fix signer name (#19001)

Append the signer name to the error message which will be returned by the client

Signed-off-by: wang yan <wangyan@vmware.com>
Wang Yan 2023-07-25 21:30:32 +08:00 committed by GitHub
parent c25a7ca68d
commit db82d6e082
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 6 deletions


@ -46,11 +46,17 @@ func ContentTrust() func(http.Handler) http.Handler {
// If signature policy enabled, it has to at least have one signature.
if pro.ContentTrustCosignEnabled() {
if err := signatureChecking(ctx, r, af, pro.ProjectID, model.TypeCosignSignature); err != nil {
if errors.IsErr(err, errors.PROJECTPOLICYVIOLATION) {
return errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION).WithMessage("The image is not signed by cosign.")
}
return err
}
}
if pro.ContentTrustEnabled() {
if err := signatureChecking(ctx, r, af, pro.ProjectID, model.TypeNotationSignature); err != nil {
if errors.IsErr(err, errors.PROJECTPOLICYVIOLATION) {
return errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION).WithMessage("The image is not signed by notation.")
}
return err
}
}
@ -78,8 +84,7 @@ func signatureChecking(ctx context.Context, r *http.Request, af lib.ArtifactInfo
}
if len(art.Accessories) == 0 {
pkgE := errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION).WithMessage("The image is not signed.")
return pkgE
return errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION)
}
var hasSignature bool
@ -90,8 +95,7 @@ func signatureChecking(ctx context.Context, r *http.Request, af lib.ArtifactInfo
}
}
if !hasSignature {
pkgE := errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION).WithMessage("The image is not signed.")
return pkgE
return errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION)
}
return nil
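Review bot: In signatureChecking, both the `len(art.Accessories) == 0` and the `!hasSignature` branches now return `errors.New(nil).WithCode(errors.PROJECTPOLICYVIOLATION)` with no message, so the denial reason reaches the client only if every caller re-wraps it the way ContentTrust does. The re-wrap in ContentTrust matches on the error code alone, so any other PROJECTPOLICYVIOLATION raised in the parts of signatureChecking outside these hunks (if there are any) would also be reported as "not signed by cosign/notation", and the original error is dropped by `errors.New(nil)`. Setting the text where the code is set, from the signature type already passed as the last argument, would keep code and message together and remove the two duplicated `if errors.IsErr(...)` blocks. If the split is kept, document it on the function, e.g. `// signatureChecking returns a PROJECTPOLICYVIOLATION error without a message when no matching signature is found; the caller adds the signer-specific text.` Both function bodies extend beyond the hunks shown.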


@ -84,7 +84,7 @@ class TestProjects(unittest.TestCase):
restart_process("containerd")
restart_process("dockerd")
time.sleep(30)
pull_harbor_image(harbor_server, ADMIN_CLIENT["username"], ADMIN_CLIENT["password"], TestProjects.repo_name, tag, expected_error_message = "The image is not signed")
pull_harbor_image(harbor_server, ADMIN_CLIENT["username"], ADMIN_CLIENT["password"], TestProjects.repo_name, tag, expected_error_message = "The image is not signed by cosign")
if __name__ == '__main__':
unittest.main()
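Review bot: Only the cosign message is asserted here (`expected_error_message = "The image is not signed by cosign"`); none of the test changes on this page exercises the new "The image is not signed by notation." branch added to ContentTrust. A matching pull-denied case for a project with only the notation policy enabled would pin that text and confirm the policy still blocks the pull. The expected string also omits the trailing period, so it presumably relies on substring matching inside pull_harbor_image, which is worth confirming. The enclosing test method starts outside the hunk.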


@ -773,7 +773,7 @@ Test Case - Cosign And Cosign Deployment Security Policy
Go Into Project project${d}
Go Into Repo project${d} ${image}
Should Not Be Signed By Cosign ${tag}
Cannot Pull Image ${ip} ${user} ${pwd} project${d} ${image}:${tag} err_msg=The image is not signed.
Cannot Pull Image ${ip} ${user} ${pwd} project${d} ${image}:${tag} err_msg=The image is not signed by cosign.
Cosign Generate Key Pair
Cosign Verify ${ip}/project${d}/${image}:${tag} ${false}