From db82d6e0822292b47f396926b18658b980fcbf05 Mon Sep 17 00:00:00 2001
From: Wang Yan
Date: Tue, 25 Jul 2023 21:30:32 +0800
Subject: [PATCH] fix signer name (#19001)
Append the signer name to the error message which will be returned by the client
Signed-off-by: wang yan
---
 src/server/middleware/contenttrust/contentrust.go | 12 ++++++++----
 .../test_project_level_policy_content_trust.py | 2 +-
 tests/robot-cases/Group1-Nightly/Common.robot | 2 +-
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/server/middleware/contenttrust/contentrust.go b/src/server/middleware/contenttrust/contentrust.go
index 28003dbc9..e3eabcdc1 100644
--- a/src/server/middleware/contenttrust/contentrust.go
+++ b/src/server/middleware/contenttrust/contentrust.go
@@ -46,11 +46,17 @@ func ContentTrust() func(http.Handler) http.Handler {
 // If signature policy enabled, it has to at least have one signature.
 if pro.ContentTrustCosignEnabled() {
 if err := signatureChecking(ctx, r, af, pro.ProjectID, model.TypeCosignSignature); err != nil {
+ if errors.IsErr(err, errors.PROJECTPOLICYVIOLATION) {
+ return errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION).WithMessage("The image is not signed by cosign.")
+ }
 return err
 }
 }
 if pro.ContentTrustEnabled() {
 if err := signatureChecking(ctx, r, af, pro.ProjectID, model.TypeNotationSignature); err != nil {
+ if errors.IsErr(err, errors.PROJECTPOLICYVIOLATION) {
+ return errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION).WithMessage("The image is not signed by notation.")
+ }
 return err
 }
 }
@@ -78,8 +84,7 @@ func signatureChecking(ctx context.Context, r *http.Request, af lib.ArtifactInfo
 }
 if len(art.Accessories) == 0 {
- pkgE := errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION).WithMessage("The image is not signed.")
- return pkgE
+ return errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION)
 }
 var hasSignature bool
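Review bot: The two added `errors.IsErr(err, errors.PROJECTPOLICYVIOLATION)` branches in the @@ -46,11 +46,17 @@ hunk are copies that differ only in the word cosign or notation, so the client-facing policy message now lives in two places that can drift apart. Passing the signer label to one small unexported helper that takes `err` and returns either the rewritten violation or `err` unchanged would keep the wording in a single place. Whichever form is kept, a comment such as `// Only a policy violation gets the signer-specific message; any other error is returned unchanged.` would record why the original error value is replaced in that one case. When both policies are enabled the cosign check returns first, so an image lacking both signatures reports only the cosign message. ContentTrust starts and ends outside this hunk.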
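Review bot: After this change signatureChecking returns a PROJECTPOLICYVIOLATION error with no message at `len(art.Accessories) == 0`, and the same happens at `!hasSignature` in the @@ -90,8 +95,7 @@ hunk, so the text a client sees depends entirely on each caller adding one. The two call sites in ContentTrust do that, but any other or later caller would hand back a bare code. Document the contract on the function, for example `// signatureChecking returns a PROJECTPOLICYVIOLATION error without a message when no accessory of the requested signature type is attached; callers add the signer-specific message.` The function body begins and ends outside both hunks.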
@@ -90,8 +95,7 @@ func signatureChecking(ctx context.Context, r *http.Request, af lib.ArtifactInfo
 }
 }
 if !hasSignature {
- pkgE := errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION).WithMessage("The image is not signed.")
- return pkgE
+ return errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION)
 }
 return nil
diff --git a/tests/apitests/python/test_project_level_policy_content_trust.py b/tests/apitests/python/test_project_level_policy_content_trust.py
index 002741e04..5e174de5b 100644
--- a/tests/apitests/python/test_project_level_policy_content_trust.py
+++ b/tests/apitests/python/test_project_level_policy_content_trust.py
@@ -84,7 +84,7 @@ class TestProjects(unittest.TestCase):
 restart_process("containerd")
 restart_process("dockerd")
 time.sleep(30)
- pull_harbor_image(harbor_server, ADMIN_CLIENT["username"], ADMIN_CLIENT["password"], TestProjects.repo_name, tag, expected_error_message = "The image is not signed")
+ pull_harbor_image(harbor_server, ADMIN_CLIENT["username"], ADMIN_CLIENT["password"], TestProjects.repo_name, tag, expected_error_message = "The image is not signed by cosign")
 if __name__ == '__main__':
 unittest.main()
diff --git a/tests/robot-cases/Group1-Nightly/Common.robot b/tests/robot-cases/Group1-Nightly/Common.robot
index 50de09214..e892b211e 100644
--- a/tests/robot-cases/Group1-Nightly/Common.robot
+++ b/tests/robot-cases/Group1-Nightly/Common.robot
@@ -773,7 +773,7 @@ Test Case - Cosign And Cosign Deployment Security Policy
 Go Into Project project${d}
 Go Into Repo project${d} ${image}
 Should Not Be Signed By Cosign ${tag}
- Cannot Pull Image ${ip} ${user} ${pwd} project${d} ${image}:${tag} err_msg=The image is not signed.
+ Cannot Pull Image ${ip} ${user} ${pwd} project${d} ${image}:${tag} err_msg=The image is not signed by cosign.
 Cosign Generate Key Pair
 Cosign Verify ${ip}/project${d}/${image}:${tag} ${false}
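Review bot: Only the cosign wording is asserted in the updated `pull_harbor_image(...)` call (and in the Common.robot hunk of this patch); the new "The image is not signed by notation." message added in contentrust.go has no matching expectation in the test files this patch touches. A pull against a project with the notation policy enabled, checked with `expected_error_message = "The image is not signed by notation"`, would cover the second branch of the enforcement path. Whether such a case exists elsewhere in the suite cannot be seen from this patch, and the test method this line belongs to starts outside the hunk.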