Skip to content

Commit

Permalink
Avoid breaking change for provenanceRepository cli option
Browse files Browse the repository at this point in the history
Signed-off-by: saisatishkarra <[email protected]>
  • Loading branch information
saisatishkarra committed Jan 22, 2024
1 parent c475cc5 commit 2a5a666
Show file tree
Hide file tree
Showing 5 changed files with 53 additions and 98 deletions.
19 changes: 8 additions & 11 deletions cli/slsa-verifier/verify/verify_image.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,12 +51,13 @@ func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*uti
}

provenanceOpts := &options.ProvenanceOpts{
ExpectedSourceURI: c.SourceURI,
ExpectedBranch: c.SourceBranch,
ExpectedDigest: digest,
ExpectedVersionedTag: c.SourceVersionTag,
ExpectedTag: c.SourceTag,
ExpectedWorkflowInputs: c.BuildWorkflowInputs,
ExpectedSourceURI: c.SourceURI,
ExpectedBranch: c.SourceBranch,
ExpectedDigest: digest,
ExpectedVersionedTag: c.SourceVersionTag,
ExpectedTag: c.SourceTag,
ExpectedProvenanceRepository: c.ProvenanceRepository,
ExpectedWorkflowInputs: c.BuildWorkflowInputs,
}

builderOpts := &options.BuilderOpts{
Expand All @@ -74,11 +75,7 @@ func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*uti
var verifiedProvenance []byte
var outBuilderID *utils.TrustedBuilderID

if c.ProvenanceRepository != nil {
verifiedProvenance, outBuilderID, err = verifiers.VerifyImageProvenanceRepo(ctx, artifacts[0], provenance, *c.ProvenanceRepository, provenanceOpts, builderOpts)
} else {
verifiedProvenance, outBuilderID, err = verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceOpts, builderOpts)
}
verifiedProvenance, outBuilderID, err = verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceOpts, builderOpts)

if err != nil {
return nil, err
Expand Down
3 changes: 3 additions & 0 deletions options/options.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,9 @@ type ProvenanceOpts struct {
ExpectedPackageName *string

ExpectedPackageVersion *string

// ExpectedProvenanceRepository is the provenance repository that is passed from user and not verified
ExpectedProvenanceRepository *string
}

// BuildOpts are the options for checking the builder.
Expand Down
7 changes: 0 additions & 7 deletions register/register.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,6 @@ type SLSAVerifier interface {
builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

// VerifyImageProvenanceRepo verifies a provenance stored in a separate repository for a supplied OCI image.
VerifyImageProvenanceRepo(ctx context.Context,
provenance []byte, provenanceRepository string,
artifactImage string, provenanceOpts *options.ProvenanceOpts,
builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

VerifyNpmPackage(ctx context.Context,
attestations []byte, tarballHash string,
provenanceOpts *options.ProvenanceOpts,
Expand Down
109 changes: 42 additions & 67 deletions verifiers/internal/gha/verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -244,9 +244,48 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context,
utils.MergeMaps(defaultArtifactTrustedReusableWorkflows, defaultBYOBReusableWorkflows))
}

// verifyImageWithOptions abstracts the cosign options and returns verified provenance for an artifact.
func verifyImageWithOptions(ctx context.Context, artifactImage string, provenanceOpts *options.ProvenanceOpts,
builderOpts *options.BuilderOpts, opts *cosign.CheckOpts) ([]byte, *utils.TrustedBuilderID, error) {
// VerifyImage verifies provenance for an OCI image.
func (v *GHAVerifier) VerifyImage(ctx context.Context,
provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts,
builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
/* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
trustedRoot, err := TrustedRootSingleton(ctx)
if err != nil {
return nil, nil, err
}

var provenanceTargetRepository name.Repository
// Consume input for --provenance-repository when set
if *provenanceOpts.ExpectedProvenanceRepository != "" {
provenanceTargetRepository, err = name.NewRepository(*provenanceOpts.ExpectedProvenanceRepository)
if err != nil {
return nil, nil, err
}
} else {
// If user input --provenance-repository is empty, look for COSIGN_REPOSITORY environment
provenanceTargetRepository, err = ociremote.GetEnvTargetRepository()
if err != nil {
return nil, nil, err
}
}

