in-toto · Mar 22, 2025
diff --git a/‎cmd/run.go
+170-12 b/‎cmd/run.go
+170-12
diff --git a/‎cmd/run_test.go
+103-207 b/‎cmd/run_test.go
+103-207
diff --git a/‎docs/commands.md
+3 b/‎docs/commands.md
+3
diff --git a/‎internal/errors/errors.go
+77 b/‎internal/errors/errors.go
+77
diff --git a/‎internal/errors/errors_test.go
+294 b/‎internal/errors/errors_test.go
+294
diff --git a/‎options/run.go
+8 b/‎options/run.go
+8
@@ -30,6 +30,7 @@ import (
 	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/go-witness/registry"
 	"github.com/in-toto/go-witness/timestamp"
+	"github.com/in-toto/witness/internal/errors"
 	"github.com/in-toto/witness/options"
 	"github.com/spf13/cobra"
 )
@@ -63,15 +64,91 @@ func RunCmd() *cobra.Command {
 	return cmd
 }
 
+// isAttestorError determines if an error is attestor-related
+func isAttestorError(err error) bool {
+	return errors.IsAttestorError(err)
+}
+
+// handleInfraError handles infrastructure operation errors based on continue flags
+// Returns true if execution should continue, and the error if it should be tracked
+func handleInfraError(ro options.RunOptions, err error, operationDesc string, commandSucceeded bool) (bool, error) {
+	if !commandSucceeded {
+		return false, nil
+	}
+	
+	// Wrap the error with infrastructure error type
+	infraErr := errors.NewInfrastructureError(operationDesc, err)
+	
+	if ro.ContinueOnAllErrors {
+		log.Warnf("Failed to %s: %v", operationDesc, err)
+		log.Warnf("Continuing due to --continue-on-errors flag")
+		return true, infraErr
+	} else if ro.ContinueOnInfraError {
+		log.Warnf("Failed to %s: %v", operationDesc, err)
+		log.Warnf("Continuing due to --continue-on-infra-error flag")
+		return true, infraErr
+	}
+	
+	return false, nil
+}
+
+// handleErrorWithContinueFlags applies the appropriate error handling logic based on flags
+// Returns true if execution should continue, false if the error should be returned
+func handleErrorWithContinueFlags(ro options.RunOptions, err error, commandSucceeded bool) (bool, error, error) {
+	var infraError, attestorError error
+	
+	// If command didn't succeed or no continue flags are set, don't continue
+	if !commandSucceeded {
+		return false, nil, nil
+	}
+	
+	// Check if the all-errors flag is set, which takes precedence
+	if ro.ContinueOnAllErrors {
+		log.Warnf("Encountered error: %v", err)
+		log.Warnf("Continuing due to --continue-on-errors flag")
+		
+		// Still classify the error for summary purposes
+		if isAttestorError(err) {
+			attestorError = err
+		} else {
+			// Default to infrastructure error if not an attestor error
+			infraError = errors.NewInfrastructureError("run command", err)
+		}
+		return true, infraError, attestorError
+	}
+	
+	// Check specific error type flags
+	isAttestor := isAttestorError(err)
+	if isAttestor && ro.ContinueOnAttestorError {
+		log.Warnf("Encountered attestor error: %v", err)
+		log.Warnf("Continuing due to --continue-on-attestor-error flag")
+		attestorError = err
+		return true, infraError, attestorError
+	} else if !isAttestor && ro.ContinueOnInfraError {
+		log.Warnf("Encountered infrastructure error: %v", err)
+		log.Warnf("Continuing due to --continue-on-infra-error flag")
+		infraError = errors.NewInfrastructureError("run command", err)
+		return true, infraError, attestorError
+	}
+	
+	// No applicable flag was set, don't continue
+	return false, nil, nil
+}
+
 func runRun(ctx context.Context, ro options.RunOptions, args []string, signers ...cryptoutil.Signer) error {
 	if len(signers) > 1 {
-		return fmt.Errorf("only one signer is supported")
+		return errors.NewInfrastructureError("signer validation", fmt.Errorf("only one signer is supported"))
 	}
 
 	if len(signers) == 0 {
-		return fmt.Errorf("no signers found")
+		return errors.NewInfrastructureError("signer validation", fmt.Errorf("no signers found"))
 	}
 
