refactor out identity search into separate func

Signed-off-by: linus-sun <[email protected]>
sigstore · Oct 10, 2024 · 6fd3fdb · 6fd3fdb
1 parent 21f7300
commit 6fd3fdb
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 29 deletions.
diff --git a/pkg/rekor/identity.go b/pkg/rekor/identity.go
@@ -16,19 +16,24 @@ package rekor
 
 import (
 	"bytes"
+	"context"
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"os"
 	"regexp"
 
 	"github.com/go-openapi/runtime"
 	"github.com/sigstore/rekor-monitor/pkg/fulcio/extensions"
 	"github.com/sigstore/rekor-monitor/pkg/identity"
+	"github.com/sigstore/rekor-monitor/pkg/util/file"
+	"github.com/sigstore/rekor/pkg/generated/client"
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/rekor/pkg/pki"
 	"github.com/sigstore/rekor/pkg/types"
+	"github.com/sigstore/rekor/pkg/util"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 
 	// required imports to call init methods
@@ -335,3 +340,37 @@ func oidMatchesPolicy(cert *x509.Certificate, oid asn1.ObjectIdentifier, extensi
 
 	return false, nil, "", nil
 }
+
+// writeIdentitiesBetweenCheckpoints monitors for given identities between two checkpoints and writes any found identities to file.
+func writeIdentitiesBetweenCheckpoints(logInfo *models.LogInfo, prevCheckpoint *util.SignedCheckpoint, checkpoint *util.SignedCheckpoint, monitoredValues identity.MonitoredValues, rekorClient *client.Rekor, outputIdentitiesFile *string) error {
+	// Get log size of inactive shards
+	totalSize := 0
+	for _, s := range logInfo.InactiveShards {
+		totalSize += int(*s.TreeSize)
+	}
+	startIndex := int(prevCheckpoint.Size) + totalSize - 1 //nolint: gosec // G115, log will never be large enough to overflow
+	endIndex := int(checkpoint.Size) + totalSize - 1       //nolint: gosec // G115
+
+	// Search for identities in the log range
+	if len(monitoredValues.CertificateIdentities) > 0 || len(monitoredValues.Fingerprints) > 0 || len(monitoredValues.Subjects) > 0 || len(monitoredValues.OIDMatchers) > 0 {
+		entries, err := GetEntriesByIndexRange(context.Background(), rekorClient, startIndex, endIndex)
+		if err != nil {
+			return fmt.Errorf("error getting entries by index range: %v", err)
+		}
+		idEntries, err := MatchedIndices(entries, monitoredValues)
+		if err != nil {
+			return fmt.Errorf("error finding log indices: %v", err)
+		}
+
+		if len(idEntries) > 0 {
+			for _, idEntry := range idEntries {
+				fmt.Fprintf(os.Stderr, "Found %s\n", idEntry.String())
+
+				if err := file.WriteIdentity(*outputIdentitiesFile, idEntry); err != nil {
+					return fmt.Errorf("failed to write entry: %v", err)
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/pkg/rekor/verifier.go b/pkg/rekor/verifier.go
@@ -116,39 +116,16 @@ func RunConsistencyCheck(interval *time.Duration, rekorClient *client.Rekor, ver
 		// Write if there was no stored checkpoint or the sizes differ
 		if prevCheckpoint == nil || prevCheckpoint.Size != checkpoint.Size {
 			if err := file.WriteCheckpoint(checkpoint, *logInfoFile); err != nil {
-				return fmt.Errorf("failed to write checkpoint: %v", err)
+				// TODO: Once the consistency check and identity search are split into separate tasks, this should hard fail.
+				// Temporarily skipping this to allow this job to succeed, remediating the issue noted here: https://github.com/sigstore/rekor-monitor/issues/271
+				fmt.Fprintf(os.Stderr, "failed to write checkpoint: %v", err)
 			}
 		}
 
 		if prevCheckpoint != nil && prevCheckpoint.Size != checkpoint.Size {
-			// Get log size of inactive shards
-			totalSize := 0
-			for _, s := range logInfo.InactiveShards {
-				totalSize += int(*s.TreeSize)
-			}
-			startIndex := int(prevCheckpoint.Size) + totalSize - 1 //nolint: gosec // G115, log will never be large enough to overflow
-			endIndex := int(checkpoint.Size) + totalSize - 1       //nolint: gosec // G115
-
-			// Search for identities in the log range
-			if len(mvs.CertificateIdentities) > 0 || len(mvs.Fingerprints) > 0 || len(mvs.Subjects) > 0 {
-				entries, err := GetEntriesByIndexRange(context.Background(), rekorClient, startIndex, endIndex)
-				if err != nil {
-					return fmt.Errorf("error getting entries by index range: %v", err)
-				}
-				idEntries, err := MatchedIndices(entries, mvs)
-				if err != nil {
-					return fmt.Errorf("error finding log indices: %v", err)
-				}
-
-				if len(idEntries) > 0 {
-					for _, idEntry := range idEntries {
-						fmt.Fprintf(os.Stderr, "Found %s\n", idEntry.String())
-
-						if err := file.WriteIdentity(*outputIdentitiesFile, idEntry); err != nil {
-							return fmt.Errorf("failed to write entry: %v", err)
-						}
-					}
-				}
+			err = writeIdentitiesBetweenCheckpoints(logInfo, prevCheckpoint, checkpoint, mvs, rekorClient, outputIdentitiesFile)
+			if err != nil {
+				return fmt.Errorf("failed to monitor identities: %v", err)
 			}
 		}