feat: add a prefix path to TUF client (#159)

This is to allow us to store new policy files in the production TUF repository
under a testing delegation, and for clients to opt-in to using this testing
delegation when retrieving policy from TUF.

If the prefix path is set, it is prepended to every target path on download
with path.Join. For example, if the prefix path is testing and we download
the target a/b, the TUF client with actually download testing/a/b.

Also get the latest testdata from tuf-dev.
This commit is contained in:
Jonny Stoten
2024-09-10 17:40:20 +01:00
committed by GitHub
parent 206b33c5d9
commit c029bcfbaa
89 changed files with 1113 additions and 97 deletions

View File

@@ -11,7 +11,7 @@ func NewTUFMirror(ctx context.Context, root []byte, tufPath, metadataURL, target
if root == nil {
root = tuf.DockerTUFRootDefault.Data
}
tufClient, err := tuf.NewClient(ctx, &tuf.ClientOptions{InitialRoot: root, Path: tufPath, MetadataSource: metadataURL, TargetsSource: targetsURL, VersionChecker: versionChecker})
tufClient, err := tuf.NewClient(ctx, &tuf.ClientOptions{InitialRoot: root, LocalStorageDir: tufPath, MetadataSource: metadataURL, TargetsSource: targetsURL, VersionChecker: versionChecker})
if err != nil {
return nil, fmt.Errorf("failed to create TUF client: %w", err)
}

View File

@@ -1 +0,0 @@
{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":"3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9"},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":""}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-06-12T17:21:13Z","keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":{"root":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"snapshot":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"timestamp":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}

View File

@@ -1 +0,0 @@
{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80"}],"signed":{"_type":"timestamp","expires":"2034-06-23T12:47:16Z","meta":{"snapshot.json":{"version":7}},"spec_version":"1.0.31","version":7}}

View File

@@ -0,0 +1 @@
{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"3046022100a474191d8cf56aa84453b2bb9365db31e8d01cbb19026677f2bf70ace72a9ee002210089277a98e2a3792e864378d270e5861c72e5944a95a15bb03aef5963142edd0c"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"3046022100c828959aa78fcabf565207a204e5033bf1266a2574cad62431f9c83283c1f1b4022100d6ac4850924c78e27a41c9d94b66bb3e076e69615dd981ac9612b9748ea90428"}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-09-04T13:55:23Z","keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@kipz"},"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":{"root":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"snapshot":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"timestamp":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":4,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}

View File

@@ -0,0 +1,92 @@
{
"signatures": [
{
"keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"sig": ""
},
{
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
"sig": "304402202e636803c93298a350f2528d7e67394e0f12f94a1dfbb28794b65a77d85fe2a50220027570e8005a8ea9e3b78e579f4fda99a0adfeefd824de15d8aef29b29e493eb"
},
{
"keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
"sig": "304502207167ef72bd1ca241b8f62e69f8d2e1bec2b129ce534c4884a2ac620aa607f307022100dd49ca6bc5715af869932629d68fff4cf74879000cfc60a31374118f901c04ce"
}
],
"signed": {
"_type": "root",
"consistent_snapshot": true,
"expires": "2034-09-04T13:40:46Z",
"keys": {
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp384",
"x-tuf-on-ci-keyowner": "@mrjoelkamp"
},
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-keyowner": "@kipz"
},
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
},
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-keyowner": "@jonnystoten"
}
},
"roles": {
"root": {
"keyids": [
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
],
"threshold": 1
},
"snapshot": {
"keyids": [
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
],
"threshold": 1,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
},
"targets": {
"keyids": [
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
],
"threshold": 1
},
"timestamp": {
"keyids": [
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
],
"threshold": 1,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
}
},
"spec_version": "1.0.31",
"version": 3,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
}
}

View File

@@ -0,0 +1 @@
{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3045022042bb3075239d8d3676fe0990b9cfbb6c1629204d599d61e8805b5057cfecd20c022100da3e16fe5c2259c8a4847f3be8b5d8686f444cdffb2d94da83d71c9707b1cad3"}],"signed":{"_type":"timestamp","expires":"2034-09-07T14:41:18Z","meta":{"snapshot.json":{"version":11}},"spec_version":"1.0.31","version":11}}

View File

@@ -1 +0,0 @@
{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3045022018e31a2e743b21054939262706520be10375829fb93dec7f3042e48ed8eb9cec0221008c2765ee9e49d49c12a6b9a5124c984d414b8d86452cdbcc2fc2f2ca10a11e67"}],"signed":{"_type":"snapshot","expires":"2034-06-23T12:47:16Z","meta":{"targets.json":{"version":8},"test-role.json":{"version":2}},"spec_version":"1.0.31","version":7}}

View File

@@ -0,0 +1 @@
{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3046022100aeac20924d8a674836e298773a4bb728559cf0acfbae5b6bf1b9c8e29b1a1d1c022100a00c2d981a6ae8b530d213433946216604bcab34bb85435beed63a0e8b0f837c"}],"signed":{"_type":"snapshot","expires":"2034-09-07T14:41:18Z","meta":{"policy.json":{"version":1},"targets.json":{"version":11},"test-role.json":{"version":2},"testing.json":{"version":2}},"spec_version":"1.0.31","version":11}}

View File

@@ -1 +0,0 @@
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8"]},"config":{}}

