diff --git a/pkg/attest/example_verify_test.go b/pkg/attest/example_verify_test.go index 1cf52c2..cb71f67 100644 --- a/pkg/attest/example_verify_test.go +++ b/pkg/attest/example_verify_test.go @@ -39,9 +39,11 @@ func ExampleVerify_remote() { // create a resolver for remote attestations image := "registry-1.docker.io/library/notary:server" platform := "linux/amd64" - resolver := &oci.RegistryResolver{ - Image: image, // path to image index in OCI registry containing image attestations - Platform: platform, // platform of subject image (image that attestations are being verified against) + resolver, err := oci.NewRegistryAttestationResolver( + image, // path to image index in OCI registry containing image attestations + platform) // platform of subject image (image that attestations are being verified against) + if err != nil { + panic(err) } // example using a local resolver // path := "/myimage" diff --git a/pkg/attest/sign_test.go b/pkg/attest/sign_test.go index 07cf9dc..56d5e2b 100644 --- a/pkg/attest/sign_test.go +++ b/pkg/attest/sign_test.go @@ -73,11 +73,8 @@ func TestSignVerifyOCILayout(t *testing.T) { }) _, err = layout.Write(outputLayout, idx) require.NoError(t, err) - - resolver := &oci.OCILayoutResolver{ - Path: outputLayout, - Platform: "", - } + resolver, err := oci.NewOCILayoutAttestationResolver(outputLayout, "") + require.NoError(t, err) policy, err := Verify(ctx, policyResolver, resolver) require.NoError(t, err) assert.Equalf(t, OutcomeSuccess, policy.Outcome, "Policy should have been found") diff --git a/pkg/attest/verify.go b/pkg/attest/verify.go index 10c5f5d..77124c6 100644 --- a/pkg/attest/verify.go +++ b/pkg/attest/verify.go @@ -89,7 +89,11 @@ func VerifyAttestations(ctx context.Context, resolver oci.AttestationResolver, p if err != nil { return nil, fmt.Errorf("failed to get image name: %w", err) } - purl, canonical, err := oci.RefToPURL(name, resolver.ImagePlatformStr()) + platform, err := resolver.ImagePlatform() + if err != nil { + return nil, err + } + purl, canonical, err := oci.RefToPURL(name, platform) if err != nil { return nil, fmt.Errorf("failed to convert ref to purl: %w", err) } diff --git a/pkg/attest/verify_test.go b/pkg/attest/verify_test.go index 889841a..c181cab 100644 --- a/pkg/attest/verify_test.go +++ b/pkg/attest/verify_test.go @@ -95,10 +95,8 @@ func TestVSA(t *testing.T) { assert.NoError(t, err) //verify (without vsa should fail) - resolver := &oci.OCILayoutResolver{ - Path: outputLayout, - Platform: "linux/amd64", - } + resolver, err := oci.NewOCILayoutAttestationResolver(outputLayout, "linux/amd64") + require.NoError(t, err) // mocked vsa query should pass policyOpts := &policy.PolicyOptions{ @@ -150,10 +148,8 @@ func TestVerificationFailure(t *testing.T) { assert.NoError(t, err) //verify (without vsa should fail) - resolver := &oci.OCILayoutResolver{ - Path: outputLayout, - Platform: "linux/amd64", - } + resolver, err := oci.NewOCILayoutAttestationResolver(outputLayout, "linux/amd64") + require.NoError(t, err) // mocked vsa query should pass policyOpts := &policy.PolicyOptions{ diff --git a/pkg/oci/oci.go b/pkg/oci/oci.go index 0d49308..98aad3d 100644 --- a/pkg/oci/oci.go +++ b/pkg/oci/oci.go @@ -38,7 +38,7 @@ func parsePlatform(platformStr string) (*v1.Platform, error) { } } -func attestationManifestFromOCILayout(path string, platformStr string) (*AttestationManifest, error) { +func attestationManifestFromOCILayout(path string, platform *v1.Platform) (*AttestationManifest, error) { idx, err := layout.ImageIndexFromPath(path) if err != nil { return nil, fmt.Errorf("failed to load image index: %w", err) @@ -61,10 +61,6 @@ func attestationManifestFromOCILayout(path string, platformStr string) (*Attesta if err != nil { return nil, fmt.Errorf("failed to extract IndexManifest from ImageIndex: %w", err) } - platform, err := parsePlatform(platformStr) - if err != nil { - return nil, fmt.Errorf("failed to parse platform: %w", err) - } var imageDigest string for _, mf := range mfs2.Manifests { if mf.Platform.Equals(*platform) { @@ -104,17 +100,28 @@ func attestationManifestFromOCILayout(path string, platformStr string) (*Attesta // implementation of AttestationResolver that closes over attestations from an oci layout type OCILayoutResolver struct { - Path string - Platform string + path string + platform *v1.Platform *AttestationManifest } -func (r *OCILayoutResolver) ImagePlatformStr() string { - return r.Platform +func NewOCILayoutAttestationResolver(path string, platform string) (*OCILayoutResolver, error) { + p, err := parsePlatform(platform) + if err != nil { + return nil, err + } + return &OCILayoutResolver{ + path: path, + platform: p, + }, nil +} + +func (r *OCILayoutResolver) ImagePlatform() (*v1.Platform, error) { + return r.platform, nil } func (r *OCILayoutResolver) fetchAttestationManifest() (*AttestationManifest, error) { if r.AttestationManifest == nil { - m, err := attestationManifestFromOCILayout(r.Path, r.Platform) + m, err := attestationManifestFromOCILayout(r.path, r.platform) if err != nil { return nil, fmt.Errorf("failed to get attestation manifest: %w", err) } @@ -189,22 +196,33 @@ func (r *OCILayoutResolver) ImageDigest(ctx context.Context) (string, error) { } type RegistryResolver struct { - Image string - Platform string + image string + platform *v1.Platform *AttestationManifest } -func (r *RegistryResolver) ImageName(ctx context.Context) (string, error) { - return r.Image, nil +func NewRegistryAttestationResolver(image string, platform string) (*RegistryResolver, error) { + p, err := parsePlatform(platform) + if err != nil { + return nil, err + } + return &RegistryResolver{ + image: image, + platform: p, + }, nil } -func (r *RegistryResolver) ImagePlatformStr() string { - return r.Platform +func (r *RegistryResolver) ImageName(ctx context.Context) (string, error) { + return r.image, nil +} + +func (r *RegistryResolver) ImagePlatform() (*v1.Platform, error) { + return r.platform, nil } func (r *RegistryResolver) ImageDigest(ctx context.Context) (string, error) { if r.AttestationManifest == nil { - attest, err := FetchAttestationManifest(ctx, r.Image, r.Platform) + attest, err := FetchAttestationManifest(ctx, r.image, r.platform) if err != nil { return "", fmt.Errorf("failed to get attestation manifest: %w", err) } @@ -215,7 +233,7 @@ func (r *RegistryResolver) ImageDigest(ctx context.Context) (string, error) { func (r *RegistryResolver) Attestations(ctx context.Context, predicateType string) ([]*att.Envelope, error) { if r.AttestationManifest == nil { - attest, err := FetchAttestationManifest(ctx, r.Image, r.Platform) + attest, err := FetchAttestationManifest(ctx, r.image, r.platform) if err != nil { return nil, fmt.Errorf("failed to get attestation manifest: %w", err) } @@ -224,19 +242,13 @@ func (r *RegistryResolver) Attestations(ctx context.Context, predicateType strin return ExtractEnvelopes(r.AttestationManifest, predicateType) } -func FetchAttestationManifest(ctx context.Context, image, platformStr string) (*AttestationManifest, error) { - platform, err := parsePlatform(platformStr) - if err != nil { - return nil, fmt.Errorf("failed to parse platform %s: %w", platform, err) - } - +func FetchAttestationManifest(ctx context.Context, image string, platform *v1.Platform) (*AttestationManifest, error) { // we want to get to the image index, so ignoring platform for now options := withOptions(ctx, nil) ref, err := name.ParseReference(image) if err != nil { return nil, fmt.Errorf("failed to parse reference: %w", err) } - desc, err := remote.Index(ref, options...) if err != nil { return nil, fmt.Errorf("failed to obtain index manifest: %w", err) @@ -348,7 +360,7 @@ func attestationDigestForDigest(ix *v1.IndexManifest, imageDigest string, attest return "", errors.New(fmt.Sprintf("no attestation found for image %s", imageDigest)) } -func RefToPURL(ref string, platform string) (string, bool, error) { +func RefToPURL(ref string, platform *v1.Platform) (string, bool, error) { var isCanonical bool named, err := reference.ParseNormalizedNamed(ref) if err != nil { @@ -380,14 +392,10 @@ func RefToPURL(ref string, platform string) (string, bool, error) { } name = parts[len(parts)-1] - pf, err := parsePlatform(platform) - if err != nil { - return "", false, fmt.Errorf("failed to parse platform %q: %w", platform, err) - } - if pf != nil { + if platform != nil { qualifiers = append(qualifiers, packageurl.Qualifier{ Key: "platform", - Value: pf.String(), + Value: platform.String(), }) } diff --git a/pkg/oci/oci_test.go b/pkg/oci/oci_test.go index ad41a0b..a920331 100644 --- a/pkg/oci/oci_test.go +++ b/pkg/oci/oci_test.go @@ -6,45 +6,48 @@ import ( "github.com/google/go-containerregistry/pkg/v1/layout" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func TestRefToPurl(t *testing.T) { - purl, canonical, err := RefToPURL("alpine", "arm64/linux") + arm, err := parsePlatform("arm64/linux") + require.NoError(t, err) + purl, canonical, err := RefToPURL("alpine", arm) assert.NoError(t, err) assert.Equal(t, "pkg:docker/alpine@latest?platform=arm64%2Flinux", purl) assert.False(t, canonical) - purl, canonical, err = RefToPURL("alpine:123", "arm64/linux") + purl, canonical, err = RefToPURL("alpine:123", arm) assert.NoError(t, err) assert.Equal(t, "pkg:docker/alpine@123?platform=arm64%2Flinux", purl) assert.False(t, canonical) - purl, canonical, err = RefToPURL("google/alpine:123", "arm64/linux") + purl, canonical, err = RefToPURL("google/alpine:123", arm) assert.NoError(t, err) assert.Equal(t, "pkg:docker/google/alpine@123?platform=arm64%2Flinux", purl) assert.False(t, canonical) - purl, canonical, err = RefToPURL("library/alpine:123", "arm64/linux") + purl, canonical, err = RefToPURL("library/alpine:123", arm) assert.NoError(t, err) assert.Equal(t, "pkg:docker/alpine@123?platform=arm64%2Flinux", purl) assert.False(t, canonical) - purl, canonical, err = RefToPURL("docker.io/library/alpine:123", "arm64/linux") + purl, canonical, err = RefToPURL("docker.io/library/alpine:123", arm) assert.NoError(t, err) assert.Equal(t, "pkg:docker/alpine@123?platform=arm64%2Flinux", purl) assert.False(t, canonical) - purl, canonical, err = RefToPURL("localhost:5001/library/alpine:123", "arm64/linux") + purl, canonical, err = RefToPURL("localhost:5001/library/alpine:123", arm) assert.NoError(t, err) assert.Equal(t, "pkg:docker/localhost%3A5001/library/alpine@123?platform=arm64%2Flinux", purl) assert.False(t, canonical) - purl, canonical, err = RefToPURL("localhost:5001/alpine:123", "arm64/linux") + purl, canonical, err = RefToPURL("localhost:5001/alpine:123", arm) assert.NoError(t, err) assert.Equal(t, "pkg:docker/localhost%3A5001/alpine@123?platform=arm64%2Flinux", purl) assert.False(t, canonical) - purl, canonical, err = RefToPURL("localhost:5001/alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b", "arm64/linux") + purl, canonical, err = RefToPURL("localhost:5001/alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b", arm) assert.NoError(t, err) assert.Equal(t, "pkg:docker/localhost%3A5001/alpine?digest=sha256%3Ac5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b&platform=arm64%2Flinux", purl) assert.True(t, canonical) diff --git a/pkg/oci/resolver.go b/pkg/oci/resolver.go index 8dfd7d9..595eeec 100644 --- a/pkg/oci/resolver.go +++ b/pkg/oci/resolver.go @@ -20,7 +20,7 @@ type AttestationManifest struct { type AttestationResolver interface { ImageName(ctx context.Context) (string, error) - ImagePlatformStr() string + ImagePlatform() (*v1.Platform, error) ImageDigest(ctx context.Context) (string, error) Attestations(ctx context.Context, mediaType string) ([]*att.Envelope, error) } @@ -41,6 +41,6 @@ func (r MockResolver) ImageDigest(ctx context.Context) (string, error) { return "sha256:test-digest", nil } -func (r MockResolver) ImagePlatformStr() string { - return "linux/amd64" +func (r MockResolver) ImagePlatform() (*v1.Platform, error) { + return parsePlatform("linux/amd64") }