feat: add a prefix path to TUF client (#159)
This is to allow us to store new policy files in the production TUF repository under a testing delegation, and for clients to opt-in to using this testing delegation when retrieving policy from TUF. If the prefix path is set, it is prepended to every target path on download with path.Join. For example, if the prefix path is testing and we download the target a/b, the TUF client with actually download testing/a/b. Also get the latest testdata from tuf-dev.
This commit is contained in:
@@ -11,7 +11,7 @@ func NewTUFMirror(ctx context.Context, root []byte, tufPath, metadataURL, target
|
||||
if root == nil {
|
||||
root = tuf.DockerTUFRootDefault.Data
|
||||
}
|
||||
tufClient, err := tuf.NewClient(ctx, &tuf.ClientOptions{InitialRoot: root, Path: tufPath, MetadataSource: metadataURL, TargetsSource: targetsURL, VersionChecker: versionChecker})
|
||||
tufClient, err := tuf.NewClient(ctx, &tuf.ClientOptions{InitialRoot: root, LocalStorageDir: tufPath, MetadataSource: metadataURL, TargetsSource: targetsURL, VersionChecker: versionChecker})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create TUF client: %w", err)
|
||||
}
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":"3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9"},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":""}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-06-12T17:21:13Z","keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":{"root":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"snapshot":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"timestamp":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
|
||||
@@ -1 +0,0 @@
|
||||
{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80"}],"signed":{"_type":"timestamp","expires":"2034-06-23T12:47:16Z","meta":{"snapshot.json":{"version":7}},"spec_version":"1.0.31","version":7}}
|
||||
@@ -0,0 +1 @@
|
||||
{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"3046022100a474191d8cf56aa84453b2bb9365db31e8d01cbb19026677f2bf70ace72a9ee002210089277a98e2a3792e864378d270e5861c72e5944a95a15bb03aef5963142edd0c"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"3046022100c828959aa78fcabf565207a204e5033bf1266a2574cad62431f9c83283c1f1b4022100d6ac4850924c78e27a41c9d94b66bb3e076e69615dd981ac9612b9748ea90428"}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-09-04T13:55:23Z","keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@kipz"},"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":{"root":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"snapshot":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"timestamp":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":4,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -0,0 +1,92 @@
|
||||
{
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"sig": ""
|
||||
},
|
||||
{
|
||||
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
|
||||
"sig": "304402202e636803c93298a350f2528d7e67394e0f12f94a1dfbb28794b65a77d85fe2a50220027570e8005a8ea9e3b78e579f4fda99a0adfeefd824de15d8aef29b29e493eb"
|
||||
},
|
||||
{
|
||||
"keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
|
||||
"sig": "304502207167ef72bd1ca241b8f62e69f8d2e1bec2b129ce534c4884a2ac620aa607f307022100dd49ca6bc5715af869932629d68fff4cf74879000cfc60a31374118f901c04ce"
|
||||
}
|
||||
],
|
||||
"signed": {
|
||||
"_type": "root",
|
||||
"consistent_snapshot": true,
|
||||
"expires": "2034-09-04T13:40:46Z",
|
||||
"keys": {
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp384",
|
||||
"x-tuf-on-ci-keyowner": "@mrjoelkamp"
|
||||
},
|
||||
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-keyowner": "@kipz"
|
||||
},
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
|
||||
},
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-keyowner": "@jonnystoten"
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"root": {
|
||||
"keyids": [
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
|
||||
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
|
||||
],
|
||||
"threshold": 1
|
||||
},
|
||||
"snapshot": {
|
||||
"keyids": [
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
|
||||
],
|
||||
"threshold": 1,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
},
|
||||
"targets": {
|
||||
"keyids": [
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
|
||||
],
|
||||
"threshold": 1
|
||||
},
|
||||
"timestamp": {
|
||||
"keyids": [
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
|
||||
],
|
||||
"threshold": 1,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
}
|
||||
},
|
||||
"spec_version": "1.0.31",
|
||||
"version": 3,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3045022042bb3075239d8d3676fe0990b9cfbb6c1629204d599d61e8805b5057cfecd20c022100da3e16fe5c2259c8a4847f3be8b5d8686f444cdffb2d94da83d71c9707b1cad3"}],"signed":{"_type":"timestamp","expires":"2034-09-07T14:41:18Z","meta":{"snapshot.json":{"version":11}},"spec_version":"1.0.31","version":11}}
|
||||
@@ -1 +0,0 @@
|
||||
{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3045022018e31a2e743b21054939262706520be10375829fb93dec7f3042e48ed8eb9cec0221008c2765ee9e49d49c12a6b9a5124c984d414b8d86452cdbcc2fc2f2ca10a11e67"}],"signed":{"_type":"snapshot","expires":"2034-06-23T12:47:16Z","meta":{"targets.json":{"version":8},"test-role.json":{"version":2}},"spec_version":"1.0.31","version":7}}
|
||||
@@ -0,0 +1 @@
|
||||
{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3046022100aeac20924d8a674836e298773a4bb728559cf0acfbae5b6bf1b9c8e29b1a1d1c022100a00c2d981a6ae8b530d213433946216604bcab34bb85435beed63a0e8b0f837c"}],"signed":{"_type":"snapshot","expires":"2034-09-07T14:41:18Z","meta":{"policy.json":{"version":1},"targets.json":{"version":11},"test-role.json":{"version":2},"testing.json":{"version":2}},"spec_version":"1.0.31","version":11}}
|
||||
@@ -1 +0,0 @@
|
||||
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8"]},"config":{}}
|
||||
@@ -0,0 +1,79 @@
|
||||
{
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"sig": "3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9"
|
||||
},
|
||||
{
|
||||
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
|
||||
"sig": ""
|
||||
}
|
||||
],
|
||||
"signed": {
|
||||
"_type": "root",
|
||||
"consistent_snapshot": true,
|
||||
"expires": "2034-06-12T17:21:13Z",
|
||||
"keys": {
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp384",
|
||||
"x-tuf-on-ci-keyowner": "@mrjoelkamp"
|
||||
},
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
|
||||
},
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-keyowner": "@jonnystoten"
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"root": {
|
||||
"keyids": [
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
|
||||
],
|
||||
"threshold": 1
|
||||
},
|
||||
"snapshot": {
|
||||
"keyids": [
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
|
||||
],
|
||||
"threshold": 1,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
},
|
||||
"targets": {
|
||||
"keyids": [
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
|
||||
],
|
||||
"threshold": 1
|
||||
},
|
||||
"timestamp": {
|
||||
"keyids": [
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
|
||||
],
|
||||
"threshold": 1,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
}
|
||||
},
|
||||
"spec_version": "1.0.31",
|
||||
"version": 2,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304402200ea43fe1e416994188eb928b097a2cdf4760de5ce1a5803ccd7f032fb043d5f00220201b346fbe41c44422426a5715eff90b09dfcc8a2b791f3b0471376a43c22889"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":""}],"signed":{"_type":"targets","delegations":{"keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":[{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1},{"keyids":["beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"name":"testing","paths":["testing/*","testing/*/*","testing/*/*/*","testing/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-09-07T14:32:09Z","spec_version":"1.0.31","targets":{"always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"mapping.yaml":{"hashes":{"sha256":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"},"length":272},"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31},"version-constraints":{"hashes":{"sha256":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"},"length":12}},"version":11,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
|
||||
@@ -1 +0,0 @@
|
||||
