Skip to content

Commit

Permalink
Improving Verify Error Response (#430)
Browse files Browse the repository at this point in the history
* Will log details about evidence evaluation that doesn't not meet policy requirements.

---------

Signed-off-by: chaosinthecrd <[email protected]>
Signed-off-by: Tom Meadows <[email protected]>
  • Loading branch information
ChaosInTheCRD authored May 10, 2024
1 parent fc48494 commit d866f90
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 12 deletions.
1 change: 1 addition & 0 deletions cmd/run.go
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,7 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .

results, err := witness.RunWithExports(
ro.StepName,
witness.RunWithSigners(signers...),
witness.RunWithAttestors(attestors),
witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir), attestation.WithHashes(roHashes)),
witness.RunWithTimestampers(timestampers...),
Expand Down
42 changes: 30 additions & 12 deletions cmd/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,10 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
return fmt.Errorf("must supply either a public key, CA certificates or a verifier")
}

if !vo.ArchivistaOptions.Enable && len(vo.AttestationFilePaths) == 0 {
return fmt.Errorf("must either specify attestation file paths or enable archivista as an attestation source")
}

if vo.KeyPath != "" {
keyFile, err := os.Open(vo.KeyPath)
if err != nil {
Expand Down Expand Up @@ -124,26 +128,40 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
}
}

verifiedResult, err := witness.Verify(
verifiedEvidence, err := witness.Verify(
ctx,
policyEnvelope,
verifiers,
witness.VerifyWithSubjectDigests(subjects),
witness.VerifyWithCollectionSource(collectionSource),
)
if err != nil {
if verifiedEvidence.StepResults != nil {
log.Error("Verification failed")
log.Error("Evidence:")
for step, result := range verifiedEvidence.StepResults {
log.Error("Step: ", step)
for _, p := range result.Rejected {
if p.Collection.Collection.Name != "" {
log.Errorf("collection rejected: %s, Reason: %s ", p.Collection.Collection.Name, p.Reason)
} else {
log.Errorf("verification failure: Reason: %s", p.Reason)
}
}
}
}
return fmt.Errorf("failed to verify policy: %w", err)
}

log.Info("Verification succeeded")
log.Info("Evidence:")
num := 0
for _, stepEvidence := range verifiedResult.StepResults {
for _, e := range stepEvidence.Passed {
log.Info(fmt.Sprintf("%d: %s", num, e.Reference))
num++
} else {
log.Info("Verification succeeded")
log.Info("Evidence:")
num := 0
for step, result := range verifiedEvidence.StepResults {
log.Info("Step: ", step)
for _, p := range result.Passed {
log.Info(fmt.Sprintf("%d: %s", num, p.Reference))
num++
}
}
return nil
}

return nil
}

0 comments on commit d866f90

Please sign in to comment.