View File

@@ -0,0 +1,79 @@
{
"signatures": [
{
"keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"sig": "3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9"
},
{
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
"sig": ""
}
],
"signed": {
"_type": "root",
"consistent_snapshot": true,
"expires": "2034-06-12T17:21:13Z",
"keys": {
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp384",
"x-tuf-on-ci-keyowner": "@mrjoelkamp"
},
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
},
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-keyowner": "@jonnystoten"
}
},
"roles": {
"root": {
"keyids": [
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
],
"threshold": 1
},
"snapshot": {
"keyids": [
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
],
"threshold": 1,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
},
"targets": {
"keyids": [
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
],
"threshold": 1
},
"timestamp": {
"keyids": [
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
],
"threshold": 1,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
}
},
"spec_version": "1.0.31",
"version": 2,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
}
}

View File

@@ -0,0 +1 @@
{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304402200ea43fe1e416994188eb928b097a2cdf4760de5ce1a5803ccd7f032fb043d5f00220201b346fbe41c44422426a5715eff90b09dfcc8a2b791f3b0471376a43c22889"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":""}],"signed":{"_type":"targets","delegations":{"keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":[{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1},{"keyids":["beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"name":"testing","paths":["testing/*","testing/*/*","testing/*/*/*","testing/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-09-07T14:32:09Z","spec_version":"1.0.31","targets":{"always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"mapping.yaml":{"hashes":{"sha256":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"},"length":272},"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31},"version-constraints":{"hashes":{"sha256":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"},"length":12}},"version":11,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}

View File

@@ -1 +0,0 @@
{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304602210086552ad4ffddd7e60f2b80d095b4dfad9d2836cfce5d6b12dfb2aec0786240df02210097807190a1f64c615798b74068e8c9f19a29f495566bc1f16d296c7edd9343b3"}],"signed":{"_type":"targets","delegations":{"keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":[{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-06-23T12:42:15Z","spec_version":"1.0.31","targets":{"always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"mapping.yaml":{"hashes":{"sha256":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"},"length":272},"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31},"version-constraints":{"hashes":{"sha256":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"},"length":12}},"version":8,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}

View File

@@ -1 +0,0 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2202,"digest":"sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2472,"digest":"sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":412,"digest":"sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","annotations":{"tuf.io/filename":"7.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1746,"digest":"sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","annotations":{"tuf.io/filename":"8.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8","annotations":{"tuf.io/filename":"timestamp.json"}}]}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2202,"digest":"sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2856,"digest":"sha256:832485119c0195acdcd2c7d555f55565be54e658c2e8de3adccf4e2d0c92e536","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":3506,"digest":"sha256:4f2b6b008a82518eace3f053d04bd5fbd2059453df992bfda9e5caa46e095502","annotations":{"tuf.io/filename":"3.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":3128,"digest":"sha256:3debf3f541b67760dc37ac1f82a7e0fc86cb5fc3d4f4f9c45ca7d38e55beca7b","annotations":{"tuf.io/filename":"4.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":473,"digest":"sha256:640c0d21bbc7c99717feee6c74ff65e7099e4dc21a30f985f18d6e5bd205502d","annotations":{"tuf.io/filename":"11.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2390,"digest":"sha256:a00c1b266ea6b992a8b6fa87ab8a67232f4319d9e3dd0e63365e73114a2c7869","annotations":{"tuf.io/filename":"11.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":385,"digest":"sha256:5556a0398a04564261ccc7b548d670792f2086c496322c4e95d898686e8b4811","annotations":{"tuf.io/filename":"timestamp.json"}}]}

View File

@@ -4,8 +4,9 @@
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 1220,
"digest": "sha256:e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1"
"size": 1608,
"digest": "sha256:e83d550964be04addfc119b45b8dd80914babd5e5f0529b3106d6f18f74afc3a",
"artifactType": "application/vnd.oci.empty.v1+json"
}
]
}

View File

@@ -1 +0,0 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":742,"digest":"sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1","annotations":{"tuf.io/filename":"2.test-role.json"}}]}

View File

@@ -1 +1 @@
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1"]},"config":{}}
{}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":742,"digest":"sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1","annotations":{"tuf.io/filename":"2.test-role.json"}}]}

View File

@@ -5,7 +5,8 @@
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 444,
"digest": "sha256:6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc"
"digest": "sha256:e4f3fbc9692b9f500fecd97d33c58bd00e120cecbcdff2279f864dd2832c10e3",
"artifactType": "application/vnd.oci.empty.v1+json"
}
]
}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":930,"digest":"sha256:f06ffb8527f121fa950570349ed57f77498ca4ac9a590fb15a0ec97a67a70ea6","annotations":{"tuf.io/filename":"2.testing.json"}}]}

View File

@@ -0,0 +1 @@
{"signatures":[{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304502207ffc26ed83118f9aa0e0c7d6cad1cbcca7ffedc1cdfa7d1c5d6bc589ee1586c502210091bf85dfbe58b300af02922e28878a135767a07a7ed93e3f169d418e5b03dcd0"}],"signed":{"_type":"targets","expires":"2025-09-09T14:38:32Z","spec_version":"1.0.31","targets":{"testing/always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"testing/jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"testing/mapping.yaml":{"hashes":{"sha256":"d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090"},"length":269},"testing/test-only.rego":{"hashes":{"sha256":"93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374"},"length":467}},"version":2,"x-tuf-on-ci-expiry-period":365,"x-tuf-on-ci-signing-period":60}}

