assocaite signature warnings with the dependency that caused them (#6314)

tomerd · web-flow · commit 68703d0bc9b6 · 2023-03-22T17:44:43.000-07:00
motivation: better UX for warnings

changes: add metadata with the package information to the warnings emitted when checking package signatures
diff --git a/Sources/PackageRegistry/SignatureValidation.swift b/Sources/PackageRegistry/SignatureValidation.swift
@@ -148,21 +148,24 @@ struct SignatureValidation {
                 observabilityScope: observabilityScope,
                 completion: completion
             )
-        } catch RegistryError.sourceArchiveNotSigned(let registry, let package, let version) {
-            observabilityScope.emit(info: "\(package) \(version) from \(registry) is unsigned")
+        } catch RegistryError.sourceArchiveNotSigned {
+            observabilityScope.emit(
+                info: "\(package) \(version) from \(registry) is unsigned",
+                metadata: .registryPackageMetadata(identity: package)
+            )
             guard let onUnsigned = configuration.onUnsigned else {
                 return completion(.failure(RegistryError.missingConfiguration(details: "security.signing.onUnsigned")))
             }
 
             let sourceArchiveNotSignedError = RegistryError.sourceArchiveNotSigned(
                 registry: registry,
-                package: package,
+                package: package.underlying,
                 version: version
             )
 
             switch onUnsigned {
             case .prompt:
-                self.delegate.onUnsigned(registry: registry, package: package, version: version) { `continue` in
+                self.delegate.onUnsigned(registry: registry, package: package.underlying, version: version) { `continue` in
                     if `continue` {
                         completion(.success(.none))
                     } else {
@@ -172,7 +175,10 @@ struct SignatureValidation {
             case .error:
                 completion(.failure(sourceArchiveNotSignedError))
             case .warn:
-                observabilityScope.emit(warning: "\(sourceArchiveNotSignedError)")
+                observabilityScope.emit(
+                    warning: "\(sourceArchiveNotSignedError)",
+                    metadata: .registryPackageMetadata(identity: package)
+                )
                 completion(.success(.none))
             case .silentAllow:
                 // Continue without logging
@@ -283,21 +289,24 @@ struct SignatureValidation {
             )
         } catch ManifestSignatureParser.Error.malformedManifestSignature {
             completion(.failure(RegistryError.invalidSignature(reason: "manifest signature is malformed")))
-        } catch RegistryError.sourceArchiveNotSigned(let registry, let package, let version) {
-            observabilityScope.emit(info: "\(package) \(version) from \(registry) is unsigned")
+        } catch RegistryError.sourceArchiveNotSigned {
+            observabilityScope.emit(
+                info: "\(package) \(version) from \(registry) is unsigned",
+                metadata: .registryPackageMetadata(identity: package)
+            )
             guard let onUnsigned = configuration.onUnsigned else {
                 return completion(.failure(RegistryError.missingConfiguration(details: "security.signing.onUnsigned")))
             }
 
             let sourceArchiveNotSignedError = RegistryError.sourceArchiveNotSigned(
                 registry: registry,
-                package: package,
+                package: package.underlying,
                 version: version
             )
 
             switch onUnsigned {
             case .prompt:
-                self.delegate.onUnsigned(registry: registry, package: package, version: version) { `continue` in
+                self.delegate.onUnsigned(registry: registry, package: package.underlying, version: version) { `continue` in
                     if `continue` {
                         completion(.success(.none))
                     } else {
@@ -307,7 +316,10 @@ struct SignatureValidation {
             case .error:
                 completion(.failure(sourceArchiveNotSignedError))
             case .warn:
-                observabilityScope.emit(warning: "\(sourceArchiveNotSignedError)")
+                observabilityScope.emit(
+                    warning: "\(sourceArchiveNotSignedError)",
+                    metadata: .registryPackageMetadata(identity: package)
+                )
                 completion(.success(.none))
             case .silentAllow:
                 // Continue without logging
@@ -394,7 +406,10 @@ struct SignatureValidation {
                     case .error:
                         completion(.failure(signerNotTrustedError))
                     case .warn:
-                        observabilityScope.emit(warning: "\(signerNotTrustedError)")
+                        observabilityScope.emit(
+                            warning: "\(signerNotTrustedError)",
+                            metadata: .registryPackageMetadata(identity: package)
+                        )
                         completion(.success(.none))
                     case .silentAllow:
                         // Continue without logging
@@ -470,3 +485,12 @@ extension VerifierConfiguration {
         return verifierConfiguration
     }
 }
+
+extension ObservabilityMetadata {
+    public static func registryPackageMetadata(identity: PackageIdentity.RegistryIdentity) -> Self {
+        var metadata = ObservabilityMetadata()
+        metadata.packageIdentity = identity.underlying
+        metadata.packageKind = .registry(identity.underlying)
+        return metadata
+    }
+}
diff --git a/Tests/PackageRegistryTests/SignatureValidationTests.swift b/Tests/PackageRegistryTests/SignatureValidationTests.swift
@@ -161,7 +161,8 @@ final class SignatureValidationTests: XCTestCase {
         )
 
