*Breaking* Parse platform earlier (#43)

* *Breaking* Parse platform earlier * Use constructors and hide fields to avoid confusion
2024-05-30 17:38:58 +01:00
parent e81016fc31
commit a334599635
7 changed files with 70 additions and 60 deletions
--- a/pkg/attest/example_verify_test.go
+++ b/pkg/attest/example_verify_test.go
@@ -39,9 +39,11 @@ func ExampleVerify_remote() {
 	// create a resolver for remote attestations
 	image := "registry-1.docker.io/library/notary:server"
 	platform := "linux/amd64"
-	resolver := &oci.RegistryResolver{
-		Image:    image,    // path to image index in OCI registry containing image attestations
-		Platform: platform, // platform of subject image (image that attestations are being verified against)
+	resolver, err := oci.NewRegistryAttestationResolver(
+		image,    // path to image index in OCI registry containing image attestations
+		platform) // platform of subject image (image that attestations are being verified against)
+	if err != nil {
+		panic(err)
 	}
 	// example using a local resolver
 	// path := "/myimage"
--- a/pkg/attest/sign_test.go
+++ b/pkg/attest/sign_test.go
@@ -73,11 +73,8 @@ func TestSignVerifyOCILayout(t *testing.T) {
 			})
 			_, err = layout.Write(outputLayout, idx)
 			require.NoError(t, err)
-
-			resolver := &oci.OCILayoutResolver{
-				Path:     outputLayout,
-				Platform: "",
-			}
+			resolver, err := oci.NewOCILayoutAttestationResolver(outputLayout, "")
+			require.NoError(t, err)
 			policy, err := Verify(ctx, policyResolver, resolver)
 			require.NoError(t, err)
 			assert.Equalf(t, OutcomeSuccess, policy.Outcome, "Policy should have been found")
--- a/pkg/attest/verify.go
+++ b/pkg/attest/verify.go
@@ -89,7 +89,11 @@ func VerifyAttestations(ctx context.Context, resolver oci.AttestationResolver, p
 	if err != nil {
 		return nil, fmt.Errorf("failed to get image name: %w", err)
 	}
-	purl, canonical, err := oci.RefToPURL(name, resolver.ImagePlatformStr())
+	platform, err := resolver.ImagePlatform()
+	if err != nil {
+		return nil, err
+	}
+	purl, canonical, err := oci.RefToPURL(name, platform)
 	if err != nil {
 		return nil, fmt.Errorf("failed to convert ref to purl: %w", err)
 	}
--- a/pkg/attest/verify_test.go
+++ b/pkg/attest/verify_test.go
@@ -95,10 +95,8 @@ func TestVSA(t *testing.T) {
 	assert.NoError(t, err)

 	//verify (without vsa should fail)
-	resolver := &oci.OCILayoutResolver{
-		Path:     outputLayout,
-		Platform: "linux/amd64",
-	}
+	resolver, err := oci.NewOCILayoutAttestationResolver(outputLayout, "linux/amd64")
+	require.NoError(t, err)

 	// mocked vsa query should pass
 	policyOpts := &policy.PolicyOptions{
@@ -150,10 +148,8 @@ func TestVerificationFailure(t *testing.T) {
 	assert.NoError(t, err)

 	//verify (without vsa should fail)
-	resolver := &oci.OCILayoutResolver{
-		Path:     outputLayout,
-		Platform: "linux/amd64",
-	}
+	resolver, err := oci.NewOCILayoutAttestationResolver(outputLayout, "linux/amd64")
+	require.NoError(t, err)

 	// mocked vsa query should pass
 	policyOpts := &policy.PolicyOptions{
--- a/pkg/oci/oci.go
+++ b/pkg/oci/oci.go
@@ -38,7 +38,7 @@ func parsePlatform(platformStr string) (*v1.Platform, error) {
 	}
 }

-func attestationManifestFromOCILayout(path string, platformStr string) (*AttestationManifest, error) {
+func attestationManifestFromOCILayout(path string, platform *v1.Platform) (*AttestationManifest, error) {
 	idx, err := layout.ImageIndexFromPath(path)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load image index: %w", err)
@@ -61,10 +61,6 @@ func attestationManifestFromOCILayout(path string, platformStr string) (*Attesta
 	if err != nil {
 		return nil, fmt.Errorf("failed to extract IndexManifest from ImageIndex: %w", err)
 	}
-	platform, err := parsePlatform(platformStr)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse platform: %w", err)
-	}
 	var imageDigest string
 	for _, mf := range mfs2.Manifests {
 		if mf.Platform.Equals(*platform) {
@@ -104,17 +100,28 @@ func attestationManifestFromOCILayout(path string, platformStr string) (*Attesta