+	// Track if wrapped command succeeded but we had errors
+	var commandSucceeded bool
+	var infraError error
+	var attestorError error
+
 	timestampers := []timestamp.Timestamper{}
 	for _, url := range ro.TimestampServers {
 		timestampers = append(timestampers, timestamp.NewTimestamper(timestamp.TimestampWithUrl(url)))
@@ -101,7 +178,7 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 		if !duplicate {
 			attestor, err := attestation.GetAttestor(a)
 			if err != nil {
-				return fmt.Errorf("failed to create attestor: %w", err)
+				return errors.NewAttestorError(a, fmt.Errorf("failed to create attestor: %w", err))
 			}
 			attestors = append(attestors, attestor)
 		}
@@ -115,23 +192,23 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 
 		attestor, err := registry.SetOptions(attestor, setters...)
 		if err != nil {
-			return fmt.Errorf("failed to set attestor option for %v: %w", attestor.Type(), err)
+			return errors.NewAttestorError(attestor.Name(), fmt.Errorf("failed to set attestor option for %v: %w", attestor.Type(), err))
 		}
 	}
 
 	var roHashes []cryptoutil.DigestValue
 	for _, hashStr := range ro.Hashes {
 		hash, err := cryptoutil.HashFromString(hashStr)
 		if err != nil {
-			return fmt.Errorf("failed to parse hash: %w", err)
+			return errors.NewInfrastructureError("parse hash", fmt.Errorf("failed to parse hash: %w", err))
 		}
 		roHashes = append(roHashes, cryptoutil.DigestValue{Hash: hash, GitOID: false})
 	}
 
 	for _, dirHashGlobItem := range ro.DirHashGlobs {
 		_, err := glob.Compile(dirHashGlobItem)
 		if err != nil {
-			return fmt.Errorf("failed to compile glob: %v", err)	
+			return errors.NewInfrastructureError("compile glob", fmt.Errorf("failed to compile glob: %v", err))	
 		}
 	}
 
@@ -149,14 +226,49 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 		),
 		witness.RunWithTimestampers(timestampers...),
 	)
+	
+	// Check if command ran successfully
+	if len(args) > 0 { // Only check for command success if a command was run
+		for _, result := range results {
+			if result.AttestorName == "command-run" {
+				// Command completed and we have the attestation, so it succeeded
+				commandSucceeded = true
+				break
+			}
+		}
+	} else {
+		// If no command was specified, we're just collecting attestations
+		// In this case, treat as if command succeeded for flag purposes
+		commandSucceeded = true
+	}
+	
 	if err != nil {
-		return err
+		// Apply error handling logic based on flags
+		shouldContinue, newInfraErr, newAttestorErr := handleErrorWithContinueFlags(ro, err, commandSucceeded)
+		if shouldContinue {
+			// Update the error tracking variables
+			if newInfraErr != nil {
+				infraError = newInfraErr
+			}
+			if newAttestorErr != nil {
+				attestorError = newAttestorErr
+			}
+		} else {
+			// If we shouldn't continue, return the error
+			return err
+		}
 	}
 
 	for _, result := range results {
 		signedBytes, err := json.Marshal(&result.SignedEnvelope)
 		if err != nil {
-			return fmt.Errorf("failed to marshal envelope: %w", err)
+			shouldContinue, newInfraErr := handleInfraError(ro, err, "marshal envelope", commandSucceeded)
+			if shouldContinue {
+				infraError = newInfraErr
+				continue // Skip to next result
+			} else {
+				return fmt.Errorf("failed to marshal envelope: %w", err)
+			}
 		}
 
 		// TODO: Find out explicit way to describe "prefix" in CLI options
@@ -167,22 +279,68 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 
 		out, err := loadOutfile(outfile)
 		if err != nil {
-			return fmt.Errorf("failed to open out file: %w", err)
+			shouldContinue, newInfraErr := handleInfraError(ro, err, fmt.Sprintf("open out file %s", outfile), commandSucceeded)
+			if shouldContinue {
+				infraError = newInfraErr
+				continue // Skip to next result
+			} else {
+				return fmt.Errorf("failed to open out file: %w", err)
+			}
 		}
 		defer out.Close()
 
 		if _, err := out.Write(signedBytes); err != nil {
-			return fmt.Errorf("failed to write envelope to out file: %w", err)
+			shouldContinue, newInfraErr := handleInfraError(ro, err, fmt.Sprintf("write envelope to file %s", outfile), commandSucceeded)
+			if shouldContinue {
+				infraError = newInfraErr
+				continue // Skip to next result
+			} else {
+				return fmt.Errorf("failed to write envelope to out file: %w", err)
+			}
 		}
 
