From 265cf3dd2d37393e7e4173f1f929f44274904401 Mon Sep 17 00:00:00 2001
From: Yongxuan Zhang
Date: Wed, 17 May 2023 15:40:37 +0000
Subject: [PATCH] fix
---
 pkg/trustedresources/verify.go | 36 ++++++++++++++---------------
 pkg/trustedresources/verify_test.go | 28 +++++++++++-----------
 2 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/pkg/trustedresources/verify.go b/pkg/trustedresources/verify.go
index 24cf4fbade4..b9cc9d3718c 100644
--- a/pkg/trustedresources/verify.go
+++ b/pkg/trustedresources/verify.go
@@ -67,10 +67,10 @@ type VerificationResult struct {
 // VerificationResult is returned with different types for different cases:
 // 1) Return VerificationResult with VerificationSkip type, when no policies are found and no-match-policy is set to ignore
 // 2) Return VerificationResult with VerificationPass type when verification passed;
-// 3) Return VerificationResult with VerificationWarn type, when no matching policies and feature flag "no-match-policy" is "warn", or only Warn mode verification policies fail. Err field if filled with the warning;
+// 3) Return VerificationResult with VerificationWarn type, when no matching policies and feature flag "no-match-policy" is "warn", or only Warn mode verification policies fail. Err field is filled with the warning;
 // 4) Return VerificationResult with VerificationError type when no policies are found and no-match-policy is set to fail, the resource fails to pass matched enforce verification policy, or there are errors during verification. Err is filled with the err.
 // refSource contains the source information of the task.
-func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Interface, refSource *v1beta1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) *VerificationResult {
+func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Interface, refSource *v1beta1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) VerificationResult {
 var refSourceURI string
 if refSource != nil {
 refSourceURI = refSource.URI
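Review bot: The zero value of VerificationResult is now indistinguishable from a deliberately built result: with the return changed to a value on the `+func VerifyTask … VerificationResult {` line (and likewise VerifyPipeline in the hunk at -109), any future path that forgets to set VerificationResultType will silently report whichever constant is 0, and the enum definition is not visible in this diff to confirm that it is not VerificationPass. Pinning this in the doc comment, e.g. `// The zero value of VerificationResult is not a pass; callers must switch on VerificationResultType.`, and, if VerificationPass currently happens to be the zero value, ordering the constants so an unset result reads as an error, would keep the fail-closed property explicit. VerifyTask's body continues in the next hunk and beyond.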
@@ -80,19 +80,19 @@ func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Inter
 if errors.Is(err, ErrNoMatchedPolicies) {
 switch config.GetVerificationNoMatchPolicy(ctx) {
 case config.IgnoreNoMatchPolicy:
- return &VerificationResult{VerificationResultType: VerificationSkip}
+ return VerificationResult{VerificationResultType: VerificationSkip}
 case config.WarnNoMatchPolicy:
 logger := logging.FromContext(ctx)
 logger.Warnf("failed to get matched policies: %v", err)
- return &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}
+ return VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}
 }
 }
- return &VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get matched policies: %w", err)}
+ return VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get matched policies: %w", err)}
 }
 tm, signature, err := prepareObjectMeta(taskObj.TaskMetadata())
 if err != nil {
- return &VerificationResult{VerificationResultType: VerificationError, Err: err}
+ return VerificationResult{VerificationResultType: VerificationError, Err: err}
 }
 task := v1beta1.Task{
 TypeMeta: metav1.TypeMeta{
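Review bot: The `switch config.GetVerificationNoMatchPolicy(ctx)` block has no case for config.FailNoMatchPolicy and no default, so both the fail setting and any unrecognised value reach the `return VerificationResult{VerificationResultType: VerificationError, …}` line after the switch. That is the safe, fail-closed outcome, but it is only implicit; a comment on the switch's closing brace such as `// config.FailNoMatchPolicy and any unknown value fall through to VerificationError below` would stop a later edit from adding a permissive default. The same structure, and the same comment, apply to VerifyPipeline in the hunk at -122. The enclosing function starts in the previous hunk and continues past this one.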
@@ -109,10 +109,10 @@ func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Inter
 // VerificationResult is returned with different types for different cases:
 // 1) Return VerificationResult with VerificationSkip type, when no policies are found and no-match-policy is set to ignore
 // 2) Return VerificationResult with VerificationPass type when verification passed;
-// 3) Return VerificationResult with VerificationWarn type, when no matching policies and feature flag "no-match-policy" is "warn", or only Warn mode verification policies fail. Err field if filled with the warning;
+// 3) Return VerificationResult with VerificationWarn type, when no matching policies and feature flag "no-match-policy" is "warn", or only Warn mode verification policies fail. Err field is filled with the warning;
 // 4) Return VerificationResult with VerificationError type when no policies are found and no-match-policy is set to fail, the resource fails to pass matched enforce verification policy, or there are errors during verification. Err is filled with the err.
 // refSource contains the source information of the pipeline.
-func VerifyPipeline(ctx context.Context, pipelineObj *v1beta1.Pipeline, k8s kubernetes.Interface, refSource *v1beta1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) *VerificationResult {
+func VerifyPipeline(ctx context.Context, pipelineObj *v1beta1.Pipeline, k8s kubernetes.Interface, refSource *v1beta1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) VerificationResult {
 var refSourceURI string
 if refSource != nil {
 refSourceURI = refSource.URI
@@ -122,18 +122,18 @@ func VerifyPipeline(ctx context.Context, pipelineObj *v1beta1.Pipeline, k8s kube
 if errors.Is(err, ErrNoMatchedPolicies) {
 switch config.GetVerificationNoMatchPolicy(ctx) {
 case config.IgnoreNoMatchPolicy:
- return &VerificationResult{VerificationResultType: VerificationSkip}
+ return VerificationResult{VerificationResultType: VerificationSkip}
 case config.WarnNoMatchPolicy:
 logger := logging.FromContext(ctx)
 logger.Warnf("failed to get matched policies: %v", err)
- return &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}
+ return VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}
 }
 }
- return &VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get matched policies: %w", err)}
+ return VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get matched policies: %w", err)}
 }
 pm, signature, err := prepareObjectMeta(pipelineObj.PipelineMetadata())
 if err != nil {
- return &VerificationResult{VerificationResultType: VerificationError, Err: err}
+ return VerificationResult{VerificationResultType: VerificationError, Err: err}
 }
 pipeline := v1beta1.Pipeline{
 TypeMeta: metav1.TypeMeta{
@@ -173,7 +173,7 @@ func getMatchedPolicies(resourceName string, source string, policies []*v1alpha1
 // 1. If multiple policies match, the resource must satisfy all the "enforce" policies to pass verification. The matching "enforce" policies are evaluated using AND logic.
 // Alternatively, if the resource only matches policies in "warn" mode, it will still pass verification and only log a warning if these policies are not satisfied.
 // 2. To pass one policy, the resource can pass any public keys in the policy. We use OR logic on public keys of one policy.
-func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.Interface, signature []byte, matchedPolicies []*v1alpha1.VerificationPolicy) *VerificationResult {
+func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.Interface, signature []byte, matchedPolicies []*v1alpha1.VerificationPolicy) VerificationResult {
 logger := logging.FromContext(ctx)
 var warnPolicies []*v1alpha1.VerificationPolicy
 var enforcePolicies []*v1alpha1.VerificationPolicy
@@ -190,7 +190,7 @@ func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.
 passVerification := false
 verifiers, err := verifier.FromPolicy(ctx, k8s, p)
 if err != nil {
- return &VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get verifiers from policy: %w", err)}
+ return VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("failed to get verifiers from policy: %w", err)}
 }
 for _, verifier := range verifiers {
 // if one of the verifier passes verification, then this policy passes verification
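Review bot: The loop variable in `for _, verifier := range verifiers {` at the end of the -190 hunk shadows the `verifier` package that `verifier.FromPolicy(ctx, k8s, p)` is called from two lines earlier, so nothing from that package can be referenced inside the loop body without a rename, and a reader has to work out which `verifier` each occurrence means. Renaming the loop variable, e.g. `for _, v := range verifiers {`, removes the ambiguity; the same shadowing appears in the loop of the -211 hunk. verifyResource's body runs past this hunk into the ones that follow.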
@@ -200,7 +200,7 @@ func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.
 }
 }
 if !passVerification {
- return &VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("%w: resource %s in namespace %s fails verification", ErrResourceVerificationFailed, resource.GetName(), resource.GetNamespace())}
+ return VerificationResult{VerificationResultType: VerificationError, Err: fmt.Errorf("%w: resource %s in namespace %s fails verification", ErrResourceVerificationFailed, resource.GetName(), resource.GetNamespace())}
 }
 }
@@ -211,7 +211,7 @@ func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.
 if err != nil {
 warn := fmt.Errorf("fails to get verifiers for resource %s from namespace %s: %w", resource.GetName(), resource.GetNamespace(), err)
 logger.Warnf(warn.Error())
- return &VerificationResult{VerificationResultType: VerificationWarn, Err: warn}
+ return VerificationResult{VerificationResultType: VerificationWarn, Err: warn}
 }
 for _, verifier := range verifiers {
 if err := verifyInterface(resource, verifier, signature); err == nil {
@@ -222,11 +222,11 @@ func verifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.
 if !passVerification {
 warn := fmt.Errorf("%w: resource %s in namespace %s fails verification", ErrResourceVerificationFailed, resource.GetName(), resource.GetNamespace())
 logger.Warnf(warn.Error())
- return &VerificationResult{VerificationResultType: VerificationWarn, Err: warn}
+ return VerificationResult{VerificationResultType: VerificationWarn, Err: warn}
 }
 }
- return &VerificationResult{VerificationResultType: VerificationPass}
+ return VerificationResult{VerificationResultType: VerificationPass}
 }
 // verifyInterface get the checksum of json marshalled object and verify it.
diff --git a/pkg/trustedresources/verify_test.go b/pkg/trustedresources/verify_test.go
index c27c098cfc7..b251204d47e 100644
--- a/pkg/trustedresources/verify_test.go
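Review bot: `logger.Warnf(warn.Error())` in the -211 and -222 hunks passes a non-constant string as the format argument; `warn` embeds `resource.GetName()`, `resource.GetNamespace()` and, in the first case, the wrapped `err`, so any `%` in those values is interpreted as a verb and the warning is garbled, and recent `go vet` printf checks report exactly this pattern. Use the non-formatting call, `logger.Warn(warn.Error())`, or `logger.Warnf("%s", warn)`, in both places. verifyResource starts in the preceding hunk and the code between the hunks is not shown here.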
+++ b/pkg/trustedresources/verify_test.go 
@@ -222,61 +222,61 @@ func TestVerifyTask_Success(t *testing.T) { signer signature.SignerVerifier verificationNoMatchPolicy string verificationPolicies []*v1alpha1.VerificationPolicy - expectedVerificationResult *VerificationResult + expectedVerificationResult VerificationResult }{{ name: "signed git source task passes verification", task: signedTask, source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: vps, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationPass}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed bundle source task passes verification", task: signedTask, source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/git-clone"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: vps, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationPass}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed task with sha384 key", task: signedTask384, source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/sha384"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: []*v1alpha1.VerificationPolicy{sha384Vp}, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationPass}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "ignore no match policy skips verification when no matching policies", task: unsignedTask, source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationSkip}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationSkip}, }, { name: "warn no match 
policy skips verification when no matching policies", task: unsignedTask, source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.WarnNoMatchPolicy, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}, }, { name: "unsigned task matches warn policy doesn't fail verification", task: unsignedTask, source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: []*v1alpha1.VerificationPolicy{warnPolicy}, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrResourceVerificationFailed}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrResourceVerificationFailed}, }, { name: "modified task matches warn policy doesn't fail verification", task: modifiedTask, source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: []*v1alpha1.VerificationPolicy{warnPolicy}, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrResourceVerificationFailed}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrResourceVerificationFailed}, }, { name: "modified task matches warn policy with empty key doesn't fail verification", task: modifiedTask, source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, verificationPolicies: []*v1alpha1.VerificationPolicy{warnNoKeyPolicy}, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationWarn, Err: verifier.ErrEmptyPublicKeys}, + expectedVerificationResult: 
VerificationResult{VerificationResultType: VerificationWarn, Err: verifier.ErrEmptyPublicKeys}, }} for _, tc := range tcs { 
@@ -404,31 +404,31 @@ func TestVerifyPipeline_Success(t *testing.T) { pipeline *v1beta1.Pipeline source *v1beta1.RefSource verificationNoMatchPolicy string - expectedVerificationResult *VerificationResult + expectedVerificationResult VerificationResult }{{ name: "signed git source pipeline passes verification", pipeline: signedPipeline, source: &v1beta1.RefSource{URI: "git+https://github.com/tektoncd/catalog.git"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationPass}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "signed bundle source pipeline passes verification", pipeline: signedPipeline, source: &v1beta1.RefSource{URI: "gcr.io/tekton-releases/catalog/upstream/git-clone"}, verificationNoMatchPolicy: config.FailNoMatchPolicy, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationPass}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationPass}, }, { name: "ignore no match policy skips verification when no matching policies", pipeline: unsignedPipeline, source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationSkip}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationSkip}, }, { name: "warn no match policy skips verification when no matching policies", pipeline: unsignedPipeline, source: &v1beta1.RefSource{URI: mismatchedSource}, verificationNoMatchPolicy: config.WarnNoMatchPolicy, - expectedVerificationResult: &VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}, + expectedVerificationResult: VerificationResult{VerificationResultType: VerificationWarn, Err: ErrNoMatchedPolicies}, }} for _, tc := range tcs { t.Run(tc.name, func(t *testing.T) {