 // implementation of AttestationResolver that closes over attestations from an oci layout
 type OCILayoutResolver struct {
-	Path     string
-	Platform string
+	path     string
+	platform *v1.Platform
 	*AttestationManifest
 }

-func (r *OCILayoutResolver) ImagePlatformStr() string {
-	return r.Platform
+func NewOCILayoutAttestationResolver(path string, platform string) (*OCILayoutResolver, error) {
+	p, err := parsePlatform(platform)
+	if err != nil {
+		return nil, err
+	}
+	return &OCILayoutResolver{
+		path:     path,
+		platform: p,
+	}, nil
+}
+
+func (r *OCILayoutResolver) ImagePlatform() (*v1.Platform, error) {
+	return r.platform, nil
 }
 func (r *OCILayoutResolver) fetchAttestationManifest() (*AttestationManifest, error) {
 	if r.AttestationManifest == nil {
-		m, err := attestationManifestFromOCILayout(r.Path, r.Platform)
+		m, err := attestationManifestFromOCILayout(r.path, r.platform)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get attestation manifest: %w", err)
 		}
@@ -189,22 +196,33 @@ func (r *OCILayoutResolver) ImageDigest(ctx context.Context) (string, error) {
 }

 type RegistryResolver struct {
-	Image    string
-	Platform string
+	image    string
+	platform *v1.Platform
 	*AttestationManifest
 }

-func (r *RegistryResolver) ImageName(ctx context.Context) (string, error) {
-	return r.Image, nil
+func NewRegistryAttestationResolver(image string, platform string) (*RegistryResolver, error) {
+	p, err := parsePlatform(platform)
+	if err != nil {
+		return nil, err
+	}
+	return &RegistryResolver{
+		image:    image,
+		platform: p,
+	}, nil
 }

-func (r *RegistryResolver) ImagePlatformStr() string {
-	return r.Platform
+func (r *RegistryResolver) ImageName(ctx context.Context) (string, error) {
+	return r.image, nil
+}
+
+func (r *RegistryResolver) ImagePlatform() (*v1.Platform, error) {
+	return r.platform, nil
 }

 func (r *RegistryResolver) ImageDigest(ctx context.Context) (string, error) {
 	if r.AttestationManifest == nil {
-		attest, err := FetchAttestationManifest(ctx, r.Image, r.Platform)
+		attest, err := FetchAttestationManifest(ctx, r.image, r.platform)
 		if err != nil {
 			return "", fmt.Errorf("failed to get attestation manifest: %w", err)
 		}
@@ -215,7 +233,7 @@ func (r *RegistryResolver) ImageDigest(ctx context.Context) (string, error) {

 func (r *RegistryResolver) Attestations(ctx context.Context, predicateType string) ([]*att.Envelope, error) {
 	if r.AttestationManifest == nil {
-		attest, err := FetchAttestationManifest(ctx, r.Image, r.Platform)
+		attest, err := FetchAttestationManifest(ctx, r.image, r.platform)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get attestation manifest: %w", err)
 		}
@@ -224,19 +242,13 @@ func (r *RegistryResolver) Attestations(ctx context.Context, predicateType strin
 	return ExtractEnvelopes(r.AttestationManifest, predicateType)
 }

-func FetchAttestationManifest(ctx context.Context, image, platformStr string) (*AttestationManifest, error) {
-	platform, err := parsePlatform(platformStr)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse platform %s: %w", platform, err)
-	}
-
+func FetchAttestationManifest(ctx context.Context, image string, platform *v1.Platform) (*AttestationManifest, error) {
 	// we want to get to the image index, so ignoring platform for now
 	options := withOptions(ctx, nil)
 	ref, err := name.ParseReference(image)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse reference: %w", err)
 	}
-
 	desc, err := remote.Index(ref, options...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to obtain index manifest: %w", err)
@@ -348,7 +360,7 @@ func attestationDigestForDigest(ix *v1.IndexManifest, imageDigest string, attest
 	return "", errors.New(fmt.Sprintf("no attestation found for image %s", imageDigest))
 }

-func RefToPURL(ref string, platform string) (string, bool, error) {
+func RefToPURL(ref string, platform *v1.Platform) (string, bool, error) {
 	var isCanonical bool
 	named, err := reference.ParseNormalizedNamed(ref)
 	if err != nil {
@@ -380,14 +392,10 @@ func RefToPURL(ref string, platform string) (string, bool, error) {
 	}
 	name = parts[len(parts)-1]