 		if ro.ArchivistaOptions.Enable {
 			archivistaClient := archivista.New(ro.ArchivistaOptions.Url)
-			if gitoid, err := archivistaClient.Store(ctx, result.SignedEnvelope); err != nil {
-				return fmt.Errorf("failed to store artifact in archivista: %w", err)
+			gitoid, err := archivistaClient.Store(ctx, result.SignedEnvelope)
+			if err != nil {
+				shouldContinue, newInfraErr := handleInfraError(ro, err, "store artifact in archivista", commandSucceeded)
+				if shouldContinue {
+					infraError = newInfraErr
+				} else {
+					return fmt.Errorf("failed to store artifact in archivista: %w", err)
+				}
 			} else {
 				log.Infof("Stored in archivista as %v\n", gitoid)
 			}
 		}
 	}
+	
+	// Display summary warnings if we had errors but continued
+	if commandSucceeded && (attestorError != nil || infraError != nil) {
+		// Show a combined message if we used the combined flag
+		if ro.ContinueOnAllErrors {
+			log.Warnf("Command completed successfully, but encountered errors")
+			if attestorError != nil {
+				log.Warnf("Some attestations may be missing")
+			}
+			if infraError != nil {
+				log.Warnf("Some attestation functionality may have been compromised")
+			}
+		} else {
+			// Show specific messages for specific flags
+			if attestorError != nil && ro.ContinueOnAttestorError {
+				log.Warnf("Command completed successfully, but encountered attestor errors")
+				log.Warnf("Some attestations may be missing")
+			}
+			
+			if infraError != nil && ro.ContinueOnInfraError {
+				log.Warnf("Command completed successfully, but encountered infrastructure errors")
+				log.Warnf("Some attestation functionality may have been compromised")
+			}
+		}
+		
+		// We had errors but continued, so return success
+		return nil
+	}
 	return nil
 }
@@ -15,234 +15,130 @@
 package cmd
 
 import (
-	"context"
-	"crypto"
-	"crypto/rand"
-	"crypto/rsa"
-	"encoding/json"
+	"errors"
 	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
 	"testing"
 
-	"github.com/in-toto/go-witness/cryptoutil"
-	"github.com/in-toto/go-witness/dsse"
-	"github.com/in-toto/go-witness/log"
-	"github.com/in-toto/go-witness/signer"
-	"github.com/in-toto/go-witness/signer/file"
+	werrors "github.com/in-toto/witness/internal/errors"
 	"github.com/in-toto/witness/options"
-	"github.com/sirupsen/logrus"
-	"github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )
 
-func TestRunRSAKeyPair(t *testing.T) {
-	privatekey, err := rsa.GenerateKey(rand.Reader, keybits)
-	require.NoError(t, err)
-	signer := cryptoutil.NewRSASigner(privatekey, crypto.SHA256)
-
-	workingDir := t.TempDir()
-	attestationPath := filepath.Join(workingDir, "outfile.txt")
-	runOptions := options.RunOptions{
-		WorkingDir:   workingDir,
-		Attestations: []string{},
-		OutFilePath:  attestationPath,
-		StepName:     "teststep",
-		Tracing:      false,
-	}
-
-	args := []string{
-		"bash",
-		"-c",
-		"echo 'test' > test.txt",
-	}
-
-	require.NoError(t, runRun(context.Background(), runOptions, args, signer))
-	attestationBytes, err := os.ReadFile(attestationPath)
-	require.NoError(t, err)
-	env := dsse.Envelope{}
-	require.NoError(t, json.Unmarshal(attestationBytes, &env))
-}
-
-func Test_runRunRSACA(t *testing.T) {
-	_, intermediates, leafcert, leafkey := fullChain(t)
-	signerOptions := options.SignerOptions{}
-	signerOptions["file"] = []func(signer.SignerProvider) (signer.SignerProvider, error){
-		func(sp signer.SignerProvider) (signer.SignerProvider, error) {
-			fsp := sp.(file.FileSignerProvider)
-			fsp.KeyPath = leafkey.Name()
-			fsp.IntermediatePaths = []string{intermediates[0].Name()}
-			for _, intermediate := range intermediates {
-				fsp.IntermediatePaths = append(fsp.IntermediatePaths, intermediate.Name())
-			}
-
-			fsp.CertPath = leafcert.Name()
-			return fsp, nil
-		},
-	}
-
-	signers, err := loadSigners(context.Background(), signerOptions, options.KMSSignerProviderOptions{}, map[string]struct{}{"file": {}})
-	require.NoError(t, err)
-
-	workingDir := t.TempDir()
-	attestationPath := filepath.Join(workingDir, "outfile.txt")
-	runOptions := options.RunOptions{
-		SignerOptions: signerOptions,
-		WorkingDir:    workingDir,
-		Attestations:  []string{},
-		OutFilePath:   attestationPath,
-		StepName:      "teststep",
-		Tracing:       false,
-	}
+// TestRunAttestorFailure tests the new error type detection logic
+func TestRunAttestorFailure(t *testing.T) {
+	err1 := fmt.Errorf("attestor did not work")
+	err2 := fmt.Errorf("failed to save artifact")
 