registryClientOpts := []ociremote.Option{}

// Append target repository to OCI Registry opts
// Must be authenticated against the specified target repository externally
if provenanceTargetRepository.Name() != "" {
registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository))
}

opts := &cosign.CheckOpts{
RegistryClientOpts: registryClientOpts,
RootCerts: trustedRoot.FulcioRoot,
IntermediateCerts: trustedRoot.FulcioIntermediates,
RekorPubKeys: trustedRoot.RekorPubKeys,
CTLogPubKeys: trustedRoot.CTPubKeys,
}

atts, _, err := container.RunCosignImageVerification(ctx,
artifactImage, opts)
if err != nil {
Expand Down Expand Up @@ -293,70 +332,6 @@ func verifyImageWithOptions(ctx context.Context, artifactImage string, provenanc
return nil, nil, fmt.Errorf("%w", serrors.ErrorNoValidSignature)
}

// VerifyImage verifies provenance for an OCI image.
func (v *GHAVerifier) VerifyImage(ctx context.Context,
provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts,
builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
/* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
trustedRoot, err := TrustedRootSingleton(ctx)
if err != nil {
return nil, nil, err
}
opts := &cosign.CheckOpts{
RootCerts: trustedRoot.FulcioRoot,
IntermediateCerts: trustedRoot.FulcioIntermediates,
RekorPubKeys: trustedRoot.RekorPubKeys,
CTLogPubKeys: trustedRoot.CTPubKeys,
}
return verifyImageWithOptions(ctx, artifactImage, provenanceOpts, builderOpts, opts)
}

// VerifyImageProvenanceRepo verifies provenance from a separate store for an OCI image.
func (v *GHAVerifier) VerifyImageProvenanceRepo(ctx context.Context,
provenance []byte, provenanceRepository string,
artifactImage string, provenanceOpts *options.ProvenanceOpts,
builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
/* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
trustedRoot, err := TrustedRootSingleton(ctx)
if err != nil {
return nil, nil, err
}

var provenanceTargetRepository name.Repository
// Consume input for --provenance-repository when set
if provenanceRepository != "" {
provenanceTargetRepository, err = name.NewRepository(provenanceRepository)
if err != nil {
return nil, nil, err
}
} else {
// If user input --provenance-repository is empty, look for COSIGN_REPOSITORY environment
provenanceTargetRepository, err = ociremote.GetEnvTargetRepository()
if err != nil {
return nil, nil, err
}
}

registryClientOpts := []ociremote.Option{}

// Append target repository to OCI Registry opts
// Must be authenticated against the specified target repository externally
if provenanceTargetRepository.Name() != "" {
registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository))
}

opts := &cosign.CheckOpts{
RegistryClientOpts: registryClientOpts,
RootCerts: trustedRoot.FulcioRoot,
IntermediateCerts: trustedRoot.FulcioIntermediates,
RekorPubKeys: trustedRoot.RekorPubKeys,
CTLogPubKeys: trustedRoot.CTPubKeys,
}
return verifyImageWithOptions(ctx, artifactImage, provenanceOpts, builderOpts, opts)
}

// VerifyNpmPackage verifies an npm package tarball.
func (v *GHAVerifier) VerifyNpmPackage(ctx context.Context,
attestations []byte, tarballHash string,
Expand Down
13 changes: 0 additions & 13 deletions verifiers/verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -47,19 +47,6 @@ func VerifyImage(ctx context.Context, artifactImage string,
return verifier.VerifyImage(ctx, provenance, artifactImage, provenanceOpts, builderOpts)
}

func VerifyImageProvenanceRepo(ctx context.Context, artifactImage string,
provenance []byte,
provenanceRepository string,
provenanceOpts *options.ProvenanceOpts,
builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
verifier, err := getVerifier(builderOpts)
if err != nil {
return nil, nil, err
}
return verifier.VerifyImageProvenanceRepo(ctx, provenance, provenanceRepository, artifactImage, provenanceOpts, builderOpts)
}

func VerifyArtifact(ctx context.Context,
provenance []byte, artifactHash string,
provenanceOpts *options.ProvenanceOpts,
Expand Down

0 comments on commit 2a5a666

Please sign in to comment.