aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKonstantin Ryabitsev <konstantin@linuxfoundation.org>2020-03-17 17:34:51 -0400
committerKonstantin Ryabitsev <konstantin@linuxfoundation.org>2020-03-17 17:34:51 -0400
commit39dcb5a265e89ec4828f7f9b5625e3c243e188ec (patch)
treec0d7620ac2a3f5daed1cf46d22debc7246fcb797
parent57776234978c0dc634b0bd92fa0eca70cd1ef10e (diff)
downloadb4-39dcb5a265e89ec4828f7f9b5625e3c243e188ec.tar.gz
Show which patches failed attestation
If one patch in the series fails attestation, show which one it is and point out which part failed (commit metadata, commit message, or patch content). At this time, this only works if it's not the *first* patch that fails attestation, because otherwise we aren't able to locate the attestation document in the first place. There's no simple solution here, because otherwise we'd have to hit lore too many times, which would be murder on large series. Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
-rw-r--r--b4/__init__.py39
1 files changed, 27 insertions, 12 deletions
diff --git a/b4/__init__.py b/b4/__init__.py
index b8d4892..5e7e952 100644
--- a/b4/__init__.py
+++ b/b4/__init__.py
@@ -357,6 +357,7 @@ class LoreSeries:
attfail = FAIL_SIMPLE
at = 1
+ atterrors = list()
for lmsg in self.patches[1:]:
if lmsg is not None:
if self.has_cover and covertrailers and self.patches[0].followup_trailers:
@@ -375,11 +376,26 @@ class LoreSeries:
if attdoc is None:
if attpolicy in ('softfail', 'hardfail'):
logger.info(' %s %s', attfail, lmsg.full_subject)
+ # Which part failed?
+ failed = ['commit metadata', 'commit message', 'patch content']
+ for attdoc in ATTESTATIONS:
+ for i, m, p in attdoc.hashes:
+ if p == lmsg.attestation.p:
+ failed.remove('patch content')
+ if m == lmsg.attestation.m:
+ failed.remove('commit message')
+ if i == lmsg.attestation.i:
+ failed.remove('commit metadata')
+ atterrors.append('Patch %s/%s failed attestation (%s)' % (at, lmsg.expected,
+ ', '.join(failed)))
else:
logger.info(' %s', lmsg.full_subject)
else:
logger.info(' %s %s', attpass, lmsg.full_subject)
attdata[at-1] = attdoc.attestor.get_trailer(lmsg.fromemail)
+ if attpolicy == 'check':
+ # switch to softfail policy now that we have at least one hit
+ attpolicy = 'softfail'
else:
logger.info(' %s', lmsg.full_subject)
@@ -402,7 +418,7 @@ class LoreSeries:
logger.info(' %s %s', attpass, trailer)
return mbx
- errors = set()
+ errors = set(atterrors)
for attdoc in ATTESTATIONS:
errors.update(attdoc.errors)
@@ -410,7 +426,7 @@ class LoreSeries:
logger.critical(' ---')
logger.critical(' Attestation is available, but did not succeed:')
for error in errors:
- logger.critical(' %s %s', attfail, error)
+ logger.critical(' %s %s', attfail, error)
if attpolicy == 'hardfail':
import sys
@@ -965,7 +981,8 @@ class LoreAttestationDocument:
logger.debug(' TRUST_%s', matches.groups()[0])
self.trusted = True
else:
- self.errors.add('Insufficient trust on key: %s (%s)' % (keyid, puid))
+ self.errors.add('Insufficient trust (model=%s): %s (%s)'
+ % (config['attestation-trust-model'], keyid, puid))
else:
self.errors.add('Signature not valid from key: %s (%s)' % (keyid, puid))
else:
@@ -1070,15 +1087,13 @@ class LoreAttestation:
self.passing = True
self.attdocs.append(attdoc)
- if len(self.attdocs) or not lore_lookup:
- return
-
- attdocs = LoreAttestationDocument.get_from_lore(self.attid)
- ATTESTATIONS += attdocs
- for attdoc in attdocs:
- if hg in attdoc.hashes and attdoc.passing:
- self.passing = True
- self.attdocs.append(attdoc)
+ if not len(self.attdocs) and lore_lookup:
+ attdocs = LoreAttestationDocument.get_from_lore(self.attid)
+ ATTESTATIONS += attdocs
+ for attdoc in attdocs:
+ if hg in attdoc.hashes and attdoc.passing:
+ self.passing = True
+ self.attdocs.append(attdoc)
def __repr__(self):
out = list()