attest/example_verify_test.go

package attest_test

import (
	"context"
	"fmt"
	"os"
	"path/filepath"

	"github.com/docker/attest"
	"github.com/docker/attest/oci"
	"github.com/docker/attest/policy"
	"github.com/docker/attest/tuf"
)

func ExampleVerify_remote() {
	// create a tuf client
	home, err := os.UserHomeDir()
	if err != nil {
		panic(err)
	}
	tufOutputPath := filepath.Join(home, ".docker", "tuf")
	tufClientOpts := tuf.NewDockerDefaultClientOptions(tufOutputPath)

	// create a resolver for remote attestations
	image := "registry-1.docker.io/library/notary:server"
	platform := "linux/amd64"

	// configure policy options
	opts := &policy.Options{
		TUFClientOptions: tufClientOpts,
		LocalTargetsDir:  filepath.Join(home, ".docker", "policy"), // location to store policy files downloaded from TUF
		LocalPolicyDir:   "",                                       // overrides TUF policy for local policy files if set
		PolicyID:         "",                                       // set to ignore policy mapping and select a policy by id
		DisableTUF:       false,                                    // set to disable TUF and rely on local policy files
	}

	src, err := oci.ParseImageSpec(image, oci.WithPlatform(platform))
	if err != nil {
		panic(err)
	}
	// verify attestations
	result, err := attest.Verify(context.Background(), src, opts)
	if err != nil {
		panic(err)
	}
	switch result.Outcome {
	case attest.OutcomeSuccess:
		fmt.Println("policy passed")
	case attest.OutcomeNoPolicy:
		fmt.Println("no policy for image")
	case attest.OutcomeFailure:
		fmt.Println("policy failed")
	}
}
docs: update examples in README.md 2024-05-02 13:42:35 -05:00			`package attest_test`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00
			`import (`
			`"context"`
Don't use builtin print function 2024-05-08 13:12:40 +01:00			`"fmt"`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`"os"`
			`"path/filepath"`

refactor! remove pkg directory (#145) * refactor!: remove pkg directory * chore: include breaking changes in draft 2024-09-02 16:17:50 +01:00			`"github.com/docker/attest"`
			`"github.com/docker/attest/oci"`
			`"github.com/docker/attest/policy"`
			`"github.com/docker/attest/tuf"`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`)`

			`func ExampleVerify_remote() {`
			`// create a tuf client`
			`home, err := os.UserHomeDir()`
			`if err != nil {`
			`panic(err)`
			`}`
			`tufOutputPath := filepath.Join(home, ".docker", "tuf")`
fix: use a client pointing at Docker's TUF by default (#104) `policy.Options` now contains the arguments to `tuf.Client`'s constructor rather than an actual Client. If these arguments are not provided, defaults pointing at Docker's TUF repo will be used. An actual TUF client can be passed in on the context (which is useful for testing). If this is not provided `attest.Verify` will create a TUF client using the options on `policy.Options`. --------- Co-authored-by: Joel Kamp <joel.kamp@docker.com> 2024-08-23 09:33:30 +01:00			`tufClientOpts := tuf.NewDockerDefaultClientOptions(tufOutputPath)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00
			`// create a resolver for remote attestations`
Update pkg/attest/example_verify_test.go Co-authored-by: David Dooling <141646279+whalelines@users.noreply.github.com> 2024-05-02 15:57:19 -05:00			`image := "registry-1.docker.io/library/notary:server"`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`platform := "linux/amd64"`

			`// configure policy options`
fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`opts := &policy.Options{`
fix: use a client pointing at Docker's TUF by default (#104) `policy.Options` now contains the arguments to `tuf.Client`'s constructor rather than an actual Client. If these arguments are not provided, defaults pointing at Docker's TUF repo will be used. An actual TUF client can be passed in on the context (which is useful for testing). If this is not provided `attest.Verify` will create a TUF client using the options on `policy.Options`. --------- Co-authored-by: Joel Kamp <joel.kamp@docker.com> 2024-08-23 09:33:30 +01:00			`TUFClientOptions: tufClientOpts,`
			`LocalTargetsDir: filepath.Join(home, ".docker", "policy"), // location to store policy files downloaded from TUF`
			`LocalPolicyDir: "", // overrides TUF policy for local policy files if set`
			`PolicyID: "", // set to ignore policy mapping and select a policy by id`
feat!: remove MockTUFClient (#135) * feat! remove MockTUFClient Breaking - use LocalPolicyDir and nil TUFClient instead Other: - add stateful Verifier 2024-08-28 09:53:52 +01:00			`DisableTUF: false, // set to disable TUF and rely on local policy files`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`}`

