Improving Verify Error Response (#430)

* Will log details about evidence evaluation that doesn't not meet policy requirements. --------- Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Signed-off-by: Tom Meadows <tom@tmlabs.co.uk>
in-toto · May 10, 2024 · d866f90 · d866f90
1 parent fc48494
commit d866f90
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 12 deletions.
diff --git a/cmd/run.go b/cmd/run.go
@@ -129,6 +129,7 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 
 	results, err := witness.RunWithExports(
 		ro.StepName,
+		witness.RunWithSigners(signers...),
 		witness.RunWithAttestors(attestors),
 		witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir), attestation.WithHashes(roHashes)),
 		witness.RunWithTimestampers(timestampers...),

diff --git a/cmd/verify.go b/cmd/verify.go
@@ -80,6 +80,10 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
 		return fmt.Errorf("must supply either a public key, CA certificates or a verifier")
 	}
 
+	if !vo.ArchivistaOptions.Enable && len(vo.AttestationFilePaths) == 0 {
+		return fmt.Errorf("must either specify attestation file paths or enable archivista as an attestation source")
+	}
+
 	if vo.KeyPath != "" {
 		keyFile, err := os.Open(vo.KeyPath)
 		if err != nil {
@@ -124,26 +128,40 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
 		}
 	}
 
-	verifiedResult, err := witness.Verify(
+	verifiedEvidence, err := witness.Verify(
 		ctx,
 		policyEnvelope,
 		verifiers,
 		witness.VerifyWithSubjectDigests(subjects),
 		witness.VerifyWithCollectionSource(collectionSource),
 	)
 	if err != nil {
+		if verifiedEvidence.StepResults != nil {
+			log.Error("Verification failed")
+			log.Error("Evidence:")
+			for step, result := range verifiedEvidence.StepResults {
+				log.Error("Step: ", step)
+				for _, p := range result.Rejected {
+					if p.Collection.Collection.Name != "" {
+						log.Errorf("collection rejected: %s, Reason: %s ", p.Collection.Collection.Name, p.Reason)
+					} else {
+						log.Errorf("verification failure: Reason: %s", p.Reason)
+					}
+				}
+			}
+		}
 		return fmt.Errorf("failed to verify policy: %w", err)
-	}
-
-	log.Info("Verification succeeded")
-	log.Info("Evidence:")
-	num := 0
-	for _, stepEvidence := range verifiedResult.StepResults {
-		for _, e := range stepEvidence.Passed {
-			log.Info(fmt.Sprintf("%d: %s", num, e.Reference))
-			num++
+	} else {
+		log.Info("Verification succeeded")
+		log.Info("Evidence:")
+		num := 0
+		for step, result := range verifiedEvidence.StepResults {
+			log.Info("Step: ", step)
+			for _, p := range result.Passed {
+				log.Info(fmt.Sprintf("%d: %s", num, p.Reference))
+				num++
+			}
 		}
+		return nil
 	}
-
-	return nil
 }