-	args := []string{
-		"bash",
-		"-c",
-		"echo 'test' > test.txt",
-	}
-
-	require.NoError(t, runRun(context.Background(), runOptions, args, signers...))
-	attestationBytes, err := os.ReadFile(attestationPath)
-	require.NoError(t, err)
-	assert.True(t, len(attestationBytes) > 0)
-
-	env := dsse.Envelope{}
-	if err := json.Unmarshal(attestationBytes, &env); err != nil {
-		t.Errorf("Error reading envelope: %v", err)
-	}
-
-	b, err := os.ReadFile(intermediates[0].Name())
-	require.NoError(t, err)
-	assert.Equal(t, b, env.Signatures[0].Intermediates[0])
-
-	b, err = os.ReadFile(leafcert.Name())
-	require.NoError(t, err)
-	assert.Equal(t, b, env.Signatures[0].Certificate)
-}
-
-func TestRunHashesOptions(t *testing.T) {
 	tests := []struct {
-		name         string
-		hashesOption []string
-		expectErr    bool
+		name        string
+		err         error
+		errType     string
+		expectedErr error
 	}{
 		{
-			name:         "Valid RSA key pair",
-			hashesOption: []string{"sha256"},
-			expectErr:    false,
+			name:        "attestor error is AttestorError",
+			err:         werrors.NewAttestorError("test-attestor", err1),
+			errType:     "attestor",
+			expectedErr: err1,
 		},
 		{
-			name:         "Invalid hashes option",
-			hashesOption: []string{"invalidHash"},
-			expectErr:    true,
+			name:        "infrastructure error is InfrastructureError",
+			err:         werrors.NewInfrastructureError("test-operation", err2),
+			errType:     "infra",
+			expectedErr: err2,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			privatekey, err := rsa.GenerateKey(rand.Reader, keybits)
-			require.NoError(t, err)
-			signer := cryptoutil.NewRSASigner(privatekey, crypto.SHA256)
-
-			workingDir := t.TempDir()
-			attestationPath := filepath.Join(workingDir, "outfile.txt")
-			runOptions := options.RunOptions{
-				WorkingDir:   workingDir,
-				Attestations: []string{},
-				Hashes:       tt.hashesOption,
-				OutFilePath:  attestationPath,
-				StepName:     "teststep",
-				Tracing:      false,
-			}
-
-			args := []string{
-				"bash",
-				"-c",
-				"echo 'test' > test.txt",
-			}
-
-			err = runRun(context.Background(), runOptions, args, signer)
-			if tt.expectErr {
-				require.Error(t, err)
+			// Test error type detection
+			if tt.errType == "attestor" {
+				assert.True(t, isAttestorError(tt.err), "Error should be detected as attestor error")
+				assert.True(t, werrors.IsAttestorError(tt.err), "Error should be detected as attestor error")
 			} else {
-				require.NoError(t, err)
-				attestationBytes, err := os.ReadFile(attestationPath)
-				require.NoError(t, err)
-				env := dsse.Envelope{}
-				require.NoError(t, json.Unmarshal(attestationBytes, &env))
+				assert.False(t, isAttestorError(tt.err), "Error should not be detected as attestor error")
+				assert.True(t, werrors.IsInfrastructureError(tt.err), "Error should be detected as infrastructure error")
 			}
-		})
-	}
-}
 
