

Fix a bug where an error would send duplicate results.
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
vaikas committed Apr 24, 2022
1 parent f08ae46 commit 54e56fe
Showing 2 changed files with 50 additions and 2 deletions.
4 changes: 2 additions & 2 deletions pkg/cosign/kubernetes/webhook/validator.go
Expand Up @@ -267,9 +267,9 @@ func validatePolicies(ctx context.Context, ref name.Reference, policies map[stri
logging.FromContext(ctx).Infof("Validating CIP level policy for %s", cipName)
policyJSON, err := json.Marshal(result.policyResult)
if err != nil {
results <- result
result.errors = append(result.errors, err)
} else {
logging.FromContext(ctx).Infof("Validating CIP level policy against %s", string(policyJSON))
logging.FromContext(ctx).Debugf("Validating CIP level policy against %s", string(policyJSON))
err = policy.EvaluatePolicyAgainstJSON(ctx, "ClusterImagePolicy", cip.Policy.Type, cip.Policy.Data, policyJSON)
if err != nil {
result.errors = append(result.errors, err)
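Review bot: The error appended in the new json.Marshal failure branch is the bare encoder error, so a reader of result.errors cannot tell which policy's result failed to serialize; wrapping it as `result.errors = append(result.errors, fmt.Errorf("marshaling policy result for %s: %w", cipName, err))` keeps the %w chain intact for callers that unwrap. The branch now falls through instead of sending on results, so the single send presumably happens on a common path after this if/else, outside the hunk; validatePolicies starts before and continues after the hunk. The accompanying test case exercises the EvaluatePolicyAgainstJSON failure rather than the Marshal failure that this branch handles, so the duplicate-send regression on this exact path is not pinned by a test. Demoting the policy-JSON dump from Infof to Debugf also keeps evaluated policy results out of routine logs, which reads as intentional.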
48 changes: 48 additions & 0 deletions pkg/cosign/kubernetes/webhook/validator_test.go
Expand Up @@ -341,6 +341,54 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
return errs
}(),
cvs: fail,
}, {
name: "simple, authority keyless checks out, good fulcio, bad cip policy",
ps: &corev1.PodSpec{
InitContainers: []corev1.Container{{
Name: "setup-stuff",
Image: digest.String(),
}},
Containers: []corev1.Container{{
Name: "user-container",
Image: digest.String(),
}},
},
customContext: config.ToContext(context.Background(),
&config.Config{
ImagePolicyConfig: &config.ImagePolicyConfig{
Policies: map[string]webhookcip.ClusterImagePolicy{
"cluster-image-policy-keyless": {
Images: []v1alpha1.ImagePattern{{
Regex: ".*",
}},
Authorities: []webhookcip.Authority{
{
Keyless: &webhookcip.KeylessRef{
URL: fulcioURL,
},
},
},
Policy: &webhookcip.AttestationPolicy{
Name: "invalid json policy",
Type: "cue",
Data: `{"wontgo}`,
},
},
},
},
},
),
want: func() *apis.FieldError {
var errs *apis.FieldError
fe := apis.ErrGeneric("failed policy: cluster-image-policy-keyless", "image").ViaFieldIndex("initContainers", 0)
fe.Details = fmt.Sprintf("%s failed evaluating cue policy for ClusterImagePolicy : string literal not terminated", digest.String())
errs = errs.Also(fe)
fe2 := apis.ErrGeneric("failed policy: cluster-image-policy-keyless", "image").ViaFieldIndex("containers", 0)
fe2.Details = fmt.Sprintf("%s failed evaluating cue policy for ClusterImagePolicy : string literal not terminated", digest.String())
errs = errs.Also(fe2)
return errs
}(),
cvs: pass,
}, {
name: "simple, no error, authority keyless, good fulcio",
ps: &corev1.PodSpec{
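Review bot: The new case is the regression test for the duplicate-results bug, but nothing in it says so; a comment above `name: "simple, authority keyless checks out, good fulcio, bad cip policy",` such as `// Regression: a failing policy must yield exactly one FieldError per container, never duplicates.` would tell the next reader why errs.Also is called once per container and why the count matters. The two expected Details strings at fe.Details and fe2.Details repeat the same fmt.Sprintf and embed cue's parser message verbatim (`string literal not terminated`), so a cue upgrade that rewords that message breaks the case; building the string once in a local and, if the harness allows, matching on the stable prefix `failed evaluating cue policy for ClusterImagePolicy` would be less brittle. The enclosing test table starts and ends outside the hunk.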

