isUntrustedConfigError flags errors where the plugin's declared FailurePolicy is itself part of the misconfiguration. For these the host MUST abort unconditionally; honouring a FailOpen declaration on a misconfigured Restricts plugin would defeat the whole point of the consistency check.
(err error)
// isUntrustedConfigError reports whether err is, or wraps, a
// *PluginInstallError whose ReasonCode marks the plugin's own configuration
// as untrustworthy. In those cases the plugin's declared FailurePolicy is
// part of the misconfiguration, so the host must abort unconditionally
// instead of honouring a FailOpen declaration from a misconfigured Restricts
// plugin; doing otherwise would defeat the consistency check.
//
// A nil err, or an error with no *PluginInstallError in its chain, yields
// false.
//
// NOTE(review): the list below is explicit, so any ReasonCode not named here
// yields false. Presumably the caller then applies the plugin's own
// FailurePolicy; confirm that every new reason code describing an
// untrustworthy configuration is added here.
func isUntrustedConfigError(err error) bool {
	var installErr *PluginInstallError
	if !errors.As(err, &installErr) {
		// Not a plugin install failure, so not a config-trust problem.
		return false
	}

	switch installErr.ReasonCode {
	case ReasonRestrictsMismatch,
		ReasonInvalidPluginName,
		ReasonPluginNamePanic,
		ReasonDuplicatePluginName,
		ReasonInvalidCapability:
		return true
	default:
		return false
	}
}
| 109 | |
| 110 | // installOne handles a single plugin: build a staging Registrar, call |
| 111 | // Install, run validateSelf, and on success commit to the live |