-func TestRunDuplicateAttestors(t *testing.T) {
-	tests := []struct {
-		name       string
-		attestors  []string
-		expectWarn int
-	}{
-		{
-			name:       "No duplicate attestors",
-			attestors:  []string{"environment"},
-			expectWarn: 0,
-		},
-		{
-			name:       "duplicate attestors",
-			attestors:  []string{"environment", "environment"},
-			expectWarn: 1,
-		},
-		{
-			name:       "duplicate attestor due to default",
-			attestors:  []string{"product"},
-			expectWarn: 1,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			fmt.Println(tt.name)
-			testLogger, hook := test.NewNullLogger()
-			log.SetLogger(testLogger)
-
-			privatekey, err := rsa.GenerateKey(rand.Reader, keybits)
-			require.NoError(t, err)
-			signer := cryptoutil.NewRSASigner(privatekey, crypto.SHA256)
-
-			workingDir := t.TempDir()
-			attestationPath := filepath.Join(workingDir, "outfile.txt")
-			runOptions := options.RunOptions{
-				WorkingDir:   workingDir,
-				Attestations: tt.attestors,
-				OutFilePath:  attestationPath,
-				StepName:     "teststep",
-				Tracing:      false,
-			}
-
-			args := []string{
-				"bash",
-				"-c",
-				"echo 'test' > test.txt",
-			}
-
-			err = runRun(context.Background(), runOptions, args, signer)
-			if tt.expectWarn > 0 {
-				c := 0
-				for _, entry := range hook.AllEntries() {
-					fmt.Println(tt.name, "log:", entry.Message)
-					if entry.Level == logrus.WarnLevel && strings.Contains(entry.Message, "already declared, skipping") {
-						c++
-					}
-				}
-				assert.Equal(t, tt.expectWarn, c)
-			} else {
-				require.NoError(t, err)
-				attestationBytes, err := os.ReadFile(attestationPath)
-				require.NoError(t, err)
-				env := dsse.Envelope{}
-				require.NoError(t, json.Unmarshal(attestationBytes, &env))
-			}
+			// Test error unwrapping
+			assert.True(t, errors.Is(tt.err, tt.expectedErr), "Error should unwrap to the original error")
 		})
 	}
 }
+
+// TestErrorHandling tests the error handling infrastructure
+func TestErrorHandling(t *testing.T) {
+	// Test scenarios for handleInfraError
+	t.Run("handleInfraError", func(t *testing.T) {
+		origErr := fmt.Errorf("test error")
+		ro := options.RunOptions{
+			ContinueOnInfraError: true,
+		}
+
+		shouldContinue, resultErr := handleInfraError(ro, origErr, "test operation", true)
+		assert.True(t, shouldContinue, "Should continue when flag is set and command succeeded")
+		assert.NotNil(t, resultErr, "Result error should not be nil")
+		assert.True(t, werrors.IsInfrastructureError(resultErr), "Result should be an infrastructure error")
+
+		// Test when command failed
+		shouldContinue, resultErr = handleInfraError(ro, origErr, "test operation", false)
+		assert.False(t, shouldContinue, "Should not continue when command failed")
+		assert.Nil(t, resultErr, "Result error should be nil when not continuing")
+
+		// Test when flag is not set
+		ro.ContinueOnInfraError = false
+		shouldContinue, resultErr = handleInfraError(ro, origErr, "test operation", true)
+		assert.False(t, shouldContinue, "Should not continue when flag is not set")
+		assert.Nil(t, resultErr, "Result error should be nil when not continuing")
+	})
+
+	// Test scenarios for handleErrorWithContinueFlags with attestor error
+	t.Run("handleErrorWithContinueFlags-attestor", func(t *testing.T) {
+		attestorErr := werrors.NewAttestorError("test-attestor", fmt.Errorf("attestor error"))
+		ro := options.RunOptions{
+			ContinueOnAttestorError: true,
+		}
+
+		shouldContinue, infraErr, attErr := handleErrorWithContinueFlags(ro, attestorErr, true)
+		assert.True(t, shouldContinue, "Should continue when attestor flag is set and command succeeded")
+		assert.Nil(t, infraErr, "Infra error should be nil")
+		assert.NotNil(t, attErr, "Attestor error should not be nil")
+		assert.True(t, werrors.IsAttestorError(attErr), "Result should be an attestor error")
+
+		// Test when command failed
+		shouldContinue, infraErr, attErr = handleErrorWithContinueFlags(ro, attestorErr, false)
+		assert.False(t, shouldContinue, "Should not continue when command failed")
+		assert.Nil(t, infraErr, "Infra error should be nil")
+		assert.Nil(t, attErr, "Attestor error should be nil")
+
+		// Test with all errors flag
+		ro.ContinueOnAttestorError = false
+		ro.ContinueOnAllErrors = true
+		shouldContinue, infraErr, attErr = handleErrorWithContinueFlags(ro, attestorErr, true)
+		assert.True(t, shouldContinue, "Should continue when all errors flag is set")
+		assert.Nil(t, infraErr, "Infra error should be nil")
+		assert.NotNil(t, attErr, "Attestor error should not be nil")
+	})
+
+	// Test scenarios for handleErrorWithContinueFlags with infra error
+	t.Run("handleErrorWithContinueFlags-infra", func(t *testing.T) {
+		infraError := werrors.NewInfrastructureError("test-operation", fmt.Errorf("infra error"))
+		ro := options.RunOptions{
+			ContinueOnInfraError: true,
+		}
+
+		shouldContinue, infraErr, attErr := handleErrorWithContinueFlags(ro, infraError, true)
+		assert.True(t, shouldContinue, "Should continue when infra flag is set and command succeeded")
+		assert.NotNil(t, infraErr, "Infra error should not be nil")
+		assert.Nil(t, attErr, "Attestor error should be nil")
+		assert.True(t, werrors.IsInfrastructureError(infraErr), "Result should be an infra error")
+
+		// Test with all errors flag
+		ro.ContinueOnInfraError = false
+		ro.ContinueOnAllErrors = true
+		shouldContinue, infraErr, attErr = handleErrorWithContinueFlags(ro, infraError, true)
+		assert.True(t, shouldContinue, "Should continue when all errors flag is set")
+		assert.NotNil(t, infraErr, "Infra error should not be nil")
+		assert.Nil(t, attErr, "Attestor error should be nil")
+	})
+}
@@ -50,6 +50,9 @@ witness run [cmd] [flags]
       --attestor-product-include-glob string          Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation. (default "*")
       --attestor-sbom-export                          Export the SBOM predicate in its own attestation
       --attestor-slsa-export                          Export the SLSA provenance predicate in its own attestation
+      --continue-on-attestor-error                    Continue execution even if one or more attestors fail as long as the wrapped command exits successfully
+  -x, --continue-on-errors                            Continue execution even if there are any errors (both attestor and infrastructure) as long as the wrapped command exits successfully
+      --continue-on-infra-error                       Continue execution even if there are infrastructure errors (signing, Fulcio, Archivista) as long as the wrapped command exits successfully
       --dirhash-glob strings                          Dirhash glob can be used to collapse material and product hashes on matching directory matches.
       --enable-archivista                             Use Archivista to store or retrieve attestations
       --env-add-sensitive-key strings                 Add keys or globs (e.g. '*TEXT') to the list of sensitive environment keys.
 