{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304602210086552ad4ffddd7e60f2b80d095b4dfad9d2836cfce5d6b12dfb2aec0786240df02210097807190a1f64c615798b74068e8c9f19a29f495566bc1f16d296c7edd9343b3"}],"signed":{"_type":"targets","delegations":{"keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":[{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-06-23T12:42:15Z","spec_version":"1.0.31","targets":{"always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"mapping.yaml":{"hashes":{"sha256":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"},"length":272},"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31},"version-constraints":{"hashes":{"sha256":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"},"length":12}},"version":8,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}}
|
||||
@@ -1 +0,0 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2202,"digest":"sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2472,"digest":"sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":412,"digest":"sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","annotations":{"tuf.io/filename":"7.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1746,"digest":"sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","annotations":{"tuf.io/filename":"8.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8","annotations":{"tuf.io/filename":"timestamp.json"}}]}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2202,"digest":"sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2856,"digest":"sha256:832485119c0195acdcd2c7d555f55565be54e658c2e8de3adccf4e2d0c92e536","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":3506,"digest":"sha256:4f2b6b008a82518eace3f053d04bd5fbd2059453df992bfda9e5caa46e095502","annotations":{"tuf.io/filename":"3.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":3128,"digest":"sha256:3debf3f541b67760dc37ac1f82a7e0fc86cb5fc3d4f4f9c45ca7d38e55beca7b","annotations":{"tuf.io/filename":"4.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":473,"digest":"sha256:640c0d21bbc7c99717feee6c74ff65e7099e4dc21a30f985f18d6e5bd205502d","annotations":{"tuf.io/filename":"11.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2390,"digest":"sha256:a00c1b266ea6b992a8b6fa87ab8a67232f4319d9e3dd0e63365e73114a2c7869","annotations":{"tuf.io/filename":"11.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":385,"digest":"sha256:5556a0398a04564261ccc7b548d670792f2086c496322c4e95d898686e8b4811","annotations":{"tuf.io/filename":"timestamp.json"}}]}
|
||||
@@ -4,8 +4,9 @@
|
||||
"manifests": [
|
||||
{
|
||||
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||
"size": 1220,
|
||||
"digest": "sha256:e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1"
|
||||
"size": 1608,
|
||||
"digest": "sha256:e83d550964be04addfc119b45b8dd80914babd5e5f0529b3106d6f18f74afc3a",
|
||||
"artifactType": "application/vnd.oci.empty.v1+json"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -1 +0,0 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":742,"digest":"sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1","annotations":{"tuf.io/filename":"2.test-role.json"}}]}
|
||||
@@ -1 +1 @@
|
||||
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1"]},"config":{}}
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":742,"digest":"sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1","annotations":{"tuf.io/filename":"2.test-role.json"}}]}
|
||||
@@ -5,7 +5,8 @@
|
||||
{
|
||||
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||
"size": 444,
|
||||
"digest": "sha256:6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc"
|
||||
"digest": "sha256:e4f3fbc9692b9f500fecd97d33c58bd00e120cecbcdff2279f864dd2832c10e3",
|
||||
"artifactType": "application/vnd.oci.empty.v1+json"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":930,"digest":"sha256:f06ffb8527f121fa950570349ed57f77498ca4ac9a590fb15a0ec97a67a70ea6","annotations":{"tuf.io/filename":"2.testing.json"}}]}
|
||||
@@ -0,0 +1 @@
|
||||
{"signatures":[{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304502207ffc26ed83118f9aa0e0c7d6cad1cbcca7ffedc1cdfa7d1c5d6bc589ee1586c502210091bf85dfbe58b300af02922e28878a135767a07a7ed93e3f169d418e5b03dcd0"}],"signed":{"_type":"targets","expires":"2025-09-09T14:38:32Z","spec_version":"1.0.31","targets":{"testing/always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"testing/jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"testing/mapping.yaml":{"hashes":{"sha256":"d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090"},"length":269},"testing/test-only.rego":{"hashes":{"sha256":"93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374"},"length":467}},"version":2,"x-tuf-on-ci-expiry-period":365,"x-tuf-on-ci-signing-period":60}}
|
||||
12
test/testdata/tuf/test-repo-oci/metadata/testing/index.json
vendored
Executable file
12
test/testdata/tuf/test-repo-oci/metadata/testing/index.json
vendored
Executable file
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"schemaVersion": 2,
|
||||
"mediaType": "application/vnd.oci.image.index.v1+json",
|
||||
"manifests": [
|
||||
{
|
||||
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||
"size": 442,
|
||||
"digest": "sha256:a70a4b054774f728a66a22b05008b505573d850cc942552276a1faec79a6d6a5",
|
||||
"artifactType": "application/vnd.oci.empty.v1+json"
|
||||
}
|
||||
]
|
||||
}
|
||||
3
test/testdata/tuf/test-repo-oci/metadata/testing/oci-layout
vendored
Executable file
3
test/testdata/tuf/test-repo-oci/metadata/testing/oci-layout
vendored
Executable file
@@ -0,0 +1,3 @@
|
||||
{
|
||||
"imageLayoutVersion": "1.0.0"
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":31,"digest":"sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b","annotations":{"tuf.io/filename":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt"}}]}
|
||||
@@ -1 +1 @@
|
||||
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"]},"config":{}}
|
||||
{}
|
||||
@@ -1 +0,0 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:cf0c754e6415fab25e2f59fb6b010dcf0c2369f7a59a45ff29c693c844163ca7"},"layers":[{"mediaType":"application/vnd.tuf.target","size":31,"digest":"sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b","annotations":{"tuf.io/filename":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt"}}]}
|
||||
@@ -5,7 +5,8 @@
|
||||
{
|
||||
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||
"size": 493,
|
||||
"digest": "sha256:cf70a3b91fd7dfaa30952dfa9f094809e6cd9bd7364942c7f067c747bc535f94"
|
||||
"digest": "sha256:4b0cc6119d25a34299b24d86095f21f667378aadf3c493c2d92f134869fd2c73",
|
||||
"artifactType": "application/vnd.oci.empty.v1+json"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d"},"layers":[{"mediaType":"application/vnd.tuf.target","size":272,"digest":"sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1","annotations":{"tuf.io/filename":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml"}}]}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -1 +1 @@
|
||||
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"]},"config":{}}
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":272,"digest":"sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1","annotations":{"tuf.io/filename":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml"}}]}
|
||||
@@ -5,7 +5,8 @@
|
||||
{
|
||||
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||
"size": 498,
|
||||
"digest": "sha256:08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f"
|
||||
"digest": "sha256:f6c752a7909493c7aaee73c51f174a2ca9b2edd2dc3868c8306b80b0e7f489e1",
|
||||
"artifactType": "application/vnd.oci.empty.v1+json"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -1 +0,0 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10"},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]}
|
||||
@@ -1 +1 @@
|
||||
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"]},"config":{}}
|
||||
{}
|
||||
@@ -5,7 +5,8 @@
|
||||
{
|
||||
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||
"size": 504,
|
||||
"digest": "sha256:4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315"
|
||||
"digest": "sha256:39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48",
|
||||
"artifactType": "application/vnd.oci.empty.v1+json"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a"},"layers":[{"mediaType":"application/vnd.tuf.target","size":12,"digest":"sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3","annotations":{"tuf.io/filename":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints"}}]}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":12,"digest":"sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3","annotations":{"tuf.io/filename":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints"}}]}
|
||||
@@ -1 +1 @@
|
||||
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"]},"config":{}}
|
||||
{}
|
||||
@@ -5,7 +5,8 @@
|
||||
{
|
||||
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||
"size": 504,
|
||||
"digest": "sha256:3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664"
|
||||
"digest": "sha256:b197e563dc2e6961628f2d9543da7555b50fdd78877ef34917d642a60e6bd73f",
