From 9c997204c9409f6438671103db379c358af58c3f Mon Sep 17 00:00:00 2001
From: Adrian Stobbe
Date: Tue, 28 Nov 2023 10:44:44 +0100
Subject: [PATCH] RekorError type

---
 cli/internal/cmd/configfetchmeasurements.go | 3 ++-
 .../cmd/configfetchmeasurements_test.go | 2 +-
 .../measurements/fetchmeasurements.go | 19 +++++++++++---
 .../measurements/fetchmeasurements_test.go | 25 +++++++++----------
 .../provider/attestation_data_source.go | 3 ++-
 5 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/cli/internal/cmd/configfetchmeasurements.go b/cli/internal/cmd/configfetchmeasurements.go
index 59a40140a4..705076846a 100644
--- a/cli/internal/cmd/configfetchmeasurements.go
+++ b/cli/internal/cmd/configfetchmeasurements.go
@@ -145,7 +145,8 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
 	fetchedMeasurements, err := cfm.verifyFetcher.FetchAndVerifyMeasurements(ctx, conf.Image, conf.GetProvider(), conf.GetAttestationConfig().GetVariant(), cfm.flags.insecure)
 	if err != nil {
-		if errors.Is(err, measurements.ErrRekor) {
+		var rekorErr *measurements.RekorError
+		if errors.As(err, &rekorErr) {
 			cmd.PrintErrf("Ignoring Rekor related error: %v\n", err)
 			cmd.PrintErrln("Make sure the downloaded measurements are trustworthy!")
 		} else {
diff --git a/cli/internal/cmd/configfetchmeasurements_test.go b/cli/internal/cmd/configfetchmeasurements_test.go
index 591785118f..9cebbb7dac 100644
--- a/cli/internal/cmd/configfetchmeasurements_test.go
+++ b/cli/internal/cmd/configfetchmeasurements_test.go
@@ -158,7 +158,7 @@ func TestConfigFetchMeasurements(t *testing.T) {
 	}{
 		"no error succeeds": {},
 		"failing rekor verify should not result in error": {
-			err: measurements.ErrRekor,
+			err: &measurements.RekorError{},
 		},
 		"error other than Rekor fails": {
 			err: assert.AnError,
diff --git a/internal/attestation/measurements/fetchmeasurements.go b/internal/attestation/measurements/fetchmeasurements.go
index 56540c2a9b..7720d1a590 100644
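Review bot: The new `errors.As` branch downgrades a failed Rekor transparency-log check to two stderr lines no matter what `cfm.flags.insecure` holds, and nothing in the hunk records why that is acceptable, so the next reader may take it for an oversight rather than a decision. As far as the fetchmeasurements.go hunk in this patch shows, `VerifyWithRekor` runs only after the earlier fetch-and-verify step has already succeeded, so if the rationale is "signature already checked, Rekor is extra evidence that may be unreachable", say so above `var rekorErr`: `// A Rekor failure is deliberately non-fatal: the signature check has already passed and Rekor only adds transparency-log evidence; warn and continue.` configFetchMeasurements starts and ends outside the hunk.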
--- a/internal/attestation/measurements/fetchmeasurements.go
+++ b/internal/attestation/measurements/fetchmeasurements.go
@@ -8,7 +8,6 @@ package measurements
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/http"
 
@@ -19,8 +18,20 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/sigstore/keyselect"
 )
 
-// ErrRekor is returned when verifying measurements with Rekor fails.
-var ErrRekor = errors.New("verifying measurements with Rekor")
+// RekorError is returned when verifying measurements with Rekor fails.
+type RekorError struct {
+	err error
+}
+
+// Error returns the error message.
+func (e *RekorError) Error() string {
+	return fmt.Sprintf("verifying measurements with Rekor failed: %s", e.err)
+}
+
+// Unwrap returns the wrapped error.
+func (e *RekorError) Unwrap() error {
+	return e.err
+}
 
 // VerifyFetcher is a high-level fetcher that fetches measurements and verifies them.
 type VerifyFetcher struct {
@@ -88,7 +99,7 @@ func (m *VerifyFetcher) FetchAndVerifyMeasurements(ctx context.Context,
 			return nil, fmt.Errorf("fetching and verifying measurements: %w", err)
 		}
 		if err := sigstore.VerifyWithRekor(ctx, publicKey, m.rekor, hash); err != nil {
-			return nil, fmt.Errorf("%w: %w", ErrRekor, err)
+			return nil, &RekorError{err: err}
 		}
 	}
 	return fetchedMeasurements, nil
diff --git a/internal/attestation/measurements/fetchmeasurements_test.go b/internal/attestation/measurements/fetchmeasurements_test.go
index 2bd816d83c..d79a77a411 100644
--- a/internal/attestation/measurements/fetchmeasurements_test.go
+++ b/internal/attestation/measurements/fetchmeasurements_test.go
@@ -10,7 +10,6 @@ import (
 	"bytes"
 	"context"
 	"encoding/hex"
-	"fmt"
 	"io"
 	"net/http"
 	"testing"
@@ -82,7 +81,6 @@ func TestFetchMeasurements(t *testing.T) {
 			}
 		}
 
-		fmt.Println("unexpected request", req.URL.String())
 		return &http.Response{
 			StatusCode: http.StatusNotFound,
 			Body:       io.NopCloser(bytes.NewBufferString("Not found.")),
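Review bot: `RekorError.err` is unexported and the type has no constructor, so code outside the `measurements` package can only build `&RekorError{}` with a nil cause — the cli test in this same patch does exactly that — and `Error()` then prints `%!s(<nil>)`, because `%s` is applied to a nil `error`. Guard that case, `if e.err == nil { return "verifying measurements with Rekor failed" }` at the top of `Error()`, and consider a one-line `func NewRekorError(err error) *RekorError { return &RekorError{err: err} }` so callers and tests can attach a real cause. The doc comment on the type would also be more useful if it said that both call sites in this patch treat it as a warning rather than a failure, since whoever wraps a `RekorError` next inherits that downgrade through `errors.As`.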
@@ -91,11 +89,11 @@ func TestFetchMeasurements(t *testing.T) {
 	})
 
 	testCases := map[string]struct {
-		cosign cosignVerifierConstructor
-		rekor rekorVerifier
-		noVerify bool
-		wantErr bool
-		isErr error
+		cosign cosignVerifierConstructor
+		rekor rekorVerifier
+		noVerify bool
+		wantErr bool
+		asRekorErr bool
 	}{
 		"success": {
 			cosign: newStubCosignVerifier,
@@ -116,8 +114,8 @@ func TestFetchMeasurements(t *testing.T) {
 				SearchByHashUUIDs: []string{},
 				SearchByHashError: assert.AnError,
 			},
-			wantErr: true,
-			isErr: ErrRekor,
+			wantErr: true,
+			asRekorErr: true,
 		},
 		"failing verify is ErrRekor": {
 			cosign: newStubCosignVerifier,
@@ -125,8 +123,8 @@ func TestFetchMeasurements(t *testing.T) {
 				SearchByHashUUIDs: []string{"11111111111111111111111111111111111111111111111111111111111111111111111111111111"},
 				VerifyEntryError: assert.AnError,
 			},
-			wantErr: true,
-			isErr: ErrRekor,
+			wantErr: true,
+			asRekorErr: true,
 		},
 		"signature verification failure": {
 			cosign: func(_ []byte) (sigstore.Verifier, error) {
@@ -146,8 +144,9 @@ func TestFetchMeasurements(t *testing.T) {
 			m, err := sut.FetchAndVerifyMeasurements(context.Background(), "v999.999.999", cloudprovider.GCP, variant.GCPSEVES{}, tc.noVerify)
 			if tc.wantErr {
 				assert.Error(err)
-				if tc.isErr != nil {
-					assert.ErrorIs(err, tc.isErr)
+				if tc.asRekorErr {
+					var rekErr *RekorError
+					assert.ErrorAs(err, &rekErr)
 				}
 				return
 			}
diff --git a/terraform-provider-constellation/internal/provider/attestation_data_source.go b/terraform-provider-constellation/internal/provider/attestation_data_source.go
index bfc7e61dc7..2847ec7a10 100644
--- a/terraform-provider-constellation/internal/provider/attestation_data_source.go
+++ b/terraform-provider-constellation/internal/provider/attestation_data_source.go
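Review bot: The case name `"failing verify is ErrRekor"` in the trailing context of the `@@ -116,8 +114,8 @@` hunk still names the sentinel this patch deletes, while the assertion it drives is now `asRekorErr`; rename it to `"failing verify is RekorError"` so a failing test points at a type that still exists. The sibling case that sets `SearchByHashError` presumably has the same stale name, but its key sits above the hunk. TestFetchMeasurements starts and ends outside the hunk.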
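Review bot: The new `assert.ErrorAs(err, &rekErr)` in the `@@ -146,8 +144,9 @@` hunk only checks the type, not that the cause survives the switch from `fmt.Errorf("%w: %w", ErrRekor, err)` to a hand-written `Unwrap`; before this patch the cause was reachable through `%w`, now it depends on `RekorError.Unwrap` being correct and nothing asserts that. Both Rekor cases use `assert.AnError` as the stub failure, so add `assert.ErrorIs(err, assert.AnError)` next to the `ErrorAs` call (and `assert.NotNil(rekErr.Unwrap())` if you also want the field pinned). TestFetchMeasurements starts and ends outside the hunk.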
@@ -215,7 +215,8 @@ func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadReq
 	fetchedMeasurements, err := verifyFetcher.FetchAndVerifyMeasurements(ctx, data.ImageVersion.ValueString(), csp, attestationVariant, false)
 	if err != nil {
-		if errors.Is(err, measurements.ErrRekor) {
+		var rekErr *measurements.RekorError
+		if errors.As(err, &rekErr) {
 			resp.Diagnostics.AddWarning("Ignoring Rekor related error", err.Error())
 		} else {
 			resp.Diagnostics.AddError("fetching and verifying measurements", err.Error())
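Review bot: The warning raised on the new `errors.As` branch carries only the summary `Ignoring Rekor related error` plus the error text, whereas the CLI site in this same patch additionally tells the user to make sure the downloaded measurements are trustworthy; a provider warning inside a non-interactive `terraform apply` is, if anything, easier to scroll past, so the guidance matters more here. Fold it into the summary, `resp.Diagnostics.AddWarning("Ignoring Rekor related error; make sure the downloaded measurements are trustworthy", err.Error())`, and add the same why-comment as the CLI branch so the downgrade reads as intentional. The probe variable is `rekErr` here and `rekorErr` in the CLI; pick one. Read starts and ends outside the hunk.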