update: improve missing trustpolicy error message (#282)

This PR improves the error message for a missing trustpolicy file [notaryproject/notation/#128](notaryproject/notation#128 (comment)). This is the output when the trustpolicy is missing: ``` c889f3b9d811:notation kodysk$ ./bin/notation verify $IMAGE Error: Trust policy is not present, please create trust policy at /Users/kodysk/Library/Application Support/notation/trustpolicy.json ``` Signed-off-by: Kody Kimberl kody.kimberl.work@gmail.com
notaryproject · Mar 3, 2023 · 9920fb7 · 9920fb7
1 parent 8c3ed92
commit 9920fb7
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/verifier/trustpolicy/trustpolicy.go b/verifier/trustpolicy/trustpolicy.go
@@ -6,6 +6,8 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"os"
+	"path/filepath"
 	"regexp"
 	"strings"
 
@@ -265,7 +267,14 @@ func (trustPolicyDoc *Document) GetApplicableTrustPolicy(artifactReference strin
 func LoadDocument() (*Document, error) {
 	jsonFile, err := dir.ConfigFS().Open(dir.PathTrustPolicy)
 	if err != nil {
-		return nil, err
+		switch {
+		case errors.Is(err, os.ErrNotExist):
+			return nil, fmt.Errorf("trust policy is not present, please create trust policy at %s", filepath.Join(dir.UserConfigDir, dir.PathTrustPolicy))
+		case errors.Is(err, os.ErrPermission):
+			return nil, fmt.Errorf("unable to read trust policy due to file permissions, please verify the permissions of %s", filepath.Join(dir.UserConfigDir, dir.PathTrustPolicy))
+		default:
+			return nil, err
+		}
 	}
 	defer jsonFile.Close()
 	policyDocument := &Document{}

diff --git a/verifier/trustpolicy/trustpolicy_test.go b/verifier/trustpolicy/trustpolicy_test.go
@@ -545,7 +545,7 @@ func TestLoadDocument(t *testing.T) {
 	tempRoot := t.TempDir()
 	dir.UserConfigDir = tempRoot
 	_, err := LoadDocument()
-	if err == nil {
+	if err == nil || err.Error() != fmt.Sprintf("trust policy is not present, please create trust policy at %s/trustpolicy.json", tempRoot) {
 		t.Fatalf("TestLoadPolicyDocument should throw error for non existent policy")
 	}
 
@@ -576,4 +576,20 @@ func TestLoadDocument(t *testing.T) {
 	if err != nil {
 		t.Fatalf("TestLoadPolicyDocument should not throw error for an existing policy file. Error: %v", err)
 	}
+
+	// existing policy file with bad permissions
+	tempRoot = t.TempDir()
+	dir.UserConfigDir = tempRoot
+	path = filepath.Join(tempRoot, "trustpolicy.json")
+	policyDoc2 := dummyPolicyDocument()
+	policyJson2, _ := json.Marshal(policyDoc2)
+	err = os.WriteFile(path, policyJson2, 0000)
+	err = os.Chmod(path, 0000)
+	if err != nil {
+		t.Fatalf("TestLoadPolicyDocument create policy file with bad permissions failed. Error: %v", err)
+	}
+	_, err = LoadDocument()
+	if err == nil || err.Error() != fmt.Sprintf("unable to read trust policy due to file permissions, please verify the permissions of %s/trustpolicy.json", tempRoot) {
+		t.Fatalf("TestLoadPolicyDocument should throw error for a policy file with bad permissions. Error: %v", err)
+	}
 }