fix: cliplugin: return ErrorProviderNotFound when calling Get with a …

…path (#1982) * return ErrorProviderNotFound when calling Get with a path Signed-off-by: Ramon Petgrave <[email protected]> * doc update Signed-off-by: Ramon Petgrave <[email protected]> * uodate test error message Signed-off-by: Ramon Petgrave <[email protected]> --------- Signed-off-by: Ramon Petgrave <[email protected]>
sigstore · Feb 17, 2025 · ce0fa17 · ce0fa17
1 parent a5ada3f
commit ce0fa17
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 4 deletions.
diff --git a/pkg/signature/kms/kms.go b/pkg/signature/kms/kms.go
@@ -52,8 +52,10 @@ var providersMap = map[string]ProviderInit{}
 
 // Get returns a KMS SignerVerifier for the given resource string and hash function.
 // If no matching built-in provider is found, it will try to use the plugin system as a provider.
-// If keyResourceID doesn't match any of our hard-coded providers' schemas, or the plugin program
-// can't be found, then it returns ProviderNotFoundError.
+// It returns a ProviderNotFoundError in these situations:
+// - keyResourceID doesn't match any of our hard-coded providers' schemas,
+// - the plugin name and key ref cannot be parsed from the input keyResourceID,
+// - the plugin program, can't be found.
 // It also returns an error if initializing the SignerVerifier fails.
 func Get(ctx context.Context, keyResourceID string, hashFunc crypto.Hash, opts ...signature.RPCOption) (SignerVerifier, error) {
 	for ref, pi := range providersMap {
@@ -66,7 +68,7 @@ func Get(ctx context.Context, keyResourceID string, hashFunc crypto.Hash, opts .
 		}
 	}
 	sv, err := cliplugin.LoadSignerVerifier(ctx, keyResourceID, hashFunc, opts...)
-	if errors.Is(err, exec.ErrNotFound) {
+	if errors.Is(err, exec.ErrNotFound) || errors.Is(err, cliplugin.ErrorInputKeyResourceID) {
 		return nil, fmt.Errorf("%w: %w", &ProviderNotFoundError{ref: keyResourceID}, err)
 	}
 	return sv, err

diff --git a/pkg/signature/kms/kms_test.go b/pkg/signature/kms/kms_test.go
@@ -26,6 +26,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/sigstore/sigstore/pkg/signature"
+	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin"
 )
 
 // TestGet ensures that there is are load attempts on registered providers, including the CLIPlugin,
@@ -36,11 +37,12 @@ func TestGet(t *testing.T) {
 	testHashFunc := crypto.SHA256
 	testCtx := context.Background()
 
+	var providerNotFoundError *ProviderNotFoundError
+
 	t.Run("cliplugin", func(t *testing.T) {
 		t.Parallel()
 
 		testKey := "gundam://00"
-		var providerNotFoundError *ProviderNotFoundError
 
 		// we only check for errors because we can't assume that there exists on the system
 		// a program prefixed with "sigstore-kms-".
@@ -71,6 +73,18 @@ func TestGet(t *testing.T) {
 		}
 	})
 
+	t.Run("file path", func(t *testing.T) {
+		t.Parallel()
+		testKeyResourceID := "/this/is/the/way"
+		_, err := Get(testCtx, testKeyResourceID, testHashFunc)
+		if !errors.As(err, &providerNotFoundError) {
+			t.Errorf("wanted ProviderNotFoundError, got: %v", err)
+		}
+		if !errors.Is(err, cliplugin.ErrorInputKeyResourceID) {
+			t.Errorf("wanted cliplugin.ErrorInputKeyResourceID, got: %v", err)
+		}
+	})
+
 	t.Run("successful provider", func(t *testing.T) {
 		t.Parallel()