         testDiagnostics(observability.diagnostics) { result in
-            result.check(diagnostic: .contains("is not signed"), severity: .warning)
+            let diagnostics = result.check(diagnostic: .contains("is not signed"), severity: .warning)
+            XCTAssertEqual(diagnostics?.metadata?.packageIdentity, package.underlying)
         }
     }
 
@@ -446,7 +447,8 @@ final class SignatureValidationTests: XCTestCase {
         )
 
         testDiagnostics(observability.diagnostics) { result in
-            result.check(diagnostic: .contains("is not signed"), severity: .warning)
+            let diagnostics = result.check(diagnostic: .contains("is not signed"), severity: .warning)
+            XCTAssertEqual(diagnostics?.metadata?.packageIdentity, package.underlying)
         }
     }
 
@@ -1335,7 +1337,8 @@ final class SignatureValidationTests: XCTestCase {
         )
 
         testDiagnostics(observability.diagnostics) { result in
-            result.check(diagnostic: .contains("not trusted"), severity: .warning)
+            let diagnostics = result.check(diagnostic: .contains("not trusted"), severity: .warning)
+            XCTAssertEqual(diagnostics?.metadata?.packageIdentity, package.underlying)
         }
     }
 
@@ -1897,7 +1900,8 @@ final class SignatureValidationTests: XCTestCase {
         )
 
         testDiagnostics(observability.diagnostics) { result in
-            result.check(diagnostic: .contains("not trusted"), severity: .warning)
+            let diagnostics = result.check(diagnostic: .contains("not trusted"), severity: .warning)
+            XCTAssertEqual(diagnostics?.metadata?.packageIdentity, package.underlying)
         }
     }
     #endif

Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,8 @@ final class SignatureValidationTests: XCTestCase {`
`161`	`161`	`)`
`162`	`162`
`163`	`163`	`testDiagnostics(observability.diagnostics) { result in`
`164`		`- result.check(diagnostic: .contains("is not signed"), severity: .warning)`
	`164`	`+ let diagnostics = result.check(diagnostic: .contains("is not signed"), severity: .warning)`
	`165`	`+ XCTAssertEqual(diagnostics?.metadata?.packageIdentity, package.underlying)`
`165`	`166`	`}`
`166`	`167`	`}`
`167`	`168`
`@@ -446,7 +447,8 @@ final class SignatureValidationTests: XCTestCase {`
`446`	`447`	`)`
`447`	`448`
`448`	`449`	`testDiagnostics(observability.diagnostics) { result in`
`449`		`- result.check(diagnostic: .contains("is not signed"), severity: .warning)`
	`450`	`+ let diagnostics = result.check(diagnostic: .contains("is not signed"), severity: .warning)`
	`451`	`+ XCTAssertEqual(diagnostics?.metadata?.packageIdentity, package.underlying)`
`450`	`452`	`}`
`451`	`453`	`}`
`452`	`454`
`@@ -1335,7 +1337,8 @@ final class SignatureValidationTests: XCTestCase {`
`1335`	`1337`	`)`
`1336`	`1338`
`1337`	`1339`	`testDiagnostics(observability.diagnostics) { result in`
`1338`		`- result.check(diagnostic: .contains("not trusted"), severity: .warning)`
	`1340`	`+ let diagnostics = result.check(diagnostic: .contains("not trusted"), severity: .warning)`
	`1341`	`+ XCTAssertEqual(diagnostics?.metadata?.packageIdentity, package.underlying)`
`1339`	`1342`	`}`
`1340`	`1343`	`}`
`1341`	`1344`
`@@ -1897,7 +1900,8 @@ final class SignatureValidationTests: XCTestCase {`
`1897`	`1900`	`)`
`1898`	`1901`
`1899`	`1902`	`testDiagnostics(observability.diagnostics) { result in`
`1900`		`- result.check(diagnostic: .contains("not trusted"), severity: .warning)`
	`1903`	`+ let diagnostics = result.check(diagnostic: .contains("not trusted"), severity: .warning)`
	`1904`	`+ XCTAssertEqual(diagnostics?.metadata?.packageIdentity, package.underlying)`
`1901`	`1905`	`}`
`1902`	`1906`	`}`
`1903`	`1907`	`#endif`