From 5faf0801eeeb13a641291ad225f5f89cbc72bcad Mon Sep 17 00:00:00 2001
From: James Carnegie
Date: Tue, 9 Jul 2024 13:36:33 +0100
Subject: [PATCH] Remove AttestationImage field from AttestationManifest
---
 pkg/attest/sign.go | 2 +-
 pkg/attest/sign_test.go | 8 +++-----
 pkg/attest/verify.go | 4 +---
 pkg/attestation/attestation.go | 14 ++++++--------
 pkg/attestation/types.go | 11 +++--------
 pkg/oci/layout.go | 4 ++--
 pkg/oci/oci.go | 2 +-
 pkg/oci/referrers.go | 2 +-
 pkg/oci/registry.go | 2 +-
 9 files changed, 19 insertions(+), 30 deletions(-)
diff --git a/pkg/attest/sign.go b/pkg/attest/sign.go
index c671767..15d0b98 100644
--- a/pkg/attest/sign.go
+++ b/pkg/attest/sign.go
@@ -18,7 +18,7 @@ func SignStatements(ctx context.Context, idx v1.ImageIndex, signer dsse.SignerVe
 }
 // sign every attestation layer in each manifest
 for _, manifest := range attestationManifests {
- for _, layer := range manifest.AttestationImage.OriginalLayers {
+ for _, layer := range manifest.OriginalLayers {
 err = manifest.AddAttestation(ctx, signer, layer.Statement, opts)
 if err != nil {
 return nil, fmt.Errorf("failed to sign attestation layer %w", err)
diff --git a/pkg/attest/sign_test.go b/pkg/attest/sign_test.go
index 9392ff9..89e0dc7 100644
--- a/pkg/attest/sign_test.go
+++ b/pkg/attest/sign_test.go
@@ -134,10 +134,8 @@ func TestAddSignedLayerAnnotations(t *testing.T) {
 OriginalDescriptor: &v1.Descriptor{
 MediaType: mediaType,
 },
- AttestationImage: &attestation.AttestationImage{
- OriginalLayers: []*attestation.AttestationLayer{
- originalLayer,
+ OriginalLayers: []*attestation.AttestationLayer{
+ originalLayer,
 },
 SubjectDescriptor: &v1.Descriptor{},
 }
@@ -200,7 +198,7 @@ func TestSimpleStatementSigning(t *testing.T) {
 require.NoError(t, err)
 // fake that the manfifest was loaded from a real image
- manifest.AttestationImage.OriginalLayers = manifest.AttestationImage.SignedLayers
+ manifest.OriginalLayers = manifest.SignedLayers
 envelopes, err := oci.ExtractEnvelopes(manifest, attestation.VSAPredicateType)
 require.NoError(t, err)
 assert.Len(t, envelopes, 2)
diff --git a/pkg/attest/verify.go b/pkg/attest/verify.go
index 42f3efc..e0b8dc5 100644
--- a/pkg/attest/verify.go
+++ b/pkg/attest/verify.go
@@ -175,9 +175,7 @@ func NewAttestationManifest(subject *v1.Descriptor) (*attestation.AttestationMan
 OriginalDescriptor: &v1.Descriptor{
 MediaType: "application/vnd.oci.image.manifest.v1+json",
 },
- AttestationImage: &attestation.AttestationImage{
- OriginalLayers: []*attestation.AttestationLayer{},
- },
+ OriginalLayers: []*attestation.AttestationLayer{},
 SubjectDescriptor: subject,
 }, nil
 }
diff --git a/pkg/attestation/attestation.go b/pkg/attestation/attestation.go
index f2f35a0..5447c99 100644
--- a/pkg/attestation/attestation.go
+++ b/pkg/attestation/attestation.go
@@ -47,8 +47,7 @@ func GetAttestationManifestsFromIndex(index v1.ImageIndex) ([]*AttestationManife
 &AttestationManifest{
 OriginalDescriptor: &desc,
 SubjectDescriptor: subject,
- AttestationImage: &AttestationImage{
- OriginalLayers: attestationLayers}})
+ OriginalLayers: attestationLayers})
 }
 }
 return attestationManifests, nil
@@ -96,7 +95,7 @@ func (manifest *AttestationManifest) AddAttestation(ctx context.Context, signer
 if err != nil {
 return fmt.Errorf("failed to create signed layer: %w", err)
 }
- manifest.AttestationImage.SignedLayers = append(manifest.AttestationImage.SignedLayers, layer)
+ manifest.SignedLayers = append(manifest.SignedLayers, layer)
 return nil
 }
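Review bot: `OriginalLayers: []*attestation.AttestationLayer{},` in NewAttestationManifest allocates an empty non-nil slice, while every other constructor touched by this patch (GetAttestationManifestsFromIndex, attestationManifestFromOCILayout, resolveAttestations, FetchAttestationManifest) stores whatever slice it loaded and leaves SignedLayers at its nil zero value. The Go idiom is to omit the field and let the zero value stand, since len, range and append all work on a nil slice, so the line can simply be dropped. The only reason to keep it would be a caller that distinguishes nil from empty (for example a JSON encoding that must emit `[]`); the types.go hunk shows no json tags, so that seems unlikely but is worth confirming. NewAttestationManifest's signature lies outside the hunk.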
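Review bot: `OriginalLayers: attestationLayers})` in GetAttestationManifestsFromIndex closes both the AttestationManifest literal and the enclosing append call on the same line as the last field, which hides where the literal ends and differs from the multi-line literals the same patch writes in layout.go, referrers.go and registry.go. Ending the field with a trailing comma, `OriginalLayers: attestationLayers,`, and placing `})` on its own line keeps the literal extensible and consistent with the other call sites. The enclosing loop and function start outside the hunk.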
@@ -202,15 +201,14 @@ func WithReplacedLayers(replaceLayers bool) func(*AttestationManifestImageOption
 // build an image with signed attestations, optionally replacing existing layers with signed layers
 func (manifest *AttestationManifest) BuildAttestationImage(options ...func(*AttestationManifestImageOptions) error) (v1.Image, error) {
- // always create a new image from all the layers
 opts, err := newOptions(options...)
 if err != nil {
 return nil, fmt.Errorf("failed to create options: %w", err)
 }
- resultLayers := manifest.AttestationImage.SignedLayers
- for _, existingLayer := range manifest.AttestationImage.OriginalLayers {
+ resultLayers := manifest.SignedLayers
+ for _, existingLayer := range manifest.OriginalLayers {
 var found bool
- for _, signedLayer := range manifest.AttestationImage.SignedLayers {
+ for _, signedLayer := range manifest.SignedLayers {
 if existingLayer.Statement == signedLayer.Statement {
 found = true
 // copy over original annotations
@@ -236,7 +234,7 @@ func (manifest *AttestationManifest) BuildAttestationImage(options ...func(*Atte
 // build an image per attestation (layer) suitable for use as Referrers
 func (manifest *AttestationManifest) BuildReferringArtifacts() ([]v1.Image, error) {
 var images []v1.Image
- for _, layer := range manifest.AttestationImage.SignedLayers {
+ for _, layer := range manifest.SignedLayers {
 opts := &AttestationManifestImageOptions{
 strictReferrers: true,
 }
diff --git a/pkg/attestation/types.go b/pkg/attestation/types.go
index 8f37032..f6848cc 100644
--- a/pkg/attestation/types.go
+++ b/pkg/attestation/types.go
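Review bot: `resultLayers := manifest.SignedLayers` in BuildAttestationImage shares its backing array with the manifest's own slice, so if the rest of the loop appends unmatched original layers to resultLayers (inferred from the "optionally replacing existing layers" comment; the remainder of the body is outside the hunk) those appends and AddAttestation's `append(manifest.SignedLayers, layer)` target the same spare capacity and can overwrite each other's elements. For a type whose whole purpose is to decide which attestation layers end up in a signed image, that kind of silent clobbering is worth ruling out rather than reasoning about call order. Starting from a copy, `resultLayers := append([]*AttestationLayer(nil), manifest.SignedLayers...)`, removes the aliasing with no change to the result; the same shape existed before through AttestationImage, but the flattening is a natural point to fix it. BuildAttestationImage continues past the end of the hunk.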
@@ -30,17 +30,12 @@ type AttestationLayer struct {
 Annotations map[string]string
 }
-type AttestationImage struct {
- OriginalLayers []*AttestationLayer
- SignedLayers []*AttestationLayer
-}
-
 type AttestationManifest struct {
 OriginalDescriptor *v1.Descriptor
- // kept up to date during signing
-
- AttestationImage *AttestationImage
+ OriginalLayers []*AttestationLayer
+ // accumulated during signing
+ SignedLayers []*AttestationLayer
 // details of subect image
 SubjectName string
 SubjectDescriptor *v1.Descriptor
diff --git a/pkg/oci/layout.go b/pkg/oci/layout.go
index 966f23a..4793ecb 100644
--- a/pkg/oci/layout.go
+++ b/pkg/oci/layout.go
@@ -44,7 +44,7 @@ func (r *OCILayoutResolver) fetchAttestationManifest() (*attestation.Attestation
 func (r *OCILayoutResolver) Attestations(ctx context.Context, predicateType string) ([]*att.Envelope, error) {
 var envs []*att.Envelope
- for _, attestationLayer := range r.AttestationManifest.AttestationImage.OriginalLayers {
+ for _, attestationLayer := range r.AttestationManifest.OriginalLayers {
 if attestationLayer.Annotations[attestation.InTotoPredicateType] != predicateType {
 continue
 }
@@ -134,7 +134,7 @@ func attestationManifestFromOCILayout(path string, platform *v1.Platform) (*atte
 return nil, fmt.Errorf("failed to get attestations from image: %w", err)
 }
 attest := &attestation.AttestationManifest{
- AttestationImage: &att.AttestationImage{OriginalLayers: layers},
+ OriginalLayers: layers,
 OriginalDescriptor: &mf,
 SubjectName: name,
 SubjectDescriptor: subjectDescriptor,
diff --git a/pkg/oci/oci.go b/pkg/oci/oci.go
index 54070c2..f5f051c 100644
--- a/pkg/oci/oci.go
+++ b/pkg/oci/oci.go
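Review bot: The two new exported fields on AttestationManifest carry almost no documentation (`// accumulated during signing` on SignedLayers, nothing on OriginalLayers), and because this patch makes every caller reach them directly the relationship between the two slices is now the type's public contract. Suggest `// OriginalLayers holds the attestation layers as loaded from the source image, index or referrers; signing iterates them and appends to SignedLayers rather than modifying this slice.` above OriginalLayers, and `// SignedLayers holds the signed layers appended by AddAttestation; it is nil on a freshly loaded manifest.` above SignedLayers, both of which match what sign.go, attestation.go and the three resolvers in this patch do. The unchanged `// details of subect image` line below also has a typo ("subject") that could be fixed while the struct is being touched.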
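Review bot: The `attest := &attestation.AttestationManifest{ OriginalLayers: layers, ...` literal in attestationManifestFromOCILayout is repeated almost field for field in resolveAttestations (referrers.go) and FetchAttestationManifest (registry.go), each populating the same four fields from a different source. A small constructor in the attestation package taking the original descriptor, subject name, subject descriptor and layers would keep the three sites in step the next time a field is added or removed, which is exactly the edit this patch had to make by hand in nine files. attestationManifestFromOCILayout starts and ends outside the hunk.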
@@ -49,7 +49,7 @@ func WithOptions(ctx context.Context, platform *v1.Platform) []remote.Option {
 func ExtractEnvelopes(manifest *attestation.AttestationManifest, predicateType string) ([]*att.Envelope, error) {
 var envs []*att.Envelope
- for _, attestationLayer := range manifest.AttestationImage.OriginalLayers {
+ for _, attestationLayer := range manifest.OriginalLayers {
 mt, err := attestationLayer.Layer.MediaType()
 if err != nil {
 return nil, fmt.Errorf("failed to get layer media type: %w", err)
diff --git a/pkg/oci/referrers.go b/pkg/oci/referrers.go
index aa1dad0..2269c5e 100644
--- a/pkg/oci/referrers.go
+++ b/pkg/oci/referrers.go
@@ -86,7 +86,7 @@ func (r *ReferrersResolver) resolveAttestations(ctx context.Context) error {
 }
 attest := &attestation.AttestationManifest{
 SubjectName: r.Identifier,
- AttestationImage: &attestation.AttestationImage{OriginalLayers: layers},
+ OriginalLayers: layers,
 OriginalDescriptor: &m,
 SubjectDescriptor: desc,
 }
diff --git a/pkg/oci/registry.go b/pkg/oci/registry.go
index afad7c8..4e766c7 100644
--- a/pkg/oci/registry.go
+++ b/pkg/oci/registry.go
@@ -132,7 +132,7 @@ func FetchAttestationManifest(ctx context.Context, image string, platform *v1.Pl
 return nil, fmt.Errorf("failed to get attestations from image: %w", err)
 }
 attest := &attestation.AttestationManifest{
- AttestationImage: &att.AttestationImage{OriginalLayers: layers},
+ OriginalLayers: layers,
 OriginalDescriptor: &remoteDescriptor.Descriptor,
 SubjectName: image,
 SubjectDescriptor: subjectDescriptor,