From c258392ea18580424dd537f90bcdfa43b22ac3ce Mon Sep 17 00:00:00 2001 From: Binbin Li Date: Sun, 1 Sep 2024 08:36:13 +0000 Subject: [PATCH] chore: address comments --- .../clusterresource/verifier_controller.go | 7 ++++--- .../clusterresource/verifier_controller_test.go | 2 +- .../namespaceresource/verifier_controller.go | 5 +++-- .../namespaceresource/verifier_controller_test.go | 2 +- pkg/controllers/utils/verifier.go | 4 ++-- pkg/executor/core/executor.go | 4 ++-- pkg/keymanagementprovider/keymanagementprovider.go | 8 ++++---- pkg/referrerstore/oras/oras.go | 14 +++++++------- pkg/verifier/factory/factory.go | 8 ++++---- pkg/verifier/notation/certstoresbytype.go | 6 +++--- pkg/verifier/notation/notation.go | 14 +++++++------- pkg/verifier/notation/truststore.go | 2 +- 12 files changed, 39 insertions(+), 37 deletions(-) diff --git a/pkg/controllers/clusterresource/verifier_controller.go b/pkg/controllers/clusterresource/verifier_controller.go index 1f9f9da637..7df677f98d 100644 --- a/pkg/controllers/clusterresource/verifier_controller.go +++ b/pkg/controllers/clusterresource/verifier_controller.go @@ -82,12 +82,13 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c return ctrl.Result{}, nil } -// creates a verifier reference from CRD spec and add store to map +// creates a verifier reference from CR spec and add verifier to map func verifierAddOrReplace(spec configv1beta1.VerifierSpec, objectName string) error { verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, spec.Name, spec.ArtifactTypes, spec.Source) if err != nil { - logrus.Error(err, "unable to convert crd specification to verifier config") - return re.ErrorCodeConfigInvalid.WithDetail("Unable to convert crd specification to verifier config").WithError(err) + errMsg := fmt.Sprintf("Unable to apply cluster-wide resource %s of Verifier kind", objectName) + logrus.Error(err, errMsg) + return re.ErrorCodeConfigInvalid.WithDetail(errMsg).WithError(err) } return cutils.UpsertVerifier(spec.Version, spec.Address, constants.EmptyNamespace, objectName, verifierConfig) diff --git a/pkg/controllers/clusterresource/verifier_controller_test.go b/pkg/controllers/clusterresource/verifier_controller_test.go index e064584785..a5d6b32bb3 100644 --- a/pkg/controllers/clusterresource/verifier_controller_test.go +++ b/pkg/controllers/clusterresource/verifier_controller_test.go @@ -123,7 +123,7 @@ func TestVerifierAdd_WithParameters(t *testing.T) { func TestVerifierAddOrReplace_PluginNotFound(t *testing.T) { resetVerifierMap() resource := "invalidplugin" - expectedMsg := "PLUGIN_NOT_FOUND: Plugin: pluginnotfound not found: failed to find plugin \"pluginnotfound\" in paths [test/path]" + expectedMsg := "PLUGIN_NOT_FOUND: Verifier plugin pluginnotfound not found: failed to find plugin \"pluginnotfound\" in paths [test/path]: Please check if the correct built-in verifier is specified or if required custom verifier plugin is available." var testVerifierSpec = getInvalidVerifierSpec() err := verifierAddOrReplace(testVerifierSpec, resource) diff --git a/pkg/controllers/namespaceresource/verifier_controller.go b/pkg/controllers/namespaceresource/verifier_controller.go index 88008bcf12..263e530757 100644 --- a/pkg/controllers/namespaceresource/verifier_controller.go +++ b/pkg/controllers/namespaceresource/verifier_controller.go @@ -86,8 +86,9 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c func verifierAddOrReplace(spec configv1beta1.NamespacedVerifierSpec, objectName string, namespace string) error { verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, spec.Name, spec.ArtifactTypes, spec.Source) if err != nil { - logrus.Error(err, "unable to convert crd specification to verifier config") - return re.ErrorCodeConfigInvalid.WithDetail("Unable to convert crd specification to verifier config").WithError(err) + errMsg := fmt.Sprintf("Unable to apply the resource %s of NamespacedVerifier kind in the namespace %s", objectName, namespace) + logrus.Error(err, errMsg) + return re.ErrorCodeConfigInvalid.WithDetail(errMsg).WithError(err) } return cutils.UpsertVerifier(spec.Version, spec.Address, namespace, objectName, verifierConfig) diff --git a/pkg/controllers/namespaceresource/verifier_controller_test.go b/pkg/controllers/namespaceresource/verifier_controller_test.go index 8ff9c3d8c9..4e1c777ca3 100644 --- a/pkg/controllers/namespaceresource/verifier_controller_test.go +++ b/pkg/controllers/namespaceresource/verifier_controller_test.go @@ -141,7 +141,7 @@ func TestVerifierAdd_WithParameters(t *testing.T) { func TestVerifierAddOrReplace_PluginNotFound(t *testing.T) { resetVerifierMap() resource := "invalidplugin" - expectedMsg := "PLUGIN_NOT_FOUND: Plugin: pluginnotfound not found: failed to find plugin \"pluginnotfound\" in paths [test/path]" + expectedMsg := "PLUGIN_NOT_FOUND: Verifier plugin pluginnotfound not found: failed to find plugin \"pluginnotfound\" in paths [test/path]: Please check if the correct built-in verifier is specified or if required custom verifier plugin is available." var testVerifierSpec = getInvalidVerifierSpec() err := verifierAddOrReplace(testVerifierSpec, resource, testNamespace) diff --git a/pkg/controllers/utils/verifier.go b/pkg/controllers/utils/verifier.go index fc6bd14977..e65a059737 100644 --- a/pkg/controllers/utils/verifier.go +++ b/pkg/controllers/utils/verifier.go @@ -58,9 +58,9 @@ func SpecToVerifierConfig(raw []byte, verifierName, verifierType, artifactTypes if string(raw) != "" { if err := json.Unmarshal(raw, &verifierConfig); err != nil { - errMsg := fmt.Sprintf("Unable to decode verifier parameters, Parameters.Raw: %s", string(raw)) + errMsg := fmt.Sprintf("Unable to recognize the parameters of the Verifier resource %s", string(raw)) logrus.Error(err, errMsg) - return vc.VerifierConfig{}, re.ErrorCodeConfigInvalid.WithError(err).WithDetail(errMsg).WithRemediation("Please revise verifier parameters and try again. Refer to verifier configuration: https://ratify.dev/docs/reference/custom%20resources/verifiers") + return vc.VerifierConfig{}, re.ErrorCodeConfigInvalid.WithError(err).WithDetail(errMsg).WithRemediation("Please update the Verifier parameters and try again. Refer to the Verifier configuration guide: https://ratify.dev/docs/reference/custom%20resources/verifiers") } } verifierConfig[types.Name] = verifierName diff --git a/pkg/executor/core/executor.go b/pkg/executor/core/executor.go index 60991bc74e..b364bee30a 100644 --- a/pkg/executor/core/executor.go +++ b/pkg/executor/core/executor.go @@ -61,7 +61,7 @@ type Executor struct { // VerifySubject verifies the subject and returns results. func (executor Executor) VerifySubject(ctx context.Context, verifyParameters e.VerifyParameters) (types.VerifyResult, error) { if executor.PolicyEnforcer == nil { - return types.VerifyResult{}, errors.ErrorCodePolicyProviderNotFound.WithDetail("Policy Provider not found") + return types.VerifyResult{}, errors.ErrorCodePolicyProviderNotFound.WithDetail("Policy configuration not found") } result, err := executor.verifySubjectInternal(ctx, verifyParameters) if err != nil { @@ -83,7 +83,7 @@ func (executor Executor) verifySubjectInternal(ctx context.Context, verifyParame } if executor.PolicyEnforcer.GetPolicyType(ctx) == pt.ConfigPolicy { if