View File

@@ -0,0 +1,12 @@
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 442,
"digest": "sha256:a70a4b054774f728a66a22b05008b505573d850cc942552276a1faec79a6d6a5",
"artifactType": "application/vnd.oci.empty.v1+json"
}
]
}

View File

@@ -0,0 +1,3 @@
{
"imageLayoutVersion": "1.0.0"
}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":31,"digest":"sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b","annotations":{"tuf.io/filename":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt"}}]}

View File

@@ -1 +1 @@
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"]},"config":{}}
{}

View File

@@ -1 +0,0 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:cf0c754e6415fab25e2f59fb6b010dcf0c2369f7a59a45ff29c693c844163ca7"},"layers":[{"mediaType":"application/vnd.tuf.target","size":31,"digest":"sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b","annotations":{"tuf.io/filename":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt"}}]}

View File

@@ -5,7 +5,8 @@
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 493,
"digest": "sha256:cf70a3b91fd7dfaa30952dfa9f094809e6cd9bd7364942c7f067c747bc535f94"
"digest": "sha256:4b0cc6119d25a34299b24d86095f21f667378aadf3c493c2d92f134869fd2c73",
"artifactType": "application/vnd.oci.empty.v1+json"
}
]
}

View File

@@ -1 +0,0 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d"},"layers":[{"mediaType":"application/vnd.tuf.target","size":272,"digest":"sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1","annotations":{"tuf.io/filename":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml"}}]}

View File

@@ -1 +1 @@
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"]},"config":{}}
{}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":272,"digest":"sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1","annotations":{"tuf.io/filename":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml"}}]}

View File

@@ -5,7 +5,8 @@
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 498,
"digest": "sha256:08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f"
"digest": "sha256:f6c752a7909493c7aaee73c51f174a2ca9b2edd2dc3868c8306b80b0e7f489e1",
"artifactType": "application/vnd.oci.empty.v1+json"
}
]
}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]}

View File

@@ -1 +0,0 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10"},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]}

View File

@@ -1 +1 @@
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"]},"config":{}}
{}

View File

@@ -5,7 +5,8 @@
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 504,
"digest": "sha256:4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315"
"digest": "sha256:39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48",
"artifactType": "application/vnd.oci.empty.v1+json"
}
]
}

View File

@@ -1 +0,0 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a"},"layers":[{"mediaType":"application/vnd.tuf.target","size":12,"digest":"sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3","annotations":{"tuf.io/filename":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints"}}]}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":12,"digest":"sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3","annotations":{"tuf.io/filename":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints"}}]}

View File

@@ -1 +1 @@
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"]},"config":{}}
{}

View File

@@ -5,7 +5,8 @@
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 504,
"digest": "sha256:3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664"
"digest": "sha256:b197e563dc2e6961628f2d9543da7555b50fdd78877ef34917d642a60e6bd73f",
"artifactType": "application/vnd.oci.empty.v1+json"
}
]
}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]}

View File

@@ -1 +0,0 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97"},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]}

View File

@@ -1 +1 @@
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"]},"config":{}}
{}

View File

@@ -5,7 +5,8 @@
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 502,
"digest": "sha256:1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b"
"digest": "sha256:0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac",
"artifactType": "application/vnd.oci.empty.v1+json"
}
]
}

View File

@@ -1 +0,0 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:d9941355ca037d7e878e04c1bc7cbf9c71a5d8035b6e27be0d9e5d9087599055"},"layers":[{"mediaType":"application/vnd.tuf.target","size":32,"digest":"sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2","annotations":{"tuf.io/filename":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}

View File

@@ -1 +0,0 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0"},"layers":[{"mediaType":"application/vnd.tuf.target","size":46,"digest":"sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465","annotations":{"tuf.io/filename":"bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}}]}

View File

@@ -1 +1 @@
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465"]},"config":{}}
{}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":46,"digest":"sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465","annotations":{"tuf.io/filename":"bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}}]}

View File

@@ -1 +1 @@
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2"]},"config":{}}
{}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":32,"digest":"sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2","annotations":{"tuf.io/filename":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}

View File

@@ -1 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:46ad77c669b6b5b015e4b164ad66624d0c7704dfae8752e7844a632d8e3df640","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:f1558403107419b9a79ce371bba1425c123daf3f77437ba42c77b9dd0f26d6f8","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"},"artifactType":"application/vnd.oci.empty.v1+json"}]}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]}

View File

@@ -0,0 +1,21 @@
package attest
import rego.v1
# this file only exists in the testing delegation
violations contains {
"type": "testing_delegation",
"description": "This policy always fails. We'd better not promote this to production.",
}
result := {
"success": false,
"violations": violations,
"summary": {
"subjects": set(),
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
"verifier": "docker-official-images",
"policy_uri": "https://docker.com/official/policy/v0.1",
},
}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":269,"digest":"sha256:d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090","annotations":{"tuf.io/filename":"d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml"}}]}