|
||||
"artifactType": "application/vnd.oci.empty.v1+json"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]}
|
||||
@@ -1 +0,0 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97"},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -1 +1 @@
|
||||
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"]},"config":{}}
|
||||
{}
|
||||
@@ -5,7 +5,8 @@
|
||||
{
|
||||
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||
"size": 502,
|
||||
"digest": "sha256:1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b"
|
||||
"digest": "sha256:0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac",
|
||||
"artifactType": "application/vnd.oci.empty.v1+json"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:d9941355ca037d7e878e04c1bc7cbf9c71a5d8035b6e27be0d9e5d9087599055"},"layers":[{"mediaType":"application/vnd.tuf.target","size":32,"digest":"sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2","annotations":{"tuf.io/filename":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}
|
||||
@@ -1 +0,0 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0"},"layers":[{"mediaType":"application/vnd.tuf.target","size":46,"digest":"sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465","annotations":{"tuf.io/filename":"bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}}]}
|
||||
@@ -1 +1 @@
|
||||
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465"]},"config":{}}
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":46,"digest":"sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465","annotations":{"tuf.io/filename":"bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}}]}
|
||||
@@ -1 +1 @@
|
||||
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2"]},"config":{}}
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":32,"digest":"sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2","annotations":{"tuf.io/filename":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}
|
||||
@@ -1 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]}
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:46ad77c669b6b5b015e4b164ad66624d0c7704dfae8752e7844a632d8e3df640","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:f1558403107419b9a79ce371bba1425c123daf3f77437ba42c77b9dd0f26d6f8","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"},"artifactType":"application/vnd.oci.empty.v1+json"}]}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -0,0 +1,21 @@
|
||||
package attest
|
||||
|
||||
import rego.v1
|
||||
|
||||
# this file only exists in the testing delegation
|
||||
|
||||
violations contains {
|
||||
"type": "testing_delegation",
|
||||
"description": "This policy always fails. We'd better not promote this to production.",
|
||||
}
|
||||
|
||||
result := {
|
||||
"success": false,
|
||||
"violations": violations,
|
||||
"summary": {
|
||||
"subjects": set(),
|
||||
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
|
||||
"verifier": "docker-official-images",
|
||||
"policy_uri": "https://docker.com/official/policy/v0.1",
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":269,"digest":"sha256:d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090","annotations":{"tuf.io/filename":"d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml"}}]}
|
||||
@@ -0,0 +1,200 @@
|
||||
package attest
|
||||
|
||||
import rego.v1
|
||||
|
||||
split_digest := split(input.digest, ":")
|
||||
|
||||
digest_type := split_digest[0]
|
||||
|
||||
digest := split_digest[1]
|
||||
|
||||
keys := [{
|
||||
"id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
|
||||
"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----",
|
||||
"from": "2023-12-15T14:00:00Z",
|
||||
"to": null,
|
||||
"status": "active",
|
||||
"signing-format": "dssev1",
|
||||
}]
|
||||
|
||||
verify_opts := {"keys": keys}
|
||||
|
||||
verify_attestation(att) := attest.verify(att, verify_opts)
|
||||
|
||||
attestations contains att if {
|
||||
result := attest.fetch("https://slsa.dev/verification_summary/v1")
|
||||
not result.error
|
||||
some att in result.value
|
||||
}
|
||||
|
||||
signed_statements contains statement if {
|
||||
some att in attestations
|
||||
result := verify_attestation(att)
|
||||
not result.error
|
||||
statement := result.value
|
||||
}
|
||||
|
||||
statements_with_subject contains statement if {
|
||||
some statement in signed_statements
|
||||
some subject in statement.subject
|
||||
subject.digest[digest_type] == digest
|
||||
valid_subject_name(input.isCanonical, subject.name, input.purl)
|
||||
}
|
||||
|
||||
id(statement) := crypto.sha256(json.marshal(statement))
|
||||
|
||||
subjects contains subject if {
|
||||
some statement in statements_with_subject
|
||||
some subject in statement.subject
|
||||
}
|
||||
|
||||
global_violations contains v if {
|
||||
count(attestations) == 0
|
||||
v := {
|
||||
"type": "missing_attestation",
|
||||
"description": "No https://slsa.dev/verification_summary/v1 attestation found",
|
||||
"attestation": null,
|
||||
"details": {},
|
||||
}
|
||||
}
|
||||
|
||||
# we need to key this by statement_id rather than statement because we can't
|
||||
# use an object as a key due to a bug(?) in OPA: https://github.com/open-policy-agent/opa/issues/6736
|
||||
statement_violations[statement_id] contains v if {
|
||||
some att in attestations
|
||||
result := verify_attestation(att)
|
||||
err := result.error
|
||||
statement := unsafe_statement_from_attestation(att)
|
||||
statement_id := id(statement)
|
||||
v := {
|
||||
"type": "unsigned_statement",
|
||||
"description": sprintf("Statement is not correctly signed: %v", [err]),
|
||||
"attestation": statement,
|
||||
"details": {"error": err},
|
||||
}
|
||||
}
|
||||
|
||||
statement_violations[statement_id] contains v if {
|
||||
some statement in signed_statements
|
||||
statement_id := id(statement)
|
||||
not statement in statements_with_subject
|
||||
v := {
|
||||
"type": "bad_subjects",
|
||||
"description": "Statement does not have this image as a subject",
|
||||
"attestation": statement,
|
||||
"details": {"input": input},
|
||||
}
|
||||
}
|
||||
|
||||
statement_violations[statement_id] contains v if {
|
||||
some statement in statements_with_subject
|
||||
statement_id := id(statement)
|
||||
v := field_value_does_not_equal(statement, "verificationResult", "PASSED", "wrong_verification_result")
|
||||
}
|
||||
|
||||
# TODO: add to statement_violations if there are statements that have an incorrect resource_uri
|
||||
# this should match the input.purl, but we really only care about the repo name and the digest
|
||||
# we need to receive the input.purl as a parsed object so we can compare only the parts we care about
|
||||
|
||||
statement_violations[statement_id] contains v if {
|
||||
some statement in statements_with_subject
|
||||
statement_id := id(statement)
|
||||
v := field_value_does_not_equal(statement, "verifier.id", "signing-demo-verifier", "wrong_verifier")
|
||||
}
|
||||
|
||||
statement_violations[statement_id] contains v if {
|
||||
some statement in statements_with_subject
|
||||
statement_id := id(statement)
|
||||
v := field_value_does_not_equal(statement, "policy.uri", "https://docker.com/official/policy/v0.1", "wrong_policy_uri")
|
||||
}
|
||||
|
||||
statement_violations[statement_id] contains v if {
|
||||
some statement in statements_with_subject
|
||||
statement_id := id(statement)
|
||||
v := array_field_does_not_contain(statement, "verifiedLevels", "SLSA_BUILD_LEVEL_3", "wrong_verified_levels")
|
||||
}
|
||||
|
||||
bad_statements contains statement if {
|
||||
some statement in statements_with_subject
|
||||
statement_id := id(statement)
|
||||
statement_violations[statement_id]
|
||||
}
|
||||
|
||||
good_statements := statements_with_subject - bad_statements
|
||||
|
||||
all_violations contains v if {
|
||||
some v in global_violations
|
||||
}
|
||||
|
||||
all_violations contains v if {
|
||||
some violations in statement_violations
|
||||
some v in violations
|
||||
}
|
||||
|
||||
result := {
|
||||
"success": allow,
|
||||
"violations": all_violations,
|
||||
"summary": {
|
||||
"subjects": subjects,
|
||||
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
|
||||
"verifier": "signing-demo-verifier",
|
||||
"policy_uri": "https://docker.com/official/policy/v0.1",
|
||||
},
|
||||
}
|
||||
|
||||
default allow := false
|
||||
|
||||
allow if {
|
||||
count(good_statements) > 0
|
||||
}
|
||||
|
||||
# TODO: this should take into account the repo name from the purl
|
||||
valid_subject_name(true, name, purl)
|
||||
|
||||
valid_subject_name(false, name, purl) if {
|
||||
name == purl
|
||||
}
|
||||
|
||||
field_value_does_not_equal(statement, field, expected, type) := v if {
|
||||
path := split(field, ".")
