Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: refactor error messages for cosign verification #230

Open
wants to merge 8 commits into
base: refactor-error-msg
Choose a base branch
from
Open

feat: refactor error messages for cosign verification #230

wants to merge 8 commits into from

Conversation

binbin-li
Copy link
Owner

Description

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

  • Test A
  • Test B

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

@binbin-li binbin-li force-pushed the refactor-cosign-msg branch 2 times, most recently from 0e31b2f to dd98fe2 Compare August 26, 2024 08:02
@binbin-li binbin-li mentioned this pull request Aug 26, 2024
Merged
12 tasks
@binbin-li binbin-li force-pushed the refactor-cosign-msg branch 8 times, most recently from 86e32c9 to fac5b5a Compare September 1, 2024 15:17
@binbin-li binbin-li force-pushed the refactor-cosign-msg branch 2 times, most recently from 99bd939 to 7bd896d Compare September 2, 2024 05:34
yizha1
yizha1 reviewed Sep 9, 2024
View reviewed changes
pkg/referrerstore/oras/cosign.go Outdated Show resolved Hide resolved
pkg/referrerstore/oras/cosign.go Outdated Show resolved Hide resolved
pkg/referrerstore/oras/oras.go Outdated Show resolved Hide resolved
pkg/verifier/cosign/cosign.go Outdated
}

config, err := parseVerifierConfig(verifierConfig)
if err != nil {
return nil, re.ErrorCodeConfigInvalid.WithComponentType(re.Verifier).WithPluginName(verifierName)
return nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create Cosign Verifier").WithError(err)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create Cosign Verifier").WithError(err)
return nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create the Cosign Verifier").WithError(err)

pkg/verifier/cosign/cosign.go Outdated Show resolved Hide resolved
pkg/verifier/cosign/trustpolicy.go Outdated
}
cosignOpts.RootCerts = roots
if tp.config.Keyless.CTLogVerify != nil && *tp.config.Keyless.CTLogVerify {
cosignOpts.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
if err != nil {
return cosignOpts, fmt.Errorf("failed to fetch certificate transparency log public keys: %w", err)
return cosignOpts, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to fetch certificate transparency log public keys").WithError(err).WithRemediation("Please check if TUF root is experiencing any outages")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return cosignOpts, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to fetch certificate transparency log public keys").WithError(err).WithRemediation("Please check if TUF root is experiencing any outages")
return cosignOpts, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to fetch public keys of the certificate transparency log").WithError(err).WithRemediation("Please check if TUF root is available")

pkg/verifier/cosign/trustpolicy.go Outdated
}
} else {
cosignOpts.IgnoreSCT = true
}
cosignOpts.IntermediateCerts, err = fulcio.GetIntermediates()
if err != nil {
return cosignOpts, fmt.Errorf("failed to get fulcio intermediate certificates: %w", err)
return cosignOpts, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to get fulcio intermediate certificates").WithError(err).WithRemediation("Please check if Fulcio is experiencing any outages")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return cosignOpts, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to get fulcio intermediate certificates").WithError(err).WithRemediation("Please check if Fulcio is experiencing any outages")
return cosignOpts, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to get fulcio intermediate certificates").WithError(err).WithRemediation("Please check if Fulcio is available")

pkg/verifier/cosign/trustpolicy.go
}

for _, keyConfig := range config.Keys {
// check if the key is defined by file path or by key management provider
if keyConfig.File == "" && keyConfig.Provider == "" {
return re.ErrorCodeConfigInvalid.WithComponentType(re.Verifier).WithPluginName(verifierName).WithDetail(fmt.Sprintf("trust policy %s failed: key management provider name is required when not using file path", config.Name))
return re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("Invalid trust policy %s: key management provider name is required when not using file path", config.Name))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("Invalid trust policy %s: key management provider name is required when not using file path", config.Name))
return re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("Invalid trust policy %s: key management provider name is required if not using file path", config.Name))

pkg/verifier/cosign/trustpolicy.go
}

if config.Name == "" {
return re.ErrorCodeConfigInvalid.WithComponentType(re.Verifier).WithPluginName(verifierName).WithDetail("missing trust policy name")
return re.ErrorCodeConfigInvalid.WithDetail("name parameter is required in trust policy configuration").WithRemediation("Please provide a name for the trust policy.")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return re.ErrorCodeConfigInvalid.WithDetail("name parameter is required in trust policy configuration").WithRemediation("Please provide a name for the trust policy.")
return re.ErrorCodeConfigInvalid.WithDetail("The name parameter is required in trust policy configuration").WithRemediation("Please provide a name for the trust policy.")

pkg/verifier/cosign/trustpolicy.go
}

if len(config.Scopes) == 0 {
return re.ErrorCodeConfigInvalid.WithComponentType(re.Verifier).WithPluginName(verifierName).WithDetail(fmt.Sprintf("trust policy %s failed: no scopes defined", config.Name))
return re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("scopes parameter is required in trust policy configuration %s", config.Name)).WithRemediation("Please provide at least one scope for the trust policy.")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("scopes parameter is required in trust policy configuration %s", config.Name)).WithRemediation("Please provide at least one scope for the trust policy.")
return re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("The scopes parameter is required in trust policy configuration %s", config.Name)).WithRemediation("Please provide at least one scope for the trust policy.")

@binbin-li binbin-li force-pushed the refactor-cosign-msg branch 2 times, most recently from 0c99179 to 51d56e5 Compare September 9, 2024 11:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yizha1 yizha1 yizha1 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@binbin-li @yizha1 @junczhu @akashsinghal