trust policy overlapped trust stores were not checked
JeyJeyGao opened this issue · comments
The following trust policy file has overlapped trust stores which should be checked and return an error or at least a warning.
{
"version": "1.0",
"trustPolicies": [
{
"name": "e2e",
"registryScopes": [ "*" ],
"signatureVerification": {
"level" : "strict"
},
// overlapped trust stores
"trustStores": [ "ca:e2e", "ca:e2e" ],
"trustedIdentities": [
"*"
]
}
]
}
@JeyJeyGao This part is checked here. For a certain trust policy statement, a valid trust store will be loaded once and only once.
@JeyJeyGao This part is checked here. For a certain trust policy statement, a valid trust store will be loaded once and only once.
Do we need log an warning or return an error here? Because overlapped name
and trustedIdentities
fields trigger errors, do we need to keep the same behavior?
@JeyJeyGao This part is checked here. For a certain trust policy statement, a valid trust store will be loaded once and only once.
Do we need log an warning or return an error here? Because overlapped
name
andtrustedIdentities
fields trigger errors, do we need to keep the same behavior?
For name
, yes, because if we do not check duplication, there will be confusion on which policy statement to be used. For trustStores
, it's a bit different. Because for a certain trust store ca:e2e
, it always points to the same trust store no matter how many times we put it in the trustStores
array.
I'm actually thinking of usability here, imagine a user has lots of trust stores, "requiring each of them to be unique" = "asking the user to find all the duplications and remove them manually from the file". Whereas the current logic is: oh, your trustStores
has duplications, notation will de-duplicate for you.
This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.
@JeyJeyGao @Two-Hearts is this still a valid issue?
Accepted @Two-Hearts 's idea, so we can close it.