|
||||
actual := object.get(statement.predicate, path, null)
|
||||
expected != actual
|
||||
v := is_not_violation(statement, field, expected, actual, type)
|
||||
}
|
||||
|
||||
array_field_does_not_contain(statement, field, expected, type) := v if {
|
||||
path := split(field, ".")
|
||||
actual := object.get(statement.predicate, path, null)
|
||||
not expected in actual
|
||||
v := not_contains_violation(statement, field, expected, actual, type)
|
||||
}
|
||||
|
||||
is_not_violation(statement, field, expected, actual, type) := {
|
||||
"type": type,
|
||||
"description": sprintf("%v is not %v", [field, expected]),
|
||||
"attestation": statement,
|
||||
"details": {
|
||||
"field": field,
|
||||
"actual": actual,
|
||||
"expected": expected,
|
||||
},
|
||||
}
|
||||
|
||||
not_contains_violation(statement, field, expected, actual, type) := {
|
||||
"type": type,
|
||||
"description": sprintf("%v does not contain %v", [field, expected]),
|
||||
"attestation": statement,
|
||||
"details": {
|
||||
"field": field,
|
||||
"actual": actual,
|
||||
"expected": expected,
|
||||
},
|
||||
}
|
||||
|
||||
# This is unsafe because we're not checking the signature on the attestation,
|
||||
# do not call this unless you've already verified the attestation or you need the
|
||||
# statement for some other reason
|
||||
unsafe_statement_from_attestation(att) := statement if {
|
||||
payload := att.payload
|
||||
statement := json.unmarshal(base64.decode(payload))
|
||||
}
|
||||
@@ -0,0 +1,12 @@
|
||||
version: v1
|
||||
kind: policy-mapping
|
||||
policies:
|
||||
- origin:
|
||||
domain: docker.io
|
||||
prefix: jonnystoten2/
|
||||
id: jonnystoten2
|
||||
description: jonnystoten2 personal images for testing
|
||||
attestations:
|
||||
style: "referrers"
|
||||
files:
|
||||
- path: test-only.rego
|
||||
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":467,"digest":"sha256:93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374","annotations":{"tuf.io/filename":"93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego"}}]}
|
||||
@@ -0,0 +1,19 @@
|
||||
package attest
|
||||
|
||||
import rego.v1
|
||||
|
||||
violations contains {
|
||||
"type": "always_fail",
|
||||
"description": "This policy always fails",
|
||||
}
|
||||
|
||||
result := {
|
||||
"success": false,
|
||||
"violations": violations,
|
||||
"summary": {
|
||||
"subjects": set(),
|
||||
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
|
||||
"verifier": "docker-official-images",
|
||||
"policy_uri": "https://docker.com/official/policy/v0.1",
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{}
|
||||
1
test/testdata/tuf/test-repo-oci/targets/testing/index.json
vendored
Executable file
1
test/testdata/tuf/test-repo-oci/targets/testing/index.json
vendored
Executable file
@@ -0,0 +1 @@
|
||||
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":502,"digest":"sha256:0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac","annotations":{"tuf.io/filename":"testing/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":504,"digest":"sha256:39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48","annotations":{"tuf.io/filename":"testing/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":498,"digest":"sha256:b846de84908dbf583e3b7e7fbd95cf2c5ffc3c0c92e19ef7be6859df3c5397a3","annotations":{"tuf.io/filename":"testing/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":500,"digest":"sha256:db3d6f0ce76f0fa388b83f4928620a7d532ab386a954dd997bdf9318aa5d0b79","annotations":{"tuf.io/filename":"testing/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego"},"artifactType":"application/vnd.oci.empty.v1+json"}]}
|
||||
3
test/testdata/tuf/test-repo-oci/targets/testing/oci-layout
vendored
Executable file
3
test/testdata/tuf/test-repo-oci/targets/testing/oci-layout
vendored
Executable file
@@ -0,0 +1,3 @@
|
||||
{
|
||||
"imageLayoutVersion": "1.0.0"
|
||||
}
|
||||
28
test/testdata/tuf/test-repo/metadata/11.snapshot.json
vendored
Normal file
28
test/testdata/tuf/test-repo/metadata/11.snapshot.json
vendored
Normal file
@@ -0,0 +1,28 @@
|
||||
{
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
|
||||
"sig": "3046022100aeac20924d8a674836e298773a4bb728559cf0acfbae5b6bf1b9c8e29b1a1d1c022100a00c2d981a6ae8b530d213433946216604bcab34bb85435beed63a0e8b0f837c"
|
||||
}
|
||||
],
|
||||
"signed": {
|
||||
"_type": "snapshot",
|
||||
"expires": "2034-09-07T14:41:18Z",
|
||||
"meta": {
|
||||
"policy.json": {
|
||||
"version": 1
|
||||
},
|
||||
"targets.json": {
|
||||
"version": 11
|
||||
},
|
||||
"test-role.json": {
|
||||
"version": 2
|
||||
},
|
||||
"testing.json": {
|
||||
"version": 2
|
||||
}
|
||||
},
|
||||
"spec_version": "1.0.31",
|
||||
"version": 11
|
||||
}
|
||||
}
|
||||
@@ -6,7 +6,11 @@
|
||||
},
|
||||
{
|
||||
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
|
||||
"sig": "304602210086552ad4ffddd7e60f2b80d095b4dfad9d2836cfce5d6b12dfb2aec0786240df02210097807190a1f64c615798b74068e8c9f19a29f495566bc1f16d296c7edd9343b3"
|
||||
"sig": "304402200ea43fe1e416994188eb928b097a2cdf4760de5ce1a5803ccd7f032fb043d5f00220201b346fbe41c44422426a5715eff90b09dfcc8a2b791f3b0471376a43c22889"
|
||||
},
|
||||
{
|
||||
"keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
|
||||
"sig": ""
|
||||
}
|
||||
],
|
||||
"signed": {
|
||||
@@ -20,6 +24,14 @@
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp384",
|
||||
"x-tuf-on-ci-keyowner": "@mrjoelkamp"
|
||||
},
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-keyowner": "@jonnystoten"
|
||||
}
|
||||
},
|
||||
"roles": [
|
||||
@@ -36,10 +48,24 @@
|
||||
],
|
||||
"terminating": true,
|
||||
"threshold": 1
|
||||
},
|
||||
{
|
||||
"keyids": [
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
|
||||
],
|
||||
"name": "testing",
|
||||
"paths": [
|
||||
"testing/*",
|
||||
"testing/*/*",
|
||||
"testing/*/*/*",
|
||||
"testing/*/*/*/*"
|
||||
],
|
||||
"terminating": true,
|
||||
"threshold": 1
|
||||
}
|
||||
]
|
||||
},
|
||||
"expires": "2034-06-23T12:42:15Z",
|
||||
"expires": "2034-09-07T14:32:09Z",
|
||||
"spec_version": "1.0.31",
|
||||
"targets": {
|
||||
"always-fail.rego": {
|
||||
@@ -73,7 +99,7 @@
|
||||
"length": 12
|
||||
}
|
||||
},
|
||||
"version": 8,
|
||||
"version": 11,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
}
|
||||
42
test/testdata/tuf/test-repo/metadata/2.testing.json
vendored
Normal file
42
test/testdata/tuf/test-repo/metadata/2.testing.json
vendored
Normal file
@@ -0,0 +1,42 @@
|
||||
{
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
|
||||
