Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: backport #469 for updating logs #489

Merged
merged 1 commit into from
Dec 10, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions notation.go
Original file line number Diff line number Diff line change
Expand Up @@ -357,10 +357,10 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve
return ocispec.Descriptor{}, nil, err
}
if skip {
logger.Infoln("Verification skipped for", verifyOpts.ArtifactReference)
logger.Infoln("Signature verification skipped for", verifyOpts.ArtifactReference)
return ocispec.Descriptor{}, []*VerificationOutcome{{VerificationLevel: verificationLevel}}, nil
}
logger.Info("Check over. Trust policy is not configured to skip signature verification")
logger.Info("Check over. The signature verification level is not set to 'skip' in the trust policy.")
}

// get artifact descriptor
Expand Down
52 changes: 37 additions & 15 deletions notation_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -225,7 +225,7 @@ func TestSignOptsUnknownMediaType(t *testing.T) {
func TestRegistryResolveError(t *testing.T) {
repo := mock.NewRepository()
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, false}

errorMessage := "network error"
expectedErr := ErrorSignatureRetrievalFailed{Msg: errorMessage}
Expand All @@ -243,7 +243,7 @@ func TestRegistryResolveError(t *testing.T) {
func TestVerifyEmptyReference(t *testing.T) {
repo := mock.NewRepository()
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, false}

errorMessage := "reference is missing digest or tag"
expectedErr := ErrorSignatureRetrievalFailed{Msg: errorMessage}
Expand All @@ -259,7 +259,7 @@ func TestVerifyEmptyReference(t *testing.T) {
func TestVerifyTagReferenceFailed(t *testing.T) {
repo := mock.NewRepository()
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, false}

errorMessage := "invalid reference: invalid repository \"UPPERCASE/test\""
expectedErr := ErrorSignatureRetrievalFailed{Msg: errorMessage}
Expand All @@ -276,7 +276,7 @@ func TestVerifyDigestNotMatchResolve(t *testing.T) {
repo := mock.NewRepository()
repo.MissMatchDigest = true
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, false}

errorMessage := fmt.Sprintf("user input digest %s does not match the resolved digest %s", mock.SampleDigest, mock.ZeroDigest)
expectedErr := ErrorSignatureRetrievalFailed{Msg: errorMessage}
Expand All @@ -300,7 +300,7 @@ func TestSignDigestNotMatchResolve(t *testing.T) {
}

errorMessage := fmt.Sprintf("user input digest %s does not match the resolved digest %s", mock.SampleDigest, mock.ZeroDigest)
expectedErr := fmt.Errorf(errorMessage)
expectedErr := errors.New(errorMessage)

_, err := Sign(context.Background(), &dummySigner{}, repo, signOpts)
if err == nil || err.Error() != errorMessage {
Expand All @@ -311,7 +311,7 @@ func TestSignDigestNotMatchResolve(t *testing.T) {
func TestSkippedSignatureVerification(t *testing.T) {
repo := mock.NewRepository()
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelSkip}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelSkip, false}

opts := VerifyOptions{ArtifactReference: mock.SampleArtifactUri, MaxSignatureAttempts: 50}
_, outcomes, err := Verify(context.Background(), &verifier, repo, opts)
Expand All @@ -324,7 +324,7 @@ func TestSkippedSignatureVerification(t *testing.T) {
func TestRegistryNoSignatureManifests(t *testing.T) {
repo := mock.NewRepository()
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, false}
errorMessage := fmt.Sprintf("no signature is associated with %q, make sure the artifact was signed successfully", mock.SampleArtifactUri)
expectedErr := ErrorSignatureRetrievalFailed{Msg: errorMessage}

Expand All @@ -341,7 +341,7 @@ func TestRegistryNoSignatureManifests(t *testing.T) {
func TestRegistryFetchSignatureBlobError(t *testing.T) {
repo := mock.NewRepository()
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, false}
errorMessage := fmt.Sprintf("unable to retrieve digital signature with digest %q associated with %q from the Repository, error : network error", mock.SampleDigest, mock.SampleArtifactUri)
expectedErr := ErrorSignatureRetrievalFailed{Msg: errorMessage}

Expand All @@ -358,21 +358,35 @@ func TestRegistryFetchSignatureBlobError(t *testing.T) {
func TestVerifyValid(t *testing.T) {
repo := mock.NewRepository()
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, false}

// mock the repository
opts := VerifyOptions{ArtifactReference: mock.SampleArtifactUri, MaxSignatureAttempts: 50}
_, _, err := Verify(context.Background(), &verifier, repo, opts)

if err != nil {
t.Fatalf("SignaureMediaTypeMismatch expected: %v got: %v", nil, err)
t.Fatalf("expected nil error, but got: %v", err)
}
}

func TestVerifySkip(t *testing.T) {
repo := mock.NewRepository()
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, true}