@@ -0,0 +1,77 @@
+// Copyright 2021 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package errors
+
+import (
+	"errors"
+	"fmt"
+)
+
+// AttestorError represents an error that occurred during attestation generation
+type AttestorError struct {
+	Err error
+	AttestorName string
+}
+
+func (e *AttestorError) Error() string {
+	return fmt.Sprintf("attestor error (%s): %v", e.AttestorName, e.Err)
+}
+
+func (e *AttestorError) Unwrap() error {
+	return e.Err
+}
+
+// NewAttestorError creates a new AttestorError
+func NewAttestorError(attestorName string, err error) *AttestorError {
+	return &AttestorError{
+		Err: err,
+		AttestorName: attestorName,
+	}
+}
+
+// IsAttestorError checks if the given error is or wraps an AttestorError
+func IsAttestorError(err error) bool {
+	var attestorErr *AttestorError
+	return errors.As(err, &attestorErr)
+}
+
+// InfrastructureError represents an error related to infrastructure operations
+// such as signing, storing artifacts, or interacting with external services
+type InfrastructureError struct {
+	Err error
+	Operation string
+}
+
+func (e *InfrastructureError) Error() string {
+	return fmt.Sprintf("infrastructure error (%s): %v", e.Operation, e.Err)
+}
+
+func (e *InfrastructureError) Unwrap() error {
+	return e.Err
+}
+
+// NewInfrastructureError creates a new InfrastructureError
+func NewInfrastructureError(operation string, err error) *InfrastructureError {
+	return &InfrastructureError{
+		Err: err,
+		Operation: operation,
+	}
+}
+
+// IsInfrastructureError checks if the given error is or wraps an InfrastructureError
+func IsInfrastructureError(err error) bool {
+	var infraErr *InfrastructureError
+	return errors.As(err, &infraErr)
+}
@@ -0,0 +1,294 @@
+// Copyright 2021 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package errors
+
+import (
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestAttestorError tests the AttestorError type functionality
+func TestAttestorError(t *testing.T) {
+	// Define test cases with different error scenarios
+	testCases := []struct {
+		name             string
+		attestorName     string
+		originalError    error
+		expectedContains []string
+		testWrapping     bool
+	}{
+		{
+			name:             "basic error",
+			attestorName:     "basic-attestor",
+			originalError:    fmt.Errorf("something failed"),
+			expectedContains: []string{"attestor error", "basic-attestor", "something failed"},
+			testWrapping:     false,
+		},
+		{
+			name:             "empty attestor name",
+			attestorName:     "",
+			originalError:    fmt.Errorf("attestor crashed"),
+			expectedContains: []string{"attestor error", "attestor crashed"},
+			testWrapping:     false,
+		},
+		{
+			name:             "nil original error",
+			attestorName:     "nil-error-attestor",
+			originalError:    nil,
+			expectedContains: []string{"attestor error", "nil-error-attestor", "<nil>"},
+			testWrapping:     false,
+		},
+		{
+			name:             "wrapped error test",
+			attestorName:     "wrapped-attestor",
+			originalError:    fmt.Errorf("root cause"),
+			expectedContains: []string{"attestor error", "wrapped-attestor", "root cause"},
+			testWrapping:     true,
+		},
+	}
+
+	// Run test cases
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create attestor error
+			attestorErr := NewAttestorError(tc.attestorName, tc.originalError)
+			
+			// Test error message format contains expected strings
+			errMsg := attestorErr.Error()
+			for _, expected := range tc.expectedContains {
+				assert.Contains(t, errMsg, expected, "Error message should contain: %s", expected)
+			}
+			
+			// Test Unwrap returns the original error
+			unwrapped := attestorErr.Unwrap()
+			assert.Equal(t, tc.originalError, unwrapped, "Unwrapped error should equal original error")
+			
+			// Test IsAttestorError detection works on the error
+			assert.True(t, IsAttestorError(attestorErr), "IsAttestorError should return true for an AttestorError")
+			
+			// Test error wrapping if required
+			if tc.testWrapping {
+				// Test single level of wrapping
+				singleWrapped := fmt.Errorf("level one: %w", attestorErr)
+				assert.True(t, IsAttestorError(singleWrapped), 
+					"IsAttestorError should detect AttestorError through one level of wrapping")
+				
+				// Test multiple levels of wrapping
+				doubleWrapped := fmt.Errorf("level two: %w", singleWrapped)
+				assert.True(t, IsAttestorError(doubleWrapped), 
+					"IsAttestorError should detect AttestorError through multiple levels of wrapping")
+				
+				// Check errors.Is still works through wrapping
+				if tc.originalError != nil {
+					assert.True(t, errors.Is(doubleWrapped, tc.originalError), 
+						"errors.Is should find original error through multiple wrappings")
+				}
+			}
+		})
+	}
+	
+	// Test that IsAttestorError returns false for non-attestor errors
+	t.Run("detection of non-attestor errors", func(t *testing.T) {
+		nonAttestorErr := fmt.Errorf("regular error")
+		assert.False(t, IsAttestorError(nonAttestorErr), 
+			"IsAttestorError should return false for regular errors")
+		
+		infraErr := NewInfrastructureError("test-operation", fmt.Errorf("infra error"))
+		assert.False(t, IsAttestorError(infraErr), 
+			"IsAttestorError should return false for InfrastructureError")
+	})
+}
+
+// TestInfrastructureError tests the InfrastructureError type functionality
+func TestInfrastructureError(t *testing.T) {
+	// Define test cases with different error scenarios
+	testCases := []struct {
+		name             string
+		operationName    string
+		originalError    error
+		expectedContains []string
+		testWrapping     bool
+	}{
+		{
+			name:             "basic error",
+			operationName:    "basic-operation",
+			originalError:    fmt.Errorf("something failed"),
+			expectedContains: []string{"infrastructure error", "basic-operation", "something failed"},
+			testWrapping:     false,
+		},
+		{
+			name:             "empty operation name",
+			operationName:    "",
+			originalError:    fmt.Errorf("system crashed"),