"sig": "304502207ffc26ed83118f9aa0e0c7d6cad1cbcca7ffedc1cdfa7d1c5d6bc589ee1586c502210091bf85dfbe58b300af02922e28878a135767a07a7ed93e3f169d418e5b03dcd0"
|
||||
}
|
||||
],
|
||||
"signed": {
|
||||
"_type": "targets",
|
||||
"expires": "2025-09-09T14:38:32Z",
|
||||
"spec_version": "1.0.31",
|
||||
"targets": {
|
||||
"testing/always-fail.rego": {
|
||||
"hashes": {
|
||||
"sha256": "e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"
|
||||
},
|
||||
"length": 364
|
||||
},
|
||||
"testing/jonnystoten2.rego": {
|
||||
"hashes": {
|
||||
"sha256": "bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"
|
||||
},
|
||||
"length": 5857
|
||||
},
|
||||
"testing/mapping.yaml": {
|
||||
"hashes": {
|
||||
"sha256": "d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090"
|
||||
},
|
||||
"length": 269
|
||||
},
|
||||
"testing/test-only.rego": {
|
||||
"hashes": {
|
||||
"sha256": "93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374"
|
||||
},
|
||||
"length": 467
|
||||
}
|
||||
},
|
||||
"version": 2,
|
||||
"x-tuf-on-ci-expiry-period": 365,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
}
|
||||
}
|
||||
92
test/testdata/tuf/test-repo/metadata/3.root.json
vendored
Normal file
92
test/testdata/tuf/test-repo/metadata/3.root.json
vendored
Normal file
@@ -0,0 +1,92 @@
|
||||
{
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"sig": ""
|
||||
},
|
||||
{
|
||||
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
|
||||
"sig": "304402202e636803c93298a350f2528d7e67394e0f12f94a1dfbb28794b65a77d85fe2a50220027570e8005a8ea9e3b78e579f4fda99a0adfeefd824de15d8aef29b29e493eb"
|
||||
},
|
||||
{
|
||||
"keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
|
||||
"sig": "304502207167ef72bd1ca241b8f62e69f8d2e1bec2b129ce534c4884a2ac620aa607f307022100dd49ca6bc5715af869932629d68fff4cf74879000cfc60a31374118f901c04ce"
|
||||
}
|
||||
],
|
||||
"signed": {
|
||||
"_type": "root",
|
||||
"consistent_snapshot": true,
|
||||
"expires": "2034-09-04T13:40:46Z",
|
||||
"keys": {
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp384",
|
||||
"x-tuf-on-ci-keyowner": "@mrjoelkamp"
|
||||
},
|
||||
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-keyowner": "@kipz"
|
||||
},
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
|
||||
},
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-keyowner": "@jonnystoten"
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"root": {
|
||||
"keyids": [
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
|
||||
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
|
||||
],
|
||||
"threshold": 1
|
||||
},
|
||||
"snapshot": {
|
||||
"keyids": [
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
|
||||
],
|
||||
"threshold": 1,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
},
|
||||
"targets": {
|
||||
"keyids": [
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"
|
||||
],
|
||||
"threshold": 1
|
||||
},
|
||||
"timestamp": {
|
||||
"keyids": [
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
|
||||
],
|
||||
"threshold": 1,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
}
|
||||
},
|
||||
"spec_version": "1.0.31",
|
||||
"version": 3,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
}
|
||||
}
|
||||
93
test/testdata/tuf/test-repo/metadata/4.root.json
vendored
Normal file
93
test/testdata/tuf/test-repo/metadata/4.root.json
vendored
Normal file
@@ -0,0 +1,93 @@
|
||||
{
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"sig": ""
|
||||
},
|
||||
{
|
||||
"keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
|
||||
"sig": "3046022100a474191d8cf56aa84453b2bb9365db31e8d01cbb19026677f2bf70ace72a9ee002210089277a98e2a3792e864378d270e5861c72e5944a95a15bb03aef5963142edd0c"
|
||||
},
|
||||
{
|
||||
"keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664",
|
||||
"sig": "3046022100c828959aa78fcabf565207a204e5033bf1266a2574cad62431f9c83283c1f1b4022100d6ac4850924c78e27a41c9d94b66bb3e076e69615dd981ac9612b9748ea90428"
|
||||
}
|
||||
],
|
||||
"signed": {
|
||||
"_type": "root",
|
||||
"consistent_snapshot": true,
|
||||
"expires": "2034-09-04T13:55:23Z",
|
||||
"keys": {
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp384",
|
||||
"x-tuf-on-ci-keyowner": "@mrjoelkamp"
|
||||
},
|
||||
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-keyowner": "@kipz"
|
||||
},
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"
|
||||
},
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": {
|
||||
"keytype": "ecdsa",
|
||||
"keyval": {
|
||||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"
|
||||
},
|
||||
"scheme": "ecdsa-sha2-nistp256",
|
||||
"x-tuf-on-ci-keyowner": "@jonnystoten"
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"root": {
|
||||
"keyids": [
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
|
||||
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
|
||||
],
|
||||
"threshold": 1
|
||||
},
|
||||
"snapshot": {
|
||||
"keyids": [
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
|
||||
],
|
||||
"threshold": 1,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
},
|
||||
"targets": {
|
||||
"keyids": [
|
||||
"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221",
|
||||
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72",
|
||||
"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"
|
||||
],
|
||||
"threshold": 1
|
||||
},
|
||||
"timestamp": {
|
||||
"keyids": [
|
||||
"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"
|
||||
],
|
||||
"threshold": 1,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
}
|
||||
},
|
||||
"spec_version": "1.0.31",
|
||||
"version": 4,
|
||||
"x-tuf-on-ci-expiry-period": 3650,
|
||||
"x-tuf-on-ci-signing-period": 60
|
||||
}
|
||||
}
|
||||
@@ -1,22 +0,0 @@
|
||||
{
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
|
||||
"sig": "3045022018e31a2e743b21054939262706520be10375829fb93dec7f3042e48ed8eb9cec0221008c2765ee9e49d49c12a6b9a5124c984d414b8d86452cdbcc2fc2f2ca10a11e67"
|
||||
}
|
||||
],
|
||||
"signed": {
|
||||
"_type": "snapshot",
|
||||
"expires": "2034-06-23T12:47:16Z",
|
||||
"meta": {
|
||||
"targets.json": {
|
||||
"version": 8
|
||||
},
|
||||
"test-role.json": {
|
||||
"version": 2
|
||||
}
|
||||
},
|
||||
"spec_version": "1.0.31",
|
||||
"version": 7
|
||||
}
|
||||
}
|
||||
@@ -2,18 +2,18 @@
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5",
|
||||
"sig": "304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80"
|
||||
"sig": "3045022042bb3075239d8d3676fe0990b9cfbb6c1629204d599d61e8805b5057cfecd20c022100da3e16fe5c2259c8a4847f3be8b5d8686f444cdffb2d94da83d71c9707b1cad3"