len(verifierReports) == 0 { - return types.VerifyResult{}, errors.ErrorCodeNoVerifierReport.WithDetail("No verifier report generated") + return types.VerifyResult{}, errors.ErrorCodeNoVerifierReport.WithDetail(fmt.Sprintf("No verification results for the artifact %s. Ensure verifiers are properly configured and that artifact metadata is attached", verifyParameters.Subject)) } } // If it requires embedded Rego Policy Engine make the decision, execute diff --git a/pkg/keymanagementprovider/keymanagementprovider.go b/pkg/keymanagementprovider/keymanagementprovider.go index bdd861b0de..584f508287 100644 --- a/pkg/keymanagementprovider/keymanagementprovider.go +++ b/pkg/keymanagementprovider/keymanagementprovider.go @@ -136,7 +136,7 @@ func setCertificatesInMap(resource string, certs map[KMPMapKey][]*x509.Certifica // GetCertificatesFromMap gets the certificates from the map and returns an empty map of certificate arrays if not found or an error happened. func GetCertificatesFromMap(ctx context.Context, resource string) (map[KMPMapKey][]*x509.Certificate, error) { if !hasAccessToProvider(ctx, resource) { - return map[KMPMapKey][]*x509.Certificate{}, errors.ErrorCodeForbidden.WithDetail(fmt.Sprintf("namespace [%s] does not have access to key management provider [%s]", ctxUtils.GetNamespace(ctx), resource)).WithRemediation(fmt.Sprintf("Ensure the key management provider: %s is created under namespace: [%s] or as a cluster-wide resource.", resource, ctxUtils.GetNamespace(ctx))) + return map[KMPMapKey][]*x509.Certificate{}, errors.ErrorCodeForbidden.WithDetail(fmt.Sprintf("Resources in namespace [%s] do not have access to key management provider [%s]", ctxUtils.GetNamespace(ctx), resource)).WithRemediation(fmt.Sprintf("Make sure the key management provider: %s is created in the namespace: [%s] or as a cluster-wide resource.", resource, ctxUtils.GetNamespace(ctx))) } if err, ok := certificateErrMap.Load(resource); ok && err != nil { return map[KMPMapKey][]*x509.Certificate{}, err.(error) @@ -144,7 +144,7 @@ func GetCertificatesFromMap(ctx context.Context, resource string) (map[KMPMapKey if certs, ok := certificatesMap.Load(resource); ok { return certs.(map[KMPMapKey][]*x509.Certificate), nil } - return map[KMPMapKey][]*x509.Certificate{}, errors.ErrorCodeNotFound.WithDetail(fmt.Sprintf("failed to access non-existent key management provider [%s]", resource)).WithRemediation(fmt.Sprintf("Ensure the key management provider: %s is created under namespace: [%s] or as a cluster-wide resource.", resource, ctxUtils.GetNamespace(ctx))) + return map[KMPMapKey][]*x509.Certificate{}, errors.ErrorCodeNotFound.WithDetail(fmt.Sprintf("The key management provider [%s] does not exist", resource)).WithRemediation(fmt.Sprintf("Make sure the key management provider: %s is created in the namespace: [%s] or as a cluster-wide resource.", resource, ctxUtils.GetNamespace(ctx))) } // DeleteResourceFromMap deletes the certificates, keys and errors from the map @@ -186,7 +186,7 @@ func GetKeysFromMap(ctx context.Context, resource string) (map[KMPMapKey]PublicK // A cluster-wide operation can access cluster-wide provider // A namespaced operation can only fetch the provider in the same namespace or cluster-wide provider. if !hasAccessToProvider(ctx, resource) { - return map[KMPMapKey]PublicKey{}, errors.ErrorCodeForbidden.WithDetail(fmt.Sprintf("namespace [%s] does not have access to key management provider [%s]", ctxUtils.GetNamespace(ctx), resource)).WithRemediation(fmt.Sprintf("Ensure the key management provider: %s is created under namespace: [%s] or as a cluster-wide resource.", resource, ctxUtils.GetNamespace(ctx))) + return map[KMPMapKey]PublicKey{}, errors.ErrorCodeForbidden.WithDetail(fmt.Sprintf("The resources in namespace [%s] do not have access to key management provider [%s]", ctxUtils.GetNamespace(ctx), resource)).WithRemediation(fmt.Sprintf("Make sure the key management provider [%s] is created in the namespace [%s] or as a cluster-wide resource.", resource, ctxUtils.GetNamespace(ctx))) } if err, ok := keyErrMap.Load(resource); ok && err != nil { return map[KMPMapKey]PublicKey{}, err.