProvenance, v02.PredicateSLSAProvenance},
+		},
+		{
+			name: "skips non-intoto payload type",
+			layers: func() []oci.Signature {
+				payload := `{"payloadType":"application/octet-stream","payload":"aGVsbG8="}`
+				sig, err := static.NewSignature([]byte(payload), "test-sig")
+				require.NoError(t, err)
+				return []oci.Signature{sig}
+			}(),
+			expectedAttCount: 0,
+		},
+		{
+			name: "skips invalid JSON payload",
+			layers: func() []oci.Signature {
+				sig, err := static.NewSignature([]byte(`not-json`), "test-sig")
+				require.NoError(t, err)
+				return []oci.Signature{sig}
+			}(),
+			expectedAttCount: 0,
+		},
+		{
+			name: "valid attestation with populated signatures",
+			layers: []oci.Signature{createBundleDSSESignature(t, slsaV02Statement)},
+			expectedAttCount: 1,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			a := ApplicationSnapshotImage{reference: ref}
+
+			err := a.parseAttestationsFromBundles(tc.layers)
+
+			if tc.expectErr {
+				require.Error(t, err)
+				if tc.errContains != "" {
+					assert.Contains(t, err.Error(), tc.errContains)
+				}
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tc.expectedAttCount, len(a.attestations))
+
+				for i, expectedType := range tc.expectedPredTypes {
+					assert.Equal(t, expectedType, a.attestations[i].PredicateType())
+				}
+
+				for _, att := range a.attestations {
+					assert.NotNil(t, att.Signatures(), "bundle attestations should have signatures populated")
+				}
+			}
+		})
+	}
+}
+
+func TestParseAttestationsFromBundlesPopulatesSignatures(t *testing.T) {
+	ref := name.MustParseReference("registry.io/repository/image:tag")
+
+	//nolint:staticcheck
+	statement := in_toto.Statement{
+		//nolint:staticcheck
+		StatementHeader: in_toto.StatementHeader{
+			Type:          in_toto.StatementInTotoV01,
+			PredicateType: "https://example.com/test/v1",
+			//nolint:staticcheck
+			Subject: []in_toto.Subject{
+				{Name: "test", Digest: common.DigestSet{"sha256": "abc"}},
+			},
+		},
+		Predicate: json.RawMessage(`{"test":"data"}`),
+	}
+
+	a := ApplicationSnapshotImage{reference: ref}
+	layers := []oci.Signature{createBundleDSSESignature(t, statement)}
+
+	err := a.parseAttestationsFromBundles(layers)
+	require.NoError(t, err)
+	require.Len(t, a.attestations, 1)
+
+	sigs := a.attestations[0].Signatures()
+	assert.NotEmpty(t, sigs, "attestation signatures should be populated for bundle attestations")
+	assert.NotEmpty(t, sigs[0].Certificate, "attestation signature should have certificate")
+}
+
+// createBundleDSSESignature creates a test signature mimicking the bundle
+// format: a raw DSSE envelope accessible via Payload().
+func createBundleDSSESignature(t *testing.T, statement any) oci.Signature {
+	t.Helper()
+
+	statementJSON, err := json.Marshal(statement)
+	require.NoError(t, err)
+
+	encodedStatement := base64.StdEncoding.EncodeToString(statementJSON)
+
+	dsseEnvelope := dsse.Envelope{
+		Payload:     encodedStatement,
+		PayloadType: "application/vnd.in-toto+json",
+		Signatures: []dsse.Signature{
+			{KeyID: "test-key", Sig: "dGVzdC1zaWduYXR1cmU="},
+		},
+	}
+
+	payload, err := json.Marshal(dsseEnvelope)
+	require.NoError(t, err)
+
+	sig, err := static.NewSignature(
+		payload,
+		"test-signature",
+		static.WithCertChain(
+			signature.ChainguardReleaseCert,
+			signature.SigstoreChainCert,
+		),
+	)
+	require.NoError(t, err)
+
+	return sig
+}
+
 // createDSSESignature creates a test signature with a DSSE envelope containing the given statement
 func createDSSESignature(t *testing.T, statement any) oci.Signature {
 	t.Helper()