|
||||
}
|
||||
],
|
||||
"signed": {
|
||||
"_type": "timestamp",
|
||||
"expires": "2034-06-23T12:47:16Z",
|
||||
"expires": "2034-09-07T14:41:18Z",
|
||||
"meta": {
|
||||
"snapshot.json": {
|
||||
"version": 7
|
||||
"version": 11
|
||||
}
|
||||
},
|
||||
"spec_version": "1.0.31",
|
||||
"version": 7
|
||||
"version": 11
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,21 @@
|
||||
package attest
|
||||
|
||||
import rego.v1
|
||||
|
||||
# this file only exists in the testing delegation
|
||||
|
||||
violations contains {
|
||||
"type": "testing_delegation",
|
||||
"description": "This policy always fails. We'd better not promote this to production.",
|
||||
}
|
||||
|
||||
result := {
|
||||
"success": false,
|
||||
"violations": violations,
|
||||
"summary": {
|
||||
"subjects": set(),
|
||||
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
|
||||
"verifier": "docker-official-images",
|
||||
"policy_uri": "https://docker.com/official/policy/v0.1",
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1,200 @@
|
||||
package attest
|
||||
|
||||
import rego.v1
|
||||
|
||||
split_digest := split(input.digest, ":")
|
||||
|
||||
digest_type := split_digest[0]
|
||||
|
||||
digest := split_digest[1]
|
||||
|
||||
keys := [{
|
||||
"id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
|
||||
"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----",
|
||||
"from": "2023-12-15T14:00:00Z",
|
||||
"to": null,
|
||||
"status": "active",
|
||||
"signing-format": "dssev1",
|
||||
}]
|
||||
|
||||
verify_opts := {"keys": keys}
|
||||
|
||||
verify_attestation(att) := attest.verify(att, verify_opts)
|
||||
|
||||
attestations contains att if {
|
||||
result := attest.fetch("https://slsa.dev/verification_summary/v1")
|
||||
not result.error
|
||||
some att in result.value
|
||||
}
|
||||
|
||||
signed_statements contains statement if {
|
||||
some att in attestations
|
||||
result := verify_attestation(att)
|
||||
not result.error
|
||||
statement := result.value
|
||||
}
|
||||
|
||||
statements_with_subject contains statement if {
|
||||
some statement in signed_statements
|
||||
some subject in statement.subject
|
||||
subject.digest[digest_type] == digest
|
||||
valid_subject_name(input.isCanonical, subject.name, input.purl)
|
||||
}
|
||||
|
||||
id(statement) := crypto.sha256(json.marshal(statement))
|
||||
|
||||
subjects contains subject if {
|
||||
some statement in statements_with_subject
|
||||
some subject in statement.subject
|
||||
}
|
||||
|
||||
global_violations contains v if {
|
||||
count(attestations) == 0
|
||||
v := {
|
||||
"type": "missing_attestation",
|
||||
"description": "No https://slsa.dev/verification_summary/v1 attestation found",
|
||||
"attestation": null,
|
||||
"details": {},
|
||||
}
|
||||
}
|
||||
|
||||
# we need to key this by statement_id rather than statement because we can't
|
||||
# use an object as a key due to a bug(?) in OPA: https://github.com/open-policy-agent/opa/issues/6736
|
||||
statement_violations[statement_id] contains v if {
|
||||
some att in attestations
|
||||
result := verify_attestation(att)
|
||||
err := result.error
|
||||
statement := unsafe_statement_from_attestation(att)
|
||||
statement_id := id(statement)
|
||||
v := {
|
||||
"type": "unsigned_statement",
|
||||
"description": sprintf("Statement is not correctly signed: %v", [err]),
|
||||
"attestation": statement,
|
||||
"details": {"error": err},
|
||||
}
|
||||
}
|
||||
|
||||
statement_violations[statement_id] contains v if {
|
||||
some statement in signed_statements
|
||||
statement_id := id(statement)
|
||||
not statement in statements_with_subject
|
||||
v := {
|
||||
"type": "bad_subjects",
|
||||
"description": "Statement does not have this image as a subject",
|
||||
"attestation": statement,
|
||||
"details": {"input": input},
|
||||
}
|
||||
}
|
||||
|
||||
statement_violations[statement_id] contains v if {
|
||||
some statement in statements_with_subject
|
||||
statement_id := id(statement)
|
||||
v := field_value_does_not_equal(statement, "verificationResult", "PASSED", "wrong_verification_result")
|
||||
}
|
||||
|
||||
# TODO: add to statement_violations if there are statements that have an incorrect resource_uri
|
||||
# this should match the input.purl, but we really only care about the repo name and the digest
|
||||
# we need to receive the input.purl as a parsed object so we can compare only the parts we care about
|
||||
|
||||
statement_violations[statement_id] contains v if {
|
||||
some statement in statements_with_subject
|
||||
statement_id := id(statement)
|
||||
v := field_value_does_not_equal(statement, "verifier.id", "signing-demo-verifier", "wrong_verifier")
|
||||
}
|
||||
|
||||
statement_violations[statement_id] contains v if {
|
||||
some statement in statements_with_subject
|
||||
statement_id := id(statement)
|
||||
v := field_value_does_not_equal(statement, "policy.uri", "https://docker.com/official/policy/v0.1", "wrong_policy_uri")
|
||||
}
|
||||
|
||||
statement_violations[statement_id] contains v if {
|
||||
some statement in statements_with_subject
|
||||
statement_id := id(statement)
|
||||
v := array_field_does_not_contain(statement, "verifiedLevels", "SLSA_BUILD_LEVEL_3", "wrong_verified_levels")
|
||||
}
|
||||
|
||||
bad_statements contains statement if {
|
||||
some statement in statements_with_subject
|
||||
statement_id := id(statement)
|
||||
statement_violations[statement_id]
|
||||
}
|
||||
|
||||
good_statements := statements_with_subject - bad_statements
|
||||
|
||||
all_violations contains v if {
|
||||
some v in global_violations
|
||||
}
|
||||
|
||||
all_violations contains v if {
|
||||
some violations in statement_violations
|
||||
some v in violations
|
||||
}
|
||||
|
||||
result := {
|
||||
"success": allow,
|
||||
"violations": all_violations,
|
||||
"summary": {
|
||||
"subjects": subjects,
|
||||
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
|
||||
"verifier": "signing-demo-verifier",
|
||||
"policy_uri": "https://docker.com/official/policy/v0.1",
|
||||
},
|
||||
}
|
||||
|
||||
default allow := false
|
||||
|
||||
allow if {
|
||||
count(good_statements) > 0
|
||||
}
|
||||
|
||||
# TODO: this should take into account the repo name from the purl
|
||||
valid_subject_name(true, name, purl)
|
||||
|
||||
valid_subject_name(false, name, purl) if {
|
||||
name == purl
|
||||
}
|
||||
|
||||
field_value_does_not_equal(statement, field, expected, type) := v if {
|
||||
path := split(field, ".")