(error) @@ -194,7 +194,7 @@ func GetKeysFromMap(ctx context.Context, resource string) (map[KMPMapKey]PublicK if keys, ok := keyMap.Load(resource); ok { return keys.(map[KMPMapKey]PublicKey), nil } - return map[KMPMapKey]PublicKey{}, errors.ErrorCodeNotFound.WithDetail(fmt.Sprintf("failed to access non-existent key management provider [%s]", resource)).WithRemediation(fmt.Sprintf("Ensure the key management provider: %s is created under namespace: [%s] or as a cluster-wide resource.", resource, ctxUtils.GetNamespace(ctx))) + return map[KMPMapKey]PublicKey{}, errors.ErrorCodeNotFound.WithDetail(fmt.Sprintf("The key management provider [%s] does not exist", resource)).WithRemediation(fmt.Sprintf("Make sure the key management provider: %s is created in the namespace: [%s] or as a cluster-wide resource.", resource, ctxUtils.GetNamespace(ctx))) } // SetCertificateError sets the error while fetching certificates from key management provider. diff --git a/pkg/referrerstore/oras/oras.go b/pkg/referrerstore/oras/oras.go index 533f9270a7..a8462d2012 100644 --- a/pkg/referrerstore/oras/oras.go +++ b/pkg/referrerstore/oras/oras.go @@ -313,7 +313,7 @@ func (store *orasStore) GetBlobContent(ctx context.Context, subjectReference com func (store *orasStore) GetReferenceManifest(ctx context.Context, subjectReference common.Reference, referenceDesc ocispecs.ReferenceDescriptor) (ocispecs.ReferenceManifest, error) { repository, err := store.createRepository(ctx, store, subjectReference) if err != nil { - return ocispecs.ReferenceManifest{}, re.ErrorCodeCreateRepositoryFailure.WithDetail("Failed to create client to remote registry").WithError(err) + return ocispecs.ReferenceManifest{}, re.ErrorCodeRepositoryOperationFailure.WithDetail("Failed to connect to the remote registry").WithError(err) } var manifestBytes []byte // check if manifest exists in local ORAS cache @@ -336,12 +336,12 @@ func (store *orasStore) GetReferenceManifest(ctx context.Context, subjectReferen manifestReader, err := repository.Fetch(ctx, referenceDesc.Descriptor) if err != nil { evictOnError(ctx, err, subjectReference.Original) - return ocispecs.ReferenceManifest{}, re.ErrorCodeRepositoryOperationFailure.WithDetail("Failed to fetch manifest content from repository").WithError(err) + return ocispecs.ReferenceManifest{}, re.ErrorCodeRepositoryOperationFailure.WithDetail("Failed to fetch the artifact metadata from the registry").WithError(err) } manifestBytes, err = io.ReadAll(manifestReader) if err != nil { - return ocispecs.ReferenceManifest{}, re.ErrorCodeManifestInvalid.WithDetail("Failed to parse fetched manifest").WithError(err) + return ocispecs.ReferenceManifest{}, re.ErrorCodeManifestInvalid.WithDetail("Failed to parse the artifact metadata").WithError(err) } // push fetched manifest to local ORAS cache @@ -360,15 +360,15 @@ func (store *orasStore) GetReferenceManifest(ctx context.Context, subjectReferen if referenceDesc.Descriptor.MediaType == oci.MediaTypeImageManifest { var imageManifest oci.Manifest if err := json.Unmarshal(manifestBytes, &imageManifest); err != nil { - return