
revert: fix: repetitive and incorrect log lines on witness verify (#317)"

This reverts commit 26ee2dc.

This commit breaks policy evaluations, causing good policies to fail.
mikhailswift committed Aug 22, 2024
1 parent cf898e1 commit da5228f
Showing 3 changed files with 35 additions and 24 deletions.
33 changes: 20 additions & 13 deletions policy/policy.go
Expand Up @@ -239,30 +239,30 @@ func (p Policy) Verify(ctx context.Context, opts ...VerifyOption) (bool, map[str
resultsByStep := make(map[string]StepResult)
for depth := 0; depth < vo.searchDepth; depth++ {
for stepName, step := range p.Steps {
// initialize the result for this step if it hasn't been already
if _, ok := resultsByStep[stepName]; !ok {
resultsByStep[stepName] = StepResult{Step: stepName}
}

// Use search to get all the attestations that match the supplied step name and subjects
collections, err := vo.verifiedSource.Search(ctx, stepName, vo.subjectDigests, attestationsByStep[stepName])
if err != nil {
return false, nil, err
}

if len(collections) == 0 {
continue
collections = append(collections, source.CollectionVerificationResult{Errors: []error{ErrNoCollections{Step: stepName}}})
}

// Verify the functionaries and validate attestations
// Verify the functionaries
collections = step.checkFunctionaries(collections, trustBundles)
stepResult := step.validateAttestations(collections)

// Merge the results
if result, ok := resultsByStep[stepName]; ok {
result.Passed = append(result.Passed, stepResult.Passed...)
result.Rejected = append(result.Rejected, stepResult.Rejected...)
stepResult := step.validateAttestations(collections)

resultsByStep[stepName] = result
// We perform many searches against the same step, so we need to merge the relevant fields
if resultsByStep[stepName].Step == "" {
resultsByStep[stepName] = stepResult
} else {
if result, ok := resultsByStep[stepName]; ok {
result.Passed = append(result.Passed, stepResult.Passed...)
result.Rejected = append(result.Rejected, stepResult.Rejected...)
resultsByStep[stepName] = result
}
}

for _, coll := range stepResult.Passed {
Expand Down Expand Up @@ -325,6 +325,13 @@ func (p Policy) verifyArtifacts(resultsByStep map[string]StepResult) (map[string
for _, step := range p.Steps {
accepted := false
if len(resultsByStep[step.Name].Passed) == 0 {
if result, ok := resultsByStep[step.Name]; ok {
result.Rejected = append(result.Rejected, RejectedCollection{Reason: fmt.Errorf("failed to verify artifacts for step %s: no passed collections present", step.Name)})
resultsByStep[step.Name] = result
} else {
return nil, fmt.Errorf("failed to find step %s in step results map", step.Name)
}

continue
}

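Review bot: The restored line `collections = append(collections, source.CollectionVerificationResult{Errors: []error{ErrNoCollections{Step: stepName}}})` sits inside the `for depth := 0; depth < vo.searchDepth; depth++` loop, so a step that never matches presumably gets one ErrNoCollections rejection appended per depth at `result.Rejected = append(result.Rejected, stepResult.Rejected...)`, which looks like the repetition the reverted commit was chasing. A narrower fix than the reverted `continue` would be to add the synthetic no-collections result only when `resultsByStep[stepName]` has neither Passed nor Rejected entries yet, so an unmatched step still fails policy evaluation but the rejection is recorded once. In the merge branch, `if result, ok := resultsByStep[stepName]; ok {` is redundant once `resultsByStep[stepName].Step == ""` has been evaluated on the same key, and could be a plain read. Verify begins and ends outside this hunk.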
2 changes: 1 addition & 1 deletion policy/step.go
Expand Up @@ -184,7 +184,7 @@ func (s Step) validateAttestations(collectionResults []source.CollectionVerifica
if passed {
result.Passed = append(result.Passed, collection)
} else {
r := strings.Join(reasons, "\n - ")
r := strings.Join(reasons, ",\n - ")
reason := fmt.Sprintf("collection validation failed:\n - %s", r)
result.Rejected = append(result.Rejected, RejectedCollection{
Collection: collection,
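--- a/source/memory.go
+++ b/source/memory.go
@@ -22,7 +22,6 @@ import (
 "os"
 
 "github.com/in-toto/go-witness/dsse"
-"github.com/in-toto/go-witness/log"
 )
 
 type ErrDuplicateReference string
@@ -32,7 +31,6 @@ func (e ErrDuplicateReference) Error() string {
 }
 
 type MemorySource struct {
-searched bool
 envelopesByReference map[string]CollectionEnvelope
 referencesByCollectionName map[string][]string
 subjectDigestsByReference map[string]map[string]struct{}
@@ -41,7 +39,6 @@ type MemorySource struct {
 
 func NewMemorySource() *MemorySource {
 return &MemorySource{
-searched: false,
 envelopesByReference: make(map[string]CollectionEnvelope),
 referencesByCollectionName: make(map[string][]string),
 subjectDigestsByReference: make(map[string]map[string]struct{}),
@@ -107,13 +104,6 @@ func (s *MemorySource) LoadEnvelope(reference string, env dsse.Envelope) error {
 }
 
 func (s *MemorySource) Search(ctx context.Context, collectionName string, subjectDigests, attestations []string) ([]CollectionEnvelope, error) {
-if s.searched {
-log.Debug("skipping memory source search: already performed")
-return []CollectionEnvelope{}, nil
-} else {
-s.searched = true
-}
-
 matches := make([]CollectionEnvelope, 0)
 for _, potentialMatchReference := range s.referencesByCollectionName[collectionName] {
 env, ok := s.envelopesByReference[potentialMatchReference]
@@ -135,6 +125,20 @@ func (s *MemorySource) Search(ctx context.Context, collectionName string, subjec
 continue
 }
 
+// make sure all the expected attestations appear in the collection
+attestationsMatched := true
+indexAttestations := s.attestationsByReference[potentialMatchReference]
+for _, checkAttestation := range attestations {
+if _, ok := indexAttestations[checkAttestation]; !ok {
+attestationsMatched = false
+break
+}
+}
+
+if !attestationsMatched {
+continue
+}
+
 matches = append(matches, env)
 }
 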
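Review bot: The membership check added from `attestationsMatched := true` through `if !attestationsMatched { continue }` is a loop-plus-flag that reads more clearly as a small predicate stating the contract directly: every name in `attestations` must be a key of the indexed collection's attestation set. The helper below is generic over the inner map's value type because that type is not visible in this hunk; if `attestationsByReference` mirrors `subjectDigestsByReference` it can be narrowed to `map[string]struct{}`, and if the module predates Go 1.18 the type parameter has to be spelled out. With the `searched` guard removed, Search returns the same matches on every call, so any caller that searches repeatedly is responsible for merging duplicates. Search begins and ends outside this hunk.
```go
// hasAllAttestations reports whether every name in want is present in have.
func hasAllAttestations[V any](have map[string]V, want []string) bool {
	for _, name := range want {
		if _, ok := have[name]; !ok {
			return false
		}
	}
	return true
}

// … unchanged: Search body up to the subject digest filtering …
		// make sure all the expected attestations appear in the collection
		if !hasAllAttestations(s.attestationsByReference[potentialMatchReference], attestations) {
			continue
		}

		matches = append(matches, env)
```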
