From 5a772633b0e22bdba72dadca0715c24d824f37a3 Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 12 Aug 2024 16:43:42 -0500 Subject: [PATCH] feat: use EmptyConfigImage for mirror --- pkg/mirror/metadata.go | 7 ++++--- pkg/mirror/metadata_test.go | 15 ++++++++++----- pkg/mirror/targets.go | 6 ++++-- pkg/mirror/targets_test.go | 6 +++--- pkg/mirror/types.go | 3 ++- 5 files changed, 23 insertions(+), 14 deletions(-) diff --git a/pkg/mirror/metadata.go b/pkg/mirror/metadata.go index 7f84b89..780212b 100644 --- a/pkg/mirror/metadata.go +++ b/pkg/mirror/metadata.go @@ -4,6 +4,7 @@ import ( "fmt" "strconv" + "github.com/docker/attest/pkg/oci" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/empty" "github.com/google/go-containerregistry/pkg/v1/mutate" @@ -17,7 +18,7 @@ import ( // ----------------- // GetMetadataManifest returns an image with TUF root metadata as layers. -func (m *TUFMirror) GetMetadataManifest(metadataURL string) (v1.Image, error) { +func (m *TUFMirror) GetMetadataManifest(metadataURL string) (*oci.EmptyConfigImage, error) { metadata, err := m.getMetadataMirror(metadataURL) if err != nil { return nil, fmt.Errorf("failed to get metadata: %w", err) @@ -26,7 +27,7 @@ func (m *TUFMirror) GetMetadataManifest(metadataURL string) (v1.Image, error) { if err != nil { return nil, fmt.Errorf("failed to build metadata manifest: %w", err) } - return manifest, nil + return &oci.EmptyConfigImage{Image: manifest}, nil } // getMetadataMirror returns a TufMetadata struct with TUF metadata as map of file names to bytes. @@ -183,7 +184,7 @@ func (m *TUFMirror) buildDelegatedMetadataManifests(delegated []DelegatedTargetM if err != nil { return nil, fmt.Errorf("failed to append delegated targets layer to image: %w", err) } - manifests = append(manifests, &Image{Image: img, Tag: role.Name}) + manifests = append(manifests, &Image{Image: &oci.EmptyConfigImage{Image: img}, Tag: role.Name}) } return manifests, nil } 
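Review bot: The doc comment on GetMetadataManifest in pkg/mirror/metadata.go still says only that it "returns an image", while the exported return type narrows from `v1.Image` to `*oci.EmptyConfigImage`, which breaks any caller that declared the result with the old type. I would update the comment to `// GetMetadataManifest returns the TUF root metadata as image layers, wrapped in oci.EmptyConfigImage.` so the contract is visible at the call site. oci.EmptyConfigImage is not shown here; if it alters the config or manifest bytes, the digest of the published metadata image will differ from what earlier versions produced, and consumers that pin the mirror by digest should be told. The same applies to the images wrapped in buildDelegatedMetadataManifests in the third hunk. Both function bodies continue outside their hunks.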
diff --git a/pkg/mirror/metadata_test.go b/pkg/mirror/metadata_test.go index 98f5983..ee5417e 100644 --- a/pkg/mirror/metadata_test.go +++ b/pkg/mirror/metadata_test.go @@ -16,15 +16,20 @@ import ( "github.com/theupdateframework/go-tuf/v2/metadata" ) +const ( + metadataPath = "/metadata" + targetsPath = "/targets" +) + func TestGetTufMetadataMirror(t *testing.T) { server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo")))) defer server.Close() path := test.CreateTempDir(t, "", "tuf_temp") - m, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker()) + m, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker()) assert.NoError(t, err) - tufMetadata, err := m.getMetadataMirror(server.URL + "/metadata") + tufMetadata, err := m.getMetadataMirror(server.URL + metadataPath) assert.NoError(t, err) // check that all roles are not empty @@ -39,10 +44,10 @@ func TestGetMetadataManifest(t *testing.T) { defer server.Close() path := test.CreateTempDir(t, "", "tuf_temp") - m, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker()) + m, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker()) assert.NoError(t, err) - img, err := m.GetMetadataManifest(server.URL + "/metadata") + img, err := m.GetMetadataManifest(server.URL + metadataPath) assert.NoError(t, err) assert.NotNil(t, img) 
@@ -78,7 +83,7 @@ func TestGetDelegatedMetadataMirrors(t *testing.T) { defer server.Close() path := test.CreateTempDir(t, "", "tuf_temp") - m, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker()) + m, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker()) assert.NoError(t, err) delegations, err := m.GetDelegatedMetadataMirrors() diff --git a/pkg/mirror/targets.go b/pkg/mirror/targets.go index 3a73411..df09e4c 100644 --- a/pkg/mirror/targets.go +++ b/pkg/mirror/targets.go @@ -5,6 +5,7 @@ import ( "path/filepath" "strings" + "github.com/docker/attest/pkg/oci" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/empty" "github.com/google/go-containerregistry/pkg/v1/mutate" @@ -42,7 +43,7 @@ func (m *TUFMirror) GetTUFTargetMirrors() ([]*Image, error) { if err != nil { return nil, fmt.Errorf("failed to append role layer to image: %w", err) } - targetMirrors = append(targetMirrors, &Image{Image: img, Tag: name}) + targetMirrors = append(targetMirrors, &Image{Image: &oci.EmptyConfigImage{Image: img}, Tag: name}) } return targetMirrors, nil } @@ -93,9 +94,10 @@ func (m *TUFMirror) GetDelegatedTargetMirrors() ([]*Index, error) { if err != nil { return nil, fmt.Errorf("failed to append role layer to image: %w", err) } + emptyConfigImage := &oci.EmptyConfigImage{Image: img} // append image to index with annotation index = mutate.AppendManifests(index, mutate.IndexAddendum{ - Add: img, + Add: emptyConfigImage, Descriptor: v1.Descriptor{ Annotations: map[string]string{ tufFileAnnotation: fmt.Sprintf("%s/%s", subdir, name), diff --git a/pkg/mirror/targets_test.go b/pkg/mirror/targets_test.go index aa785ef..c2b3ec5 100644 --- a/pkg/mirror/targets_test.go +++ b/pkg/mirror/targets_test.go 
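Review bot: Nothing in the visible test hunks exercises the new wrapper in pkg/mirror/targets.go, in particular the `Add: emptyConfigImage` handed to `mutate.AppendManifests` in GetDelegatedTargetMirrors; the test changes only replace URL literals with constants. The index descriptor is derived from the digest and size the appended value reports. If oci.EmptyConfigImage (not shown) rewrites the manifest, the index entry and the manifest that is eventually pushed have to agree, or clients that verify by digest will reject the mirror. I would extend TestGetDelegatedTargetMirrors to walk the index manifest and assert that each descriptor's digest resolves to an image whose own `Digest()` matches it. A short comment at the wrap site, `// wrap before AppendManifests so the index descriptor is computed from the wrapped manifest`, would record why the order matters. Both function bodies continue outside their hunks.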
@@ -27,7 +27,7 @@ func TestGetTufTargetsMirror(t *testing.T) { defer server.Close() path := test.CreateTempDir(t, "", "tuf_temp") - m, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker()) + m, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker()) assert.NoError(t, err) targets, err := m.GetTUFTargetMirrors() @@ -61,7 +61,7 @@ func TestTargetDelegationMetadata(t *testing.T) { defer server.Close() path := test.CreateTempDir(t, "", "tuf_temp") - tm, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker()) + tm, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker()) assert.NoError(t, err) targets, err := tm.TUFClient.LoadDelegatedTargets("test-role", "targets") @@ -74,7 +74,7 @@ func TestGetDelegatedTargetMirrors(t *testing.T) { defer server.Close() path := test.CreateTempDir(t, "", "tuf_temp") - m, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker()) + m, err := NewTUFMirror(embed.RootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker()) assert.NoError(t, err) mirrors, err := m.GetDelegatedTargetMirrors() diff --git a/pkg/mirror/types.go b/pkg/mirror/types.go index b064c6c..41f933b 100644 --- a/pkg/mirror/types.go +++ b/pkg/mirror/types.go @@ -1,6 +1,7 @@ package mirror import ( + "github.com/docker/attest/pkg/oci" "github.com/docker/attest/pkg/tuf" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/theupdateframework/go-tuf/v2/metadata" @@ -32,7 +33,7 @@ type DelegatedTargetMetadata struct { } type Image struct { - Image v1.Image + Image *oci.EmptyConfigImage Tag string }
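Review bot: The exported `Image` struct in pkg/mirror/types.go has no doc comment, and after this change its `Image` field is a concrete pointer that code outside the package must now construct itself. I would add `// Image is a mirror image and the tag to publish it under; Image must be non-nil.` above the type, because a nil `*oci.EmptyConfigImage`, or one whose inner `Image` is nil, would presumably fail only when a method is called on it at push time. Typing the field this way does prevent an unwrapped image from being stored by accident, which appears to be the intent of the commit.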