// mock the repository
opts := VerifyOptions{ArtifactReference: mock.SampleArtifactUri, MaxSignatureAttempts: 50}
_, _, err := Verify(context.Background(), &verifier, repo, opts)

if err != nil {
t.Fatalf("expected nil error, but got: %v", err)
}
}

func TestMaxSignatureAttemptsMissing(t *testing.T) {
repo := mock.NewRepository()
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, false}
expectedErr := ErrorSignatureRetrievalFailed{Msg: fmt.Sprintf("verifyOptions.MaxSignatureAttempts expects a positive number, got %d", 0)}

// mock the repository
Expand All @@ -388,7 +402,7 @@ func TestExceededMaxSignatureAttempts(t *testing.T) {
repo := mock.NewRepository()
repo.ExceededNumOfSignatures = true
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, true, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, true, *trustpolicy.LevelStrict, false}

expectedErr := ErrorVerificationFailed{Msg: fmt.Sprintf("signature evaluation stopped. The configured limit of %d signatures to verify per artifact exceeded", 1)}

Expand All @@ -405,7 +419,7 @@ func TestVerifyFailed(t *testing.T) {
t.Run("verification error", func(t *testing.T) {
policyDocument := dummyPolicyDocument()
repo := mock.NewRepository()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, true, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, true, *trustpolicy.LevelStrict, false}
expectedErr := ErrorVerificationFailed{}

// mock the repository
Expand All @@ -432,7 +446,7 @@ func TestVerifyFailed(t *testing.T) {

t.Run("repo is nil", func(t *testing.T) {
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, false}
expectedErr := errors.New("repo cannot be nil")

// mock the repository
Expand Down Expand Up @@ -494,6 +508,7 @@ type dummyVerifier struct {
PluginManager plugin.Manager
FailVerify bool
VerificationLevel trustpolicy.VerificationLevel
SkipVerification bool
}

func (v *dummyVerifier) Verify(_ context.Context, _ ocispec.Descriptor, _ []byte, _ VerifierVerifyOptions) (*VerificationOutcome, error) {
Expand All @@ -507,6 +522,13 @@ func (v *dummyVerifier) Verify(_ context.Context, _ ocispec.Descriptor, _ []byte
return outcome, nil
}

func (v *dummyVerifier) SkipVerify(_ context.Context, _ VerifierVerifyOptions) (bool, *trustpolicy.VerificationLevel, error) {
if v.SkipVerification {
return true, nil, nil
}
return false, nil, nil
}

var (
reference = "sha256:19dbd2e48e921426ee8ace4dc892edfb2ecdc1d1a72d5416c83670c30acecef0"
artifactReference = "local/oci-layout@sha256:19dbd2e48e921426ee8ace4dc892edfb2ecdc1d1a72d5416c83670c30acecef0"
Expand Down Expand Up @@ -567,7 +589,7 @@ func TestLocalContent(t *testing.T) {
MaxSignatureAttempts: math.MaxInt64,
}
policyDocument := dummyPolicyDocument()
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict, false}
// verify signatures inside the OCI layout folder
_, _, err = Verify(context.Background(), &verifier, repo, verifyOpts)
if err != nil {
Expand Down
8 changes: 6 additions & 2 deletions verifier/verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -888,7 +888,7 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin
}

// Performing timestamp verification
logger.Info("Performing timestamp verification...")
logger.Debug("Performing timestamp verification...")

// 1. Timestamp countersignature MUST be present
logger.Debug("Checking timestamp countersignature existence...")
Expand Down Expand Up @@ -937,7 +937,7 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin
if err := nx509.ValidateTimestampingCertChain(tsaCertChain); err != nil {
return fmt.Errorf("failed to validate the timestamping certificate chain with error: %w", err)
}
logger.Info("TSA identity is: ", tsaCertChain[0].Subject)
logger.Debug("The subject of TSA signing certificate is: ", tsaCertChain[0].Subject)

// 4. Check the timestamp against the signing certificate chain
logger.Debug("Checking the timestamp against the signing certificate chain...")
Expand All @@ -949,6 +949,9 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin
if !timestamp.BoundedBefore(cert.NotAfter) {
return fmt.Errorf("timestamp can be after certificate %q validity period, it was expired at %q", cert.Subject, cert.NotAfter.Format(time.RFC1123Z))
}
if timeOfVerification.After(cert.NotAfter) {
logger.Debugf("Certificate %q expired at %q, but timestamp is within certificate validity period", cert.Subject, cert.NotAfter.Format(time.RFC1123Z))
}
}

// 5. Perform the timestamping certificate chain revocation check
Expand All @@ -971,5 +974,6 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin
}

// success
logger.Debug("Timestamp verification: Success")
return nil
}
Loading