View File

@@ -0,0 +1,200 @@
package attest
import rego.v1
split_digest := split(input.digest, ":")
digest_type := split_digest[0]
digest := split_digest[1]
keys := [{
"id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----",
"from": "2023-12-15T14:00:00Z",
"to": null,
"status": "active",
"signing-format": "dssev1",
}]
verify_opts := {"keys": keys}
verify_attestation(att) := attest.verify(att, verify_opts)
attestations contains att if {
result := attest.fetch("https://slsa.dev/verification_summary/v1")
not result.error
some att in result.value
}
signed_statements contains statement if {
some att in attestations
result := verify_attestation(att)
not result.error
statement := result.value
}
statements_with_subject contains statement if {
some statement in signed_statements
some subject in statement.subject
subject.digest[digest_type] == digest
valid_subject_name(input.isCanonical, subject.name, input.purl)
}
id(statement) := crypto.sha256(json.marshal(statement))
subjects contains subject if {
some statement in statements_with_subject
some subject in statement.subject
}
global_violations contains v if {
count(attestations) == 0
v := {
"type": "missing_attestation",
"description": "No https://slsa.dev/verification_summary/v1 attestation found",
"attestation": null,
"details": {},
}
}
# we need to key this by statement_id rather than statement because we can't
# use an object as a key due to a bug(?) in OPA: https://github.com/open-policy-agent/opa/issues/6736
statement_violations[statement_id] contains v if {
some att in attestations
result := verify_attestation(att)
err := result.error
statement := unsafe_statement_from_attestation(att)
statement_id := id(statement)
v := {
"type": "unsigned_statement",
"description": sprintf("Statement is not correctly signed: %v", [err]),
"attestation": statement,
"details": {"error": err},
}
}
statement_violations[statement_id] contains v if {
some statement in signed_statements
statement_id := id(statement)
not statement in statements_with_subject
v := {
"type": "bad_subjects",
"description": "Statement does not have this image as a subject",
"attestation": statement,
"details": {"input": input},
}
}
statement_violations[statement_id] contains v if {
some statement in statements_with_subject
statement_id := id(statement)
v := field_value_does_not_equal(statement, "verificationResult", "PASSED", "wrong_verification_result")
}
# TODO: add to statement_violations if there are statements that have an incorrect resource_uri
# this should match the input.purl, but we really only care about the repo name and the digest
# we need to receive the input.purl as a parsed object so we can compare only the parts we care about
statement_violations[statement_id] contains v if {
some statement in statements_with_subject
statement_id := id(statement)
v := field_value_does_not_equal(statement, "verifier.id", "signing-demo-verifier", "wrong_verifier")
}
statement_violations[statement_id] contains v if {
some statement in statements_with_subject
statement_id := id(statement)
v := field_value_does_not_equal(statement, "policy.uri", "https://docker.com/official/policy/v0.1", "wrong_policy_uri")
}
statement_violations[statement_id] contains v if {
some statement in statements_with_subject
statement_id := id(statement)
v := array_field_does_not_contain(statement, "verifiedLevels", "SLSA_BUILD_LEVEL_3", "wrong_verified_levels")
}
bad_statements contains statement if {
some statement in statements_with_subject
statement_id := id(statement)
statement_violations[statement_id]
}
good_statements := statements_with_subject - bad_statements
all_violations contains v if {
some v in global_violations
}
all_violations contains v if {
some violations in statement_violations
some v in violations
}
result := {
"success": allow,
"violations": all_violations,
"summary": {
"subjects": subjects,
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
"verifier": "signing-demo-verifier",
"policy_uri": "https://docker.com/official/policy/v0.1",
},
}
default allow := false
allow if {
count(good_statements) > 0
}
# TODO: this should take into account the repo name from the purl
valid_subject_name(true, name, purl)
valid_subject_name(false, name, purl) if {
name == purl
}
field_value_does_not_equal(statement, field, expected, type) := v if {
path := split(field, ".")
actual := object.get(statement.predicate, path, null)
expected != actual
v := is_not_violation(statement, field, expected, actual, type)
}
array_field_does_not_contain(statement, field, expected, type) := v if {
path := split(field, ".")
actual := object.get(statement.predicate, path, null)
not expected in actual
v := not_contains_violation(statement, field, expected, actual, type)
}
is_not_violation(statement, field, expected, actual, type) := {
"type": type,
"description": sprintf("%v is not %v", [field, expected]),
"attestation": statement,
"details": {
"field": field,
"actual": actual,
"expected": expected,
},
}
not_contains_violation(statement, field, expected, actual, type) := {
"type": type,
"description": sprintf("%v does not contain %v", [field, expected]),
"attestation": statement,
"details": {
"field": field,
"actual": actual,
"expected": expected,
},
}
# This is unsafe because we're not checking the signature on the attestation,
# do not call this unless you've already verified the attestation or you need the
# statement for some other reason
unsafe_statement_from_attestation(att) := statement if {
payload := att.payload
statement := json.unmarshal(base64.decode(payload))
}

View File

@@ -0,0 +1,12 @@
version: v1
kind: policy-mapping
policies:
- origin:
domain: docker.io
prefix: jonnystoten2/
id: jonnystoten2
description: jonnystoten2 personal images for testing
attestations:
style: "referrers"
files:
- path: test-only.rego

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":467,"digest":"sha256:93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374","annotations":{"tuf.io/filename":"93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego"}}]}

View File

@@ -0,0 +1,19 @@
package attest
import rego.v1
violations contains {
"type": "always_fail",
"description": "This policy always fails",
}
result := {
"success": false,
"violations": violations,
"summary": {
"subjects": set(),
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
"verifier": "docker-official-images",
"policy_uri": "https://docker.com/official/policy/v0.1",
},
}

View File

@@ -0,0 +1 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":502,"digest":"sha256:0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac","annotations":{"tuf.io/filename":"testing/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":504,"digest":"sha256:39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48","annotations":{"tuf.io/filename":"testing/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":498,"digest":"sha256:b846de84908dbf583e3b7e7fbd95cf2c5ffc3c0c92e19ef7be6859df3c5397a3","annotations":{"tuf.io/filename":"testing/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":500,"digest":"sha256:db3d6f0ce76f0fa388b83f4928620a7d532ab386a954dd997bdf9318aa5d0b79","annotations":{"tuf.io/filename":"testing/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego"},"artifactType":"application/vnd.oci.empty.v1+json"}]}

