Updated rule verification error messages and error workflow

Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou · Nov 8, 2018 · 58d0004 · 58d0004
1 parent d41e7a9
commit 58d0004
Showing 1 changed file with 6 additions and 20 deletions.
diff --git a/in_toto/verifylib.py b/in_toto/verifylib.py
@@ -572,16 +572,7 @@ def verify_match_rule(rule, source_artifacts_queue, source_artifacts, links):
     The rule only modifies the source artifacts queue, by removing artifacts
     that were successfully consumed by the rule, i.e. if there was a match with
     a target artifact.
-
-    FIXME:
-    In in-toto/in-toto#204 the behavior of the match rule was changed to NOT
-    FAIL if a required destination artifact could not be found in the
-    corresponding destination link, or if a source and destination artifact
-    pair has no matching hashes. However, the rule verification still fails
-    if a required destination link is not found.
-    As failing the overall rule verification is now left to a subsequent
-    DISALLOW rule, the "fail on missing destination link" should be removed.
-
+    
   <Terms>
     queued source artifacts:
         Artifacts reported by the link for the step/inspection containing passed
@@ -652,9 +643,6 @@ def verify_match_rule(rule, source_artifacts_queue, source_artifacts, links):
     FormatError
         if the rule does not conform with the rule format.
 
-    RuleVerificationError
-        if the destination link is not found in the passed link dictionary.
-
   <Side Effects>
     None.
 
@@ -672,9 +660,7 @@ def verify_match_rule(rule, source_artifacts_queue, source_artifacts, links):
   try:
     dest_link = links[dest_name]
   except KeyError:
-    raise RuleVerificationError("Rule '{rule}' failed, destination link"
-        " '{dest_link}' not found in link dictionary".format(
-            rule=" ".join(rule), dest_link=dest_name))
+    return source_artifacts_queue
 
   # Extract destination artifacts from destination link
   if dest_type.lower() == "materials":
@@ -797,8 +783,7 @@ def verify_create_rule(rule, source_materials_queue, source_products_queue):
 
   """
   rule_data = in_toto.rulelib.unpack_rule(rule)
-
-
+
   matched_products = fnmatch.filter(
       source_products_queue, rule_data["pattern"])
 
@@ -1026,8 +1011,9 @@ def verify_disallow_rule(rule, source_artifacts_queue):
       source_artifacts_queue, rule_data["pattern"])
 
   if len(matched_artifacts):
-    raise RuleVerificationError("Rule '{0}' failed, pattern matched disallowed"
-        " artifacts: '{1}' ".format(" ".join(rule), matched_artifacts))
+    raise RuleVerificationError("Rule '{0}' failed, rule pattern matches the"
+        " following artifacts of the artifact queue, which is disallowed:"
+        " '{1}' ".format(" ".join(rule), matched_artifacts))
 
 
 def verify_item_rules(source_name, source_type, rules, links):