Merge pull request #549 from carvel-dev/do-not-error-out-on-denied-er…

…ror-for-signatures

Do not error out on denied error for signatures

pkg/imgpkg/signature/fetch_signatures.go

@@ -4,6 +4,7 @@
 package signature
 
 import (
+	"errors"
 	"fmt"
 	"sync"
 
@@ -62,9 +63,9 @@ type FetchError struct {
 
 // Error message that contains all errors
 func (f *FetchError) Error() string {
-	msg := "Unable to retrieve the following images:\n"
+	msg := "Unable to retrieve the following images:"
 	for _, err := range f.AllErrors {
-		msg = fmt.Sprintf("%sImage: '%s'\nError:%s", msg, err.ImageRef(), err.Error())
+		msg = fmt.Sprintf("%s\nImage: '%s'\nError: %s", msg, err.ImageRef(), err.Error())
 	}
 	return msg
 }
@@ -104,7 +105,17 @@ func (s *Signatures) Fetch(images *imageset.UnprocessedImageRefs) (*imageset.Unp
 	}
 	imagesRefs, err := s.FetchForImageRefs(imgs)
 	if err != nil {
-		return nil, err
+		var fetchError *FetchError
+		if !errors.As(err, &fetchError) {
+			return nil, err
+		}
+
+		for _, fError := range fetchError.AllErrors {
+			var accessDeniedErr AccessDeniedErr
+			if !errors.As(fError, &accessDeniedErr) {
+				return nil, fetchError
+			}
+		}
 	}
 	for _, ref := range imagesRefs {
 		signatures.Add(imageset.UnprocessedImageRef{
@@ -113,7 +124,7 @@ func (s *Signatures) Fetch(images *imageset.UnprocessedImageRefs) (*imageset.Unp
 		})
 	}
 
-	return signatures, err
+	return signatures, nil
 }
 
 // FetchForImageRefs Retrieve the available signatures associated with the images provided

pkg/imgpkg/signature/fetch_signatures_test.go

@@ -45,7 +45,32 @@ func TestSignatureRetriever_Signatures(t *testing.T) {
 		assert.Equal(t, imageset.UnprocessedImageRef{DigestRef: "registry.io/img@sha256:cf31af331f38d1d7158470e095b132acd126a7180a54f263d386da88eb681d93", Tag: "some-tag"}, sign2)
 	})
 
-	t.Run("denied errors are provided as part of the error", func(t *testing.T) {
+	t.Run("denied errors, when calling Fetch, work as not found", func(t *testing.T) {
+		fakeSignatureFinder := &signaturefakes.FakeFinder{}
+		subject := signature.NewSignatures(fakeSignatureFinder, 2)
+		fakeSignatureFinder.SignatureCalls(func(digest regname.Digest) (imageset.UnprocessedImageRef, error) {
+			availableResults := map[string]imageset.UnprocessedImageRef{
+				"sha256:4c8b96d4fffdfae29258d94a22ae4ad1fe36139d47288b8960d9958d1e63a9d0": {DigestRef: "registry.io/img@sha256:cf31af331f38d1d7158470e095b132acd126a7180a54f263d386da88eb681d93", Tag: "some-tag"},
+				"sha256:56cb33b3b4bc45509c5ff7513ddc6ed78764f9ad5165cc32826e04da49d5462b": {DigestRef: "registry.io/img2@sha256:be154cc2b1211a9f98f4d708f4266650c9129784d0485d4507d9b0fa05d928b6", Tag: "some-other-tag"},
+			}
+			if res, ok := availableResults[digest.DigestStr()]; ok {
+				return res, nil
+			}
+			return imageset.UnprocessedImageRef{}, signature.AccessDeniedErr{}
+		})
+
+		args := imageset.NewUnprocessedImageRefs()
+		args.Add(imageset.UnprocessedImageRef{DigestRef: "registry.io/img@sha256:4c8b96d4fffdfae29258d94a22ae4ad1fe36139d47288b8960d9958d1e63a9d0"})
+		args.Add(imageset.UnprocessedImageRef{DigestRef: "registry.io/img1@sha256:6716afd7a68262a37d3f67681ed9dedf3b882938ad777f268f44d68894531f7a"})
+		args.Add(imageset.UnprocessedImageRef{DigestRef: "registry.io/img2@sha256:56cb33b3b4bc45509c5ff7513ddc6ed78764f9ad5165cc32826e04da49d5462b"})
+		args.Add(imageset.UnprocessedImageRef{DigestRef: "registry.io/img2@sha256:a40a266ca606d8dcbac60b4bb1ec42128ba7063f5eed3a997ec4546edc6cf209"})
+		signatures, err := subject.Fetch(args)
+		require.NoError(t, err)
+
+		require.Equal(t, 2, signatures.Length())
+	})
+
+	t.Run("denied errors are provided as part of the error, when calling FetchForImageRefs", func(t *testing.T) {
 		fakeSignatureFinder := &signaturefakes.FakeFinder{}
 		subject := signature.NewSignatures(fakeSignatureFinder, 2)
 		fakeSignatureFinder.SignatureCalls(func(digest regname.Digest) (imageset.UnprocessedImageRef, error) {