RekorError type
elchead committed Nov 28, 2023
1 parent 6e6063a commit 9c99720
Showing 5 changed files with 32 additions and 20 deletions.
3 changes: 2 additions & 1 deletion cli/internal/cmd/configfetchmeasurements.go
Expand Up @@ -145,7 +145,8 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
fetchedMeasurements, err := cfm.verifyFetcher.FetchAndVerifyMeasurements(ctx, conf.Image, conf.GetProvider(),
conf.GetAttestationConfig().GetVariant(), cfm.flags.insecure)
if err != nil {
if errors.Is(err, measurements.ErrRekor) {
var rekorErr *measurements.RekorError
if errors.As(err, &rekorErr) {
cmd.PrintErrf("Ignoring Rekor related error: %v\n", err)
cmd.PrintErrln("Make sure the downloaded measurements are trustworthy!")
} else {
2 changes: 1 addition & 1 deletion cli/internal/cmd/configfetchmeasurements_test.go
Expand Up @@ -158,7 +158,7 @@ func TestConfigFetchMeasurements(t *testing.T) {
}{
"no error succeeds": {},
"failing rekor verify should not result in error": {
err: measurements.ErrRekor,
err: &measurements.RekorError{},
},
"error other than Rekor fails": {
err: assert.AnError,
19 changes: 15 additions & 4 deletions internal/attestation/measurements/fetchmeasurements.go
Expand Up @@ -8,7 +8,6 @@ package measurements

import (
"context"
"errors"
"fmt"
"net/http"

Expand All @@ -19,8 +18,20 @@ import (
"github.com/edgelesssys/constellation/v2/internal/sigstore/keyselect"
)

// ErrRekor is returned when verifying measurements with Rekor fails.
var ErrRekor = errors.New("verifying measurements with Rekor")
// RekorError is returned when verifying measurements with Rekor fails.
type RekorError struct {
err error
}

// Error returns the error message.
func (e *RekorError) Error() string {
return fmt.Sprintf("verifying measurements with Rekor failed: %s", e.err)
}

// Unwrap returns the wrapped error.
func (e *RekorError) Unwrap() error {
return e.err
}

// VerifyFetcher is a high-level fetcher that fetches measurements and verifies them.
type VerifyFetcher struct {
Expand Down Expand Up @@ -88,7 +99,7 @@ func (m *VerifyFetcher) FetchAndVerifyMeasurements(ctx context.Context,
return nil, fmt.Errorf("fetching and verifying measurements: %w", err)
}
if err := sigstore.VerifyWithRekor(ctx, publicKey, m.rekor, hash); err != nil {
return nil, fmt.Errorf("%w: %w", ErrRekor, err)
return nil, &RekorError{err: err}
}
}
return fetchedMeasurements, nil
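Review bot: `RekorError.Error` formats `e.err` with `%s` in its `fmt.Sprintf` call, so a `RekorError` with a nil cause renders as `verifying measurements with Rekor failed: %!s(<nil>)`; that case is reachable, because the `err` field is unexported and the cli test in this commit constructs `&measurements.RekorError{}` with no cause. Switch the verb to `%v`, which prints `<nil>` for a nil error, or add a constructor such as `func NewRekorError(err error) *RekorError { return &RekorError{err: err} }` so code outside the package can set the cause. The `Unwrap` method is what lets callers still reach the underlying `sigstore.VerifyWithRekor` failure through `errors.Is`/`errors.As`; saying so in its doc comment would carry more than `// Unwrap returns the wrapped error.`.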
25 changes: 12 additions & 13 deletions internal/attestation/measurements/fetchmeasurements_test.go
Expand Up @@ -10,7 +10,6 @@ import (
"bytes"
"context"
"encoding/hex"
"fmt"
"io"
"net/http"
"testing"
Expand Down Expand Up @@ -82,7 +81,6 @@ func TestFetchMeasurements(t *testing.T) {
}
}

fmt.Println("unexpected request", req.URL.String())
return &http.Response{
StatusCode: http.StatusNotFound,
Body: io.NopCloser(bytes.NewBufferString("Not found.")),
Expand All @@ -91,11 +89,11 @@ func TestFetchMeasurements(t *testing.T) {
})

testCases := map[string]struct {
cosign cosignVerifierConstructor
rekor rekorVerifier
noVerify bool
wantErr bool
isErr error
cosign cosignVerifierConstructor
rekor rekorVerifier
noVerify bool
wantErr bool
asRekorErr bool
}{
"success": {
cosign: newStubCosignVerifier,
Expand All @@ -116,17 +114,17 @@ func TestFetchMeasurements(t *testing.T) {
SearchByHashUUIDs: []string{},
SearchByHashError: assert.AnError,
},
wantErr: true,
isErr: ErrRekor,
wantErr: true,
asRekorErr: true,
},
"failing verify is ErrRekor": {
cosign: newStubCosignVerifier,
rekor: &stubRekorVerifier{
SearchByHashUUIDs: []string{"11111111111111111111111111111111111111111111111111111111111111111111111111111111"},
VerifyEntryError: assert.AnError,
},
wantErr: true,
isErr: ErrRekor,
wantErr: true,
asRekorErr: true,
},
"signature verification failure": {
cosign: func(_ []byte) (sigstore.Verifier, error) {
Expand All @@ -146,8 +144,9 @@ func TestFetchMeasurements(t *testing.T) {
m, err := sut.FetchAndVerifyMeasurements(context.Background(), "v999.999.999", cloudprovider.GCP, variant.GCPSEVES{}, tc.noVerify)
if tc.wantErr {
assert.Error(err)
if tc.isErr != nil {
assert.ErrorIs(err, tc.isErr)
if tc.asRekorErr {
var rekErr *RekorError
assert.ErrorAs(err, &rekErr)
}
return
}
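Review bot: The case name `"failing verify is ErrRekor"` still refers to the sentinel this commit removes; rename it to `"failing verify is RekorError"` so it matches the new `asRekorErr` field. The assertion block only checks `assert.ErrorAs(err, &rekErr)`; since both Rekor cases inject `assert.AnError` through the stub, adding `assert.ErrorIs(err, assert.AnError)` there would also exercise the new `Unwrap` method, provided the stub's error is propagated with `%w` inside `sigstore.VerifyWithRekor`, which is not visible here. `TestFetchMeasurements` starts and ends outside the hunk.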
Expand Up @@ -215,7 +215,8 @@ func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadReq
fetchedMeasurements, err := verifyFetcher.FetchAndVerifyMeasurements(ctx, data.ImageVersion.ValueString(),
csp, attestationVariant, false)
if err != nil {
if errors.Is(err, measurements.ErrRekor) {
var rekErr *measurements.RekorError
if errors.As(err, &rekErr) {
resp.Diagnostics.AddWarning("Ignoring Rekor related error", err.Error())
} else {
resp.Diagnostics.AddError("fetching and verifying measurements", err.Error())