Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: refactor cosign verification error messages #1750

Merged
merged 38 commits into from
Sep 10, 2024
Merged

feat: refactor cosign verification error messages #1750

merged 38 commits into from
Sep 10, 2024

Conversation

binbin-li
Copy link
Collaborator

@binbin-li binbin-li commented Aug 26, 2024
edited
Loading

Description

What this PR does / why we need it:

This PR is based on #1730, check the actual diff at: binbin-li#230

It refactors error messages involved in Cosign signature validation, improving the clarity of error messages and providing more intuitive remediation steps for users.

For errors that are self-explanatory, I have not included remediation steps.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Part of work for #1321

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

  • Test A
  • Test B

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

duffney and others added 22 commits August 16, 2024 05:55
@duffney
Mod: Add interval and refreshable to spec
48ac346 
feat: refresher interface

fix: formatting and license

test: kuberefresher

test: kuberefresher helpers

refactor: IsRefreshable KMP interface method

fix: add IsRefreshable method

refactor: kmp spec interval as string

mod: rm todo

mod: rm comment

style: use embedded type

feat: namespaced refresher interface

test: mock factory & test refreshable logic

refactor: use kubeRefreshNamespaced in controller

mod: add license blocks

refactor: kmp.spec.interval default to empty string disabling refresh

tests: increase refresher coverage

refactor(kmp): use factory for creating refresher objects

This change introduces a RefresherFactory that is responsible for creating the
appropriate refresher object based on a configuration that's passed in. This decouples the
reconcile logic from the object creation, making the code more modular and easier to test

mod: rename interval to refreshinterval & adds crd descriptions

mod: remove verbose logging from refresher

docs: kmp refresh interval samples

doc: corrected resource name of akv samples

fix: kmp spec json tag using incorrect values & add refresh interval description

fix: add licenses & update interval name in tests

mod: comments for exported interfaces

test: improve refresher test coverage
Signed-off-by: Joshua Duffney <[email protected]>
@duffney
mod: add const for refresherTypes
7442b8a 
Signed-off-by: Joshua Duffney <[email protected]>
@duffney
mod: Add cast checks & refresherType constants
aeaeacc 
Signed-off-by: Joshua Duffney <[email protected]>
@duffney
style: rename kmp.spec.refreshinterval to refreshInterval json tag
3b7e47c 
Signed-off-by: Joshua Duffney <[email protected]>
@duffney
fix: update samples with correct refreshInterval name
b566b2d 
Signed-off-by: Joshua Duffney <[email protected]>
@duffney
fix: new error for refresher.GetResult() cast check
8cb3f0d 
Signed-off-by: Joshua Duffney <[email protected]>
@dependabot @duffney
chore: Bump anchore/sbom-action from 0.17.0 to 0.17.1
b6d3b60 
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.0 to 0.17.1.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](anchore/sbom-action@d94f46e...ab9d16d)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
@dependabot @duffney
chore: Bump github/codeql-action from 3.26.0 to 3.26.1
5893c69 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.0 to 3.26.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@eb055d7...29d86d2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
@junczhu @duffney
chore: update helm charts (ratify-project#1702)
bed493d 
Signed-off-by: Joshua Duffney <[email protected]>
@binbin-li @duffney
feat: add timestamp and traceId to verification response (ratify-proj…
2a36491 
…ect#1697)

Signed-off-by: Joshua Duffney <[email protected]>
@dependabot @duffney
chore: Bump github/codeql-action from 3.26.1 to 3.26.2
f470985 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.1 to 3.26.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@29d86d2...429e197)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
@yizha1 @duffney
chore: add the governance doc link to readme.md (ratify-project#1713)
7a89eac 
Signed-off-by: Yi Zha <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
@binbin-li
Merge branch 'dev' into issue-1131/refresher
a8177a5
@binbin-li
Merge pull request ratify-project#1625 from duffney/issue-1131/refresher
ad92eb8
@binbin-li
refactor: refactor error messages
78ea559
@binbin-li
Merge remote-tracking branch 'upstream/dev' into refactor-error-msg
7ff80d1
@binbin-li
Merge remote-tracking branch 'upstream/dev' into refactor-error-msg
fa90085
@binbin-li
test: fix broken tests
dfaaa0d
@binbin-li
Merge remote-tracking branch 'upstream/dev' into refactor-error-msg
b737156
@binbin-li
Merge remote-tracking branch 'upstream/dev' into refactor-error-msg
c3112d7
@binbin-li
chore: address comments
8a010b1
@binbin-li
chore: remove ending period from error details
aaba189
@codecov Codecov
Copy link

codecov bot commented Aug 26, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 82.75862% with 10 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
pkg/verifier/cosign/cosign.go 75.00% 5 Missing ⚠️
pkg/verifier/cosign/trustpolicies.go 80.00% 2 Missing ⚠️
pkg/verifier/cosign/trustpolicy.go 90.90% 2 Missing ⚠️
pkg/referrerstore/oras/oras.go 75.00% 1 Missing ⚠️
Files with missing lines Coverage Δ
pkg/referrerstore/oras/cosign.go 100.00% <100.00%> (ø)
pkg/referrerstore/oras/oras.go 80.97% <75.00%> (ø)
pkg/verifier/cosign/trustpolicies.go 94.52% <80.00%> (ø)
pkg/verifier/cosign/trustpolicy.go 90.59% <90.90%> (+8.54%) ⬆️
pkg/verifier/cosign/cosign.go 80.97% <75.00%> (+2.30%) ⬆️

