fix: discard crl cache error (notaryproject#1076)

Signed-off-by: Patrick Zheng <[email protected]>
Two-Hearts · Dec 10, 2024 · 88f39d2 · 88f39d2
1 parent 4190c31
commit 88f39d2
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go
@@ -246,6 +246,7 @@ func getVerifier(ctx context.Context) (notation.Verifier, error) {
 	if err != nil {
 		return nil, err
 	}
+	crlFetcher.DiscardCacheError = true // discard cache error
 	revocationCodeSigningValidator, err := revocation.NewWithOptions(revocation.Options{
 		OCSPHTTPClient:   ocspHttpClient,
 		CRLFetcher:       crlFetcher,

diff --git a/cmd/notation/verify_test.go b/cmd/notation/verify_test.go
@@ -15,11 +15,15 @@ package main
 
 import (
 	"context"
+	"encoding/json"
+	"os"
+	"path/filepath"
 	"reflect"
 	"runtime"
 	"testing"
 
 	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 )
 
 func TestVerifyCommand_BasicArgs(t *testing.T) {
@@ -86,6 +90,27 @@ func TestVerifyCommand_MissingArgs(t *testing.T) {
 }
 
 func TestGetVerifier(t *testing.T) {
+	defer func(oldConfiDir, oldCacheDir string) {
+		dir.UserConfigDir = oldConfiDir
+		dir.UserCacheDir = oldCacheDir
+	}(dir.UserConfigDir, dir.UserCacheDir)
+
+	t.Run("success", func(t *testing.T) {
+		tempRoot := t.TempDir()
+		dir.UserConfigDir = tempRoot
+		path := filepath.Join(tempRoot, "trustpolicy.json")
+		policyJson, _ := json.Marshal(dummyOCIPolicyDocument())
+		if err := os.WriteFile(path, policyJson, 0600); err != nil {
+			t.Fatalf("TestLoadOCIDocument write policy file failed. Error: %v", err)
+		}
+		t.Cleanup(func() { os.RemoveAll(tempRoot) })
+
+		_, err := getVerifier(context.Background())
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
+
 	t.Run("non-existing trust policy", func(t *testing.T) {
 		dir.UserConfigDir = "/"
 		expectedErrMsg := "trust policy is not present. To create a trust policy, see: https://notaryproject.dev/docs/quickstart/#create-a-trust-policy"
@@ -107,3 +132,18 @@ func TestGetVerifier(t *testing.T) {
 		}
 	})
 }
+
+func dummyOCIPolicyDocument() trustpolicy.OCIDocument {
+	return trustpolicy.OCIDocument{
+		Version: "1.0",
+		TrustPolicies: []trustpolicy.OCITrustPolicy{
+			{
+				Name:                  "test-statement-name",
+				RegistryScopes:        []string{"registry.acme-rockets.io/software/net-monitor"},
+				SignatureVerification: trustpolicy.SignatureVerification{VerificationLevel: "strict"},
+				TrustStores:           []string{"ca:valid-trust-store", "signingAuthority:valid-trust-store"},
+				TrustedIdentities:     []string{"x509.subject:CN=Notation Test Root,O=Notary,L=Seattle,ST=WA,C=US"},
+			},
+		},
+	}
+}