From a3921c206a6332c8263e89c97454fbf0b7332dcd Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Tue, 18 Jun 2024 09:38:50 -0500
Subject: [PATCH 1/7] fix: ineffectual assign
---
 pkg/attestation/referrers_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/attestation/referrers_test.go b/pkg/attestation/referrers_test.go
index dc5a51a..f8ad8f8 100644
--- a/pkg/attestation/referrers_test.go
+++ b/pkg/attestation/referrers_test.go
@@ -69,6 +69,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
 indexName := fmt.Sprintf("%s/repo:root", u.Host)
 require.NoError(t, err)
 err = mirror.PushIndexToRegistry(signedIndex, indexName)
+ require.NoError(t, err)
 for _, platform := range platforms { // can eval policy in the normal way
From 8e3c6a2ec586495c5b84bcb71a74073b9fbce1ed Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Tue, 18 Jun 2024 09:39:12 -0500
Subject: [PATCH 2/7] feat: use os.ModePerm
---
 pkg/mirror/mirror.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/mirror/mirror.go b/pkg/mirror/mirror.go
index cd60f8d..6f00602 100644
--- a/pkg/mirror/mirror.go
+++ b/pkg/mirror/mirror.go
@@ -58,7 +58,7 @@ func PushIndexToRegistry(image v1.ImageIndex, imageName string) error {
 func SaveImageAsOCILayout(image v1.Image, path string) error {
 // Save the image to the local filesystem
- err := os.MkdirAll(path, os.FileMode(0777))
+ err := os.MkdirAll(path, os.ModePerm)
 if err != nil {
 return fmt.Errorf("failed to create directory: %w", err)
 }
@@ -72,7 +72,7 @@ func SaveImageAsOCILayout(image v1.Image, path string) error {
 func SaveIndexAsOCILayout(image v1.ImageIndex, path string) error {
 // Save the index to the local filesystem
- err := os.MkdirAll(path, os.FileMode(0777))
+ err := os.MkdirAll(path, os.ModePerm)
 if err != nil {
 return fmt.Errorf("failed to create directory: %w", err)
 }
From f611f81ffff078cf3559dcd712b202e685ae2676 Mon Sep 17 00:00:00 2001
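Review bot: `os.MkdirAll(path, os.ModePerm)` in SaveImageAsOCILayout still requests a world-writable directory (os.ModePerm is 0777); the rename satisfies the linter but does not narrow the permission. The effective mode is only reduced by the process umask, so on a permissive umask an OCI layout holding attestation or TUF material can end up writable by other local users. A fixed owner-controlled mode such as `err := os.MkdirAll(path, 0o755)` is the usual choice; the identical line appears in SaveIndexAsOCILayout in the following hunk. Both function bodies continue beyond their hunks.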
From: mrjoelkamp
Date: Tue, 18 Jun 2024 09:59:04 -0500
Subject: [PATCH 3/7] feat: add support for ecr, gcp, acr authn
---
 go.mod | 22 ++++++++++++++++++++++
 go.sum | 22 ++++++++++++++++++++++
 pkg/mirror/mirror.go | 32 +++++++++++++++++++-------------
 pkg/oci/oci.go | 12 +++++++++++-
 pkg/oci/types.go | 17 +++++++++++------
 pkg/tuf/registry.go | 12 +++++++++++-
 pkg/tuf/registry_test.go | 23 +++++++++++++++++------
 7 files changed, 113 insertions(+), 27 deletions(-)
diff --git a/go.mod b/go.mod
index d0ec1e1..1bc88a9 100644
--- a/go.mod
+++ b/go.mod
@@ -29,8 +29,24 @@ require (
 )
 require (
+ github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8
+ github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
+)
+
+require (
+ cloud.google.com/go/compute v1.25.1 // indirect
+ cloud.google.com/go/compute/metadata v0.2.3 // indirect
 dario.cat/mergo v1.0.0 // indirect
+ github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+ github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+ github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+ github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
+ github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
+ github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+ github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+ github.com/Azure/go-autorest/logger v0.2.1 // indirect
+ github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
 github.com/Microsoft/hcsshim v0.12.3 // indirect
 github.com/OneOfOne/xxhash v1.2.8 // indirect
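Review bot: Both new direct requirements are pinned to untagged pseudo-versions, and `github.com/chrismellard/docker-credential-acr-env` is published from an individual's account rather than a vendor organisation, yet nothing in the series records why these modules were chosen or how updates to them are to be reviewed. A short comment beside each requirement, e.g. `// pinned to <commit>; see <issue/PR> for provenance review`, or a sentence in the commit message would give future maintainers that context, and it is worth confirming that whatever dependency-update tooling the repository uses follows pseudo-versions at all. Note that the first hunk places them in a second `require` block, which patch 4 later folds into the main one.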
@@ -43,6 +59,8 @@ require (
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
 github.com/aws/aws-sdk-go-v2/service/kms v1.32.1 // indirect
@@ -63,6 +81,7 @@ require (
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
+ github.com/dimchansky/utfbom v1.1.1 // indirect
 github.com/docker/cli v26.1.3+incompatible // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
 github.com/docker/docker v26.1.3+incompatible // indirect
@@ -88,6 +107,7 @@ require (
 github.com/go-openapi/validate v0.24.0 // indirect
 github.com/gobwas/glob v0.2.3 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/google/certificate-transparency-go v1.1.8 // indirect
 github.com/google/uuid v1.6.0 // indirect
@@ -97,6 +117,7 @@ require (
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 github.com/jellydator/ttlcache/v3 v3.2.0 // indirect
+ github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/klauspost/compress v1.17.8 // indirect
 github.com/letsencrypt/boulder v0.0.0-20240515153123-6ae6aa8e9055 // indirect
@@ -162,6 +183,7 @@ require (
 golang.org/x/crypto v0.23.0 // indirect
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 golang.org/x/mod v0.17.0 // indirect
+ golang.org/x/oauth2 v0.19.0 // indirect
 golang.org/x/sync v0.7.0 // indirect
 golang.org/x/sys v0.20.0 // indirect
 golang.org/x/term v0.20.0 // indirect
diff --git a/go.sum b/go.sum
index cd1c699..aa7845e 100644
--- a/go.sum
+++ b/go.sum
@@ -37,16 +37,23 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw= github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs= +github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk= github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8= github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c= github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk= github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc= github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= 
+github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= +github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= @@ -97,6 +104,7 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.53.10 h1:3enP5l5WtezT9Ql+XZqs56JBf5YUd/FEzTCg///OIGY= github.com/aws/aws-sdk-go v1.53.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8= github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk= 
@@ -105,8 +113,10 @@ github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9a github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 h1:cy8ahBJuhtM8GTTSyOkfy6WVPV1IE+SS5/wfXUYuulw= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZI6EVNcPd7a6B5IC5cA/GkRWtu9fp3S6Y= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 h1:A4SYk07ef04+vxZToz9LWvAXl9LW0NClpPpMsi31cz0= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= @@ -127,6 +137,7 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCf github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os= github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk= github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk= +github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M= 
@@ -286,6 +297,8 @@ github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= @@ -318,6 +331,7 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -385,6 +399,8 @@ github.com/jellydator/ttlcache/v3 v3.2.0 h1:6lqVJ8X3ZaUwvzENqPAobDsXNExfUJd61u++ github.com/jellydator/ttlcache/v3 v3.2.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs= github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= @@ -572,6 +588,7 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= 
@@ -658,7 +675,10 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= @@ -678,6 +698,7 @@ golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 
@@ -791,6 +812,7 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkep
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
diff --git a/pkg/mirror/mirror.go b/pkg/mirror/mirror.go
index 6f00602..30ad287 100644
--- a/pkg/mirror/mirror.go
+++ b/pkg/mirror/mirror.go
@@ -5,12 +5,15 @@ import (
 "log"
 "os"
+ ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+ acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 "github.com/docker/attest/internal/embed"
 "github.com/docker/attest/pkg/tuf"
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/name"
 v1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/google/go-containerregistry/pkg/v1/empty"
+ "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/layout"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 )
@@ -27,18 +30,19 @@ func NewTufMirror(root []byte, tufPath, metadataURL, targetsURL string, versionC
 }
 func PushImageToRegistry(image v1.Image, imageName string) error {
- // Parse the image name
 ref, err := name.ParseReference(imageName)
 if err != nil {
 log.Fatalf("Failed to parse image name: %v", err)
 }
- // Get the authenticator from the default Docker keychain
- auth, err := authn.DefaultKeychain.Resolve(ref.Context())
- if err != nil {
- log.Fatalf("Failed to get authenticator: %v", err)
- }
+ // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
+ keychain := authn.NewMultiKeychain(
+ authn.DefaultKeychain,
+ google.Keychain,
+ authn.NewKeychainFromHelper(ecr.NewECRHelper()),
+ authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
+ )
 // Push the image to the registry
- return remote.Write(ref, image, remote.WithAuth(auth))
+ return remote.Write(ref, image, remote.WithAuthFromKeychain(keychain))
 }
 func PushIndexToRegistry(image v1.ImageIndex, imageName string) error {
@@ -47,13 +51,15 @@ func PushIndexToRegistry(image v1.ImageIndex, imageName string) error {
 if err != nil {
 log.Fatalf("Failed to parse image name: %v", err)
 }
- // Get the authenticator from the default Docker keychain
- auth, err := authn.DefaultKeychain.Resolve(ref.Context())
- if err != nil {
- log.Fatalf("Failed to get authenticator: %v", err)
- }
+ // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
+ keychain := authn.NewMultiKeychain(
+ authn.DefaultKeychain,
+ google.Keychain,
+ authn.NewKeychainFromHelper(ecr.NewECRHelper()),
+ authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
+ )
 // Push the index to the registry
- return remote.WriteIndex(ref, image, remote.WithAuth(auth))
+ return remote.WriteIndex(ref, image, remote.WithAuthFromKeychain(keychain))
 }
 func SaveImageAsOCILayout(image v1.Image, path string) error {
diff --git a/pkg/oci/oci.go b/pkg/oci/oci.go
index 54b663e..73c89e7 100644
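Review bot: The comment `// Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain` added in PushImageToRegistry does not say that order matters: authn.NewMultiKeychain consults the keychains in the order given, returns the first non-anonymous authenticator, and stops at the first keychain that returns an error, so a credential in the local Docker config for a registry shadows the cloud helpers and a failing Docker credential helper prevents the others from being tried. Suggest `// Keychains are consulted in order; the first non-anonymous result wins and an error from an earlier keychain aborts resolution, so local Docker config takes precedence over the cloud helpers.` The same block and comment are repeated in PushIndexToRegistry in the next hunk, in WithOptions (pkg/oci/oci.go), SubjectIndexFromRemote (pkg/oci/types.go), getManifest (pkg/tuf/registry.go) and LoadRegistryTestData (pkg/tuf/registry_test.go); patch 5 later collapses them into pkg/oci/authn.go, which is where the clarified comment should end up.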
--- a/pkg/oci/oci.go
+++ b/pkg/oci/oci.go
@@ -6,12 +6,15 @@ import (
 "fmt"
 "strings"
+ ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+ acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 "github.com/containerd/containerd/platforms"
 "github.com/distribution/reference"
 att "github.com/docker/attest/pkg/attestation"
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/name"
 v1 "github.com/google/go-containerregistry/pkg/v1"
+ "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/layout"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
@@ -456,7 +459,14 @@ func FetchAttestationManifest(ctx context.Context, image string, platform *v1.Pl
 func WithOptions(ctx context.Context, platform *v1.Platform) []remote.Option {
 // prepare options
- options := []remote.Option{remote.WithAuthFromKeychain(authn.DefaultKeychain), remote.WithTransport(HttpTransport()), remote.WithContext(ctx)}
+ // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
+ keychain := authn.NewMultiKeychain(
+ authn.DefaultKeychain,
+ google.Keychain,
+ authn.NewKeychainFromHelper(ecr.NewECRHelper()),
+ authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
+ )
+ options := []remote.Option{remote.WithAuthFromKeychain(keychain), remote.WithTransport(HttpTransport()), remote.WithContext(ctx)}
 // add in platform into remote Get operation; this might conflict with an explicit digest, but we are trying anyway
 if platform != nil {
diff --git a/pkg/oci/types.go b/pkg/oci/types.go
index 91a4880..02b673e 100644
--- a/pkg/oci/types.go
+++ b/pkg/oci/types.go
@@ -4,9 +4,12 @@ import (
 "fmt"
 "log"
+ ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+ acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/name"
 v1 "github.com/google/go-containerregistry/pkg/v1"
+ "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/layout"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 )
@@ -50,13 +53,15 @@ func SubjectIndexFromRemote(image string) (*SubjectIndex, error) {
 if err != nil {
 log.Fatalf("Failed to parse image name: %v", err)
 }
- // Get the authenticator from the default Docker keychain
- auth, err := authn.DefaultKeychain.Resolve(ref.Context())
- if err != nil {
- log.Fatalf("Failed to get authenticator: %v", err)
- }
+ // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
+ keychain := authn.NewMultiKeychain(
+ authn.DefaultKeychain,
+ google.Keychain,
+ authn.NewKeychainFromHelper(ecr.NewECRHelper()),
+ authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
+ )
 // Pull the image from the registry
- idx, err := remote.Index(ref, remote.WithAuth(auth))
+ idx, err := remote.Index(ref, remote.WithAuthFromKeychain(keychain))
 if err != nil {
 return nil, fmt.Errorf("failed to pull image %s: %w", image, err)
 }
diff --git a/pkg/tuf/registry.go b/pkg/tuf/registry.go
index 153618b..6a4520a 100644
--- a/pkg/tuf/registry.go
+++ b/pkg/tuf/registry.go
@@ -10,9 +10,12 @@ import (
 "strings"
 "time"
+ ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+ acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/crane"
 v1 "github.com/google/go-containerregistry/pkg/v1"
+ "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/types"
 "github.com/theupdateframework/go-tuf/v2/metadata"
 )
@@ -118,13 +121,20 @@ func (d *RegistryFetcher) getManifest(ref string) ([]byte, error) {
 var err error
 var found bool
 var mf []byte
+ // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
+ keychain := authn.NewMultiKeychain(
+ authn.DefaultKeychain,
+ google.Keychain,
+ authn.NewKeychainFromHelper(ecr.NewECRHelper()),
+ authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
+ )
 // Check cache for manifest and only pull if not found
 if mf, found = d.cache.Get(ref); !found {
 mf, err = crane.Manifest(ref, crane.WithUserAgent(d.httpUserAgent), crane.WithTransport(transportWithTimeout(d.timeout)), crane.WithAuth(authn.Anonymous),
- crane.WithAuthFromKeychain(authn.DefaultKeychain))
+ crane.WithAuthFromKeychain(keychain))
 if err != nil {
 return nil, err
 }
diff --git a/pkg/tuf/registry_test.go b/pkg/tuf/registry_test.go
index cb8311a..7facd7a 100644
--- a/pkg/tuf/registry_test.go
+++ b/pkg/tuf/registry_test.go
@@ -9,6 +9,8 @@ import (
 "strings"
 "testing"
+ ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+ acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 "github.com/docker/attest/internal/embed"
 "github.com/docker/attest/internal/util"
 "github.com/google/go-containerregistry/pkg/authn"
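Review bot: In getManifest the keychain, together with the `ecr.NewECRHelper()` and `acr.NewACRCredentialsHelper()` instances it wraps, is built before `d.cache.Get(ref)` is consulted, so every cache hit pays for constructing credential helpers it never uses. Moving the `keychain := authn.NewMultiKeychain(...)` block inside the `if mf, found = d.cache.Get(ref); !found {` branch, directly above the `crane.Manifest` call, keeps the cached path free of that work. The same placement question applies after patch 5 replaces the block with `oci.MultiKeychainOption()` if that call also sits above the cache check; getManifest continues past the hunk.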
@@ -16,6 +18,7 @@ import (
 "github.com/google/go-containerregistry/pkg/name"
 v1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/google/go-containerregistry/pkg/v1/empty"
+ "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/layout"
 "github.com/google/go-containerregistry/pkg/v1/mutate"
 "github.com/google/go-containerregistry/pkg/v1/remote"
@@ -368,14 +371,22 @@ func LoadRegistryTestData(t *testing.T, registry *url.URL, path string) {
 TARGETS_REPO := "tuf-targets"
 DELEGATED_ROLE := "test-role"
+ // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
+ keychain := authn.NewMultiKeychain(
+ authn.DefaultKeychain,
+ google.Keychain,
+ authn.NewKeychainFromHelper(ecr.NewECRHelper()),
+ authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
+ )
+
 // push top-level metadata -> metadata:latest
- err := LoadMetadata(filepath.Join(path, "metadata"), registry.Host, METADATA_REPO, METADATA_TAG)
+ err := LoadMetadata(filepath.Join(path, "metadata"), registry.Host, METADATA_REPO, METADATA_TAG, keychain)
 if err != nil {
 t.Fatal(err)
 }
 // push delegated metadata -> metadata:
- err = LoadMetadata(filepath.Join(path, "metadata", DELEGATED_ROLE), registry.Host, METADATA_REPO, DELEGATED_ROLE)
+ err = LoadMetadata(filepath.Join(path, "metadata", DELEGATED_ROLE), registry.Host, METADATA_REPO, DELEGATED_ROLE, keychain)
 if err != nil {
 t.Fatal(err)
 }
@@ -407,13 +418,13 @@ func LoadRegistryTestData(t *testing.T, registry *url.URL, path string) {
 if err != nil {
 t.Fatal(err)
 }
- err = remote.Write(ref, img, remote.WithAuthFromKeychain(authn.DefaultKeychain))
+ err = remote.Write(ref, img, remote.WithAuthFromKeychain(keychain))
 if err != nil {
 t.Fatal(err)
 }
 } else if len(mf.Manifests) > 1 {
 // delegated target
- err = remote.WriteIndex(ref, tIdx, remote.WithAuthFromKeychain(authn.DefaultKeychain))
+ err = remote.WriteIndex(ref, tIdx, remote.WithAuthFromKeychain(keychain))
 if err != nil {
 t.Fatal(err)
 }
@@ -424,7 +435,7 @@ func LoadRegistryTestData(t *testing.T, registry *url.URL, path string) {
 }
 // LoadMetadata loads TUF metadata from a local path and pushes to a registry
-func LoadMetadata(path, host, repo, tag string) error {
+func LoadMetadata(path, host, repo, tag string, keychain authn.Keychain) error {
 mIdx, err := layout.ImageIndexFromPath(path)
 if err != nil {
 return err
@@ -441,5 +452,5 @@ func LoadMetadata(path, host, repo, tag string) error {
 if err != nil {
 return err
 }
- return remote.Write(ref, img, remote.WithAuthFromKeychain(authn.DefaultKeychain))
+ return remote.Write(ref, img, remote.WithAuthFromKeychain(keychain))
 }
From f95760d8b290b24654ea761b078721c2f17f19b2 Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Tue, 18 Jun 2024 10:04:38 -0500
Subject: [PATCH 4/7] chore: fmt go.mod
---
 go.mod | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index 1bc88a9..f5714c2 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,8 @@ go 1.22.1
 require (
 github.com/Masterminds/semver/v3 v3.2.1
 github.com/aws/aws-sdk-go-v2/config v1.27.18
+ github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8
+ github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
 github.com/containerd/containerd v1.7.18
 github.com/distribution/reference v0.6.0
 github.com/go-openapi/runtime v0.28.0
@@ -28,11 +30,6 @@ require (
 sigs.k8s.io/yaml v1.4.0
 )
-require (
- github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8
- github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
-)
-
 require (
 cloud.google.com/go/compute v1.25.1 // indirect
 cloud.google.com/go/compute/metadata v0.2.3 // indirect
From 08e823e05bfcca23a572cc65c36c71c0ddb2e469 Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Tue, 18 Jun 2024 11:55:30 -0500
Subject: [PATCH 5/7] refactor: make common authn function
---
 pkg/mirror/mirror.go | 24 ++++-------------------
 pkg/oci/authn.go | 23 +++++++++++++++++++++
 pkg/oci/oci.go | 16 ++++------------
 pkg/oci/types.go | 13 +------------
 pkg/tuf/registry.go | 15 +++------------
 pkg/tuf/registry_test.go | 25 +++++++------------------
 6 files changed, 42 insertions(+), 74 deletions(-)
 create mode 100644 pkg/oci/authn.go
diff --git a/pkg/mirror/mirror.go b/pkg/mirror/mirror.go
index 30ad287..a821f20 100644
--- a/pkg/mirror/mirror.go
+++ b/pkg/mirror/mirror.go
@@ -5,15 +5,12 @@ import (
 "log"
 "os"
- ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
- acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 "github.com/docker/attest/internal/embed"
+ "github.com/docker/attest/pkg/oci"
 "github.com/docker/attest/pkg/tuf"
- "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/name"
 v1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/google/go-containerregistry/pkg/v1/empty"
- "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/layout"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 )
@@ -34,15 +31,9 @@ func PushImageToRegistry(image v1.Image, imageName string) error {
 if err != nil {
 log.Fatalf("Failed to parse image name: %v", err)
 }
- // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
- keychain := authn.NewMultiKeychain(
- authn.DefaultKeychain,
- google.Keychain,
- authn.NewKeychainFromHelper(ecr.NewECRHelper()),
- authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
- )
+
 // Push the image to the registry
- return remote.Write(ref, image, remote.WithAuthFromKeychain(keychain))
+ return remote.Write(ref, image, oci.MultiKeychainOption())
 }
 func PushIndexToRegistry(image v1.ImageIndex, imageName string) error {
@@ -51,15 +42,8 @@ func PushIndexToRegistry(image v1.ImageIndex, imageName string) error {
 if err != nil {
 log.Fatalf("Failed to parse image name: %v", err)
 }
- // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
- keychain := authn.NewMultiKeychain(
- authn.DefaultKeychain,
- google.Keychain,
- authn.NewKeychainFromHelper(ecr.NewECRHelper()),
- authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
- )
 // Push the index to the registry
- return remote.WriteIndex(ref, image, remote.WithAuthFromKeychain(keychain))
+ return remote.WriteIndex(ref, image, oci.MultiKeychainOption())
 }
 func SaveImageAsOCILayout(image v1.Image, path string) error {
diff --git a/pkg/oci/authn.go b/pkg/oci/authn.go
new file mode 100644
index 0000000..0c7457a
--- /dev/null
+++ b/pkg/oci/authn.go
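Review bot: The first hunk replaces the removed keychain block in PushImageToRegistry with a lone added blank line (the bare `+` before `// Push the image to the registry`), whereas the otherwise identical edit to PushIndexToRegistry in the next hunk removes the block cleanly; the two functions now differ only by that stray empty line. Dropping the added blank line keeps them parallel and avoids a spurious diff later. Both functions are fully visible in their hunks.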
@@ -0,0 +1,23 @@
+package oci
+
+import (
+ ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+ acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
+ "github.com/google/go-containerregistry/pkg/authn"
+ "github.com/google/go-containerregistry/pkg/v1/google"
+ "github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+func MultiKeychainOption() remote.Option {
+ return remote.WithAuthFromKeychain(MultiKeychainAll())
+}
+
+func MultiKeychainAll() authn.Keychain {
+ // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
+ return authn.NewMultiKeychain(
+ authn.DefaultKeychain,
+ google.Keychain,
+ authn.NewKeychainFromHelper(ecr.NewECRHelper()),
+ authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
+ )
+}
diff --git a/pkg/oci/oci.go b/pkg/oci/oci.go
index 73c89e7..a1b72fa 100644
--- a/pkg/oci/oci.go
+++ b/pkg/oci/oci.go
@@ -6,15 +6,11 @@ import (
 "fmt"
 "strings"
- ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
- acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 "github.com/containerd/containerd/platforms"
 "github.com/distribution/reference"
 att "github.com/docker/attest/pkg/attestation"
- "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/name"
 v1 "github.com/google/go-containerregistry/pkg/v1"
- "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/layout"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
@@ -245,6 +241,9 @@ func (r *ReferrersResolver) resolveAttestations(ctx context.Context) error {
 return fmt.Errorf("failed to parse reference: %w", err)
 }
 subjectDigest, err := r.ImageDigest(ctx)
+ if err != nil {
+ return fmt.Errorf("failed to get image digest: %w", err)
+ }
 var referrersSubjectRef name.Digest
 if r.referrersRepo != "" {
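Review bot: Both exported functions in the new pkg/oci/authn.go have no doc comment, and MultiKeychainAll constructs a fresh multi-keychain, including new `ecr.NewECRHelper()` and `acr.NewACRCredentialsHelper()` instances, on every call; if either helper keeps a token cache in memory, that cache is discarded each time (worth confirming against the helper implementations). Building the keychain once with `sync.OnceValue` (go.mod declares `go 1.22.1`, so it is available) and documenting the resolution order — authn.NewMultiKeychain consults keychains in the order given and returns the first non-anonymous authenticator — addresses both; `"sync"` would need adding to the import block.
```go
// MultiKeychainOption returns a remote.Option that authenticates registry
// requests with the keychain returned by MultiKeychainAll.
func MultiKeychainOption() remote.Option {
	return remote.WithAuthFromKeychain(MultiKeychainAll())
}

// multiKeychain builds the shared keychain once. Keychains are consulted in
// the order given and the first non-anonymous authenticator wins, so local
// Docker config takes precedence over the Google, ECR and ACR helpers.
var multiKeychain = sync.OnceValue(func() authn.Keychain {
	return authn.NewMultiKeychain(
		authn.DefaultKeychain,
		google.Keychain,
		authn.NewKeychainFromHelper(ecr.NewECRHelper()),
		authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
	)
})

// MultiKeychainAll returns the process-wide keychain covering the local
// Docker config plus the Google, ECR and ACR credential helpers.
func MultiKeychainAll() authn.Keychain {
	return multiKeychain()
}
```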
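Review bot: The `if err != nil` added after `subjectDigest, err := r.ImageDigest(ctx)` in resolveAttestations handles an error that was previously ignored, which is a behaviour change unrelated to the "make common authn function" refactor named in the subject line; it would be easier to review and to bisect as its own commit, or at minimum called out in the commit message. resolveAttestations begins and ends outside the hunk.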
@@ -459,14 +458,7 @@ func FetchAttestationManifest(ctx context.Context, image string, platform *v1.Pl
 func WithOptions(ctx context.Context, platform *v1.Platform) []remote.Option {
 // prepare options
- // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
- keychain := authn.NewMultiKeychain(
- authn.DefaultKeychain,
- google.Keychain,
- authn.NewKeychainFromHelper(ecr.NewECRHelper()),
- authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
- )
- options := []remote.Option{remote.WithAuthFromKeychain(keychain), remote.WithTransport(HttpTransport()), remote.WithContext(ctx)}
+ options := []remote.Option{MultiKeychainOption(), remote.WithTransport(HttpTransport()), remote.WithContext(ctx)}
 // add in platform into remote Get operation; this might conflict with an explicit digest, but we are trying anyway
 if platform != nil {
diff --git a/pkg/oci/types.go b/pkg/oci/types.go
index 02b673e..af7407a 100644
--- a/pkg/oci/types.go
+++ b/pkg/oci/types.go
@@ -4,12 +4,8 @@ import (
 "fmt"
 "log"
 
- ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
- acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
- "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/name"
 v1 "github.com/google/go-containerregistry/pkg/v1"
- "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/layout"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 )
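Review bot: `WithOptions` is exported but undocumented, and after this change it is the one place in the package that bundles authentication, transport and context for registry access, so callers should be told what it already supplies before they append their own options. Suggest, above `func WithOptions`: `// WithOptions returns the remote.Option set used for registry access: multi-keychain authentication, the shared HTTP transport, the given context and, when platform is non-nil, a platform selector for the remote Get.` The function body continues past the end of the hunk.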
@@ -53,15 +49,8 @@ func SubjectIndexFromRemote(image string) (*SubjectIndex, error) {
 if err != nil {
 log.Fatalf("Failed to parse image name: %v", err)
 }
- // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
- keychain := authn.NewMultiKeychain(
- authn.DefaultKeychain,
- google.Keychain,
- authn.NewKeychainFromHelper(ecr.NewECRHelper()),
- authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
- )
 // Pull the image from the registry
- idx, err := remote.Index(ref, remote.WithAuthFromKeychain(keychain))
+ idx, err := remote.Index(ref, MultiKeychainOption())
 if err != nil {
 return nil, fmt.Errorf("failed to pull image %s: %w", image, err)
 }
diff --git a/pkg/tuf/registry.go b/pkg/tuf/registry.go
index 6a4520a..3aad2bd 100644
--- a/pkg/tuf/registry.go
+++ b/pkg/tuf/registry.go
@@ -10,12 +10,10 @@ import (
 "strings"
 "time"
 
- ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
- acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
+ "github.com/docker/attest/pkg/oci"
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/crane"
 v1 "github.com/google/go-containerregistry/pkg/v1"
- "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/types"
 "github.com/theupdateframework/go-tuf/v2/metadata"
 )
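Review bot: The new `idx, err := remote.Index(ref, MultiKeychainOption())` pulls with go-containerregistry's default transport and no context, while `WithOptions` in this same package also passes `remote.WithTransport(HttpTransport())` and `remote.WithContext(ctx)`; this path therefore bypasses whatever the shared transport enforces (timeouts, proxy settings) and cannot be cancelled. At minimum use `idx, err := remote.Index(ref, MultiKeychainOption(), remote.WithTransport(HttpTransport()))`, or thread a `ctx` through `SubjectIndexFromRemote` and call `remote.Index(ref, WithOptions(ctx, nil)...)`. The `log.Fatalf` on the context line above also exits the process from a function that returns `error`; `return nil, fmt.Errorf("failed to parse image name: %w", err)` is the right shape and `fmt` is already imported in this file. The reference parse that sets `err` sits above the hunk.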
@@ -121,20 +119,13 @@ func (d *RegistryFetcher) getManifest(ref string) ([]byte, error) {
 var err error
 var found bool
 var mf []byte
- // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
- keychain := authn.NewMultiKeychain(
- authn.DefaultKeychain,
- google.Keychain,
- authn.NewKeychainFromHelper(ecr.NewECRHelper()),
- authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
- )
 // Check cache for manifest and only pull if not found
 if mf, found = d.cache.Get(ref); !found {
 mf, err = crane.Manifest(ref,
 crane.WithUserAgent(d.httpUserAgent),
 crane.WithTransport(transportWithTimeout(d.timeout)),
 crane.WithAuth(authn.Anonymous),
- crane.WithAuthFromKeychain(keychain))
+ crane.WithAuthFromKeychain(oci.MultiKeychainAll()))
 if err != nil {
 return nil, err
 }
@@ -154,7 +145,7 @@ func (d *RegistryFetcher) pullFileLayer(ref string, maxLength int64) ([]byte, er
 crane.WithUserAgent(d.httpUserAgent),
 crane.WithTransport(transportWithTimeout(d.timeout)),
 crane.WithAuth(authn.Anonymous),
- crane.WithAuthFromKeychain(authn.DefaultKeychain))
+ crane.WithAuthFromKeychain(oci.MultiKeychainAll()))
 if err != nil {
 return nil, err
 }
diff --git a/pkg/tuf/registry_test.go b/pkg/tuf/registry_test.go
index 7facd7a..31787b7 100644
--- a/pkg/tuf/registry_test.go
+++ b/pkg/tuf/registry_test.go
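Review bot: `crane.WithAuth(authn.Anonymous)` is still passed on the line directly before the new `crane.WithAuthFromKeychain(oci.MultiKeychainAll())`, in `getManifest` and again in `pullFileLayer`; as I recall remote's option handling, a configured keychain overrides the explicit authenticator, which makes the anonymous option dead code that reads as though the TUF fetch were deliberately unauthenticated. Either drop it or add `// keychain resolution takes precedence; Anonymous only documents the fallback` so the next reader need not check. `oci.MultiKeychainAll()` is also rebuilt, fresh ECR helper included, on every cache miss and every layer pull; a `keychain authn.Keychain` field on `RegistryFetcher` populated once at construction avoids that and gives tests a seam. Note that `pullFileLayer` previously used only `authn.DefaultKeychain`, so target layers on ECR or GCR now authenticate where they did not before — presumably intended, but worth a sentence in the commit message.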
@@ -9,16 +9,13 @@ import (
 "strings"
 "testing"
 
- ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
- acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 "github.com/docker/attest/internal/embed"
 "github.com/docker/attest/internal/util"
- "github.com/google/go-containerregistry/pkg/authn"
+ "github.com/docker/attest/pkg/oci"
 "github.com/google/go-containerregistry/pkg/crane"
 "github.com/google/go-containerregistry/pkg/name"
 v1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/google/go-containerregistry/pkg/v1/empty"
- "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/layout"
 "github.com/google/go-containerregistry/pkg/v1/mutate"
 "github.com/google/go-containerregistry/pkg/v1/remote"
@@ -371,22 +368,14 @@ func LoadRegistryTestData(t *testing.T, registry *url.URL, path string) {
 TARGETS_REPO := "tuf-targets"
 DELEGATED_ROLE := "test-role"
- // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
- keychain := authn.NewMultiKeychain(
- authn.DefaultKeychain,
- google.Keychain,
- authn.NewKeychainFromHelper(ecr.NewECRHelper()),
- authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
- )
-
 // push top-level metadata -> metadata:latest
- err := LoadMetadata(filepath.Join(path, "metadata"), registry.Host, METADATA_REPO, METADATA_TAG, keychain)
+ err := LoadMetadata(filepath.Join(path, "metadata"), registry.Host, METADATA_REPO, METADATA_TAG)
 if err != nil {
 t.Fatal(err)
 }
 // push delegated metadata -> metadata:
- err = LoadMetadata(filepath.Join(path, "metadata", DELEGATED_ROLE), registry.Host, METADATA_REPO, DELEGATED_ROLE, keychain)
+ err = LoadMetadata(filepath.Join(path, "metadata", DELEGATED_ROLE), registry.Host, METADATA_REPO, DELEGATED_ROLE)
 if err != nil {
 t.Fatal(err)
 }
@@ -418,13 +407,13 @@ func LoadRegistryTestData(t *testing.T, registry *url.URL, path string) {
 if err != nil {
 t.Fatal(err)
 }
- err = remote.Write(ref, img, remote.WithAuthFromKeychain(keychain))
+ err = remote.Write(ref, img, oci.MultiKeychainOption())
 if err != nil {
 t.Fatal(err)
 }
 } else if len(mf.Manifests) > 1 {
 // delegated target
- err = remote.WriteIndex(ref, tIdx, remote.WithAuthFromKeychain(keychain))
+ err = remote.WriteIndex(ref, tIdx, oci.MultiKeychainOption())
 if err != nil {
 t.Fatal(err)
 }
@@ -435,7 +424,7 @@ func LoadRegistryTestData(t *testing.T, registry *url.URL, path string) {
 if err != nil {
 t.Fatal(err)
 }
 }
 // LoadMetadata loads TUF metadata from a local path and pushes to a registry
-func LoadMetadata(path, host, repo, tag string, keychain authn.Keychain) error {
+func LoadMetadata(path, host, repo, tag string) error {
 mIdx, err := layout.ImageIndexFromPath(path)
 if err != nil {
 return err
@@ -452,5 +441,5 @@ func LoadMetadata(path, host, repo, tag string, keychain authn.Keychain) error {
 if err != nil {
 return err
 }
- return remote.Write(ref, img, remote.WithAuthFromKeychain(keychain))
+ return remote.Write(ref, img, oci.MultiKeychainOption())
 }
From abb3163628ae8c586b609ba772d509d50b0690d3 Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Tue, 25 Jun 2024 11:49:58 -0500
Subject: [PATCH 6/7] fix: update aws-sdk-go-v2

---
 go.mod | 12 +++++++++---
 go.sum | 18 ++++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index e834fcb..42c8de9 100644
--- a/go.mod
+++ b/go.mod
@@ -51,16 +51,22 @@ require (
 github.com/agnivade/levenshtein v1.1.1 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect
+ github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
 github.com/aws/aws-sdk-go-v2/credentials v1.17.21 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.1 // indirect
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
- github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.12 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.14 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect
- github.com/aws/aws-sdk-go-v2/service/kms v1.32.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.12 // indirect
+ github.com/aws/aws-sdk-go-v2/service/kms v1.34.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/s3 v1.56.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 // indirect
 github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 // indirect
diff --git a/go.sum b/go.sum
index b705424..e565706 100644
--- a/go.sum
+++ b/go.sum
@@ -107,12 +107,16 @@ github.com/aws/aws-sdk-go v1.53.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3Tj github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA= github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg= github.com/aws/aws-sdk-go-v2/config v1.27.21 h1:yPX3pjGCe2hJsetlmGNB4Mngu7UPmvWPzzWCv1+boeM= github.com/aws/aws-sdk-go-v2/config v1.27.21/go.mod h1:4XtlEU6DzNai8RMbjSF5MgGZtYvrhBP/aKZcRtZAVdM= github.com/aws/aws-sdk-go-v2/credentials v1.17.21 h1:pjAqgzfgFhTv5grc7xPHtXCAaMapzmwA7aU+c/SZQGw= github.com/aws/aws-sdk-go-v2/credentials v1.17.21/go.mod h1:nhK6PtBlfHTUDVmBLr1dg+WHCOCK+1Fu/WQyVHPsgNQ= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 h1:FR+oWPFb/8qMVYMWN98bUZAGqPvLHiyqg1wqQGfUAXY= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8/go.mod h1:EgSKcHiuuakEIxJcKGzVNWh5srVAQ3jKaSrBGRYvM48= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.1 h1:D9VqWMuw7lJAX6d5eINfRQ/PkvtcJAK3Qmd6f6xEeUw= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.1/go.mod h1:ckvBx7codI4wzc5inOfDp5ZbK7TjMFa7eXwmLvXQrRk= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo= 
@@ -121,16 +125,30 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.12 h1:DXFWyt7ymx/l1ygdyTTS0X923e+Q2wXIxConJzrgwc0= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.12/go.mod h1:mVOr/LbvaNySK1/BTy4cBOCjhCNY2raWBwK4v+WR5J4= github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE= github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA= +github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1 h1:ywNLJrn/Qn4enDsz/XnKlvpnLqvJxFGQV2BltWltbis= +github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1/go.mod h1:WadVIk+UrTvWuAsCp6BKGX4i2snurpz8mPWhJQnS7Dg= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2/go.mod h1:fUHpGXr4DrXkEDpGAjClPsviWf+Bszeb0daKE0blxv8= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1 h1:Eq9i/mvOlGghiKe9NtsmeD9Wlwg8p4fbsqrMb3nWirM= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1/go.mod h1:VtOgEoLEPV1YADuq+Z2XOK6/wKkGW2YK6DjChZ/GvDs= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.14 h1:oWccitSnByVU74rQRHac4gLfDqjB6Z1YQGOY/dXKedI= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.14/go.mod h1:8SaZBlQdCLrc/2U3CEO48rYj9uR8qRsPRkmzwNM52pM= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 
h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.12 h1:tzha+v1SCEBpXWEuw6B/+jm4h5z8hZbTpXz0zRZqTnw= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.12/go.mod h1:n+nt2qjHGoseWeLHt1vEr6ZRCCxIN2KcNpJxBcYQSwI= github.com/aws/aws-sdk-go-v2/service/kms v1.32.1 h1:FARrQLRQXpCFYylIUVF1dRij6YbPCmtwudq9NBk4kFc= github.com/aws/aws-sdk-go-v2/service/kms v1.32.1/go.mod h1:8lETO9lelSG2B6KMXFh2OwPPqGV6WQM3RqLAEjP1xaU= +github.com/aws/aws-sdk-go-v2/service/kms v1.34.1 h1:VsKBn6WADI3Nn3WjBMzeRww9WHXeVLi7zyuSrqjRCBQ= +github.com/aws/aws-sdk-go-v2/service/kms v1.34.1/go.mod h1:5F6kXrPBxv0l1t8EO44GuG4W82jGJwaRE0B+suEGnNY= +github.com/aws/aws-sdk-go-v2/service/s3 v1.56.1 h1:wsg9Z/vNnCmxWikfGIoOlnExtEU459cR+2d+iDJ8elo= +github.com/aws/aws-sdk-go-v2/service/s3 v1.56.1/go.mod h1:8rDw3mVwmvIWWX/+LWY3PPIMZuwnQdJMCt0iVFVT3qw= github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 h1:sd0BsnAvLH8gsp2e3cbaIr+9D7T1xugueQ7V/zUAsS4= github.com/aws/aws-sdk-go-v2/service/sso v1.21.1/go.mod h1:lcQG/MmxydijbeTOp04hIuJwXGWPZGI3bwdFDGRTv14= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 h1:1uEFNNskK/I1KoZ9Q8wJxMz5V9jyBlsiaNrM7vA3YUQ= From e37f7888651079e2dabc68f6d966176a2f6b57eb Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Tue, 25 Jun 2024 13:44:18 -0500 Subject: [PATCH 7/7] refactor: drop ACR support for now --- pkg/oci/authn.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/oci/authn.go b/pkg/oci/authn.go index 0c7457a..ee36fbf 100644 --- a/pkg/oci/authn.go +++ b/pkg/oci/authn.go 
@@ -2,7 +2,6 @@ package oci
 
 import (
 ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
- acr "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/v1/google"
 "github.com/google/go-containerregistry/pkg/v1/remote"
@@ -13,11 +12,10 @@ func MultiKeychainOption() remote.Option {
 }
 
 func MultiKeychainAll() authn.Keychain {
- // Create a multi-keychain that will use the default Docker, Google, ECR or ACR keychain
+ // Create a multi-keychain that will use the default Docker, Google, or ECR keychain
 return authn.NewMultiKeychain(
 authn.DefaultKeychain,
 google.Keychain,
 authn.NewKeychainFromHelper(ecr.NewECRHelper()),
- authn.NewKeychainFromHelper(acr.NewACRCredentialsHelper()),
 )
 }
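Review bot: Removing `acr.NewACRCredentialsHelper()` from the keychain leaves the `docker-credential-acr-env` module (and the Azure SDK modules it pulls in) declared but unused, since this patch's diffstat lists only `pkg/oci/authn.go`; unless a later patch handles it, `go mod tidy` should be part of this change so the supply-chain surface shrinks along with the feature. The reworded comment should also say what Azure users are left with; suggest replacing it with `// Create a multi-keychain that will use the default Docker, Google, or ECR keychain. ACR is not handled here: Azure registries need docker login or a credential helper configured in the Docker config, which DefaultKeychain picks up.`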