ocispecs.ReferenceManifest{}, re.ErrorCodeDataDecodingFailure.WithDetail("Failed to parse manifest content in `application/vnd.oci.image.manifest.v1+json` mediatype").WithError(err).WithRemediation("Please check if the manifest was created correctly.") + return ocispecs.ReferenceManifest{}, re.ErrorCodeDataDecodingFailure.WithDetail("Failed to parse artifact metadata of mediatype `application/vnd.oci.image.manifest.v1+json`").WithError(err).WithRemediation("Please check if the artifact metadata was created correctly.") } referenceManifest = commonutils.OciManifestToReferenceManifest(imageManifest) } else if referenceDesc.Descriptor.MediaType == ocispecs.MediaTypeArtifactManifest { if err := json.Unmarshal(manifestBytes, &referenceManifest); err != nil { - return ocispecs.ReferenceManifest{}, re.ErrorCodeDataDecodingFailure.WithDetail("Failed to parse manifest content in `application/vnd.oci.artifact.manifest.v1+json` mediatype").WithError(err).WithRemediation("Please check if the manifest was created correctly.") + return ocispecs.ReferenceManifest{}, re.ErrorCodeDataDecodingFailure.WithDetail("Failed to parse artifact metadata of mediatype `application/vnd.oci.artifact.manifest.v1+json`").WithError(err).WithRemediation("Please check if the artifact metadata was created correctly.") } } else { - return ocispecs.ReferenceManifest{}, re.ErrorCodeGetReferenceManifestFailure.WithDetail(fmt.Sprintf("Unsupported manifest media type: %s", referenceDesc.Descriptor.MediaType)).WithRemediation("Please check if the manifest was created correctly.") + return ocispecs.ReferenceManifest{}, re.ErrorCodeGetReferenceManifestFailure.WithDetail(fmt.Sprintf("Unsupported artifact metadata of media type %s", referenceDesc.Descriptor.MediaType)).WithRemediation("Please check if the artifact metadata was created correctly.") } return referenceManifest, nil @@ -377,7 +377,7 @@ func (store *orasStore) GetReferenceManifest(ctx context.Context, subjectReferen func (store *orasStore) GetSubjectDescriptor(ctx context.Context, subjectReference common.Reference) (*ocispecs.SubjectDescriptor, error) { repository, err := store.createRepository(ctx, store, subjectReference) if err != nil { - return nil, re.ErrorCodeCreateRepositoryFailure.WithDetail("Failed to create client to remote registry").WithError(err) + return nil, re.ErrorCodeRepositoryOperationFailure.WithDetail("Failed to connect to remote registry").WithError(err) } desc, err := repository.Resolve(ctx, subjectReference.Original) diff --git a/pkg/verifier/factory/factory.go b/pkg/verifier/factory/factory.go index 5aac45f116..f5d0f3c440 100644 --- a/pkg/verifier/factory/factory.go +++ b/pkg/verifier/factory/factory.go @@ -58,7 +58,7 @@ func CreateVerifierFromConfig(verifierConfig config.VerifierConfig, configVersio if value, ok := verifierConfig[types.Name]; ok { verifierTypeStr = value.(string) } else { - return nil, re.ErrorCodeConfigInvalid.WithDetail("Name field is required in verifier config") + return nil, re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("The name field is required in the Verifier configuration: %+v", verifierConfig)) } if value, ok := verifierConfig[types.Type]; ok { @@ -66,7 +66,7 @@ func CreateVerifierFromConfig(verifierConfig config.VerifierConfig, configVersio } if strings.ContainsRune(verifierTypeStr, os.PathSeparator) { - return nil, re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("Invalid verifier plugin name [%s], [%v] is disallowed", verifierTypeStr, os.PathSeparator)) + return nil, re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("Invalid name [%s] of kind Verifier, [%v] is disallowed", verifierTypeStr, os.PathSeparator)) } // if