|
||||
actual := object.get(statement.predicate, path, null)
|
||||
expected != actual
|
||||
v := is_not_violation(statement, field, expected, actual, type)
|
||||
}
|
||||
|
||||
array_field_does_not_contain(statement, field, expected, type) := v if {
|
||||
path := split(field, ".")
|
||||
actual := object.get(statement.predicate, path, null)
|
||||
not expected in actual
|
||||
v := not_contains_violation(statement, field, expected, actual, type)
|
||||
}
|
||||
|
||||
is_not_violation(statement, field, expected, actual, type) := {
|
||||
"type": type,
|
||||
"description": sprintf("%v is not %v", [field, expected]),
|
||||
"attestation": statement,
|
||||
"details": {
|
||||
"field": field,
|
||||
"actual": actual,
|
||||
"expected": expected,
|
||||
},
|
||||
}
|
||||
|
||||
not_contains_violation(statement, field, expected, actual, type) := {
|
||||
"type": type,
|
||||
"description": sprintf("%v does not contain %v", [field, expected]),
|
||||
"attestation": statement,
|
||||
"details": {
|
||||
"field": field,
|
||||
"actual": actual,
|
||||
"expected": expected,
|
||||
},
|
||||
}
|
||||
|
||||
# This is unsafe because we're not checking the signature on the attestation,
|
||||
# do not call this unless you've already verified the attestation or you need the
|
||||
# statement for some other reason
|
||||
unsafe_statement_from_attestation(att) := statement if {
|
||||
payload := att.payload
|
||||
statement := json.unmarshal(base64.decode(payload))
|
||||
}
|
||||
@@ -0,0 +1,12 @@
|
||||
version: v1
|
||||
kind: policy-mapping
|
||||
policies:
|
||||
- origin:
|
||||
domain: docker.io
|
||||
prefix: jonnystoten2/
|
||||
id: jonnystoten2
|
||||
description: jonnystoten2 personal images for testing
|
||||
attestations:
|
||||
style: "referrers"
|
||||
files:
|
||||
- path: test-only.rego
|
||||
@@ -0,0 +1,19 @@
|
||||
package attest
|
||||
|
||||
import rego.v1
|
||||
|
||||
violations contains {
|
||||
"type": "always_fail",
|
||||
"description": "This policy always fails",
|
||||
}
|
||||
|
||||
result := {
|
||||
"success": false,
|
||||
"violations": violations,
|
||||
"summary": {
|
||||
"subjects": set(),
|
||||
"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
|
||||
"verifier": "docker-official-images",
|
||||
"policy_uri": "https://docker.com/official/policy/v0.1",
|
||||
},
|
||||
}
|
||||
@@ -17,11 +17,8 @@ func ExampleNewClient_registry() {
|
||||
}
|
||||
tufOutputPath := filepath.Join(home, ".docker", "tuf")
|
||||
|
||||
// using oci tuf metadata and targets
|
||||
metadataURI := "registry-1.docker.io/docker/tuf-metadata:latest"
|
||||
targetsURI := "registry-1.docker.io/docker/tuf-targets"
|
||||
|
||||
registryClient, err := tuf.NewClient(context.Background(), &tuf.ClientOptions{tuf.DockerTUFRootStaging.Data, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker()})
|
||||
opts := tuf.NewDockerDefaultClientOptions(tufOutputPath)
|
||||
registryClient, err := tuf.NewClient(context.Background(), opts)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
@@ -419,8 +419,8 @@ func LoadRegistryTestData(ctx context.Context, t *testing.T, registry *url.URL,
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
switch len(mf.Manifests) {
|
||||
case 1:
|
||||
switch {
|
||||
case len(mf.Manifests) == 1:
|
||||
// top-level target
|
||||
img, err := tIdx.Image(mf.Manifests[0].Digest)
|
||||
if err != nil {
|
||||
@@ -430,7 +430,7 @@ func LoadRegistryTestData(ctx context.Context, t *testing.T, registry *url.URL,
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
case 2:
|
||||
case len(mf.Manifests) > 1:
|
||||
// delegated target
|
||||
err = remote.WriteIndex(ref, tIdx, oci.WithOptions(ctx, nil)...)
|
||||
if err != nil {
|
||||
|
||||
48
tuf/tuf.go
48
tuf/tuf.go
@@ -7,7 +7,9 @@ import (
|
||||
"io/fs"
|
||||
"net/url"
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
@@ -46,8 +48,9 @@ type Downloader interface {
|
||||
}
|
||||
|
||||
type Client struct {
|
||||
updater *updater.Updater
|
||||
cfg *config.UpdaterConfig
|
||||
updater *updater.Updater
|
||||
cfg *config.UpdaterConfig
|
||||
pathPrefix string
|
||||
}
|
||||
|
||||
type TargetFile struct {
|
||||
@@ -57,26 +60,41 @@ type TargetFile struct {
|
||||
Data []byte
|
||||
}
|
||||
|
||||
// ClientOptions contains the options for creating a new TUF client.
|
||||
type ClientOptions struct {
|
||||
InitialRoot []byte
|
||||
Path string
|
||||
// InitialRoot is the initial root.json file to use for the TUF client.
|
||||
InitialRoot []byte
|
||||
// LocalStorageDir is the directory where the TUF client will cache any downloaded metadata and target files.
|
||||
LocalStorageDir string
|
||||
// MetadataSource is the source of the metadata files.
|
||||
MetadataSource string
|
||||
TargetsSource string
|
||||
// TargetsSource is the source of the target files.