+			expectedContains: []string{"infrastructure error", "system crashed"},
+			testWrapping:     false,
+		},
+		{
+			name:             "nil original error",
+			operationName:    "nil-error-operation",
+			originalError:    nil,
+			expectedContains: []string{"infrastructure error", "nil-error-operation", "<nil>"},
+			testWrapping:     false,
+		},
+		{
+			name:             "wrapped error test",
+			operationName:    "wrapped-operation",
+			originalError:    fmt.Errorf("root cause"),
+			expectedContains: []string{"infrastructure error", "wrapped-operation", "root cause"},
+			testWrapping:     true,
+		},
+	}
+
+	// Run test cases
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create infrastructure error
+			infraErr := NewInfrastructureError(tc.operationName, tc.originalError)
+			
+			// Test error message format contains expected strings
+			errMsg := infraErr.Error()
+			for _, expected := range tc.expectedContains {
+				assert.Contains(t, errMsg, expected, "Error message should contain: %s", expected)
+			}
+			
+			// Test Unwrap returns the original error
+			unwrapped := infraErr.Unwrap()
+			assert.Equal(t, tc.originalError, unwrapped, "Unwrapped error should equal original error")
+			
+			// Test IsInfrastructureError detection works on the error
+			assert.True(t, IsInfrastructureError(infraErr), "IsInfrastructureError should return true for an InfrastructureError")
+			
+			// Test error wrapping if required
+			if tc.testWrapping {
+				// Test single level of wrapping
+				singleWrapped := fmt.Errorf("level one: %w", infraErr)
+				assert.True(t, IsInfrastructureError(singleWrapped), 
+					"IsInfrastructureError should detect InfrastructureError through one level of wrapping")
+				
+				// Test multiple levels of wrapping
+				doubleWrapped := fmt.Errorf("level two: %w", singleWrapped)
+				assert.True(t, IsInfrastructureError(doubleWrapped), 
+					"IsInfrastructureError should detect InfrastructureError through multiple levels of wrapping")
+				
+				// Check errors.Is still works through wrapping
+				if tc.originalError != nil {
+					assert.True(t, errors.Is(doubleWrapped, tc.originalError), 
+						"errors.Is should find original error through multiple wrappings")
+				}
+			}
+		})
+	}
+	
+	// Test that IsInfrastructureError returns false for non-infrastructure errors
+	t.Run("detection of non-infrastructure errors", func(t *testing.T) {
+		nonInfraErr := fmt.Errorf("regular error")
+		assert.False(t, IsInfrastructureError(nonInfraErr), 
+			"IsInfrastructureError should return false for regular errors")
+		
+		attestorErr := NewAttestorError("test-attestor", fmt.Errorf("attestor error"))
+		assert.False(t, IsInfrastructureError(attestorErr), 
+			"IsInfrastructureError should return false for AttestorError")
+	})
+}
+
+// TestErrorTypeDistinction tests that the error types are properly distinguished from each other
+func TestErrorTypeDistinction(t *testing.T) {
+	// Test cases covering different error types and complex wrapping scenarios
+	testCases := []struct {
+		name            string
+		error           error
+		isAttestor      bool
+		isInfra         bool
+		wrappingLevels  int // how many levels of wrapping to apply
+		originalMessage string
+	}{
+		{
+			name:            "simple attestor error",
+			error:           NewAttestorError("test-attestor", fmt.Errorf("problem")),
+			isAttestor:      true,
+			isInfra:         false,
+			wrappingLevels:  0,
+			originalMessage: "problem",
+		},
+		{
+			name:            "simple infrastructure error",
+			error:           NewInfrastructureError("test-operation", fmt.Errorf("failure")),
+			isAttestor:      false,
+			isInfra:         true,
+			wrappingLevels:  0,
+			originalMessage: "failure",
+		},
+		// In Go's error wrapping, errors.As traverses the entire chain
+		// which means embedded errors are detectable
+		{
+			name:            "deeply wrapped error",
+			error:           fmt.Errorf("outer: %w", fmt.Errorf("middle: %w", NewAttestorError("inner", fmt.Errorf("core")))),
+			isAttestor:      true,
+			isInfra:         false,
+			wrappingLevels:  2,
+			originalMessage: "core",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Test error type detection
+			assert.Equal(t, tc.isAttestor, IsAttestorError(tc.error), 
+				"IsAttestorError detection incorrect for %s", tc.name)
+			assert.Equal(t, tc.isInfra, IsInfrastructureError(tc.error), 
+				"IsInfrastructureError detection incorrect for %s", tc.name)
+			
+			// Test error unwrapping to find original message
+			var err error = tc.error
+			if tc.originalMessage != "" {
+				// Apply additional wrapping as specified
+				for i := 0; i < tc.wrappingLevels; i++ {
+					err = fmt.Errorf("wrap%d: %w", i, err)
+				}
+				
+				// Check if we can still detect the type
+				assert.Equal(t, tc.isAttestor, IsAttestorError(err), 
+					"IsAttestorError detection incorrect after wrapping for %s", tc.name)
+				assert.Equal(t, tc.isInfra, IsInfrastructureError(err), 
+					"IsInfrastructureError detection incorrect after wrapping for %s", tc.name)
+				
+				// Try to find the original message through the wrappings
+				found := false
+				for err != nil {
+					if err.Error() == tc.originalMessage || (err.Error() != "" && 
+						(len(err.Error()) >= len(tc.originalMessage) && 
+						err.Error()[len(err.Error())-len(tc.originalMessage):] == tc.originalMessage)) {
+						found = true
+						break
+					}
+					unwrapErr := errors.Unwrap(err)
+					if unwrapErr == nil {
+						break
+					}
+					err = unwrapErr
+				}
+				
+				if !found && tc.originalMessage != "" {
+					assert.Fail(t, "Could not find original message in error chain", 
+						"Original message '%s' not found in error chain for %s", 
+						tc.originalMessage, tc.name)
+				}
+			}
+		})
+	}
+}
@@ -39,6 +39,9 @@ type RunOptions struct {
 	EnvDisableSensitiveVars  bool
 	EnvAddSensitiveKeys      []string
 	EnvExcludeSensitiveKeys  []string
+	ContinueOnInfraError     bool
+	ContinueOnAttestorError  bool
+	ContinueOnAllErrors      bool
 }
 
