diff --git a/examples/log4shell/verify.sh b/examples/log4shell/verify.sh
index 8f5e165f..7d71cce2 100755
--- a/examples/log4shell/verify.sh
+++ b/examples/log4shell/verify.sh
@@ -19,5 +19,5 @@ printf "\nVerifying policy on nonvulnerable package...\n" docker run --rm -it --net host -v "$(pwd):/src" -w /src/nonvuln witness-log4shell-demo witness verify -c ../witness.yaml --artifactfile target/my-app-1.0-SNAPSHOT.jar printf "\nVerifying policy on vulnerable package...\n"
-docker run --rm -it --net host -v "$(pwd):/src" -w /src/vuln witness-log4shell-demo witness verify -c ../witness.yaml -a ./demo-attestation.json --artifactfile target/my-app-1.0-SNAPSHOT.jar
+docker run --rm -it --net host -v "$(pwd):/src" -w /src/vuln witness-log4shell-demo witness verify -c ../witness.yaml --artifactfile target/my-app-1.0-SNAPSHOT.jar
diff --git a/pkg/policy/errors.go b/pkg/policy/errors.go
index 63d78093..35604300 100644
--- a/pkg/policy/errors.go
+++ b/pkg/policy/errors.go
@@ -16,7 +16,10 @@ package policy
 
 import (
 "fmt"
+ "strings"
 "time"
+
+ "github.com/testifysec/witness/pkg/cryptoutil"
 )
 
 type ErrNoAttestations string
@@ -48,3 +51,43 @@ type ErrKeyIDMismatch struct {
 func (e ErrKeyIDMismatch) Error() string {
 return fmt.Sprintf("public key in policy has expected key id %v but got %v", e.Expected, e.Actual)
 }
+
+type ErrUnknownStep string
+
+func (e ErrUnknownStep) Error() string {
+ return fmt.Sprintf("policy has no step named %v", string(e))
+}
+
+type ErrArtifactCycle string
+
+func (e ErrArtifactCycle) Error() string {
+ return fmt.Sprintf("cycle detected in step's artifact dependencies: %v", string(e))
+}
+
+type ErrMismatchArtifact struct {
+ Artifact cryptoutil.DigestSet
+ Material cryptoutil.DigestSet
+ Path string
+}
+
+func (e ErrMismatchArtifact) Error() string {
+ return fmt.Sprintf("mismatched digests for %v", e.Path)
+}
+
+type ErrRegoInvalidData struct {
+ Path string
+ Expected string
+ Actual interface{}
+}
+
+func (e ErrRegoInvalidData) Error() string {
+ return fmt.Sprintf("invalid data from rego at %v, expected %v but got %T", e.Path, e.Expected, e.Actual)
+}
+
+type ErrPolicyDenied struct {
+ Reasons []string
+}
+
+func (e ErrPolicyDenied) Error() string {
+ return fmt.Sprintf("policy was denied due to:\n%v", strings.Join(e.Reasons, "\n -"))
+}
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
index 01ec779d..91b2fb3e 100644
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -280,25 +280,3 @@ func compareArtifacts(mats map[string]cryptoutil.DigestSet, arts map[string]cryp
 
 return nil
 }
-
-type ErrUnknownStep string
-
-func (e ErrUnknownStep) Error() string {
- return fmt.Sprintf("policy has no step named %v", string(e))
-}
-
-type ErrArtifactCycle string
-
-func (e ErrArtifactCycle) Error() string {
- return fmt.Sprintf("cycle detected in step's artifact dependencies: %v", string(e))
-}
-
-type ErrMismatchArtifact struct {
- Artifact cryptoutil.DigestSet
- Material cryptoutil.DigestSet
- Path string
-}
-
-func (e ErrMismatchArtifact) Error() string {
- return fmt.Sprintf("mismatched digests for %v", e.Path)
-}
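Review bot: ErrPolicyDenied.Error joins the reasons with `"\n -"`, so the first reason carries no bullet and every following one is rendered as ` -reason` with no space after the dash, which reads inconsistently when a policy is denied for several reasons. A symmetric form is `return fmt.Sprintf("policy was denied due to:\n - %v", strings.Join(e.Reasons, "\n - "))`. This is moved code, but errors.go is now its home, and ErrMismatchArtifact.Error in the same hunk similarly reports only e.Path while the Artifact and Material digest sets it carries are dropped from the message; including them would let a verification failure be diagnosed from the error text alone.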
diff --git a/pkg/policy/rego.go b/pkg/policy/rego.go
index 303f8d5c..a7964f01 100644
--- a/pkg/policy/rego.go
+++ b/pkg/policy/rego.go
@@ -19,31 +19,12 @@ import (
 "context"
 "encoding/json"
 "fmt"
- "strings"
 
 "github.com/open-policy-agent/opa/ast"
 "github.com/open-policy-agent/opa/rego"
 "github.com/testifysec/witness/pkg/attestation"
 )
 
-type ErrRegoInvalidData struct {
- Path string
- Expected string
- Actual interface{}
-}
-
-func (e ErrRegoInvalidData) Error() string {
- return fmt.Sprintf("invalid data from rego at %v, expected %v but got %T", e.Path, e.Expected, e.Actual)
-}
-
-type ErrPolicyDenied struct {
- Reasons []string
-}
-
-func (e ErrPolicyDenied) Error() string {
- return fmt.Sprintf("policy was denied due to:\n%v", strings.Join(e.Reasons, "\n -"))
-}
-
 func EvaluateRegoPolicy(attestor attestation.Attestor, policies []RegoPolicy) error {
 if len(policies) == 0 {
 return nil
diff --git a/pkg/policy/step.go b/pkg/policy/step.go
index 0a7abb7f..20ae527d 100644
--- a/pkg/policy/step.go
+++ b/pkg/policy/step.go
@@ -93,6 +93,7 @@ func (s Step) validateAttestations(attestCollections []attestation.Collection) S
 found[attestation.Type] = attestation.Attestation
 }
 
+ passed := true
 for _, expected := range s.Attestations {
 attestor, ok := found[expected.Type]
 if !ok {
@@ -104,7 +105,8 @@ func (s Step) validateAttestations(attestCollections []attestation.Collection) S
 },
 })
 
- continue
+ passed = false
+ break
 }
 
 if err := EvaluateRegoPolicy(attestor, expected.RegoPolicies); err != nil {
@@ -113,9 +115,12 @@ func (s Step) validateAttestations(attestCollections []attestation.Collection) S Reason: err, }) - continue + passed = false + break } } + if passed { result.Passed = append(result.Passed, collection) } }
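Review bot: Replacing `continue` with `break` in the two rejection branches (this hunk and the following one at `@@ -113,9 +115,12 @@`) changes how much is reported: once the first expected attestation is missing or its rego policy fails, the remaining expectations for that collection are never evaluated, so result.Rejected carries only the first reason and an operator repairing a collection learns about further failures one run at a time. If the intent is only to keep the collection out of result.Passed, `passed = false` followed by `continue` records every reason while the new `if passed` guard still excludes it; the trade-off is one RejectedCollection entry per failed expectation instead of one per collection. Whichever is intended, a one-line comment above `passed := true`, e.g. `// stop at the first failed expectation; the collection is rejected once`, would make the policy explicit. validateAttestations starts and ends outside these hunks, and passed appears to be declared once per collection, which is what the guard needs — confirm the enclosing loop matches.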