View File

@@ -0,0 +1,3 @@
{
"imageLayoutVersion": "1.0.0"
}

View File

@@ -0,0 +1,28 @@
{
"signatures": [
{
"keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
"sig": "3046022100aeac20924d8a674836e298773a4bb728559cf0acfbae5b6bf1b9c8e29b1a1d1c022100a00c2d981a6ae8b530d213433946216604bcab34bb85435beed63a0e8b0f837c"
}
],
"signed": {
"_type": "snapshot",
"expires": "2034-09-07T14:41:18Z",
"meta": {
"policy.json": {
"version": 1
},
"targets.json": {
"version": 11
},
"test-role.json": {
"version": 2
},
"testing.json": {
"version": 2
}
},
"spec_version": "1.0.31",
"version": 11
}
}

View File

@@ -6,7 +6,11 @@
},
{
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
"sig": "304602210086552ad4ffddd7e60f2b80d095b4dfad9d2836cfce5d6b12dfb2aec0786240df02210097807190a1f64c615798b74068e8c9f19a29f495566bc1f16d296c7edd9343b3"
"sig": "304402200ea43fe1e416994188eb928b097a2cdf4760de5ce1a5803ccd7f032fb043d5f00220201b346fbe41c44422426a5715eff90b09dfcc8a2b791f3b0471376a43c22889"
},
{
"keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
"sig": ""
}
],
"signed": {
@@ -20,6 +24,14 @@
},
"scheme": "ecdsa-sha2-nistp384",
"x-tuf-on-ci-keyowner": "@mrjoelkamp"
},
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-keyowner": "@jonnystoten"
}
},
"roles": [
@@ -36,10 +48,24 @@
],
"terminating": true,
"threshold": 1
},
{
"keyids": [
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
],
"name": "testing",
"paths": [
"testing/*",
"testing/*/*",
"testing/*/*/*",
"testing/*/*/*/*"
],
"terminating": true,
"threshold": 1
}
]
},
"expires": "2034-06-23T12:42:15Z",
"expires": "2034-09-07T14:32:09Z",
"spec_version": "1.0.31",
"targets": {
"always-fail.rego": {
@@ -73,7 +99,7 @@
"length": 12
}
},
"version": 8,
"version": 11,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
}

View File

@@ -0,0 +1,42 @@
{
"signatures": [
{
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
"sig": "304502207ffc26ed83118f9aa0e0c7d6cad1cbcca7ffedc1cdfa7d1c5d6bc589ee1586c502210091bf85dfbe58b300af02922e28878a135767a07a7ed93e3f169d418e5b03dcd0"
}
],
"signed": {
"_type": "targets",
"expires": "2025-09-09T14:38:32Z",
"spec_version": "1.0.31",
"targets": {
"testing/always-fail.rego": {
"hashes": {
"sha256": "e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"
},
"length": 364
},
"testing/jonnystoten2.rego": {
"hashes": {
"sha256": "bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"
},
"length": 5857
},
"testing/mapping.yaml": {
"hashes": {
"sha256": "d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090"
},
"length": 269
},
"testing/test-only.rego": {
"hashes": {
"sha256": "93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374"
},
"length": 467
}
},
"version": 2,
"x-tuf-on-ci-expiry-period": 365,
"x-tuf-on-ci-signing-period": 60
}
}

View File

@@ -0,0 +1,92 @@
{
"signatures": [
{
"keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"sig": ""
},
{
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
"sig": "304402202e636803c93298a350f2528d7e67394e0f12f94a1dfbb28794b65a77d85fe2a50220027570e8005a8ea9e3b78e579f4fda99a0adfeefd824de15d8aef29b29e493eb"
},
{
"keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
"sig": "304502207167ef72bd1ca241b8f62e69f8d2e1bec2b129ce534c4884a2ac620aa607f307022100dd49ca6bc5715af869932629d68fff4cf74879000cfc60a31374118f901c04ce"
}
],
"signed": {
"_type": "root",
"consistent_snapshot": true,
"expires": "2034-09-04T13:40:46Z",
"keys": {
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp384",
"x-tuf-on-ci-keyowner": "@mrjoelkamp"
},
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-keyowner": "@kipz"
},
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
},
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-keyowner": "@jonnystoten"
}
},
"roles": {
"root": {
"keyids": [
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
],
"threshold": 1
},
"snapshot": {
"keyids": [
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
],
"threshold": 1,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
},
"targets": {
"keyids": [
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
],
"threshold": 1
},
"timestamp": {
"keyids": [
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
],
"threshold": 1,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
}
},
"spec_version": "1.0.31",
"version": 3,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
}
}

