Commit
Fix: Have the policy-tester library check policy result.
🐛 The policy tester library blindly checked the errors, but with multiple authorities we might have errors, but still successfully evaluated the policy.

Here is the comment from the ~equivalent call to `ValidatePolicy(` from `validator.go` for comparison:

```go
switch {
// Return AuthorityMatches before errors, since even if there
// are errors, if there are 0 or more authorities that match,
// it will pass the Policy. Of course, a CIP level policy can
// override this behaviour, but that has been checked above and
// if it failed, it will nil out the policyResult.
case result.policyResult != nil:
	policyResults[result.name] = result.policyResult
case len(result.errors) > 0:
	ret[result.name] = append(ret[result.name], result.errors...)
default:
	ret[result.name] = append(ret[result.name], fmt.Errorf("failed to process policy: %s", result.name))
}
```

... with this I was able to successfully run the policy tester using a policy that had a separate authority for SLSA `v0.2` and `v1` predicate types without it failing.

/kind bug

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
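The difference between the two checks, as an added example that is not code from this commit or from the project: a policy with one authority per SLSA predicate type is evaluated against an attestation carrying only one of them. All types and function names here are hypothetical, the rule that a single matching authority satisfies the policy is an assumption of the model, and the CIP-level policy override mentioned in the quoted comment is left out.

```go
package main

import "fmt"

// evaluation is a hypothetical stand-in for one policy's outcome: matched is
// nil when the policy failed, errs holds errors from non-matching authorities.
type evaluation struct {
	matched []string
	errs    []error
}

// evaluate checks every authority (modelled as an expected predicate type).
func evaluate(authorities []string, predicateType string) evaluation {
	var ev evaluation
	for _, want := range authorities {
		if want == predicateType {
			ev.matched = append(ev.matched, want)
		} else {
			ev.errs = append(ev.errs, fmt.Errorf("authority %s: no matching attestation", want))
		}
	}
	return ev
}

// verdictErrorsOnly fails on any error, the behaviour the commit message calls the bug.
func verdictErrorsOnly(ev evaluation) error {
	if len(ev.errs) > 0 {
		return fmt.Errorf("%d authority error(s): %v", len(ev.errs), ev.errs)
	}
	return nil
}

// verdictResultFirst looks at the result before the errors, as in the quoted switch.
func verdictResultFirst(ev evaluation) error {
	switch {
	case ev.matched != nil:
		return nil
	case len(ev.errs) > 0:
		return verdictErrorsOnly(ev)
	default:
		return fmt.Errorf("failed to process policy")
	}
}

func main() {
	ev := evaluate([]string{"slsa-v0.2", "slsa-v1"}, "slsa-v1") // constructed input
	fmt.Println("errors only:", verdictErrorsOnly(ev), "| result first:", verdictResultFirst(ev))
}
```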