feat: fail if tuf options set and tuf disabled
kipz committed Aug 28, 2024
1 parent d109ffb commit 0fdb133
Showing 3 changed files with 6 additions and 3 deletions.
5 changes: 2 additions & 3 deletions pkg/attest/verify.go
Expand Up @@ -33,7 +33,6 @@ func NewVerifier(opts *policy.Options) (Verifier, error) {
}
var tufClient tuf.Downloader
if !opts.DisableTUF {
// use client from context if available
tufClient, err = tuf.NewClient(opts.TUFClientOptions)
if err != nil {
return nil, fmt.Errorf("failed to create TUF client: %w", err)
Expand Down Expand Up @@ -104,8 +103,8 @@ func populateDefaultOptions(opts *policy.Options) (err error) {
return err
}
}
if opts.DisableTUF {
opts.TUFClientOptions = nil
if opts.DisableTUF && opts.TUFClientOptions != nil {
return fmt.Errorf("TUF client options set but TUF disabled")
} else if opts.TUFClientOptions == nil {
opts.TUFClientOptions = tuf.NewDockerDefaultClientOptions(opts.LocalTargetsDir)
}
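Review bot: The new guard `if opts.DisableTUF && opts.TUFClientOptions != nil` rejects explicit options, but the `else if opts.TUFClientOptions == nil` branch that follows still assigns `tuf.NewDockerDefaultClientOptions(opts.LocalTargetsDir)` when TUF is disabled and no options were given, so a disabled configuration leaves populateDefaultOptions with non-nil TUFClientOptions and would be rejected by this same check if validated a second time; the removed `opts.TUFClientOptions = nil` had kept those two states consistent. NewVerifier only builds the client under `!opts.DisableTUF`, so the stray defaults are probably unused there, but the options struct still misreports TUF as configured. Restricting the default to the enabled case fixes it in one line: `} else if !opts.DisableTUF && opts.TUFClientOptions == nil {`, or, since the first branch returns, a bare `switch` with the error as its first case avoids the `else` after a terminating `return`. populateDefaultOptions begins and ends outside the hunk.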
3 changes: 3 additions & 0 deletions pkg/attest/verify_test.go
Expand Up @@ -248,6 +248,7 @@ func TestDefaultOptions(t *testing.T) {
referrersRepo string
expectedError string
disableTuf bool
localPolicyDir string
}{
{name: "empty"},
{name: "tufClient provided", tufOpts: &tuf.ClientOptions{MetadataSource: "a", TargetsSource: "b"}},
Expand All @@ -256,6 +257,7 @@ func TestDefaultOptions(t *testing.T) {
{name: "referrersRepo provided", referrersRepo: "referrers"},
{name: "referrersRepo provided with attached", referrersRepo: "referrers", attestationStyle: config.AttestationStyleAttached, expectedError: "referrers repo specified but attestation source not set to referrers"},
{name: "tuf disabled and no local-policy-dir", disableTuf: true, expectedError: "local policy dir must be set if not using TUF"},
{name: "tuf disabled but options set", disableTuf: true, tufOpts: &tuf.ClientOptions{MetadataSource: "a", TargetsSource: "b"}, localPolicyDir: "foo", expectedError: "TUF client options set but TUF disabled"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
Expand All @@ -268,6 +270,7 @@ func TestDefaultOptions(t *testing.T) {
AttestationStyle: tc.attestationStyle,
ReferrersRepo: tc.referrersRepo,
DisableTUF: tc.disableTuf,
LocalPolicyDir: tc.localPolicyDir,
}

err = populateDefaultOptions(opts)
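Review bot: The table gains `localPolicyDir` only so that the new "tuf disabled but options set" case gets past the "local policy dir must be set if not using TUF" check, but no case covers TUF disabled with a local policy dir and no tufOpts, which is the path where populateDefaultOptions now falls through to its default-options branch instead of leaving the field nil. A row such as `{name: "tuf disabled without options", disableTuf: true, localPolicyDir: "foo"},` plus an assertion after `populateDefaultOptions(opts)` that `opts.TUFClientOptions` is still nil would pin the intended behaviour; the assertion part of this test is outside the hunk, so I cannot tell whether that field is already checked. TestDefaultOptions continues outside the hunk.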
1 change: 1 addition & 0 deletions pkg/policy/policy_test.go
Expand Up @@ -86,6 +86,7 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
require.NoError(t, err)
resolver, err := policy.CreateImageDetailsResolver(src)
require.NoError(t, err)
//nil below indicates TUF is disabled

Check failure on line 89 in pkg/policy/policy_test.go


GitHub Actions / lint

commentFormatting: put a space between `//` and comment text (gocritic)
policy, err := policy.ResolvePolicy(ctx, nil, resolver, tc.policy)
if tc.resolveErrorStr != "" {
require.Error(t, err)
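Review bot: The added comment `//nil below indicates TUF is disabled` fails the gocritic commentFormatting check shown in the lint annotation (no space after `//`), and "nil below" leaves the reader to work out which argument of the `policy.ResolvePolicy(ctx, nil, resolver, tc.policy)` call is meant. `// nil as the second argument to ResolvePolicy disables TUF for this test` satisfies the linter and names the argument; that this parameter is the tuf.Downloader seen in verify.go is inferred, not visible here. TestRegoEvaluator_Evaluate continues outside the hunk.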