Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Additional verification of required fields in the bundle #63

Open
haydentherapper opened this issue Jan 2, 2024 · 7 comments
Open

Additional verification of required fields in the bundle #63

haydentherapper opened this issue Jan 2, 2024 · 7 comments
Labels
enhancement New feature or request v1.0 items we want to consider for a v1.0 release

Comments

@haydentherapper
Copy link
Contributor

Description

We currently check for an inclusion proof or promise in a validation function when constructing the bundle.

Further verification for required fields would be ideal. Using proto reflection, we could use the field annotation field_behavior to determine if the field has been annotated as required.

@vishal-chdhry
Copy link
Contributor

@haydentherapper I was looking into this and I encountered an issue with content field. The protobuf bundle marks all of the field in content as REQUIRED. Validation of content field fails for this test case.

The proposal says that:

The use of REQUIRED indicates that the field must be present (and set to a non-empty value) on the request or resource.

There is something wrong in either the implementation library or the bundle, but I am not sure, what do you think?

@kommendorkapten
Copy link
Member

Try with this branch and see if that resolves the issue: sigstore/protobuf-specs#337

@vishal-chdhry
Copy link
Contributor

vishal-chdhry commented May 28, 2024

@kommendorkapten It fixes that test but it makes an empty VerificationMaterial a valid payload

bundle: &ProtobufBundle{
	Bundle: &protobundle.Bundle{
		MediaType:            "application/vnd.dev.sigstore.bundle+json;version=0.3",
		VerificationMaterial: &protobundle.VerificationMaterial{},
		Content:              nil,
	},
},
$ go test -run=Test_BundleValidation .
--- FAIL: Test_BundleValidation (0.00s)
    --- FAIL: Test_BundleValidation/name:Empty_verification_material (0.00s)
        bundle_test.go:182: Protobuf.Bundle() error = <nil>, wantErr bundle validation failed: missing required field: verification_material.public_key
FAIL
FAIL    github.com/sigstore/sigstore-go/pkg/bundle      0.190s
FAIL

I think this test case should fail

@haydentherapper
Copy link
Contributor Author

I agree that an empty VerificationMaterials should cause a test failure as at least a key hint or certificate should be required. Could this be because we need to add some logic that checks for the one_of behavior extension value?

@vishal-chdhry
Copy link
Contributor

Could this be because we need to add some logic that checks for the one_of behavior extension value?

Yes, it might require some changes in the library I am using.
But since we have only 1 protobuf message to validate, and the message is simple, should I just write a validation function specific to that struct myself. This will cut a dependency to that library and it will be faster as it is specific to the struct and not general purpose.

@haydentherapper @kommendorkapten wdyt?

@kommendorkapten
Copy link
Member

@vishal-chdhry I think that makes sense to extend the custom method we have, and avoid reflection. As you said, the number of messages is low, and the so is the general complexity. I'm in favour 👍

@steiza
Copy link
Member

steiza commented Sep 25, 2024

At the sigstore-go client meeting, we said this was a "should" (not must) for v1.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request v1.0 items we want to consider for a v1.0 release
Projects
None yet
Development

No branches or pull requests

4 participants