fix
Yongxuanzhang committed May 17, 2023
1 parent aa07dee commit 265cf3d
Showing 2 changed files with 32 additions and 32 deletions.
36 changes: 18 additions & 18 deletions pkg/trustedresources/verify.go
Expand Up @@ -67,10 +67,10 @@ type VerificationResult struct {
// VerificationResult is returned with different types for different cases:
// 1) Return VerificationResult with VerificationSkip type, when no policies are found and no-match-policy is set to ignore
// 2) Return VerificationResult with VerificationPass type when verification passed;
// 3) Return VerificationResult with VerificationWarn type, when no matching policies and feature flag "no-match-policy" is "warn", or only Warn mode verification policies fail. Err field if filled with the warning;
// 3) Return VerificationResult with VerificationWarn type, when no matching policies and feature flag "no-match-policy" is "warn", or only Warn mode verification policies fail. Err field is filled with the warning;
// 4) Return VerificationResult with VerificationError type when no policies are found and no-match-policy is set to fail, the resource fails to pass matched enforce verification policy, or there are errors during verification. Err is filled with the err.
// refSource contains the source information of the task.
func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Interface, refSource *v1beta1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) *VerificationResult {
func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Interface, refSource *v1beta1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) VerificationResult {
var refSourceURI string
if refSource != nil {
refSourceURI = refSource.URI
Expand All @@ -80,19 +80,19 @@ func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Inter
if errors.Is(err, ErrNoMatchedPolicies) {
switch config.GetVerificationNoMatchPolicy(ctx) {
case config.IgnoreNoMatchPolicy:
return &VerificationResult{VerificationResultType: VerificationSkip}
return VerificationResult{VerificationResultType: VerificationSkip}
case config.WarnNoMatchPolicy:
logger := logging.FromContext(ctx)
logger.Warnf("failed to get matched policies: %v", err)
return &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}
return VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}
}
}
return &VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get matched policies: %w", err)}
return VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get matched policies: %w", err)}
}

tm, signature, err := prepareObjectMeta(taskObj.TaskMetadata())
if err != nil {
return &VerificationResult{VerificationResultType: VerificationError, Err: err}
return VerificationResult{VerificationResultType: VerificationError, Err: err}
}
task := v1beta1.Task{
TypeMeta: metav1.TypeMeta{
Expand All @@ -109,10 +109,10 @@ func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Inter
// VerificationResult is returned with different types for different cases:
// 1) Return VerificationResult with VerificationSkip type, when no policies are found and no-match-policy is set to ignore
// 2) Return VerificationResult with VerificationPass type when verification passed;
// 3) Return VerificationResult with VerificationWarn type, when no matching policies and feature flag "no-match-policy" is "warn", or only Warn mode verification policies fail. Err field if filled with the warning;
// 3) Return VerificationResult with VerificationWarn type, when no matching policies and feature flag "no-match-policy" is "warn", or only Warn mode verification policies fail. Err field is filled with the warning;
// 4) Return VerificationResult with VerificationError type when no policies are found and no-match-policy is set to fail, the resource fails to pass matched enforce verification policy, or there are errors during verification. Err is filled with the err.
// refSource contains the source information of the pipeline.
func VerifyPipeline(ctx context.Context, pipelineObj *v1beta1.Pipeline, k8s kubernetes.Interface, refSource *v1beta1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) *VerificationResult {
func VerifyPipeline(ctx context.Context, pipelineObj *v1beta1.Pipeline, k8s kubernetes.Interface, refSource *v1beta1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) VerificationResult {
var refSourceURI string
if refSource != nil {
refSourceURI = refSource.URI
Expand All @@ -122,18 +122,18 @@ func VerifyPipeline(ctx context.Context, pipelineObj *v1beta1.Pipeline, k8s kube
if errors.Is(err, ErrNoMatchedPolicies) {
switch config.GetVerificationNoMatchPolicy(ctx) {
case config.IgnoreNoMatchPolicy:
return &VerificationResult{VerificationResultType: VerificationSkip}
return VerificationResult{VerificationResultType: VerificationSkip}
case config.WarnNoMatchPolicy:
logger := logging.FromContext(ctx)
logger.Warnf("failed to get matched policies: %v", err)
return &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}
return VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}
}
}
return &VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get matched policies: %w", err)}
return VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get matched policies: %w", err)}
}
pm, signature, err := prepareObjectMeta(pipelineObj.PipelineMetadata())
if err != nil {
return &VerificationResult{VerificationResultType: VerificationError, Err: err}
return VerificationResult{VerificationResultType: VerificationError, Err: err}
}
pipeline := v1beta1.Pipeline{
TypeMeta: metav1.TypeMeta{
Expand Down Expand Up @@ -173,7 +173,7 @@ func getMatchedPolicies(resourceName string, source string, policies []*v1alpha1
// 1. If multiple policies match, the resource must satisfy all the "enforce" policies to pass verification. The matching "enforce" policies are evaluated using AND logic.
// Alternatively, if the resource only matches policies in "warn" mode, it will still pass verification and only log a warning if these policies are not satisfied.
// 2. To pass one policy, the resource can pass any public keys in the policy. We use OR logic on public keys of one policy.
func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.Interface, signature []byte, matchedPolicies []*v1alpha1.VerificationPolicy) *VerificationResult {
func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.Interface, signature []byte, matchedPolicies []*v1alpha1.VerificationPolicy) VerificationResult {
logger := logging.FromContext(ctx)
var warnPolicies []*v1alpha1.VerificationPolicy
var enforcePolicies []*v1alpha1.VerificationPolicy
Expand All @@ -190,7 +190,7 @@ func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.
passVerification := false
verifiers, err := verifier.FromPolicy(ctx, k8s, p)
if err != nil {
return &VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get verifiers from policy: %w", err)}
return VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get verifiers from policy: %w", err)}
}
for _, verifier := range verifiers {
// if one of the verifier passes verification, then this policy passes verification
Expand All @@ -200,7 +200,7 @@ func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.
}
}
if !passVerification {
return &VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("%w: resource %s in namespace %s fails verification", ErrResourceVerificationFailed, resource.GetName(), resource.GetNamespace())}
return VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("%w: resource %s in namespace %s fails verification", ErrResourceVerificationFailed, resource.GetName(), resource.GetNamespace())}
}
}

Expand All @@ -211,7 +211,7 @@ func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.
if err != nil {
warn := fmt.Errorf("fails to get verifiers for resource %s from namespace %s: %w", resource.GetName(), resource.GetNamespace(), err)
logger.Warnf(warn.Error())
return &VerificationResult{VerificationResultType: VerificationWarn, Err: warn}
return VerificationResult{VerificationResultType: VerificationWarn, Err: warn}
}
for _, verifier := range verifiers {
if err := verifyInterface(resource, verifier, signature); err == nil {
Expand All @@ -222,11 +222,11 @@ func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.
if !passVerification {
warn := fmt.Errorf("%w: resource %s in namespace %s fails verification", ErrResourceVerificationFailed, resource.GetName(), resource.GetNamespace())
logger.Warnf(warn.Error())
return &VerificationResult{VerificationResultType: VerificationWarn, Err: warn}
return VerificationResult{VerificationResultType: VerificationWarn, Err: warn}
}
}

return &VerificationResult{VerificationResultType: VerificationPass}
return VerificationResult{VerificationResultType: VerificationPass}
}

// verifyInterface get the checksum of json marshalled object and verify it.
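Review bot: Returning VerificationResult by value (VerifyTask, VerifyPipeline and verifyResource signatures in this section) makes the zero value `VerificationResult{}` a syntactically valid result, so any future early return or forgotten assignment yields whatever VerificationResultType's zero value is; if that enum is declared with `iota` starting at VerificationPass, such a path would fail open at a signature-verification boundary. The enum declaration is outside this hunk, so this is inferred — worth confirming that the zero value is a distinct "unverified" state or that VerificationPass is not 0, and recording that in the type's doc comment, e.g. `// The zero value of VerificationResult is not a passing result; callers must check VerificationResultType explicitly.` While here, `logger.Warnf(warn.Error())` on the two warn paths in verifyResource passes a non-constant format string (go vet's printf check flags it, and a resource name containing `%` would garble the log entry); `logger.Warn(warn.Error())` or `logger.Warnf("%s", warn)` keeps the output intact. The bodies of VerifyTask, VerifyPipeline and verifyResource start and end outside the hunks shown.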
28 changes: 14 additions & 14 deletions pkg/trustedresources/verify_test.go
Expand Up @@ -222,61 +222,61 @@ func TestVerifyTask_Success(t *testing.T) {
signer signature.SignerVerifier
verificationNoMatchPolicy string
verificationPolicies []*v1alpha1.VerificationPolicy
expectedVerificationResult *VerificationResult
expectedVerificationResult VerificationResult
}{{
name: "signed git source task passes verification",
task: signedTask,
source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"},
verificationNoMatchPolicy: config.FailNoMatchPolicy,
verificationPolicies: vps,
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationPass},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass},
}, {
name: "signed bundle source task passes verification",
task: signedTask,
source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/git-clone"},
verificationNoMatchPolicy: config.FailNoMatchPolicy,
verificationPolicies: vps,
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationPass},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass},
}, {
name: "signed task with sha384 key",
task: signedTask384,
source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/sha384"},
verificationNoMatchPolicy: config.FailNoMatchPolicy,
verificationPolicies: []*v1alpha1.VerificationPolicy{sha384Vp},
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationPass},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass},
}, {
name: "ignore no match policy skips verification when no matching policies",
task: unsignedTask,
source: &v1beta1.RefSource{URI: mismatchedSource},
verificationNoMatchPolicy: config.IgnoreNoMatchPolicy,
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationSkip},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationSkip},
}, {
name: "warn no match policy skips verification when no matching policies",
task: unsignedTask,
source: &v1beta1.RefSource{URI: mismatchedSource},
verificationNoMatchPolicy: config.WarnNoMatchPolicy,
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies},
}, {
name: "unsigned task matches warn policy doesn't fail verification",
task: unsignedTask,
source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"},
verificationNoMatchPolicy: config.FailNoMatchPolicy,
verificationPolicies: []*v1alpha1.VerificationPolicy{warnPolicy},
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrResourceVerificationFailed},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrResourceVerificationFailed},
}, {
name: "modified task matches warn policy doesn't fail verification",
task: modifiedTask,
source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"},
verificationNoMatchPolicy: config.FailNoMatchPolicy,
verificationPolicies: []*v1alpha1.VerificationPolicy{warnPolicy},
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrResourceVerificationFailed},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrResourceVerificationFailed},
}, {
name: "modified task matches warn policy with empty key doesn't fail verification",
task: modifiedTask,
source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"},
verificationNoMatchPolicy: config.FailNoMatchPolicy,
verificationPolicies: []*v1alpha1.VerificationPolicy{warnNoKeyPolicy},
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationWarn, Err: verifier.ErrEmptyPublicKeys},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: verifier.ErrEmptyPublicKeys},
}}

for _, tc := range tcs {
Expand Down Expand Up @@ -404,31 +404,31 @@ func TestVerifyPipeline_Success(t *testing.T) {
pipeline *v1beta1.Pipeline
source *v1beta1.RefSource
verificationNoMatchPolicy string
expectedVerificationResult *VerificationResult
expectedVerificationResult VerificationResult
}{{
name: "signed git source pipeline passes verification",
pipeline: signedPipeline,
source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"},
verificationNoMatchPolicy: config.FailNoMatchPolicy,
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationPass},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass},
}, {
name: "signed bundle source pipeline passes verification",
pipeline: signedPipeline,
source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/git-clone"},
verificationNoMatchPolicy: config.FailNoMatchPolicy,
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationPass},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass},
}, {
name: "ignore no match policy skips verification when no matching policies",
pipeline: unsignedPipeline,
source: &v1beta1.RefSource{URI: mismatchedSource},
verificationNoMatchPolicy: config.IgnoreNoMatchPolicy,
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationSkip},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationSkip},
}, {
name: "warn no match policy skips verification when no matching policies",
pipeline: unsignedPipeline,
source: &v1beta1.RefSource{URI: mismatchedSource},
verificationNoMatchPolicy: config.WarnNoMatchPolicy,
expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies},
expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies},
}}
for _, tc := range tcs {
t.Run(tc.name, func(t *testing.T) {
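Review bot: With expectedVerificationResult now a struct value whose Err field holds an interface, the expected sentinel errors (e.g. `Err: ErrResourceVerificationFailed` in the "unsigned task matches warn policy" case) differ from the wrapped `fmt.Errorf("%w: ...")` values the production code returns, so a plain value comparison or a default `cmp.Diff` over the struct would either report a mismatch or panic on the unexported fields of the wrapped error. The assertion loop is outside this hunk, so this is inferred; if it does not already, the comparison should use `errors.Is(got.Err, tc.expectedVerificationResult.Err)` for the Err field (or `cmpopts.EquateErrors()` when diffing the whole struct) and compare VerificationResultType separately. A one-line comment on the table field, `// Err is matched with errors.Is, not by equality`, would make that contract explicit.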
