Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Checking attestors for duplicates #332

Closed
wants to merge 13 commits into from
Closed

Checking attestors for duplicates #332

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
53649d3
added all imports
ChaosInTheCRD Dec 13, 2023
a9c82b0
fixing go sum
ChaosInTheCRD Dec 13, 2023
c7e725e
changing go-witness back for now, makes more sense
ChaosInTheCRD Dec 13, 2023
e828be0
moved witness to using new in-toto/go-witness module
ChaosInTheCRD Dec 15, 2023
98b06f1
adding change to test now following newer version of policy
ChaosInTheCRD Dec 15, 2023
9514e0a
running docgen as changes found from use of new module
ChaosInTheCRD Dec 15, 2023
da03354
checking for duplicate attestors declared on `witness run`
ChaosInTheCRD Dec 15, 2023
7955bff
updating go mod
ChaosInTheCRD Dec 15, 2023
f208908
Merge branch 'main' into checking-new-attestors
ChaosInTheCRD Dec 18, 2023
7377a06
updating go sum
ChaosInTheCRD Dec 18, 2023
4ccf0d5
removing autobuild for declarative in CodeQL
ChaosInTheCRD Dec 19, 2023
0fce4c8
Merge branch 'main' into checking-new-attestors
ChaosInTheCRD Dec 19, 2023
12564de
Merge branch 'main' into checking-new-attestors
ChaosInTheCRD Jan 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 14 additions & 4 deletions cmd/run.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,12 +85,22 @@
attestors = append(attestors, commandrun.New(commandrun.WithCommand(args), commandrun.WithTracing(ro.Tracing)))
}

addtlAttestors, err := attestation.Attestors(ro.Attestations)
if err != nil {
return fmt.Errorf("failed to create attestors := %w", err)
for _, a := range ro.Attestations {
for _, att := range attestors {
if a == att.Name() {
log.Warnf("Attestator %s already declared, skipping", a)
break
} else {
attestor, err := attestation.AddAttestor(a)

Check failure on line 94 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Verify Docgen 

undefined: attestation.AddAttestor

Check failure on line 94 in cmd/run.go

View workflow job for this annotation

GitHub Actions / unit-test / witness 

undefined: attestation.AddAttestor

Check failure on line 94 in cmd/run.go

View workflow job for this annotation

GitHub Actions / sast / witness 

undefined: attestation.AddAttestor
if err != nil {
return fmt.Errorf("failed to create attestor: %w", err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to fail at the first attestor, or would it be better to continue trying to add the subsequent attestors and give the user an error with all failed attestors?
My question is, because we do it for duplicated ones, we warn the user. Is there any reason to fail at the first attestors?

Example: Let's say the user sends attestors a, b, c, d, e, f
a and c are duplicated
d return error.
b, e, f are good.

We will warn the user about a, include b, warn the user about c, and fail in e,

Feel free to ignore if I'm missing some context here :)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmmm, so I don't feel really strongly either way, but I suppose you're asking 'if failing to create an attestor fails, should we fail?'.

If the AddAttestor function fails, I think we should stop. I don't think a witness run should continue if not all the expected attestations are going to be generated. I think that I am confident that the command should fail on failed attestor creation.

Going back to the original problem that this PR removes, I tackled this by warning the user that they have repeated themselves / declared an attestor that has already been declared (e.g., by default). Possibly it could be a better practice to just fail in this situation. After all, it may be better to be simple and say "you've duplicated attestor defintion, please fix the invocation".

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jkjell @mikhailswift, any thoughts?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To throw a 🔧 in the conversation, I create #340 to capture thoughts around a future idea that may be counter to this one.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jkjell I think that what you mention in #340 makes sense, but I don't think it collides too much with this due to the fact that (at least for now) there is no reason why you would want to run an attestor more than once. I think that we should merge this for now, and we could potentially change it in future if/when we implement #340.

}
attestors = append(attestors, attestor)
break
}
}
}

attestors = append(attestors, addtlAttestors...)
for _, attestor := range attestors {
setters, ok := ro.AttestorOptSetters[attestor.Name()]
if !ok {
Expand Down
6 changes: 1 addition & 5 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -225,12 +225,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe h1:SNafk19rV7gMlu3YyFuVkj/9vsXnMp6yrFMXDguT3fE=
github.com/in-toto/archivista v0.1.3-0.20231214050507-e28a4170a9fe/go.mod h1:AJU7zhcITsaufiqYMFPLZM66/vwmHVQtZeC2/JFxw7w=
github.com/in-toto/archivista v0.2.0 h1:FViuHMVVETborvOqlmSYdROY8RmX3CO0V0MOhU/Rl20=
github.com/in-toto/archivista v0.2.0/go.mod h1:qt9uN4TkHWUgR5A2wxRqQIBizSl32P2nI2AjESskkr0=
github.com/in-toto/go-witness v0.1.18-0.20231214175634-5b5647c42b3c h1:BrnFYv8TI/uFBkB+WkY5npqveeNFG/fVf1k4Hd9LMl8=
github.com/in-toto/go-witness v0.1.18-0.20231214175634-5b5647c42b3c/go.mod h1:uiBFKD3cykEKWZzzc5Vshy3YeKAwlafIm9/7NGx+Xck=
github.com/in-toto/go-witness v0.2.0 h1:lxp3+Kc4Der2C1jV9ZePjSCEHUr2NsB4sImXI5sZHu4=
github.com/in-toto/go-witness v0.2.0/go.mod h1:Jr6ZlYoVfTS3hjUSmJ10J8qiHjpF1cfSE4NLAIJpbLw=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
Expand Down Expand Up @@ -359,8 +355,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY=
github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
github.com/vmihailenco/tagparser v0.1.2 h1:gnjoVuB/kljJ5wICEEOpx98oXMWPLj22G67Vbd1qPqc=
github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
Expand Down
Loading