-	pf, err := parsePlatform(platform)
-	if err != nil {
-		return "", false, fmt.Errorf("failed to parse platform %q: %w", platform, err)
-	}
-	if pf != nil {
+	if platform != nil {
 		qualifiers = append(qualifiers, packageurl.Qualifier{
 			Key:   "platform",
-			Value: pf.String(),
+			Value: platform.String(),
 		})
 	}

--- a/pkg/oci/oci_test.go
+++ b/pkg/oci/oci_test.go
@@ -6,45 +6,48 @@ import (

 	"github.com/google/go-containerregistry/pkg/v1/layout"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestRefToPurl(t *testing.T) {
-	purl, canonical, err := RefToPURL("alpine", "arm64/linux")
+	arm, err := parsePlatform("arm64/linux")
+	require.NoError(t, err)
+	purl, canonical, err := RefToPURL("alpine", arm)
 	assert.NoError(t, err)
 	assert.Equal(t, "pkg:docker/alpine@latest?platform=arm64%2Flinux", purl)
 	assert.False(t, canonical)

-	purl, canonical, err = RefToPURL("alpine:123", "arm64/linux")
+	purl, canonical, err = RefToPURL("alpine:123", arm)
 	assert.NoError(t, err)
 	assert.Equal(t, "pkg:docker/alpine@123?platform=arm64%2Flinux", purl)
 	assert.False(t, canonical)

-	purl, canonical, err = RefToPURL("google/alpine:123", "arm64/linux")
+	purl, canonical, err = RefToPURL("google/alpine:123", arm)
 	assert.NoError(t, err)
 	assert.Equal(t, "pkg:docker/google/alpine@123?platform=arm64%2Flinux", purl)
 	assert.False(t, canonical)

-	purl, canonical, err = RefToPURL("library/alpine:123", "arm64/linux")
+	purl, canonical, err = RefToPURL("library/alpine:123", arm)
 	assert.NoError(t, err)
 	assert.Equal(t, "pkg:docker/alpine@123?platform=arm64%2Flinux", purl)
 	assert.False(t, canonical)

-	purl, canonical, err = RefToPURL("docker.io/library/alpine:123", "arm64/linux")
+	purl, canonical, err = RefToPURL("docker.io/library/alpine:123", arm)
 	assert.NoError(t, err)
 	assert.Equal(t, "pkg:docker/alpine@123?platform=arm64%2Flinux", purl)
 	assert.False(t, canonical)

-	purl, canonical, err = RefToPURL("localhost:5001/library/alpine:123", "arm64/linux")
+	purl, canonical, err = RefToPURL("localhost:5001/library/alpine:123", arm)
 	assert.NoError(t, err)
 	assert.Equal(t, "pkg:docker/localhost%3A5001/library/alpine@123?platform=arm64%2Flinux", purl)
 	assert.False(t, canonical)

-	purl, canonical, err = RefToPURL("localhost:5001/alpine:123", "arm64/linux")
+	purl, canonical, err = RefToPURL("localhost:5001/alpine:123", arm)
 	assert.NoError(t, err)
 	assert.Equal(t, "pkg:docker/localhost%3A5001/alpine@123?platform=arm64%2Flinux", purl)
 	assert.False(t, canonical)

-	purl, canonical, err = RefToPURL("localhost:5001/alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b", "arm64/linux")
+	purl, canonical, err = RefToPURL("localhost:5001/alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b", arm)
 	assert.NoError(t, err)
 	assert.Equal(t, "pkg:docker/localhost%3A5001/alpine?digest=sha256%3Ac5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b&platform=arm64%2Flinux", purl)
 	assert.True(t, canonical)
--- a/pkg/oci/resolver.go
+++ b/pkg/oci/resolver.go
@@ -20,7 +20,7 @@ type AttestationManifest struct {

 type AttestationResolver interface {
 	ImageName(ctx context.Context) (string, error)
-	ImagePlatformStr() string
+	ImagePlatform() (*v1.Platform, error)
 	ImageDigest(ctx context.Context) (string, error)
 	Attestations(ctx context.Context, mediaType string) ([]*att.Envelope, error)
 }
@@ -41,6 +41,6 @@ func (r MockResolver) ImageDigest(ctx context.Context) (string, error) {
 	return "sha256:test-digest", nil
 }

-func (r MockResolver) ImagePlatformStr() string {
-	return "linux/amd64"
+func (r MockResolver) ImagePlatform() (*v1.Platform, error) {
+	return parsePlatform("linux/amd64")
 }