

Merge pull request #2945 from CheeseStick/junjung/pipeline-verification/failure-behaviour

Allow `buildkite-agent` to run a job when JWK is unavailable but failure behaviour is set to `warn`
wolfeidau authored Sep 6, 2024
2 parents 36b3346 + 1bd8d64 commit fc6e3ac
Showing 2 changed files with 31 additions and 12 deletions.
21 changes: 18 additions & 3 deletions agent/integration/job_verification_integration_test.go
Expand Up @@ -423,17 +423,32 @@ func TestJobVerification(t *testing.T) {
},
{
name: "when the step has a signature, but the JobRunner doesn't have a verification key, it fails signature verification",
agentConf: agent.AgentConfiguration{},
agentConf: agent.AgentConfiguration{VerificationFailureBehaviour: agent.VerificationBehaviourBlock},
job: job,
repositoryURL: defaultRepositoryURL,
signingKey: symmetricJWKFor(t, signingKeyLlamas),
verificationJWKS: nil,
mockBootstrapExpectation: func(bt *bintest.Mock) { bt.Expect().NotCalled() },
expectedExitStatus: "-1",
expectedSignalReason: agent.SignalReasonSignatureRejected,
expectedSignalReason: agent.SignalReasonUnableToVerifySignature,
expectLogsContain: []string{
"+++ ⛔",
"cannot verify signature. JWK for pipeline verification is not configured",
},
},
{
name: "when the step has a signature, but the JobRunner doesn't have a verification key, and JobVerificationFailureBehaviour is warn, it warns and runs the job",
agentConf: agent.AgentConfiguration{VerificationFailureBehaviour: agent.VerificationBehaviourWarn},
job: job,
repositoryURL: defaultRepositoryURL,
signingKey: symmetricJWKFor(t, signingKeyLlamas),
verificationJWKS: nil,
mockBootstrapExpectation: func(bt *bintest.Mock) { bt.Expect().Once().AndExitWith(0) },
expectedExitStatus: "0",
expectedSignalReason: "",
expectLogsContain: []string{
"+++ ⛔",
"but no verification key was provided",
"cannot verify signature. JWK for pipeline verification is not configured",
},
},
{
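Review bot: The warn-behaviour case at the end of the hunk asserts `"+++ ⛔"` in the logs for a job that then runs with exit status 0, so the test pins the block-mode log header being emitted in warn mode; if a warn-specific header exists, the test should expect that instead, and the expectation would then catch the hard-coded block argument in the run_job.go hunk of this commit. Also worth adding is a case with `agentConf: agent.AgentConfiguration{}` and `verificationJWKS: nil`, to pin whether an unset failure behaviour still blocks the job — the existing case had to gain an explicit `VerificationBehaviourBlock` in this commit, which suggests the default outcome has changed. TestJobVerification's table continues outside the hunk.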
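--- a/agent/run_job.go
+++ b/agent/run_job.go
@@ -24,11 +24,12 @@ import (
 )
 
 const (
-SignalReasonAgentRefused = "agent_refused"
-SignalReasonAgentStop = "agent_stop"
-SignalReasonCancel = "cancel"
-SignalReasonSignatureRejected = "signature_rejected"
-SignalReasonProcessRunError = "process_run_error"
+SignalReasonAgentRefused = "agent_refused"
+SignalReasonAgentStop = "agent_stop"
+SignalReasonCancel = "cancel"
+SignalReasonSignatureRejected = "signature_rejected"
+SignalReasonUnableToVerifySignature = "unable_to_verify_signature"
+SignalReasonProcessRunError = "process_run_error"
 )
 
 type missingKeyError struct {
@@ -92,11 +93,14 @@ func (r *JobRunner) Run(ctx context.Context) error {
 if r.conf.JWKS == nil && job.Step.Signature != nil {
 r.verificationFailureLogs(
 VerificationBehaviourBlock,
-&missingKeyError{signature: job.Step.Signature.Value},
+fmt.Errorf("cannot verify signature. JWK for pipeline verification is not configured"),
 )
-exit.Status = -1
-exit.SignalReason = SignalReasonSignatureRejected
-return nil
+
+if r.VerificationFailureBehavior == VerificationBehaviourBlock {
+exit.Status = -1
+exit.SignalReason = SignalReasonUnableToVerifySignature
+return nil
+}
 }
 
 if r.conf.JWKS != nil {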
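Review bot: The new guard `if r.VerificationFailureBehavior == VerificationBehaviourBlock` fails open: any value other than an explicit block, including the zero value of an unset field, now lets a signed step run without its signature ever being checked, which is presumably why the existing test had to change its config from `agent.AgentConfiguration{}` to an explicit block. Unless the configuration loader is known to default this field to block (not visible here), compare against the permissive value so that empty or unknown settings stay fail-closed: `if r.VerificationFailureBehavior != VerificationBehaviourWarn {`. The `r.verificationFailureLogs(VerificationBehaviourBlock, ...)` call just above still hard-codes the block behaviour for the log output even when the configured behaviour is warn, so the operator is told the job is blocked and then sees it run; passing `r.VerificationFailureBehavior` there would keep the log consistent with the outcome. With `missingKeyError` no longer constructed at this site, check whether the type declared at the top of the file still has a user. Run's body continues outside the hunk.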