@binbin-li binbin-li force-pushed the refactor-cosign-msg branch 2 times, most recently from 360d80b to 381d61a Compare August 28, 2024 04:55
@binbin-li
Copy link
Collaborator Author

I've resolved comments from @yizha1 at the PR from my forked repo: binbin-li#230

yizha1
yizha1 reviewed Sep 10, 2024
View reviewed changes
pkg/verifier/cosign/cosign.go Outdated Show resolved Hide resolved
pkg/verifier/cosign/trustpolicy.go Outdated Show resolved Hide resolved
pkg/verifier/cosign/trustpolicy.go Outdated Show resolved Hide resolved
pkg/verifier/cosign/trustpolicy.go Outdated Show resolved Hide resolved
yizha1
yizha1 approved these changes Sep 10, 2024
View reviewed changes
Copy link
Collaborator

@yizha1 yizha1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

FeynmanZhou
FeynmanZhou approved these changes Sep 10, 2024
View reviewed changes
Copy link
Collaborator

@FeynmanZhou FeynmanZhou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@binbin-li binbin-li enabled auto-merge (squash) September 10, 2024 05:36
@binbin-li binbin-li enabled auto-merge (squash) September 10, 2024 06:05
akashsinghal
akashsinghal approved these changes Sep 10, 2024
View reviewed changes
Copy link
Collaborator

@akashsinghal akashsinghal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding this! Left some non blocking comments.

pkg/referrerstore/oras/cosign.go
@@ -46,7 +46,7 @@ func getCosignReferences(ctx context.Context, subjectReference common.Reference,
return nil, nil
}
evictOnError(ctx, err, subjectReference.Original)
return nil, re.ErrorCodeRepositoryOperationFailure.WithError(err).WithComponentType(re.ReferrerStore)
return nil, re.ErrorCodeRepositoryOperationFailure.WithDetail(fmt.Sprintf("Failed to validate the signature of the artifact: %+v", subjectReference)).WithError(err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: consider adding cosign in the error message since it's co-sign specific. Also maybe adding failed to validate existence of cosign signature instead?

pkg/verifier/cosign/cosign.go
@@ -224,18 +224,18 @@ func (v *cosignVerifier) verifyInternal(ctx context.Context, subjectReference co
// get the reference manifest (cosign oci image)
referenceManifest, err := referrerStore.GetReferenceManifest(ctx, subjectReference, referenceDescriptor)
if err != nil {
return errorToVerifyResult(v.name, v.verifierType, fmt.Errorf("failed to get reference manifest: %w", err)), nil
return errorToVerifyResult(v.name, v.verifierType, re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("Failed to get artifact metadata for %s", referenceDescriptor.Digest)).WithError(err)), nil
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return errorToVerifyResult(v.name, v.verifierType, re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("Failed to get artifact metadata for %s", referenceDescriptor.Digest)).WithError(err)), nil
return errorToVerifyResult(v.name, v.verifierType, re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("Failed to get cosign signature metadata for %s", referenceDescriptor.Digest)).WithError(err)), nil

pkg/verifier/cosign/cosign.go
@@ -540,14 +540,14 @@ func verifyWithKeys(ctx context.Context, keysMap map[PKKey]keymanagementprovider
if pubKey.ProviderType == azurekeyvault.ProviderName {
hashType, sig, err = processAKVSignature(sigEncoded, sig, pubKey.Key, payload, staticOpts)
if err != nil {
return verifications, false, fmt.Errorf("failed to process AKV signature: %w", err)
return verifications, false, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to validate the Cosign signature generated by AKV").WithError(err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return verifications, false, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to validate the Cosign signature generated by AKV").WithError(err)
return verifications, false, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to validate the Cosign signature generated by Azure Key Vault").WithError(err)

@binbin-li binbin-li merged commit 4d4d00c into ratify-project:dev Sep 10, 2024
19 checks passed
@binbin-li binbin-li mentioned this pull request Sep 10, 2024
Merged
12 tasks
akashsinghal pushed a commit to akashsinghal/ratify that referenced this pull request Sep 13, 2024
@binbin-li @akashsinghal
feat: refactor cosign verification error messages (ratify-project#1750)
e0b6c7c 
Signed-off-by: akashsinghal <[email protected]>
binbin-li added a commit to binbin-li/ratify that referenced this pull request Sep 14, 2024
@binbin-li
feat: refactor cosign verification error messages (ratify-project#1750)
da04523
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@junczhu junczhu junczhu left review comments

@yizha1 yizha1 yizha1 approved these changes

@FeynmanZhou FeynmanZhou FeynmanZhou approved these changes

@akashsinghal akashsinghal akashsinghal approved these changes

@jimmyraywv jimmyraywv Awaiting requested review from jimmyraywv jimmyraywv is a code owner

@luisdlp luisdlp Awaiting requested review from luisdlp luisdlp is a code owner

@susanshi susanshi Awaiting requested review from susanshi susanshi is a code owner

@toddysm toddysm Awaiting requested review from toddysm toddysm is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@binbin-li @akashsinghal @FeynmanZhou @junczhu @yizha1 @duffney