source is specified, download the plugin @@ -94,7 +94,7 @@ func CreateVerifierFromConfig(verifierConfig config.VerifierConfig, configVersio } if _, err := pluginCommon.FindInPaths(verifierTypeStr, pluginBinDir); err != nil { - return nil, re.ErrorCodePluginNotFound.WithDetail(fmt.Sprintf("Plugin: %s not found", verifierTypeStr)).WithError(err) + return nil, re.ErrorCodePluginNotFound.WithDetail(fmt.Sprintf("Verifier plugin %s not found", verifierTypeStr)).WithError(err).WithRemediation("Please check if the correct built-in verifier is specified or if required custom verifier plugin is available.") } pluginVersion := configVersion @@ -117,7 +117,7 @@ func CreateVerifiersFromConfig(verifiersConfig config.VerifiersConfig, defaultPl } if len(verifiersConfig.Verifiers) == 0 { - return nil, re.ErrorCodeConfigInvalid.WithDetail("Verifiers config should have at least one verifier") + return nil, re.ErrorCodeConfigInvalid.WithDetail("At least one verifier must be specified in the Verifiers configuration") } verifiers := make([]verifier.ReferenceVerifier, 0) diff --git a/pkg/verifier/notation/certstoresbytype.go b/pkg/verifier/notation/certstoresbytype.go index a7d459593b..9da8fa5a6a 100644 --- a/pkg/verifier/notation/certstoresbytype.go +++ b/pkg/verifier/notation/certstoresbytype.go @@ -72,18 +72,18 @@ func newCertStoreByType(confInNewFormat verificationCertStores) (certStores, err s[certStoreType(certstoretype)] = make(map[string][]string) parsedStoreData, ok := storeData.(verificationCertStores) if !ok { - return nil, fmt.Errorf("configuration is unsupported: %+v", storeData) + return nil, fmt.Errorf("provided verificationCertStores configuration is invalid: %+v", confInNewFormat) } for storeName, certProviderList := range parsedStoreData { var certProviderNames []string parsedCertProviders, ok := certProviderList.([]interface{}) if !ok { - return nil, fmt.Errorf("configuration is unsupported: %+v", certProviderList) + return nil, fmt.Errorf("provided verificationCertStores configuration is invalid: %+v", confInNewFormat) } for _, certProvider := range parsedCertProviders { certProviderName, ok := certProvider.(string) if !ok { - return nil, fmt.Errorf("configuration is unsupported: %+v", certProvider) + return nil, fmt.Errorf("provided verificationCertStores configuration is invalid: %+v", confInNewFormat) } certProviderNames = append(certProviderNames, certProviderName) } diff --git a/pkg/verifier/notation/notation.go b/pkg/verifier/notation/notation.go index 3f44280e88..449e5205d5 100644 --- a/pkg/verifier/notation/notation.go +++ b/pkg/verifier/notation/notation.go @@ -100,12 +100,12 @@ func (f *notationPluginVerifierFactory) Create(_ string, verifierConfig config.V } conf, err := parseVerifierConfig(verifierConfig, namespace) if err != nil { - return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create notation verifier").WithError(err) + return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create Notation Verifier").WithError(err) } verifyService, err := getVerifierService(conf, pluginDirectory) if err != nil { - return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create Notation verifier").WithError(err) + return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create Notation Verifier").WithError(err) } artifactTypes := strings.Split(conf.ArtifactTypes, ",") @@ -147,7 +147,7 @@ func (v *notationPluginVerifier) Verify(ctx context.Context, referenceManifest, err := store.GetReferenceManifest(ctx, subjectReference, referenceDescriptor) if err != nil { - return verifier.VerifierResult{IsSuccess: