From 02725469d7236e116662f5d863a9f34d5a3c616a Mon Sep 17 00:00:00 2001 From: Konstantin Ryabitsev Date: Mon, 23 Nov 2020 14:52:45 -0500 Subject: Fix softfail/hardfail messages Multiple fixes for error messages displayed in softfail and hardfail modes. Signed-off-by: Konstantin Ryabitsev --- b4/__init__.py | 33 ++++++++++++++++++--------------- b4/attest.py | 33 +++++++++++++++++++++++---------- 2 files changed, 41 insertions(+), 25 deletions(-) diff --git a/b4/__init__.py b/b4/__init__.py index e50c8e3..2069e81 100644 --- a/b4/__init__.py +++ b/b4/__init__.py @@ -540,12 +540,15 @@ class LoreSeries: if attpolicy in ('softfail', 'hardfail'): logger.info(' %s %s', attfail, lmsg.full_subject) failed = list() - if not latt.pv: - failed.append('patch content') - if not latt.pm: - failed.append('commit message') - if not latt.pi: - failed.append('patch metadata') + if latt and latt.lsig and latt.lsig.attestor and latt.lsig.attestor.mode == 'domain': + failed.append(latt.lsig.attestor.get_trailer()) + else: + if not latt.pv: + failed.append('patch content') + if not latt.mv: + failed.append('commit message') + if not latt.iv: + failed.append('patch metadata') atterrors.append('Patch %s/%s failed attestation (%s)' % (at, lmsg.expected, ', '.join(failed))) else: @@ -1473,8 +1476,10 @@ class LoreAttestorDKIM(LoreAttestor): self.mode = 'domain' super().__init__(keyid) - def get_trailer(self, fromaddr): # noqa - return 'DKIM/%s (From: %s)' % (self.keyid, fromaddr) + def get_trailer(self, fromaddr=None): # noqa + if fromaddr: + return 'DKIM/%s (From: %s)' % (self.keyid, fromaddr) + return 'DKIM/%s' % self.keyid class LoreAttestorPGP(LoreAttestor): 
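Review bot: In the `@@ -540` hunk the new domain-mode test guards against a missing attestation (`if latt and latt.lsig and ...`), but the `else:` branch then reads `latt.pv`, `latt.mv` and `latt.iv` with no such guard, so a `None` `latt` would raise AttributeError instead of producing the failure message. Whether `latt` can be None at this point is decided outside the hunk. If it can, handle it before the field checks, for example `elif latt is None: failed.append('no attestation data')` (wording is only a suggestion); if it cannot, drop the `latt and` so both branches make the same assumption. Note also that the domain printed in the domain-mode branch comes from a signature that did not pass, so it is the claimed domain rather than a verified one.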
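Review bot: `get_trailer` in the `@@ -1473` hunk now returns two different shapes and has no docstring saying which one a caller gets. A one-line docstring would cover it, for example `"""Return 'DKIM/<domain>', with ' (From: <addr>)' appended when fromaddr is given."""`. The test `if fromaddr:` also treats an empty string as absent, which is worth stating if it is intended. The other `LoreAttestor` subclasses are outside this hunk, so it is not visible whether their `get_trailer` also tolerates a missing `fromaddr`.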
@@ -1636,6 +1641,9 @@ class LoreAttestationSignatureDKIM(LoreAttestationSignature): # self.native_verify() # return + dks = self.msg.get('dkim-signature') + ddata = get_parts_from_header(dks) + self.attestor = LoreAttestorDKIM(ddata['d']) # Do we have a resolve method? if hasattr(_resolver, 'resolve'): res = dkim.verify(self.msg.as_bytes(), dnsfunc=dkim_get_txt) @@ -1647,9 +1655,6 @@ class LoreAttestationSignatureDKIM(LoreAttestationSignature): self.good = True # Grab toplevel signature that we just verified - dks = self.msg.get('dkim-signature') - ddata = get_parts_from_header(dks) - self.attestor = LoreAttestorDKIM(ddata['d']) self.valid = True self.trusted = True self.passing = True @@ -1763,10 +1768,8 @@ class LoreAttestationSignaturePGP(LoreAttestationSignature): if self.good and self.valid and self.trusted: self.passing = True - - # A couple of final verifications - self.verify_time_drift() - # XXX: Need to verify identity domain + self.verify_time_drift() + # XXX: Need to verify identity domain class LoreAttestation: diff --git a/b4/attest.py b/b4/attest.py index 8ae939e..d7fbc27 100644 --- a/b4/attest.py +++ b/b4/attest.py 
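Review bot: In the `@@ -1636` hunk `self.attestor` is now built from the `d=` tag before `dkim.verify()` has run, so the DKIM-Signature header is parsed while it is still untrusted input. A signature without a `d=` tag now raises KeyError at `ddata['d']` instead of simply failing verification, and `dks` may be None unless the caller guarantees the header is present (that is outside the hunk). I would read it with `ddata.get('d')` and, when it is missing, record an error in the signature's `errors` set and return before verification. A comment above the assignment would also help, such as `# attestor is the claimed signing domain; treat it as an identity only once self.passing is True`. The enclosing method starts and ends outside the hunk.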
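Review bot: In the `@@ -1763` hunk `self.passing = True` is decided from `good`, `valid` and `trusted` alone, and the re-added `# XXX: Need to verify identity domain` shows that nothing yet ties the signing key's identity to the sender address. As far as the hunk shows, a trusted key therefore passes regardless of which From address the message carries, so the comment should state that consequence, e.g. `# TODO: passing does not yet check that the key's UID matches the From: domain`. `verify_time_drift()` runs after `passing` is set and its body is outside the hunk, so please confirm it clears `passing` or records an error when the drift is excessive. Indentation is not recoverable on this page; I am assuming both re-added lines now sit inside the `if`.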
@@ -114,23 +114,36 @@ def mutt_filter() -> None: if inb.find(b'X-Patch-Sig:') < 0: sys.stdout.buffer.write(inb) return + msg = email.message_from_bytes(inb) try: - msg = email.message_from_bytes(inb) if msg.get('x-patch-sig'): lmsg = b4.LoreMessage(msg) lmsg.load_hashes() latt = lmsg.attestation - if latt and latt.validate(msg): - trailer = latt.lsig.attestor.get_trailer(lmsg.fromemail) - msg.add_header('Attested-By', trailer) - # Delete the x-patch-hashes and x-patch-sig headers so - # they don't boggle up the view - for i in reversed(range(len(msg._headers))): # noqa - hdrName = msg._headers[i][0].lower() # noqa - if hdrName in ('x-patch-hashes', 'x-patch-sig'): - del msg._headers[i] # noqa + if latt: + if latt.validate(msg): + trailer = latt.lsig.attestor.get_trailer(lmsg.fromemail) + msg.add_header('Attested-By', trailer) + elif latt.lsig: + if not latt.lsig.errors: + failed = list() + if not latt.pv: + failed.append('patch content') + if not latt.mv: + failed.append('commit message') + if not latt.iv: + failed.append('patch metadata') + latt.lsig.errors.add('signature failed (%s)' % ', '.join(failed)) + msg.add_header('Attestation-Failed', ', '.join(latt.lsig.errors)) + # Delete the x-patch-hashes and x-patch-sig headers so + # they don't boggle up the view + for i in reversed(range(len(msg._headers))): # noqa + hdrName = msg._headers[i][0].lower() # noqa + if hdrName in ('x-patch-hashes', 'x-patch-sig'): + del msg._headers[i] # noqa except: # noqa # Don't prevent email from being displayed even if we died horribly sys.stdout.buffer.write(inb) return + sys.stdout.buffer.write(msg.as_bytes(policy=b4.emlpolicy)) -- cgit v1.2.3
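Review bot: In `mutt_filter` the new code adds `Attested-By` or `Attestation-Failed`, but the cleanup loop only removes `x-patch-hashes` and `x-patch-sig`, so a result header already present in the incoming mail stays in the displayed message next to the one b4 computed. Since the reader takes these headers as the verdict, incoming copies should be dropped before validation, e.g. `del msg['Attested-By']` and `del msg['Attestation-Failed']` right after the `x-patch-sig` check. The early `return` for mail without `X-Patch-Sig:` writes `inb` untouched and would need the same care. Separately, `email.message_from_bytes(inb)` now sits outside the `try`, so a parse error no longer reaches the fallback that writes `inb` unchanged, although the comment in the `except` says the mail should always be displayed.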