Add platform filtering support to mapping.yml (#167)

* chore!: rename package config -> mapping
* feat: add platform filtering support to mapping.yml
James Carnegie
2024-09-18 21:11:55 +01:00
committed by GitHub
parent 05caa959c4
commit 4a70e5ae36
26 changed files with 421 additions and 253 deletions


@@ -10,7 +10,7 @@ import (
"github.com/distribution/reference"
"github.com/docker/attest/attestation"
"github.com/docker/attest/config"
"github.com/docker/attest/mapping"
"github.com/docker/attest/oci"
"github.com/docker/attest/policy"
"github.com/docker/attest/tuf"
@@ -60,7 +60,12 @@ func (verifier *ImageVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (
return nil, fmt.Errorf("failed to resolve image name: %w", err)
}
policyResolver := policy.NewResolver(verifier.tufClient, verifier.opts)
resolvedPolicy, err := policyResolver.ResolvePolicy(ctx, imageName)
platform, err := detailsResolver.ImagePlatform(ctx)
if err != nil {
return nil, fmt.Errorf("failed to get image platform: %w", err)
}
resolvedPolicy, err := policyResolver.ResolvePolicy(ctx, imageName, platform)
if err != nil {
return nil, fmt.Errorf("failed to resolve policy: %w", err)
}
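Review bot: The platform from `detailsResolver.ImagePlatform(ctx)` now decides which mapping.yml rule `ResolvePolicy` selects, but nothing in this hunk says where that value originates or what happens when no rule matches it. If it comes from the caller's image spec or from the image's own metadata, it is not a trusted input, so a platform that no rule covers should fail closed rather than leave the image without a policy. That handling is presumably in the part of `Verify` after this hunk, which is not visible here, so please confirm it. I would add a comment above the call, `// platform feeds policy selection (mapping.yml platform filters); an unmatched platform must not bypass verification`, and a test for an image whose platform is absent from the mapping. It is also worth checking whether `ImagePlatform` can return a nil platform with a nil error before the value is passed on.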
@@ -72,14 +77,14 @@ func (verifier *ImageVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (
}
// this is overriding the mapping with a referrers config. Useful for testing if nothing else
if verifier.opts.ReferrersRepo != "" {
resolvedPolicy.Mapping.Attestations = &config.AttestationConfig{
resolvedPolicy.Mapping.Attestations = &mapping.AttestationConfig{
Repo: verifier.opts.ReferrersRepo,
Style: config.AttestationStyleReferrers,
Style: mapping.AttestationStyleReferrers,
}
} else if verifier.opts.AttestationStyle == config.AttestationStyleAttached {
resolvedPolicy.Mapping.Attestations = &config.AttestationConfig{
} else if verifier.opts.AttestationStyle == mapping.AttestationStyleAttached {
resolvedPolicy.Mapping.Attestations = &mapping.AttestationConfig{
Repo: verifier.opts.ReferrersRepo,
Style: config.AttestationStyleAttached,
Style: mapping.AttestationStyleAttached,
}
}
// because we have a mapping now, we can select a resolver based on its contents (ie. referrers or attached)
@@ -120,9 +125,9 @@ func populateDefaultOptions(opts *policy.Options) (err error) {
}
if opts.AttestationStyle == "" {
opts.AttestationStyle = config.AttestationStyleReferrers
opts.AttestationStyle = mapping.AttestationStyleReferrers
}
if opts.ReferrersRepo != "" && opts.AttestationStyle != config.AttestationStyleReferrers {
if opts.ReferrersRepo != "" && opts.AttestationStyle != mapping.AttestationStyleReferrers {
return fmt.Errorf("referrers repo specified but attestation source not set to referrers")
}
return nil