false}, re.ErrorCodeGetReferenceManifestFailure.WithDetail(fmt.Sprintf("Failed to resolve reference manifest: %+v", referenceDescriptor)).WithError(err) + return verifier.VerifierResult{IsSuccess: false}, re.ErrorCodeGetReferenceManifestFailure.WithDetail(fmt.Sprintf("Failed to get artifact metadata: %+v", referenceDescriptor)).WithError(err) } if len(referenceManifest.Blobs) != 1 { @@ -156,7 +156,7 @@ func (v *notationPluginVerifier) Verify(ctx context.Context, blobDesc := referenceManifest.Blobs[0] refBlob, err := store.GetBlobContent(ctx, subjectReference, blobDesc.Digest) if err != nil { - return verifier.VerifierResult{IsSuccess: false}, re.ErrorCodeGetBlobContentFailure.WithDetail(fmt.Sprintf("failed to get blob content of digest: %s", blobDesc.Digest)).WithError(err) + return verifier.VerifierResult{IsSuccess: false}, re.ErrorCodeGetBlobContentFailure.WithDetail(fmt.Sprintf("Failed to get blob content of digest: %s", blobDesc.Digest)).WithError(err) } // TODO: notation verify API only accepts digested reference now. @@ -182,7 +182,7 @@ func getVerifierService(conf *NotationPluginVerifierConfig, pluginDirectory stri } verifier, err := notationVerifier.New(&conf.TrustPolicyDoc, store, NewRatifyPluginManager(pluginDirectory)) if err != nil { - return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create Notation verifier").WithError(err) + return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create Notation Verifier").WithError(err) } return verifier, nil } @@ -202,11 +202,11 @@ func parseVerifierConfig(verifierConfig config.VerifierConfig, _ string) (*Notat verifierConfigBytes, err := json.Marshal(verifierConfig) if err != nil { - return nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to marshal verifierConfig to bytes").WithError(err) + return nil, re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("Failed to recognize Notation Verifier configuration: %+v", verifierConfig)).WithError(err) } if err := json.Unmarshal(verifierConfigBytes, &conf); err != nil { - return nil, re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("Failed to unmarshal to notationPluginVerifierConfig from: %+v", verifierConfig)).WithError(err) + return nil, re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("Failed to recognize Notation Verifier configuration: %+v", verifierConfig)).WithError(err) } defaultCertsDir := paths.Join(homedir.Get(), ratifyconfig.ConfigFileDir, defaultCertPath) diff --git a/pkg/verifier/notation/truststore.go b/pkg/verifier/notation/truststore.go index 19d147a9c5..c7867e6f55 100644 --- a/pkg/verifier/notation/truststore.go +++ b/pkg/verifier/notation/truststore.go @@ -41,7 +41,7 @@ type trustStore struct { func newTrustStore(certPaths []string, verificationCertStores verificationCertStores) (*trustStore, error) { certStores, err := newCertStoreByType(verificationCertStores) if err != nil { - return nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create trust store from verificationCertStores").WithError(err).WithRemediation("Please check the configuration of verificationCertStores. Refer to Notation verifier configuration: https://ratify.dev/docs/plugins/verifier/notation#configuration") + return nil, re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("Failed to create the trust store from verificationCertStores parameter in Notation Verifier configuration: %+v", verificationCertStores)).WithError(err).WithRemediation("Please check the value of verificationCertStores parameter. Refer to the Notation Verifier configuration: https://ratify.dev/docs/plugins/verifier/notation#configuration") } store := &trustStore{ certPaths: certPaths,