Fix: Have the policy-tester library check policy result. #809

Merged 1 commit on May 31, 2023

Commits on May 30, 2023

  1. Fix: Have the policy-tester library check policy result.

    🐛 The policy tester library blindly checked the errors, but with multiple authorities we might have errors, but still successfully evaluated the policy.
    
    Here is the comment from the ~equivalent call to `ValidatePolicy(` from `validator.go` for comparison:
    
    ```go
    			switch {
    			// Return AuthorityMatches before errors, since even if there
    			// are errors, if there are 0 or more authorities that match,
    			// it will pass the Policy. Of course, a CIP level policy can
    			// override this behaviour, but that has been checked above and
    			// if it failed, it will nil out the policyResult.
    			case result.policyResult != nil:
    				policyResults[result.name] = result.policyResult
    			case len(result.errors) > 0:
    				ret[result.name] = append(ret[result.name], result.errors...)
    			default:
    				ret[result.name] = append(ret[result.name], fmt.Errorf("failed to process policy: %s", result.name))
    			}
    
    ```
    
    ... with this I was able to successfully run the policy tester using a policy that had a separate authority for SLSA `v0.2` and `v1` predicate types without it failing.
    
    /kind bug
    
    Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
    mattmoor committed May 30, 2023
    Commit b4622d1
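The ordering the commit message describes, as an added Go example that is not the project's code: it contrasts failing on any authority error with checking the policy result first, and shows that the result-first form still fails closed. The `outcome` type, the function names, and the sample policy and authority names are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// outcome is a hypothetical stand-in for one evaluated policy: the matching
// authorities (nil when the policy did not pass) plus non-matching errors.
type outcome struct {
	name    string
	matches map[string]string // authority name -> matched predicate type
	errs    []error
}

// errorsFirst models the behaviour described as the bug: any authority
// error fails the policy, even when another authority matched.
func errorsFirst(o outcome) (bool, []error) {
	if len(o.errs) > 0 {
		return false, o.errs
	}
	return o.matches != nil, nil
}

// resultFirst follows the ordering of the quoted switch: a non-nil result
// wins, errors count only without one, and neither is still a failure.
func resultFirst(o outcome) (bool, []error) {
	switch {
	case o.matches != nil:
		return true, nil
	case len(o.errs) > 0:
		return false, o.errs
	default:
		return false, []error{fmt.Errorf("failed to process policy: %s", o.name)}
	}
}

// sample is constructed data: only the v1 authority finds an attestation.
func sample() outcome {
	return outcome{
		name:    "slsa-provenance",
		matches: map[string]string{"slsa-v1": "v1"},
		errs:    []error{errors.New("slsa-v02: no matching attestations")},
	}
}

func main() {
	fmt.Println(errorsFirst(sample())) // rejected despite a matching authority
	fmt.Println(resultFirst(sample())) // accepted: one authority matched
}
```

A tester that reports pass or fail this way should also surface the non-matching authorities' errors as diagnostics, so a misconfigured authority is not hidden by another one that happens to match.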