Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: refactor cosign verification error messages #1750

Merged
merged 38 commits into from
Sep 10, 2024

Conversation

binbin-li
Copy link
Collaborator

@binbin-li binbin-li commented Aug 26, 2024

Description

What this PR does / why we need it:

This PR is based on #1730, check the actual diff at: binbin-li#230

It refactors error messages involved in Cosign signature validation, improving the clarity of error messages and providing more intuitive remediation steps for users.

For errors that are self-explanatory, I have not included remediation steps.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Part of work for #1321

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

  • Test A
  • Test B

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

duffney and others added 22 commits August 16, 2024 05:55
feat: refresher interface

fix: formatting and license

test: kuberefresher

test: kuberefresher helpers

refactor: IsRefreshable KMP interface method

fix: add IsRefreshable method

refactor: kmp spec interval as string

mod: rm todo

mod: rm comment

style: use embedded type

feat: namespaced refresher interface

test: mock factory & test refreshable logic

refactor: use kubeRefreshNamespaced in controller

mod: add license blocks

refactor: kmp.spec.interval default to empty string disabling refresh

tests: increase refresher coverage

refactor(kmp): use factory for creating refresher objects

This change introduces a RefresherFactory that is responsible for creating the
appropriate refresher object based on a configuration that's passed in. This decouples the
reconcile logic from the object creation, making the code more modular and easier to test

mod: rename interval to refreshinterval & adds crd descriptions

mod: remove verbose logging from refresher

docs: kmp refresh interval samples

doc: corrected resource name of akv samples

fix: kmp spec json tag using incorrect values & add refresh interval description

fix: add licenses & update interval name in tests

mod: comments for exported interfaces

test: improve refresher test coverage
Signed-off-by: Joshua Duffney <[email protected]>
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.0 to 0.17.1.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](anchore/sbom-action@d94f46e...ab9d16d)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.0 to 3.26.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@eb055d7...29d86d2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.1 to 3.26.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@29d86d2...429e197)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
Copy link

codecov bot commented Aug 26, 2024

Codecov Report

Attention: Patch coverage is 82.75862% with 10 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
pkg/verifier/cosign/cosign.go 75.00% 5 Missing ⚠️
pkg/verifier/cosign/trustpolicies.go 80.00% 2 Missing ⚠️
pkg/verifier/cosign/trustpolicy.go 90.90% 2 Missing ⚠️
pkg/referrerstore/oras/oras.go 75.00% 1 Missing ⚠️
Files with missing lines Coverage Δ
pkg/referrerstore/oras/cosign.go 100.00% <100.00%> (ø)
pkg/referrerstore/oras/oras.go 80.97% <75.00%> (ø)
pkg/verifier/cosign/trustpolicies.go 94.52% <80.00%> (ø)
pkg/verifier/cosign/trustpolicy.go 90.59% <90.90%> (+8.54%) ⬆️
pkg/verifier/cosign/cosign.go 80.97% <75.00%> (+2.30%) ⬆️

@binbin-li binbin-li force-pushed the refactor-cosign-msg branch 2 times, most recently from 360d80b to 381d61a Compare August 28, 2024 04:55
@binbin-li
Copy link
Collaborator Author

I've resolved comments from @yizha1 at the PR from my forked repo: binbin-li#230

pkg/verifier/cosign/cosign.go Outdated Show resolved Hide resolved
pkg/verifier/cosign/trustpolicy.go Outdated Show resolved Hide resolved
pkg/verifier/cosign/trustpolicy.go Outdated Show resolved Hide resolved
pkg/verifier/cosign/trustpolicy.go Outdated Show resolved Hide resolved
Copy link
Collaborator

@yizha1 yizha1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Collaborator

@FeynmanZhou FeynmanZhou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@binbin-li binbin-li enabled auto-merge (squash) September 10, 2024 05:36
@binbin-li binbin-li disabled auto-merge September 10, 2024 05:56
@binbin-li binbin-li enabled auto-merge (squash) September 10, 2024 06:05
Copy link
Collaborator

@akashsinghal akashsinghal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding this! Left some non blocking comments.

@@ -46,7 +46,7 @@ func getCosignReferences(ctx context.Context, subjectReference common.Reference,
return nil, nil
}
evictOnError(ctx, err, subjectReference.Original)
return nil, re.ErrorCodeRepositoryOperationFailure.WithError(err).WithComponentType(re.ReferrerStore)
return nil, re.ErrorCodeRepositoryOperationFailure.WithDetail(fmt.Sprintf("Failed to validate the signature of the artifact: %+v", subjectReference)).WithError(err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: consider adding cosign in the error message since it's co-sign specific. Also maybe adding failed to validate existence of cosign signature instead?

@@ -224,18 +224,18 @@ func (v *cosignVerifier) verifyInternal(ctx context.Context, subjectReference co
// get the reference manifest (cosign oci image)
referenceManifest, err := referrerStore.GetReferenceManifest(ctx, subjectReference, referenceDescriptor)
if err != nil {
return errorToVerifyResult(v.name, v.verifierType, fmt.Errorf("failed to get reference manifest: %w", err)), nil
return errorToVerifyResult(v.name, v.verifierType, re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("Failed to get artifact metadata for %s", referenceDescriptor.Digest)).WithError(err)), nil
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return errorToVerifyResult(v.name, v.verifierType, re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("Failed to get artifact metadata for %s", referenceDescriptor.Digest)).WithError(err)), nil
return errorToVerifyResult(v.name, v.verifierType, re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("Failed to get cosign signature metadata for %s", referenceDescriptor.Digest)).WithError(err)), nil

@@ -540,14 +540,14 @@ func verifyWithKeys(ctx context.Context, keysMap map[PKKey]keymanagementprovider
if pubKey.ProviderType == azurekeyvault.ProviderName {
hashType, sig, err = processAKVSignature(sigEncoded, sig, pubKey.Key, payload, staticOpts)
if err != nil {
return verifications, false, fmt.Errorf("failed to process AKV signature: %w", err)
return verifications, false, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to validate the Cosign signature generated by AKV").WithError(err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return verifications, false, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to validate the Cosign signature generated by AKV").WithError(err)
return verifications, false, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to validate the Cosign signature generated by Azure Key Vault").WithError(err)

@binbin-li binbin-li merged commit 4d4d00c into ratify-project:dev Sep 10, 2024
19 checks passed
akashsinghal pushed a commit to akashsinghal/ratify that referenced this pull request Sep 13, 2024
binbin-li added a commit to binbin-li/ratify that referenced this pull request Sep 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants