Add GetApplicableTrustPolicy function #51
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com>
gokarnm
reviewed
Jun 15, 2022
gokarnm
reviewed
Jun 15, 2022
gokarnm
requested changes
Jun 15, 2022
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com>
gokarnm
reviewed
Jun 15, 2022
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com>
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com>
gokarnm
requested changes
Jun 15, 2022
verification/policy.go
Outdated
| } else if wildcardPolicy != nil { | ||
| return wildcardPolicy, nil | ||
| } else { | ||
| return nil, fmt.Errorf("registry scope %q has no applicable trust policy", artifactPath) |
There was a problem hiding this comment.
Suggested change
| return nil, fmt.Errorf("registry scope %q has no applicable trust policy", artifactPath) | |
| return nil, fmt.Errorf("artifact %q has no applicable trust policy", artifactUri) |
verification/helpers.go
Outdated
| // TODO support more types of URI like "domain.com/repository", "domain.com/repository:tag", "domain.com/repository@sha256:digest" | ||
| i := strings.LastIndex(artifactUri, ":") | ||
| if i < 0 { | ||
| return "", fmt.Errorf("registry URI %q could not be parsed, make sure it is the fully qualified registry URI without the scheme/protocol. e.g domain.com:80/my/repository:digest", artifactUri) |
There was a problem hiding this comment.
Suggested change
| return "", fmt.Errorf("registry URI %q could not be parsed, make sure it is the fully qualified registry URI without the scheme/protocol. e.g domain.com:80/my/repository:digest", artifactUri) | |
| return "", fmt.Errorf("artifact URI %q could not be parsed, make sure it is the fully qualified OCI artifact URI without the scheme/protocol. e.g domain.com:80/my/repository:digest", artifactUri) |
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com>
gokarnm
reviewed
Jun 16, 2022
verification/policy.go
Outdated
| } else if wildcardPolicy != nil { | ||
| return wildcardPolicy, nil | ||
| } else { | ||
| return nil, fmt.Errorf("artifact %q has no applicable trust policy", artifactPath) |
There was a problem hiding this comment.
Nit, I'd prefer artifactUri in the error message which is the user provided input, artifactPath is calculated in our internal logic.
Suggested change
| return nil, fmt.Errorf("artifact %q has no applicable trust policy", artifactPath) | |
| return nil, fmt.Errorf("artifact %q has no applicable trust policy", artifactUri) |
gokarnm
approved these changes
Jun 16, 2022
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com>
Signed-off-by: rgnote <5878554+rgnote@users.noreply.github.com>
| // Constants | ||
| supportedPolicyVersions := []string{"1.0"} | ||
| supportedVerificationPresets := []string{"strict", "permissive", "audit", "skip"} | ||
| supportedVerificationLevels := []string{"strict", "permissive", "audit", "skip"} |
There was a problem hiding this comment.
Are you going to replaces this with levels define in #55 ?
There was a problem hiding this comment.
Yes. I have a TODO to do that.
Comment on lines
+222
to
+224
| } else if isPresent(artifactPath, policyStatement.RegistryScopes) { | ||
| applicablePolicy = policyStatement.deepCopy() | ||
| } |
There was a problem hiding this comment.
qq: Where are we validating that there is only one applicable trust policy fir a given repository?
There was a problem hiding this comment.
|
@shizhMSFT merging this PR with two approvals. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Followed the rules from https://github.com/notaryproject/notaryproject/blob/main/trust-store-trust-policy-specification.md#selecting-a-trust-policy-based-on-artifact-uri
Signed-off-by: rgnote 5878554+rgnote@users.noreply.github.com