|
||||
TargetsSource string
|
||||
// VersionChecker checks if the current version of this library meets the constraints from the TUF repo.
|
||||
VersionChecker VersionChecker
|
||||
// PathPrefix is the prefix to prepend to all target paths before downloading.
|
||||
PathPrefix string
|
||||
}
|
||||
|
||||
func NewDockerDefaultClientOptions(tufPath string) *ClientOptions {
|
||||
return &ClientOptions{
|
||||
InitialRoot: DockerTUFRootDefault.Data,
|
||||
Path: tufPath,
|
||||
MetadataSource: defaultMetadataSource,
|
||||
TargetsSource: defaultTargetsSource,
|
||||
VersionChecker: NewDefaultVersionChecker(),
|
||||
InitialRoot: DockerTUFRootDefault.Data,
|
||||
LocalStorageDir: tufPath,
|
||||
MetadataSource: defaultMetadataSource,
|
||||
TargetsSource: defaultTargetsSource,
|
||||
VersionChecker: NewDefaultVersionChecker(),
|
||||
}
|
||||
}
|
||||
|
||||
var validPathPrefix = regexp.MustCompile("^[a-z0-9_-]*$")
|
||||
|
||||
// NewClient creates a new TUF client.
|
||||
func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) {
|
||||
pathPrefix := opts.PathPrefix
|
||||
if !validPathPrefix.MatchString(pathPrefix) {
|
||||
return nil, fmt.Errorf("invalid path prefix: %s", pathPrefix)
|
||||
}
|
||||
|
||||
var tufSource Source
|
||||
if strings.HasPrefix(opts.MetadataSource, "https://") || strings.HasPrefix(opts.MetadataSource, "http://") {
|
||||
tufSource = HTTPSource
|
||||
@@ -87,7 +105,7 @@ func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) {
|
||||
tufRootDigest := util.SHA256Hex(opts.InitialRoot)
|
||||
|
||||
// create a directory for each initial root.json
|
||||
metadataPath := filepath.Join(opts.Path, tufRootDigest)
|
||||
metadataPath := filepath.Join(opts.LocalStorageDir, tufRootDigest)
|
||||
err := os.MkdirAll(metadataPath, os.ModePerm)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create directory '%s': %w", metadataPath, err)
|
||||
@@ -139,8 +157,9 @@ func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) {
|
||||
}
|
||||
|
||||
client := &Client{
|
||||
updater: up,
|
||||
cfg: cfg,
|
||||
pathPrefix: pathPrefix,
|
||||
updater: up,
|
||||
cfg: cfg,
|
||||
}
|
||||
|
||||
err = opts.VersionChecker.CheckVersion(client)
|
||||
@@ -181,6 +200,9 @@ func (t *Client) generateTargetURI(target *metadata.TargetFiles, digest string)
|
||||
// information, verifies if the target is already cached, and if it is not cached,
|
||||
// downloads the target file.
|
||||
func (t *Client) DownloadTarget(target string, filePath string) (file *TargetFile, err error) {
|
||||
// before we do anything, prepend the path prefix to the target
|
||||
target = path.Join(t.pathPrefix, target)
|
||||
|
||||
// search if the desired target is available
|
||||
targetInfo, err := t.updater.GetTargetInfo(target)
|
||||
if err != nil {
|
||||
|
||||
@@ -8,6 +8,7 @@ import (
|
||||
"net/url"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/docker/attest/internal/test"
|
||||
@@ -65,18 +66,21 @@ func TestRootInit(t *testing.T) {
|
||||
{"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets"},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
_, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
|
||||
_, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""})
|
||||
assert.NoErrorf(t, err, "Failed to create TUF client: %v", err)
|
||||
|
||||
// recreation should work with same root
|
||||
_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
|
||||
_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""})
|
||||
assert.NoErrorf(t, err, "Failed to recreate TUF client: %v", err)
|
||||
|
||||
_, err = NewClient(ctx, &ClientOptions{[]byte("broken"), tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
|
||||
_, err = NewClient(ctx, &ClientOptions{[]byte("broken"), tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""})
|
||||
assert.Errorf(t, err, "Expected error recreating TUF client with broken root: %v", err)
|
||||
|
||||
_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysBadVersionChecker})
|
||||
_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysBadVersionChecker, ""})
|
||||
assert.Errorf(t, err, "Expected error recreating TUF client with bad version checker")
|
||||
|
||||
_, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, "../.."})
|
||||
assert.Errorf(t, err, "Expected error recreating TUF client with bad path prefix")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -104,15 +108,17 @@ func TestDownloadTarget(t *testing.T) {
|
||||
name string
|
||||
metadataSource string
|
||||
targetsSource string
|
||||
pathPrefix string
|
||||
}{
|
||||
{"http", server.URL + "/metadata", server.URL + "/targets"},
|
||||
{"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets"},
|
||||
{"http, download before init", server.URL + "/metadata", server.URL + "/targets"},
|
||||
{"http", server.URL + "/metadata", server.URL + "/targets", ""},
|
||||
{"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets", ""},
|
||||
{"http, with path prefix", server.URL + "/metadata", server.URL + "/targets", "testing"},
|
||||
{"oci, with path prefix", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets", "testing"},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
tufClient, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
|
||||
tufClient, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, tc.pathPrefix})
|
||||
require.NoErrorf(t, err, "Failed to create TUF client: %v", err)
|
||||
require.NotNil(t, tufClient.updater, "Failed to create updater")
|
||||
|
||||
@@ -121,18 +127,30 @@ func TestDownloadTarget(t *testing.T) {
|
||||
assert.NotNil(t, trustedMetadata, "Failed to get trusted metadata")
|
||||
|
||||
// download top-level target files
|
||||
targets := trustedMetadata.Targets[metadata.TARGETS].Signed.Targets
|
||||
var roleName string
|
||||
if tc.pathPrefix != "" {
|
||||
// get target info for non-existent target, just to trigger a load of the delegated targets metadata
|
||||
_, err = tufClient.updater.GetTargetInfo(tc.pathPrefix + "/fakefile")
|
||||
assert.Error(t, err) // expect error for non-existent target
|
||||
roleName = tc.pathPrefix
|
||||
} else {
|
||||
roleName = metadata.TARGETS
|
||||
}
|
||||
targets := trustedMetadata.Targets[roleName].Signed.Targets
|
||||
for _, target := range targets {
|
||||
path := strings.TrimPrefix(target.Path, tufClient.pathPrefix)
|
||||
// download target files
|
||||
_, err := tufClient.DownloadTarget(target.Path, filepath.Join(tufPath, "download"))
|
||||
_, err := tufClient.DownloadTarget(path, filepath.Join(tufPath, "download"))
|
||||
assert.NoErrorf(t, err, "Failed to download target: %v", err)
|
||||
}
|
||||
|
||||
// download delegated target
|
||||
targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
|
||||
require.NoError(t, err)
|
||||
_, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
|
||||
assert.NoError(t, err)
|
||||
if tc.pathPrefix == "" {
|
||||
// download delegated target, only if not using a path prefix
|
||||
targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
|
||||
require.NoError(t, err)
|
||||
_, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user