View File

@@ -0,0 +1,93 @@
{
"signatures": [
{
"keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"sig": ""
},
{
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
"sig": "3046022100a474191d8cf56aa84453b2bb9365db31e8d01cbb19026677f2bf70ace72a9ee002210089277a98e2a3792e864378d270e5861c72e5944a95a15bb03aef5963142edd0c"
},
{
"keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
"sig": "3046022100c828959aa78fcabf565207a204e5033bf1266a2574cad62431f9c83283c1f1b4022100d6ac4850924c78e27a41c9d94b66bb3e076e69615dd981ac9612b9748ea90428"
}
],
"signed": {
"_type": "root",
"consistent_snapshot": true,
"expires": "2034-09-04T13:55:23Z",
"keys": {
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp384",
"x-tuf-on-ci-keyowner": "@mrjoelkamp"
},
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-keyowner": "@kipz"
},
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
},
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
"keytype": "ecdsa",
"keyval": {
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-keyowner": "@jonnystoten"
}
},
"roles": {
"root": {
"keyids": [
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
],
"threshold": 1
},
"snapshot": {
"keyids": [
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
],
"threshold": 1,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
},
"targets": {
"keyids": [
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
],
"threshold": 1
},
"timestamp": {
"keyids": [
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
],
"threshold": 1,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
}
},
"spec_version": "1.0.31",
"version": 4,
"x-tuf-on-ci-expiry-period": 3650,
"x-tuf-on-ci-signing-period": 60
}
}

View File

@@ -1,22 +0,0 @@
{
"signatures": [
{
"keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
"sig": "3045022018e31a2e743b21054939262706520be10375829fb93dec7f3042e48ed8eb9cec0221008c2765ee9e49d49c12a6b9a5124c984d414b8d86452cdbcc2fc2f2ca10a11e67"
}
],
"signed": {
"_type": "snapshot",
"expires": "2034-06-23T12:47:16Z",
"meta": {
"targets.json": {
"version": 8
},
"test-role.json": {
"version": 2
}
},
"spec_version": "1.0.31",
"version": 7
}
}

View File

@@ -2,18 +2,18 @@
"signatures": [
{
"keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
"sig": "304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80"
"sig": "3045022042bb3075239d8d3676fe0990b9cfbb6c1629204d599d61e8805b5057cfecd20c022100da3e16fe5c2259c8a4847f3be8b5d8686f444cdffb2d94da83d71c9707b1cad3"
}
],
"signed": {
"_type": "timestamp",
"expires": "2034-06-23T12:47:16Z",
"expires": "2034-09-07T14:41:18Z",
"meta": {
"snapshot.json": {
"version": 7
"version": 11
}
},
"spec_version": "1.0.31",
"version": 7
"version": 11
}
}

View File

@@ -0,0 +1,21 @@
package attest
import rego.v1
# this file only exists in the testing delegation
violations contains {
"type": "testing_delegation",
"description": "This policy always fails. We'd better not promote this to production.",
}
result := {
"success": false,
"violations": violations,
"summary": {
"subjects": set(),
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
"verifier": "docker-official-images",
"policy_uri": "https://docker.com/official/policy/v0.1",
},
}

View File

@@ -0,0 +1,200 @@
package attest
import rego.v1
split_digest := split(input.digest, ":")
digest_type := split_digest[0]
digest := split_digest[1]
keys := [{
"id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----",
"from": "2023-12-15T14:00:00Z",
"to": null,
"status": "active",
"signing-format": "dssev1",
}]
verify_opts := {"keys": keys}
verify_attestation(att) := attest.verify(att, verify_opts)
attestations contains att if {
result := attest.fetch("https://slsa.dev/verification_summary/v1")
not result.error
some att in result.value
}
signed_statements contains statement if {
some att in attestations
result := verify_attestation(att)
not result.error
statement := result.value
}
statements_with_subject contains statement if {
some statement in signed_statements
some subject in statement.subject
subject.digest[digest_type] == digest
valid_subject_name(input.isCanonical, subject.name, input.purl)
}
id(statement) := crypto.sha256(json.marshal(statement))
subjects contains subject if {
some statement in statements_with_subject
some subject in statement.subject
}
global_violations contains v if {
count(attestations) == 0
v := {
"type": "missing_attestation",
"description": "No https://slsa.dev/verification_summary/v1 attestation found",
"attestation": null,
"details": {},
}
}
# we need to key this by statement_id rather than statement because we can't
# use an object as a key due to a bug(?) in OPA: https://github.com/open-policy-agent/opa/issues/6736
statement_violations[statement_id] contains v if {
some att in attestations
result := verify_attestation(att)
err := result.error
statement := unsafe_statement_from_attestation(att)
statement_id := id(statement)
v := {
"type": "unsigned_statement",
"description": sprintf("Statement is not correctly signed: %v", [err]),
"attestation": statement,
"details": {"error": err},
}
}
statement_violations[statement_id] contains v if {
some statement in signed_statements
statement_id := id(statement)
not statement in statements_with_subject
v := {
"type": "bad_subjects",
"description": "Statement does not have this image as a subject",
"attestation": statement,
"details": {"input": input},
}
}
statement_violations[statement_id] contains v if {
some statement in statements_with_subject
statement_id := id(statement)
v := field_value_does_not_equal(statement, "verificationResult", "PASSED", "wrong_verification_result")
}
# TODO: add to statement_violations if there are statements that have an incorrect resource_uri
# this should match the input.purl, but we really only care about the repo name and the digest
# we need to receive the input.purl as a parsed object so we can compare only the parts we care about
statement_violations[statement_id] contains v if {
some statement in statements_with_subject
statement_id := id(statement)
v := field_value_does_not_equal(statement, "verifier.id", "signing-demo-verifier", "wrong_verifier")
}
statement_violations[statement_id] contains v if {
some statement in statements_with_subject
statement_id := id(statement)
v := field_value_does_not_equal(statement, "policy.uri", "https://docker.com/official/policy/v0.1", "wrong_policy_uri")
}
statement_violations[statement_id] contains v if {
some statement in statements_with_subject
statement_id := id(statement)
v := array_field_does_not_contain(statement, "verifiedLevels", "SLSA_BUILD_LEVEL_3", "wrong_verified_levels")
}
bad_statements contains statement if {
some statement in statements_with_subject
statement_id := id(statement)
statement_violations[statement_id]
}
good_statements := statements_with_subject - bad_statements
all_violations contains v if {
some v in global_violations
}
all_violations contains v if {
some violations in statement_violations
some v in violations
}
result := {
"success": allow,
"violations": all_violations,
"summary": {
"subjects": subjects,
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
"verifier": "signing-demo-verifier",
"policy_uri": "https://docker.com/official/policy/v0.1",
},
}
default allow := false
allow if {
count(good_statements) > 0
}
# TODO: this should take into account the repo name from the purl
valid_subject_name(true, name, purl)
valid_subject_name(false, name, purl) if {
name == purl
}
field_value_does_not_equal(statement, field, expected, type) := v if {
path := split(field, ".")
actual := object.get(statement.predicate, path, null)
expected != actual
v := is_not_violation(statement, field, expected, actual, type)
}
array_field_does_not_contain(statement, field, expected, type) := v if {
path := split(field, ".")
actual := object.get(statement.predicate, path, null)
not expected in actual
v := not_contains_violation(statement, field, expected, actual, type)
}
is_not_violation(statement, field, expected, actual, type) := {
"type": type,
"description": sprintf("%v is not %v", [field, expected]),
"attestation": statement,
"details": {
"field": field,
"actual": actual,
"expected": expected,
},
}
not_contains_violation(statement, field, expected, actual, type) := {
"type": type,
"description": sprintf("%v does not contain %v", [field, expected]),
"attestation": statement,
"details": {
"field": field,
"actual": actual,
"expected": expected,
},
}
# This is unsafe because we're not checking the signature on the attestation,
# do not call this unless you've already verified the attestation or you need the
# statement for some other reason
unsafe_statement_from_attestation(att) := statement if {
payload := att.payload
statement := json.unmarshal(base64.decode(payload))
}