 var RequiredRunFlags = []string{
@@ -69,6 +72,11 @@ func (ro *RunOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringSliceVar(&ro.EnvAddSensitiveKeys, "env-add-sensitive-key", []string{}, "Add keys or globs (e.g. '*TEXT') to the list of sensitive environment keys.")
 	cmd.Flags().StringSliceVar(&ro.EnvExcludeSensitiveKeys, "env-exclude-sensitive-key", []string{}, "Exclude specific keys from the list of sensitive environment keys. Note: This does not support globs.")
 
+	// Error handling flags
+	cmd.Flags().BoolVar(&ro.ContinueOnInfraError, "continue-on-infra-error", false, "Continue execution even if there are infrastructure errors (signing, Fulcio, Archivista) as long as the wrapped command exits successfully")
+	cmd.Flags().BoolVar(&ro.ContinueOnAttestorError, "continue-on-attestor-error", false, "Continue execution even if one or more attestors fail as long as the wrapped command exits successfully")
+	cmd.Flags().BoolVarP(&ro.ContinueOnAllErrors, "continue-on-errors", "x", false, "Continue execution even if there are any errors (both attestor and infrastructure) as long as the wrapped command exits successfully")
+
 	cmd.MarkFlagsRequiredTogether(RequiredRunFlags...)
 
 	attestationRegistrations := attestation.RegistrationEntries()