Add support for separate attestation storage repo (#62) * Add support for separate attestation storage repo * Move mapping file types and parsing to config package * Change signature of Verify to take image/platform * Separate Attestation Resolvers to their own files (registry, layout and referrers) * Add support configuring referrers resolution style in mapping.yaml * Add registry test 2024-06-21 11:29:16 +01:00			`src, err := oci.ParseImageSpec(image, oci.WithPlatform(platform))`
			`if err != nil {`
			`panic(err)`
			`}`
docs: first cut of a new README (#99) Lots of this is taken from image-signer-verifier's README. The stuff on policy is all new. Co-authored-by: James Carnegie <kipz@users.noreply.github.com> 2024-07-29 16:43:31 +01:00			`// verify attestations`
Add support for separate attestation storage repo (#62) * Add support for separate attestation storage repo * Move mapping file types and parsing to config package * Change signature of Verify to take image/platform * Separate Attestation Resolvers to their own files (registry, layout and referrers) * Add support configuring referrers resolution style in mapping.yaml * Add registry test 2024-06-21 11:29:16 +01:00			`result, err := attest.Verify(context.Background(), src, opts)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`if err != nil {`
Return VSA and rich errors from verification (#38) * Start of richer results from verification * Pull out VSA code from signing * Expose attestation signing fns * Add VSA test * Notes for policy result * Require separate policy for VSA creation * Load test signing key from tests * Return rich object from policy * Add result object schema and fix tests * Ensure example test runs * Remove data.yaml files from mock policies * Don't run example - TUF policy isn't compatible * Add attestation to manifests for all subjects * Ensure adding attestation doesn't touch statements * Don't export sign function * Remove attestations from VerificationResult * Change bool to Outcome enum in result * Use outputLayout directly * Make clearer that Outcome strings are for VSA * Return multiple SLSA levels from policy * Fix unmarshalling of policy-id (#39) * Rename function * Rename policy.VerificationResult -> policy.Result * Re-add test for canonical input --------- Co-authored-by: James Carnegie <james.carnegie@docker.com> Co-authored-by: James Carnegie <kipz@users.noreply.github.com> 2024-05-22 14:49:23 +01:00			`panic(err)`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`}`
Return VSA and rich errors from verification (#38) * Start of richer results from verification * Pull out VSA code from signing * Expose attestation signing fns * Add VSA test * Notes for policy result * Require separate policy for VSA creation * Load test signing key from tests * Return rich object from policy * Add result object schema and fix tests * Ensure example test runs * Remove data.yaml files from mock policies * Don't run example - TUF policy isn't compatible * Add attestation to manifests for all subjects * Ensure adding attestation doesn't touch statements * Don't export sign function * Remove attestations from VerificationResult * Change bool to Outcome enum in result * Use outputLayout directly * Make clearer that Outcome strings are for VSA * Return multiple SLSA levels from policy * Fix unmarshalling of policy-id (#39) * Rename function * Rename policy.VerificationResult -> policy.Result * Re-add test for canonical input --------- Co-authored-by: James Carnegie <james.carnegie@docker.com> Co-authored-by: James Carnegie <kipz@users.noreply.github.com> 2024-05-22 14:49:23 +01:00			`switch result.Outcome {`
			`case attest.OutcomeSuccess:`
			`fmt.Println("policy passed")`
			`case attest.OutcomeNoPolicy:`
			`fmt.Println("no policy for image")`
			`case attest.OutcomeFailure:`
			`fmt.Println("policy failed")`
docs: update examples in README.md 2024-05-02 13:35:57 -05:00			`}`
			`}`