View File

@@ -0,0 +1,12 @@
version: v1
kind: policy-mapping
policies:
- origin:
domain: docker.io
prefix: jonnystoten2/
id: jonnystoten2
description: jonnystoten2 personal images for testing
attestations:
style: "referrers"
files:
- path: test-only.rego

View File

@@ -0,0 +1,19 @@
package attest
import rego.v1
violations contains {
"type": "always_fail",
"description": "This policy always fails",
}
result := {
"success": false,
"violations": violations,
"summary": {
"subjects": set(),
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
"verifier": "docker-official-images",
"policy_uri": "https://docker.com/official/policy/v0.1",
},
}

View File

@@ -17,11 +17,8 @@ func ExampleNewClient_registry() {
}
tufOutputPath := filepath.Join(home, ".docker", "tuf")
// using oci tuf metadata and targets
metadataURI := "registry-1.docker.io/docker/tuf-metadata:latest"
targetsURI := "registry-1.docker.io/docker/tuf-targets"
registryClient, err := tuf.NewClient(context.Background(), &tuf.ClientOptions{tuf.DockerTUFRootStaging.Data, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker()})
opts := tuf.NewDockerDefaultClientOptions(tufOutputPath)
registryClient, err := tuf.NewClient(context.Background(), opts)
if err != nil {
panic(err)
}

View File

@@ -419,8 +419,8 @@ func LoadRegistryTestData(ctx context.Context, t *testing.T, registry *url.URL,
if err != nil {
t.Fatal(err)
}
switch len(mf.Manifests) {
case 1:
switch {
case len(mf.Manifests) == 1:
// top-level target
img, err := tIdx.Image(mf.Manifests[0].Digest)
if err != nil {
@@ -430,7 +430,7 @@ func LoadRegistryTestData(ctx context.Context, t *testing.T, registry *url.URL,
if err != nil {
t.Fatal(err)
}
case 2:
case len(mf.Manifests) > 1:
// delegated target
err = remote.WriteIndex(ref, tIdx, oci.WithOptions(ctx, nil)...)
if err != nil {

