in-toto · jkjell · Oct 10, 2024 · Sep 5, 2024 · Sep 5, 2024 · Oct 10, 2024
diff --git a/dsse/verify.go b/dsse/verify.go
@@ -72,8 +72,6 @@ type CheckedVerifier struct {
 	Error              error
 }
 
-type FailedVerifier struct{}
-
 func (e Envelope) Verify(opts ...VerificationOption) ([]CheckedVerifier, error) {
 	options := &verificationOptions{
 		threshold: 1,

diff --git a/policy/policy.go b/policy/policy.go
@@ -250,9 +250,9 @@ func (p Policy) Verify(ctx context.Context, opts ...VerifyOption) (bool, map[str
 			}
 
 			// Verify the functionaries
-			collections = step.checkFunctionaries(collections, trustBundles)
-
-			stepResult := step.validateAttestations(collections)
+			functionaryCheckResults := step.checkFunctionaries(collections, trustBundles)
+			stepResult := step.validateAttestations(functionaryCheckResults.Passed)
+			stepResult.Rejected = append(stepResult.Rejected, functionaryCheckResults.Rejected...)
 
 			// We perform many searches against the same step, so we need to merge the relevant fields
 			if resultsByStep[stepName].Step == "" {
@@ -293,11 +293,12 @@ func (p Policy) Verify(ctx context.Context, opts ...VerifyOption) (bool, map[str
 
 // checkFunctionaries checks to make sure the signature on each statement corresponds to a trusted functionary for
 // the step the statement corresponds to
-func (step Step) checkFunctionaries(statements []source.CollectionVerificationResult, trustBundles map[string]TrustBundle) []source.CollectionVerificationResult {
+func (step Step) checkFunctionaries(statements []source.CollectionVerificationResult, trustBundles map[string]TrustBundle) StepResult {
+	result := StepResult{Step: step.Name}
 	for i, statement := range statements {
 		// Check that the statement contains a predicate type that we accept
 		if statement.Statement.PredicateType != attestation.CollectionType {
-			statements[i].Errors = append(statement.Errors, fmt.Errorf("predicate type %v is not a collection predicate type", statement.Statement.PredicateType))
+			result.Rejected = append(result.Rejected, RejectedCollection{Collection: statement, Reason: fmt.Errorf("predicate type %v is not a collection predicate type", statement.Statement.PredicateType)})
 		}
 
 		if len(statement.Verifiers) > 0 {
@@ -311,12 +312,18 @@ func (step Step) checkFunctionaries(statements []source.CollectionVerificationRe
 					}
 				}
 			}
+
+			if len(statements[i].ValidFunctionaries) == 0 {
+				result.Rejected = append(result.Rejected, RejectedCollection{Collection: statements[i], Reason: fmt.Errorf("no verifiers matched with allowed functionaries for step %s", step.Name)})
+			} else {
+				result.Passed = append(result.Passed, statements[i])
+			}
 		} else {
-			statements[i].Errors = append(statement.Errors, fmt.Errorf("no verifiers present to validate against collection verifiers"))
+			result.Rejected = append(result.Rejected, RejectedCollection{Collection: statements[i], Reason: fmt.Errorf("no verifiers present to validate against collection verifiers")})
 		}
 	}
 
-	return statements
+	return result
 }
 
 // verifyArtifacts will check the artifacts (materials+products) of the step referred to by `ArtifactsFrom` against the

diff --git a/policy/policy_test.go b/policy/policy_test.go
@@ -588,7 +588,7 @@ func TestCheckFunctionaries(t *testing.T) {
 		fmt.Println("running test case: ", testCase.name)
 		result := testCase.step.checkFunctionaries(testCase.statements, testCase.trustBundles)
 		resultCheckFields := []source.CollectionVerificationResult{}
-		for _, r := range result {
+		for _, r := range result.Passed {
 			o := source.CollectionVerificationResult{
 				Errors:             r.Errors,
 				Warnings:           r.Warnings,
@@ -597,6 +597,15 @@ func TestCheckFunctionaries(t *testing.T) {
 			resultCheckFields = append(resultCheckFields, o)
 		}
 
+		for _, r := range result.Rejected {
+			o := source.CollectionVerificationResult{
+				Errors:             r.Collection.Errors,
+				Warnings:           r.Collection.Warnings,
+				ValidFunctionaries: r.Collection.ValidFunctionaries,
+			}
+			resultCheckFields = append(resultCheckFields, o)
+		}
+
 		assert.Equal(t, testCase.expectedResults, resultCheckFields)
 	}
 }
diff --git a/source/verified.go b/source/verified.go
@@ -64,7 +64,9 @@ func (s *VerifiedSource) Search(ctx context.Context, collectionName string, subj
 
 		passedVerifiers := make([]cryptoutil.Verifier, 0)
 		for _, verifier := range envelopeVerifiers {
-			passedVerifiers = append(passedVerifiers, verifier.Verifier)
+			if verifier.Error == nil {
+				passedVerifiers = append(passedVerifiers, verifier.Verifier)
+			}
 		}
 
 		var Errors []error