Skip to content

Commit 075655e

Browse files
refactor(cli): drop dead fallback in validatePolicyEnforcement
Remove the `len(PolicyEvaluations) == 0 && HasPolicyViolations` backward-compatibility fallback from validatePolicyEnforcement. Both fields are always produced together by a single call to getPolicyEvaluations(), so if the evaluations map is empty HasPolicyViolations is always false — the condition is structurally unreachable. Flatten the nested `if MustBlockOnPolicyViolations { if bypassPolicyCheck { ... } }` to a single `if MustBlockOnPolicyViolations && bypassPolicyCheck { ... }` for clarity. Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
1 parent b2ca7e1 commit 075655e

1 file changed

Lines changed: 5 additions & 14 deletions

File tree

app/cli/cmd/attestation_push.go

Lines changed: 5 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -194,20 +194,11 @@ func validatePolicyEnforcement(status *action.AttestationStatusResult, bypassPol
194194
}
195195
}
196196

197-
// Do a final check in case the operator has configured the attestation
198-
// to be blocked on any policy violation.
199-
if status.MustBlockOnPolicyViolations {
200-
if bypassPolicyCheck {
201-
logger.Warn().Msg(exceptionBypassPolicyCheck)
202-
return nil
203-
}
204-
205-
// Effective gate semantics are already resolved in policy evaluations.
206-
// For backwards compatibility, fall back to aggregate status only if
207-
// no evaluations are available.
208-
if len(status.PolicyEvaluations) == 0 && status.HasPolicyViolations {
209-
return ErrBlockedByPolicyViolation
210-
}
197+
// Block on any policy violation only when configured (bypass handled above).
198+
// When we have policy evaluations, gate semantics are already enforced in the loop above.
199+
if status.MustBlockOnPolicyViolations && bypassPolicyCheck {
200+
logger.Warn().Msg(exceptionBypassPolicyCheck)
201+
return nil
211202
}
212203

213204
return nil

0 commit comments

Comments
 (0)