View File

@@ -7,7 +7,9 @@ import (
"io/fs"
"net/url"
"os"
"path"
"path/filepath"
"regexp"
"strconv"
"strings"
"time"
@@ -46,8 +48,9 @@ type Downloader interface {
}
type Client struct {
updater *updater.Updater
cfg *config.UpdaterConfig
updater *updater.Updater
cfg *config.UpdaterConfig
pathPrefix string
}
type TargetFile struct {
@@ -57,26 +60,41 @@ type TargetFile struct {
Data []byte
}
// ClientOptions contains the options for creating a new TUF client.
type ClientOptions struct {
InitialRoot []byte
Path string
// InitialRoot is the initial root.json file to use for the TUF client.
InitialRoot []byte
// LocalStorageDir is the directory where the TUF client will cache any downloaded metadata and target files.
LocalStorageDir string
// MetadataSource is the source of the metadata files.
MetadataSource string
TargetsSource string
// TargetsSource is the source of the target files.
TargetsSource string
// VersionChecker checks if the current version of this library meets the constraints from the TUF repo.
VersionChecker VersionChecker
// PathPrefix is the prefix to prepend to all target paths before downloading.
PathPrefix string
}
func NewDockerDefaultClientOptions(tufPath string) *ClientOptions {
return &ClientOptions{
InitialRoot: DockerTUFRootDefault.Data,
Path: tufPath,
MetadataSource: defaultMetadataSource,
TargetsSource: defaultTargetsSource,
VersionChecker: NewDefaultVersionChecker(),
InitialRoot: DockerTUFRootDefault.Data,
LocalStorageDir: tufPath,
MetadataSource: defaultMetadataSource,
TargetsSource: defaultTargetsSource,
VersionChecker: NewDefaultVersionChecker(),
}
}
var validPathPrefix = regexp.MustCompile("^[a-z0-9_-]*$")
// NewClient creates a new TUF client.
func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) {
pathPrefix := opts.PathPrefix
if !validPathPrefix.MatchString(pathPrefix) {
return nil, fmt.Errorf("invalid path prefix: %s", pathPrefix)
}
var tufSource Source
if strings.HasPrefix(opts.MetadataSource, "https://") || strings.HasPrefix(opts.MetadataSource, "http://") {
tufSource = HTTPSource
@@ -87,7 +105,7 @@ func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) {
tufRootDigest := util.SHA256Hex(opts.InitialRoot)
// create a directory for each initial root.json
metadataPath := filepath.Join(opts.Path, tufRootDigest)
metadataPath := filepath.Join(opts.LocalStorageDir, tufRootDigest)
err := os.MkdirAll(metadataPath, os.ModePerm)
if err != nil {
return nil, fmt.Errorf("failed to create directory '%s': %w", metadataPath, err)
@@ -139,8 +157,9 @@ func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) {
}
client := &Client{
updater: up,
cfg: cfg,
pathPrefix: pathPrefix,
updater: up,
cfg: cfg,
}
err = opts.VersionChecker.CheckVersion(client)
@@ -181,6 +200,9 @@ func (t *Client) generateTargetURI(target *metadata.TargetFiles, digest string)
// information, verifies if the target is already cached, and if it is not cached,
// downloads the target file.
func (t *Client) DownloadTarget(target string, filePath string) (file *TargetFile, err error) {
// before we do anything, prepend the path prefix to the target
target = path.Join(t.pathPrefix, target)
// search if the desired target is available
targetInfo, err := t.updater.GetTargetInfo(target)
if err != nil {

View File

@@ -8,6 +8,7 @@ import (
"net/url"
"os"
"path/filepath"
"strings"
"testing"
"github.com/docker/attest/internal/test"
@@ -65,18 +66,21 @@ func TestRootInit(t *testing.T) {
{"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets"},
}
for _, tc := range testCases {
_, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
_, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""})
assert.NoErrorf(t, err, "Failed to create TUF client: %v", err)
// recreation should work with same root
_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""})
assert.NoErrorf(t, err, "Failed to recreate TUF client: %v", err)
_, err = NewClient(ctx, &ClientOptions{[]byte("broken"), tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
_, err = NewClient(ctx, &ClientOptions{[]byte("broken"), tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""})
assert.Errorf(t, err, "Expected error recreating TUF client with broken root: %v", err)
_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysBadVersionChecker})
_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysBadVersionChecker, ""})
assert.Errorf(t, err, "Expected error recreating TUF client with bad version checker")
_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, "../.."})
assert.Errorf(t, err, "Expected error recreating TUF client with bad path prefix")
}
}
@@ -104,15 +108,17 @@ func TestDownloadTarget(t *testing.T) {
name string
metadataSource string
targetsSource string
pathPrefix string
}{
{"http", server.URL + "/metadata", server.URL + "/targets"},
{"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets"},
{"http, download before init", server.URL + "/metadata", server.URL + "/targets"},
{"http", server.URL + "/metadata", server.URL + "/targets", ""},
{"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets", ""},
{"http, with path prefix", server.URL + "/metadata", server.URL + "/targets", "testing"},
{"oci, with path prefix", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets", "testing"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
tufClient, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
tufClient, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, tc.pathPrefix})
require.NoErrorf(t, err, "Failed to create TUF client: %v", err)
require.NotNil(t, tufClient.updater, "Failed to create updater")
@@ -121,18 +127,30 @@ func TestDownloadTarget(t *testing.T) {
assert.NotNil(t, trustedMetadata, "Failed to get trusted metadata")
// download top-level target files
targets := trustedMetadata.Targets[metadata.TARGETS].Signed.Targets
var roleName string
if tc.pathPrefix != "" {
// get target info for non-existent target, just to trigger a load of the delegated targets metadata
_, err = tufClient.updater.GetTargetInfo(tc.pathPrefix + "/fakefile")
assert.Error(t, err) // expect error for non-existent target
roleName = tc.pathPrefix
} else {
roleName = metadata.TARGETS
}
targets := trustedMetadata.Targets[roleName].Signed.Targets
for _, target := range targets {
path := strings.TrimPrefix(target.Path, tufClient.pathPrefix)
// download target files
_, err := tufClient.DownloadTarget(target.Path, filepath.Join(tufPath, "download"))
_, err := tufClient.DownloadTarget(path, filepath.Join(tufPath, "download"))
assert.NoErrorf(t, err, "Failed to download target: %v", err)
}
// download delegated target
targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
require.NoError(t, err)
_, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
assert.NoError(t, err)
if tc.pathPrefix == "" {
// download delegated target, only if not using a path prefix
targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
require.NoError(t, err)
_, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
assert.NoError(t, err)
}
})
}
}