diff --git a/mirror/mirror.go b/mirror/mirror.go
index 90d1fcf..5cb3cff 100644
--- a/mirror/mirror.go
+++ b/mirror/mirror.go
@@ -11,7 +11,7 @@ func NewTUFMirror(ctx context.Context, root []byte, tufPath, metadataURL, target
 if root == nil {
 root = tuf.DockerTUFRootDefault.Data
 }
- tufClient, err := tuf.NewClient(ctx, &tuf.ClientOptions{InitialRoot: root, Path: tufPath, MetadataSource: metadataURL, TargetsSource: targetsURL, VersionChecker: versionChecker})
+ tufClient, err := tuf.NewClient(ctx, &tuf.ClientOptions{InitialRoot: root, LocalStorageDir: tufPath, MetadataSource: metadataURL, TargetsSource: targetsURL, VersionChecker: versionChecker})
 if err != nil {
 return nil, fmt.Errorf("failed to create TUF client: %w", err)
 }
diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670 b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670
deleted file mode 100644
index 3329b89..0000000
--- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670
+++ /dev/null 
@@ -1 +0,0 @@ -{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":"3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9"},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":""}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-06-12T17:21:13Z","keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC 
KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":{"root":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"snapshot":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"threshold":1},"timestamp":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":2,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8 b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8 deleted file mode 100644 index 5a993c5..0000000 --- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8 +++ /dev/null @@ -1 +0,0 @@ -{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80"}],"signed":{"_type":"timestamp","expires":"2034-06-23T12:47:16Z","meta":{"snapshot.json":{"version":7}},"spec_version":"1.0.31","version":7}} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/3debf3f541b67760dc37ac1f82a7e0fc86cb5fc3d4f4f9c45ca7d38e55beca7b b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/3debf3f541b67760dc37ac1f82a7e0fc86cb5fc3d4f4f9c45ca7d38e55beca7b new file mode 100644 index 0000000..f8936a3 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/3debf3f541b67760dc37ac1f82a7e0fc86cb5fc3d4f4f9c45ca7d38e55beca7b 
@@ -0,0 +1 @@ +{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"3046022100a474191d8cf56aa84453b2bb9365db31e8d01cbb19026677f2bf70ace72a9ee002210089277a98e2a3792e864378d270e5861c72e5944a95a15bb03aef5963142edd0c"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":"3046022100c828959aa78fcabf565207a204e5033bf1266a2574cad62431f9c83283c1f1b4022100d6ac4850924c78e27a41c9d94b66bb3e076e69615dd981ac9612b9748ea90428"}],"signed":{"_type":"root","consistent_snapshot":true,"expires":"2034-09-04T13:55:23Z","keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@kipz"},"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-online-uri":"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC 
KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":{"root":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"snapshot":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60},"targets":{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664"],"threshold":1},"timestamp":{"keyids":["bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5"],"threshold":1,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}},"spec_version":"1.0.31","version":4,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/4f2b6b008a82518eace3f053d04bd5fbd2059453df992bfda9e5caa46e095502 b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/4f2b6b008a82518eace3f053d04bd5fbd2059453df992bfda9e5caa46e095502 new file mode 100644 index 0000000..bcf9922 --- /dev/null 
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/4f2b6b008a82518eace3f053d04bd5fbd2059453df992bfda9e5caa46e095502 
@@ -0,0 +1,92 @@ +{ + "signatures": [ + { + "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "sig": "" + }, + { + "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72", + "sig": "304402202e636803c93298a350f2528d7e67394e0f12f94a1dfbb28794b65a77d85fe2a50220027570e8005a8ea9e3b78e579f4fda99a0adfeefd824de15d8aef29b29e493eb" + }, + { + "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664", + "sig": "304502207167ef72bd1ca241b8f62e69f8d2e1bec2b129ce534c4884a2ac620aa607f307022100dd49ca6bc5715af869932629d68fff4cf74879000cfc60a31374118f901c04ce" + } + ], + "signed": { + "_type": "root", + "consistent_snapshot": true, + "expires": "2034-09-04T13:40:46Z", + "keys": { + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@mrjoelkamp" + }, + "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@kipz" + }, + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-online-uri": 
"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61" + }, + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@jonnystoten" + } + }, + "roles": { + "root": { + "keyids": [ + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72", + "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664" + ], + "threshold": 1 + }, + "snapshot": { + "keyids": [ + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + }, + "targets": { + "keyids": [ + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72" + ], + "threshold": 1 + }, + "timestamp": { + "keyids": [ + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + } + }, + "spec_version": "1.0.31", + "version": 3, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + } +} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5556a0398a04564261ccc7b548d670792f2086c496322c4e95d898686e8b4811 b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5556a0398a04564261ccc7b548d670792f2086c496322c4e95d898686e8b4811 new file mode 100644 index 0000000..d49fbe3 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5556a0398a04564261ccc7b548d670792f2086c496322c4e95d898686e8b4811 
@@ -0,0 +1 @@ +{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3045022042bb3075239d8d3676fe0990b9cfbb6c1629204d599d61e8805b5057cfecd20c022100da3e16fe5c2259c8a4847f3be8b5d8686f444cdffb2d94da83d71c9707b1cad3"}],"signed":{"_type":"timestamp","expires":"2034-09-07T14:41:18Z","meta":{"snapshot.json":{"version":11}},"spec_version":"1.0.31","version":11}} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497 b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497 deleted file mode 100644 index a93333c..0000000 --- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497 +++ /dev/null @@ -1 +0,0 @@ -{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3045022018e31a2e743b21054939262706520be10375829fb93dec7f3042e48ed8eb9cec0221008c2765ee9e49d49c12a6b9a5124c984d414b8d86452cdbcc2fc2f2ca10a11e67"}],"signed":{"_type":"snapshot","expires":"2034-06-23T12:47:16Z","meta":{"targets.json":{"version":8},"test-role.json":{"version":2}},"spec_version":"1.0.31","version":7}} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/640c0d21bbc7c99717feee6c74ff65e7099e4dc21a30f985f18d6e5bd205502d b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/640c0d21bbc7c99717feee6c74ff65e7099e4dc21a30f985f18d6e5bd205502d new file mode 100644 index 0000000..d524e31 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/640c0d21bbc7c99717feee6c74ff65e7099e4dc21a30f985f18d6e5bd205502d 
@@ -0,0 +1 @@ +{"signatures":[{"keyid":"bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5","sig":"3046022100aeac20924d8a674836e298773a4bb728559cf0acfbae5b6bf1b9c8e29b1a1d1c022100a00c2d981a6ae8b530d213433946216604bcab34bb85435beed63a0e8b0f837c"}],"signed":{"_type":"snapshot","expires":"2034-09-07T14:41:18Z","meta":{"policy.json":{"version":1},"targets.json":{"version":11},"test-role.json":{"version":2},"testing.json":{"version":2}},"spec_version":"1.0.31","version":11}} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59 b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59 deleted file mode 100644 index 9ba9bdf..0000000 --- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59 +++ /dev/null @@ -1 +0,0 @@ -{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8"]},"config":{}} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/832485119c0195acdcd2c7d555f55565be54e658c2e8de3adccf4e2d0c92e536 b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/832485119c0195acdcd2c7d555f55565be54e658c2e8de3adccf4e2d0c92e536 new file mode 100644 index 0000000..9de5be2 --- /dev/null 
+++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/832485119c0195acdcd2c7d555f55565be54e658c2e8de3adccf4e2d0c92e536 
@@ -0,0 +1,79 @@ +{ + "signatures": [ + { + "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "sig": "3065023079fce0ddea385d0e5b6eed0da688946f417d1c1bf6397edaa44279bf948d6de41daf5e0852069900f363175abd95959b023100d2b950cb3f39cc4df8140d2ec3c60d81d2811827fbc61034786cd877586f6ab5f9ba03ad95d7de58e9241917d79687a9" + }, + { + "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72", + "sig": "" + } + ], + "signed": { + "_type": "root", + "consistent_snapshot": true, + "expires": "2034-06-12T17:21:13Z", + "keys": { + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@mrjoelkamp" + }, + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61" + }, + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@jonnystoten" + } + }, + "roles": { + "root": { + "keyids": [ + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + 
"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72" + ], + "threshold": 1 + }, + "snapshot": { + "keyids": [ + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + }, + "targets": { + "keyids": [ + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72" + ], + "threshold": 1 + }, + "timestamp": { + "keyids": [ + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + } + }, + "spec_version": "1.0.31", + "version": 2, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + } +} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/a00c1b266ea6b992a8b6fa87ab8a67232f4319d9e3dd0e63365e73114a2c7869 b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/a00c1b266ea6b992a8b6fa87ab8a67232f4319d9e3dd0e63365e73114a2c7869 new file mode 100644 index 0000000..75fb87d --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/a00c1b266ea6b992a8b6fa87ab8a67232f4319d9e3dd0e63365e73114a2c7869 
@@ -0,0 +1 @@ +{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304402200ea43fe1e416994188eb928b097a2cdf4760de5ce1a5803ccd7f032fb043d5f00220201b346fbe41c44422426a5715eff90b09dfcc8a2b791f3b0471376a43c22889"},{"keyid":"81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664","sig":""}],"signed":{"_type":"targets","delegations":{"keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"},"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC 
KEY-----\n"},"scheme":"ecdsa-sha2-nistp256","x-tuf-on-ci-keyowner":"@jonnystoten"}},"roles":[{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1},{"keyids":["beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72"],"name":"testing","paths":["testing/*","testing/*/*","testing/*/*/*","testing/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-09-07T14:32:09Z","spec_version":"1.0.31","targets":{"always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"mapping.yaml":{"hashes":{"sha256":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"},"length":272},"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31},"version-constraints":{"hashes":{"sha256":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"},"length":12}},"version":11,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb deleted file mode 100644 index 7fef68c..0000000 --- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb +++ /dev/null 
@@ -1 +0,0 @@ -{"signatures":[{"keyid":"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221","sig":""},{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304602210086552ad4ffddd7e60f2b80d095b4dfad9d2836cfce5d6b12dfb2aec0786240df02210097807190a1f64c615798b74068e8c9f19a29f495566bc1f16d296c7edd9343b3"}],"signed":{"_type":"targets","delegations":{"keys":{"76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221":{"keytype":"ecdsa","keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n"},"scheme":"ecdsa-sha2-nistp384","x-tuf-on-ci-keyowner":"@mrjoelkamp"}},"roles":[{"keyids":["76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221"],"name":"test-role","paths":["test-role/*","test-role/*/*","test-role/*/*/*","test-role/*/*/*/*"],"terminating":true,"threshold":1}]},"expires":"2034-06-23T12:42:15Z","spec_version":"1.0.31","targets":{"always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"mapping.yaml":{"hashes":{"sha256":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"},"length":272},"test.txt":{"hashes":{"sha256":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"},"length":31},"version-constraints":{"hashes":{"sha256":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"},"length":12}},"version":8,"x-tuf-on-ci-expiry-period":3650,"x-tuf-on-ci-signing-period":60}} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1 b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1 deleted file mode 100644 index ecf3fc5..0000000 --- a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1 +++ /dev/null @@ -1 +0,0 @@ -{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":669,"digest":"sha256:742736cf58eef752676e9254241b3143779ad66e10707f980b6a477cdc23ad59"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2202,"digest":"sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2472,"digest":"sha256:1e6d780fc1967ff3d2d65c01b3614536a1562de0f0e5981718df82f61dc0c670","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":412,"digest":"sha256:5caaed86d85583b60586eff2da6ecff41a35d0ec5b8a603330db791249f7d497","annotations":{"tuf.io/filename":"7.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":1746,"digest":"sha256:ddc840cc61ca4a5cf9b79d683fc81144977f2d95f1734ebf247b3f9da4d644fb","annotations":{"tuf.io/filename":"8.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":383,"digest":"sha256:1f83502e00bf791ad0b4308fed7ba4a2cb099665069585f21f819fb35be140d8","annotations":{"tuf.io/filename":"timestamp.json"}}]} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/e83d550964be04addfc119b45b8dd80914babd5e5f0529b3106d6f18f74afc3a b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/e83d550964be04addfc119b45b8dd80914babd5e5f0529b3106d6f18f74afc3a new file mode 100644 index 0000000..d1cf36a --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/blobs/sha256/e83d550964be04addfc119b45b8dd80914babd5e5f0529b3106d6f18f74afc3a 
@@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":2202,"digest":"sha256:5a9f60b64b708d05e4e4da0354529fc7fe5015807b79f0bf7b136207bf952bd7","annotations":{"tuf.io/filename":"1.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2856,"digest":"sha256:832485119c0195acdcd2c7d555f55565be54e658c2e8de3adccf4e2d0c92e536","annotations":{"tuf.io/filename":"2.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":3506,"digest":"sha256:4f2b6b008a82518eace3f053d04bd5fbd2059453df992bfda9e5caa46e095502","annotations":{"tuf.io/filename":"3.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":3128,"digest":"sha256:3debf3f541b67760dc37ac1f82a7e0fc86cb5fc3d4f4f9c45ca7d38e55beca7b","annotations":{"tuf.io/filename":"4.root.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":473,"digest":"sha256:640c0d21bbc7c99717feee6c74ff65e7099e4dc21a30f985f18d6e5bd205502d","annotations":{"tuf.io/filename":"11.snapshot.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":2390,"digest":"sha256:a00c1b266ea6b992a8b6fa87ab8a67232f4319d9e3dd0e63365e73114a2c7869","annotations":{"tuf.io/filename":"11.targets.json"}},{"mediaType":"application/vnd.tuf.metadata+json","size":385,"digest":"sha256:5556a0398a04564261ccc7b548d670792f2086c496322c4e95d898686e8b4811","annotations":{"tuf.io/filename":"timestamp.json"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/index.json b/test/testdata/tuf/test-repo-oci/metadata/index.json index 36cd472..bf7cfef 100755 --- a/test/testdata/tuf/test-repo-oci/metadata/index.json +++ b/test/testdata/tuf/test-repo-oci/metadata/index.json 
@@ -4,8 +4,9 @@ "manifests": [ { "mediaType": "application/vnd.oci.image.manifest.v1+json", - "size": 1220, - "digest": "sha256:e744131b8e5deec56c893bb4de662fdefa3b82fb8c66a9fa4a039ea543afa5e1" + "size": 1608, + "digest": "sha256:e83d550964be04addfc119b45b8dd80914babd5e5f0529b3106d6f18f74afc3a", + "artifactType": "application/vnd.oci.empty.v1+json" } ] } \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc deleted file mode 100644 index c5dbe3c..0000000 --- a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc +++ /dev/null @@ -1 +0,0 @@ -{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98"},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":742,"digest":"sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1","annotations":{"tuf.io/filename":"2.test-role.json"}}]} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98 b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98 index 7b9caef..9e26dfe 100644 --- a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98 +++ b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/84fd82cab3086626411db7936836bca343f3f2cb7a9b41846cbc42d6ff64da98 @@ -1 +1 @@ -{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1"]},"config":{}} \ No newline at end of file +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/e4f3fbc9692b9f500fecd97d33c58bd00e120cecbcdff2279f864dd2832c10e3 b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/e4f3fbc9692b9f500fecd97d33c58bd00e120cecbcdff2279f864dd2832c10e3 new file mode 100644 index 0000000..bbfde8e --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/test-role/blobs/sha256/e4f3fbc9692b9f500fecd97d33c58bd00e120cecbcdff2279f864dd2832c10e3 @@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":742,"digest":"sha256:ad7b6cdc3c7c0af0f8f05459471074adb6353ff72e65e2ec2629fafcce1603b1","annotations":{"tuf.io/filename":"2.test-role.json"}}]} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/metadata/test-role/index.json b/test/testdata/tuf/test-repo-oci/metadata/test-role/index.json index 58a3c3a..d41d879 100755 --- a/test/testdata/tuf/test-repo-oci/metadata/test-role/index.json +++ b/test/testdata/tuf/test-repo-oci/metadata/test-role/index.json @@ -5,7 +5,8 @@ { "mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 444, - "digest": "sha256:6536fc6f6e006b674a97c23b28c01e97153533777a48c3de9ff06a20a200dcbc" + "digest": "sha256:e4f3fbc9692b9f500fecd97d33c58bd00e120cecbcdff2279f864dd2832c10e3", + "artifactType": "application/vnd.oci.empty.v1+json" } ] } \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/243420d72b0472394a29ad86a06a05f9b1f6270000ccabfeeba7680e8d27840b b/test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/243420d72b0472394a29ad86a06a05f9b1f6270000ccabfeeba7680e8d27840b new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/243420d72b0472394a29ad86a06a05f9b1f6270000ccabfeeba7680e8d27840b @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/a70a4b054774f728a66a22b05008b505573d850cc942552276a1faec79a6d6a5 b/test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/a70a4b054774f728a66a22b05008b505573d850cc942552276a1faec79a6d6a5 new file mode 100644 index 0000000..1aa34ca --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/a70a4b054774f728a66a22b05008b505573d850cc942552276a1faec79a6d6a5 
@@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.metadata+json","size":930,"digest":"sha256:f06ffb8527f121fa950570349ed57f77498ca4ac9a590fb15a0ec97a67a70ea6","annotations":{"tuf.io/filename":"2.testing.json"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/f06ffb8527f121fa950570349ed57f77498ca4ac9a590fb15a0ec97a67a70ea6 b/test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/f06ffb8527f121fa950570349ed57f77498ca4ac9a590fb15a0ec97a67a70ea6 new file mode 100644 index 0000000..9c2d2c0 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/testing/blobs/sha256/f06ffb8527f121fa950570349ed57f77498ca4ac9a590fb15a0ec97a67a70ea6 @@ -0,0 +1 @@ +{"signatures":[{"keyid":"beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72","sig":"304502207ffc26ed83118f9aa0e0c7d6cad1cbcca7ffedc1cdfa7d1c5d6bc589ee1586c502210091bf85dfbe58b300af02922e28878a135767a07a7ed93e3f169d418e5b03dcd0"}],"signed":{"_type":"targets","expires":"2025-09-09T14:38:32Z","spec_version":"1.0.31","targets":{"testing/always-fail.rego":{"hashes":{"sha256":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"},"length":364},"testing/jonnystoten2.rego":{"hashes":{"sha256":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"},"length":5857},"testing/mapping.yaml":{"hashes":{"sha256":"d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090"},"length":269},"testing/test-only.rego":{"hashes":{"sha256":"93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374"},"length":467}},"version":2,"x-tuf-on-ci-expiry-period":365,"x-tuf-on-ci-signing-period":60}} \ No newline at end of file 
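Review bot: The `testing` targets metadata added in `blobs/sha256/f06ffb8527f121fa950570349ed57f77498ca4ac9a590fb15a0ec97a67a70ea6` carries `"expires":"2025-09-09T14:38:32Z"`, a hard expiry baked into a signed test fixture. A TUF client that evaluates expiry against the wall clock would presumably begin rejecting this role after that date, turning the tests that load it red without any code change. Whether the suite pins the reference time used for verification cannot be seen from this diff. If it does not, either pin it in the test setup or regenerate the fixture with a longer validity period, and record next to the testdata how it is regenerated.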
diff --git a/test/testdata/tuf/test-repo-oci/metadata/testing/index.json b/test/testdata/tuf/test-repo-oci/metadata/testing/index.json new file mode 100755 index 0000000..433e4d5 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/testing/index.json @@ -0,0 +1,12 @@ +{ + "schemaVersion": 2, + "mediaType": "application/vnd.oci.image.index.v1+json", + "manifests": [ + { + "mediaType": "application/vnd.oci.image.manifest.v1+json", + "size": 442, + "digest": "sha256:a70a4b054774f728a66a22b05008b505573d850cc942552276a1faec79a6d6a5", + "artifactType": "application/vnd.oci.empty.v1+json" + } + ] +} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/metadata/testing/oci-layout b/test/testdata/tuf/test-repo-oci/metadata/testing/oci-layout new file mode 100755 index 0000000..224a869 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/metadata/testing/oci-layout @@ -0,0 +1,3 @@ +{ + "imageLayoutVersion": "1.0.0" +} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a b/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -0,0 +1 @@ +{} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/4b0cc6119d25a34299b24d86095f21f667378aadf3c493c2d92f134869fd2c73 b/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/4b0cc6119d25a34299b24d86095f21f667378aadf3c493c2d92f134869fd2c73 new file mode 100644 index 0000000..5f67b42 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/4b0cc6119d25a34299b24d86095f21f667378aadf3c493c2d92f134869fd2c73 @@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":31,"digest":"sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b","annotations":{"tuf.io/filename":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/cf0c754e6415fab25e2f59fb6b010dcf0c2369f7a59a45ff29c693c844163ca7 b/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/cf0c754e6415fab25e2f59fb6b010dcf0c2369f7a59a45ff29c693c844163ca7 index 8a2d027..9e26dfe 100644 --- a/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/cf0c754e6415fab25e2f59fb6b010dcf0c2369f7a59a45ff29c693c844163ca7 
+++ b/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/cf0c754e6415fab25e2f59fb6b010dcf0c2369f7a59a45ff29c693c844163ca7 @@ -1 +1 @@ -{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b"]},"config":{}} \ No newline at end of file +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/cf70a3b91fd7dfaa30952dfa9f094809e6cd9bd7364942c7f067c747bc535f94 b/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/cf70a3b91fd7dfaa30952dfa9f094809e6cd9bd7364942c7f067c747bc535f94 deleted file mode 100644 index c3dee4b..0000000 --- a/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/blobs/sha256/cf70a3b91fd7dfaa30952dfa9f094809e6cd9bd7364942c7f067c747bc535f94 +++ /dev/null @@ -1 +0,0 @@ -{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:cf0c754e6415fab25e2f59fb6b010dcf0c2369f7a59a45ff29c693c844163ca7"},"layers":[{"mediaType":"application/vnd.tuf.target","size":31,"digest":"sha256:02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b","annotations":{"tuf.io/filename":"02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/index.json b/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/index.json index 9a03dcf..62c405d 100755 
--- a/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/index.json +++ b/test/testdata/tuf/test-repo-oci/targets/02119a076ec3878c736c3a95e20794f5a8d5bce3d7ecc264681bb7334ca2e24b.test.txt/index.json @@ -5,7 +5,8 @@ { "mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 493, - "digest": "sha256:cf70a3b91fd7dfaa30952dfa9f094809e6cd9bd7364942c7f067c747bc535f94" + "digest": "sha256:4b0cc6119d25a34299b24d86095f21f667378aadf3c493c2d92f134869fd2c73", + "artifactType": "application/vnd.oci.empty.v1+json" } ] } \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f deleted file mode 100644 index 672490f..0000000 --- a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f +++ /dev/null @@ -1 +0,0 @@ -{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d"},"layers":[{"mediaType":"application/vnd.tuf.target","size":272,"digest":"sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1","annotations":{"tuf.io/filename":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml"}}]} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d index cb1d601..9e26dfe 100644 --- a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d +++ b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/518931eb24f93aa58c711c77e59d63171462133141ba9c6f8b6bc99a8daaab4d @@ -1 +1 @@ -{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1"]},"config":{}} \ No newline at end of file +{} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/f6c752a7909493c7aaee73c51f174a2ca9b2edd2dc3868c8306b80b0e7f489e1 b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/f6c752a7909493c7aaee73c51f174a2ca9b2edd2dc3868c8306b80b0e7f489e1 new file mode 100644 index 0000000..843fa97 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/blobs/sha256/f6c752a7909493c7aaee73c51f174a2ca9b2edd2dc3868c8306b80b0e7f489e1 @@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":272,"digest":"sha256:baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1","annotations":{"tuf.io/filename":"baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/index.json b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/index.json index 9c566b7..6d3381e 100755 --- a/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/index.json +++ b/test/testdata/tuf/test-repo-oci/targets/baad1a9d61afa5d6f8717f576b57b9749e5549da4b826746fd73a5a914ac5be1.mapping.yaml/index.json 
@@ -5,7 +5,8 @@ { "mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 498, - "digest": "sha256:08fcd920e5ff68ff16601b7952c58b05a947e007ebf4cc8898c43b71a375604f" + "digest": "sha256:f6c752a7909493c7aaee73c51f174a2ca9b2edd2dc3868c8306b80b0e7f489e1", + "artifactType": "application/vnd.oci.empty.v1+json" } ] } \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48 b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48 new file mode 100644 index 0000000..6a70b73 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48 @@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315 b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315 deleted file mode 100644 index 098edc0..0000000 --- a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315 +++ /dev/null @@ -1 +0,0 @@ -{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10"},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10 b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10 index 2156479..9e26dfe 100644 --- a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10 +++ b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10 @@ -1 +1 @@ -{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1"]},"config":{}} \ No newline at end of file +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/index.json b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/index.json index 9f4abe5..eaf44e7 100755 --- a/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/index.json +++ b/test/testdata/tuf/test-repo-oci/targets/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego/index.json 
@@ -5,7 +5,8 @@ { "mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 504, - "digest": "sha256:4f6f31200d0a02278381a1c3c54e4a45e24ce0e36698ad73f5e067cf7b986315" + "digest": "sha256:39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48", + "artifactType": "application/vnd.oci.empty.v1+json" } ] } \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664 b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664 deleted file mode 100644 index 5ed14a9..0000000 --- a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664 +++ /dev/null @@ -1 +0,0 @@ -{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a"},"layers":[{"mediaType":"application/vnd.tuf.target","size":12,"digest":"sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3","annotations":{"tuf.io/filename":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints"}}]} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/b197e563dc2e6961628f2d9543da7555b50fdd78877ef34917d642a60e6bd73f b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/b197e563dc2e6961628f2d9543da7555b50fdd78877ef34917d642a60e6bd73f new file mode 100644 index 0000000..ca7d18f --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/b197e563dc2e6961628f2d9543da7555b50fdd78877ef34917d642a60e6bd73f @@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":12,"digest":"sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3","annotations":{"tuf.io/filename":"bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints"}}]} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a index 47a5ce1..9e26dfe 100644 --- a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a +++ b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/blobs/sha256/d8be98f75d88fafaf2195e64474570f79d918741cf0e90603304b4035e86200a @@ -1 +1 @@ -{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3"]},"config":{}} \ No newline at end of file +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/index.json b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/index.json index cd94e8c..4385725 100755 --- a/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/index.json +++ b/test/testdata/tuf/test-repo-oci/targets/bd6394a08afc1edfe5512fc14e63025a337e25ca0013c1068ec879742fc3a3c3.version-constraints/index.json 
@@ -5,7 +5,8 @@ { "mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 504, - "digest": "sha256:3367ba9d6820ec214f616be99d8b2e7be302d9eab8d258aed8d723e3dd696664" + "digest": "sha256:b197e563dc2e6961628f2d9543da7555b50fdd78877ef34917d642a60e6bd73f", + "artifactType": "application/vnd.oci.empty.v1+json" } ] } \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac new file mode 100644 index 0000000..46e686e --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac @@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b deleted file mode 100644 index d814a6b..0000000 --- a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b +++ /dev/null @@ -1 +0,0 @@ -{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97"},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -0,0 +1 @@ +{} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97 b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97 index db3ef81..9e26dfe 100644 --- a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97 +++ b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97 @@ -1 +1 @@ -{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac"]},"config":{}} \ No newline at end of file +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/index.json b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/index.json index 59a5742..0e27c79 100755 --- a/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/index.json +++ b/test/testdata/tuf/test-repo-oci/targets/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego/index.json 
@@ -5,7 +5,8 @@ { "mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 502, - "digest": "sha256:1ec0122bb46783966623e1c099362eaf0bd06d476142d9c9b9c328ecd07f365b" + "digest": "sha256:0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac", + "artifactType": "application/vnd.oci.empty.v1+json" } ] } \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2 b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2 deleted file mode 100644 index cdcc345..0000000 --- a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2 +++ /dev/null @@ -1 +0,0 @@ -{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:d9941355ca037d7e878e04c1bc7cbf9c71a5d8035b6e27be0d9e5d9087599055"},"layers":[{"mediaType":"application/vnd.tuf.target","size":32,"digest":"sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2","annotations":{"tuf.io/filename":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa deleted file mode 100644 index 0595e95..0000000 --- a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa +++ /dev/null 
@@ -1 +0,0 @@ -{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0"},"layers":[{"mediaType":"application/vnd.tuf.target","size":46,"digest":"sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465","annotations":{"tuf.io/filename":"bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0 b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0 index 53f98a4..9e26dfe 100644 --- a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0 +++ b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/1691cdc848fa42fceb9f97f195c4e2372fba2cbe2984801f5296d26032d822b0 @@ -1 +1 @@ -{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465"]},"config":{}} \ No newline at end of file +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -0,0 +1 @@ +{} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/46ad77c669b6b5b015e4b164ad66624d0c7704dfae8752e7844a632d8e3df640 b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/46ad77c669b6b5b015e4b164ad66624d0c7704dfae8752e7844a632d8e3df640 new file mode 100644 index 0000000..90a0952 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/46ad77c669b6b5b015e4b164ad66624d0c7704dfae8752e7844a632d8e3df640 @@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":46,"digest":"sha256:bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465","annotations":{"tuf.io/filename":"bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/d9941355ca037d7e878e04c1bc7cbf9c71a5d8035b6e27be0d9e5d9087599055 b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/d9941355ca037d7e878e04c1bc7cbf9c71a5d8035b6e27be0d9e5d9087599055 index f87a003..9e26dfe 100644 --- a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/d9941355ca037d7e878e04c1bc7cbf9c71a5d8035b6e27be0d9e5d9087599055 +++ b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/d9941355ca037d7e878e04c1bc7cbf9c71a5d8035b6e27be0d9e5d9087599055 @@ -1 +1 @@ -{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2"]},"config":{}} \ No newline at end of file +{} \ No newline at end of file 
diff --git a/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/f1558403107419b9a79ce371bba1425c123daf3f77437ba42c77b9dd0f26d6f8 b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/f1558403107419b9a79ce371bba1425c123daf3f77437ba42c77b9dd0f26d6f8 new file mode 100644 index 0000000..d43f098 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/test-role/blobs/sha256/f1558403107419b9a79ce371bba1425c123daf3f77437ba42c77b9dd0f26d6f8 @@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":32,"digest":"sha256:d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2","annotations":{"tuf.io/filename":"d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/test-role/index.json b/test/testdata/tuf/test-repo-oci/targets/test-role/index.json index 44127da..2456b49 100755 --- a/test/testdata/tuf/test-repo-oci/targets/test-role/index.json +++ b/test/testdata/tuf/test-repo-oci/targets/test-role/index.json 
@@ -1 +1 @@ -{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0d097261f1f5e01d310d34d8da4343ffa574fb44cb5010a0bca5a50568cda7aa","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"}},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:0a4afcdad291941327b070ab4feaf052425fbf4ded864bc55c18cfefec8be6e2","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"}}]} \ No newline at end of file +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:46ad77c669b6b5b015e4b164ad66624d0c7704dfae8752e7844a632d8e3df640","annotations":{"tuf.io/filename":"test-role/dir1/dir2/dir3/bb8fcf06f6c067dcbcb394d7d9ced788316fc02b715fe679097281108a4bd465.test.txt"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":493,"digest":"sha256:f1558403107419b9a79ce371bba1425c123daf3f77437ba42c77b9dd0f26d6f8","annotations":{"tuf.io/filename":"test-role/d1bb6181284970ae43fbbc88b5e72f9a5942ebac20588aa0c4bf78ba621e1ee2.test.txt"},"artifactType":"application/vnd.oci.empty.v1+json"}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac new file mode 100644 index 0000000..46e686e --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac 
@@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":364,"digest":"sha256:e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac","annotations":{"tuf.io/filename":"e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/0ee29b1aba4bf2259b76066c170aeeb923b2d96db3c46a8fe3d1475e9ccf320b b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/0ee29b1aba4bf2259b76066c170aeeb923b2d96db3c46a8fe3d1475e9ccf320b new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/0ee29b1aba4bf2259b76066c170aeeb923b2d96db3c46a8fe3d1475e9ccf320b @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48 b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48 new file mode 100644 index 0000000..6a70b73 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48 
@@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":5857,"digest":"sha256:bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1","annotations":{"tuf.io/filename":"bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374 b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374 new file mode 100644 index 0000000..55e4f46 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374 
@@ -0,0 +1,21 @@
+package attest
+
+import rego.v1
+
+# this file only exists in the testing delegation
+
+violations contains {
+ "type": "testing_delegation",
+ "description": "This policy always fails. We'd better not promote this to production.",
+}
+
+result := {
+ "success": false,
+ "violations": violations,
+ "summary": {
+ "subjects": set(),
+ "slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+ "verifier": "docker-official-images",
+ "policy_uri": "https://docker.com/official/policy/v0.1",
+ },
+}
diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97 b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97
new file mode 100644
index 0000000..9e26dfe
--- /dev/null
+++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/9ecff174eabe9768063a2686be1ef45185c5932916e4e108f4f9fde20f6d3f97
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10 b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10
new file mode 100644
index 0000000..9e26dfe
--- /dev/null
+++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/b3ed84cbb194e472b365c914d6551e2420167022e156409e10701c0ec9418b10
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/b846de84908dbf583e3b7e7fbd95cf2c5ffc3c0c92e19ef7be6859df3c5397a3 b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/b846de84908dbf583e3b7e7fbd95cf2c5ffc3c0c92e19ef7be6859df3c5397a3
new file mode 100644
index 0000000..209c62f
--- /dev/null
+++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/b846de84908dbf583e3b7e7fbd95cf2c5ffc3c0c92e19ef7be6859df3c5397a3
@@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":269,"digest":"sha256:d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090","annotations":{"tuf.io/filename":"d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml"}}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1 b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1 new file mode 100644 index 0000000..3e7069f --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1 
@@ -0,0 +1,200 @@ +package attest + +import rego.v1 + +split_digest := split(input.digest, ":") + +digest_type := split_digest[0] + +digest := split_digest[1] + +keys := [{ + "id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4", + "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----", + "from": "2023-12-15T14:00:00Z", + "to": null, + "status": "active", + "signing-format": "dssev1", +}] + +verify_opts := {"keys": keys} + +verify_attestation(att) := attest.verify(att, verify_opts) + +attestations contains att if { + result := attest.fetch("https://slsa.dev/verification_summary/v1") + not result.error + some att in result.value +} + +signed_statements contains statement if { + some att in attestations + result := verify_attestation(att) + not result.error + statement := result.value +} + +statements_with_subject contains statement if { + some statement in signed_statements + some subject in statement.subject + subject.digest[digest_type] == digest + valid_subject_name(input.isCanonical, subject.name, input.purl) +} + +id(statement) := crypto.sha256(json.marshal(statement)) + +subjects contains subject if { + some statement in statements_with_subject + some subject in statement.subject +} + +global_violations contains v if { + count(attestations) == 0 + v := { + "type": "missing_attestation", + "description": "No https://slsa.dev/verification_summary/v1 attestation found", + "attestation": null, + "details": {}, + } +} + +# we need to key this by statement_id rather than statement because we can't +# use an object as a key due to a bug(?) 
in OPA: https://github.com/open-policy-agent/opa/issues/6736 +statement_violations[statement_id] contains v if { + some att in attestations + result := verify_attestation(att) + err := result.error + statement := unsafe_statement_from_attestation(att) + statement_id := id(statement) + v := { + "type": "unsigned_statement", + "description": sprintf("Statement is not correctly signed: %v", [err]), + "attestation": statement, + "details": {"error": err}, + } +} + +statement_violations[statement_id] contains v if { + some statement in signed_statements + statement_id := id(statement) + not statement in statements_with_subject + v := { + "type": "bad_subjects", + "description": "Statement does not have this image as a subject", + "attestation": statement, + "details": {"input": input}, + } +} + +statement_violations[statement_id] contains v if { + some statement in statements_with_subject + statement_id := id(statement) + v := field_value_does_not_equal(statement, "verificationResult", "PASSED", "wrong_verification_result") +} + +# TODO: add to statement_violations if there are statements that have an incorrect resource_uri +# this should match the input.purl, but we really only care about the repo name and the digest +# we need to receive the input.purl as a parsed object so we can compare only the parts we care about + +statement_violations[statement_id] contains v if { + some statement in statements_with_subject + statement_id := id(statement) + v := field_value_does_not_equal(statement, "verifier.id", "signing-demo-verifier", "wrong_verifier") +} + +statement_violations[statement_id] contains v if { + some statement in statements_with_subject + statement_id := id(statement) + v := field_value_does_not_equal(statement, "policy.uri", "https://docker.com/official/policy/v0.1", "wrong_policy_uri") +} + +statement_violations[statement_id] contains v if { + some statement in statements_with_subject + statement_id := id(statement) + v := 
array_field_does_not_contain(statement, "verifiedLevels", "SLSA_BUILD_LEVEL_3", "wrong_verified_levels") +} + +bad_statements contains statement if { + some statement in statements_with_subject + statement_id := id(statement) + statement_violations[statement_id] +} + +good_statements := statements_with_subject - bad_statements + +all_violations contains v if { + some v in global_violations +} + +all_violations contains v if { + some violations in statement_violations + some v in violations +} + +result := { + "success": allow, + "violations": all_violations, + "summary": { + "subjects": subjects, + "slsa_levels": ["SLSA_BUILD_LEVEL_3"], + "verifier": "signing-demo-verifier", + "policy_uri": "https://docker.com/official/policy/v0.1", + }, +} + +default allow := false + +allow if { + count(good_statements) > 0 +} + +# TODO: this should take into account the repo name from the purl +valid_subject_name(true, name, purl) + +valid_subject_name(false, name, purl) if { + name == purl +} + +field_value_does_not_equal(statement, field, expected, type) := v if { + path := split(field, ".") + actual := object.get(statement.predicate, path, null) + expected != actual + v := is_not_violation(statement, field, expected, actual, type) +} + +array_field_does_not_contain(statement, field, expected, type) := v if { + path := split(field, ".") + actual := object.get(statement.predicate, path, null) + not expected in actual + v := not_contains_violation(statement, field, expected, actual, type) +} + +is_not_violation(statement, field, expected, actual, type) := { + "type": type, + "description": sprintf("%v is not %v", [field, expected]), + "attestation": statement, + "details": { + "field": field, + "actual": actual, + "expected": expected, + }, +} + +not_contains_violation(statement, field, expected, actual, type) := { + "type": type, + "description": sprintf("%v does not contain %v", [field, expected]), + "attestation": statement, + "details": { + "field": field, + "actual": actual, 
+ "expected": expected, + }, +} + +# This is unsafe because we're not checking the signature on the attestation, +# do not call this unless you've already verified the attestation or you need the +# statement for some other reason +unsafe_statement_from_attestation(att) := statement if { + payload := att.payload + statement := json.unmarshal(base64.decode(payload)) +} diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090 b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090 new file mode 100644 index 0000000..51dbe74 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090 @@ -0,0 +1,12 @@ +version: v1 +kind: policy-mapping +policies: + - origin: + domain: docker.io + prefix: jonnystoten2/ + id: jonnystoten2 + description: jonnystoten2 personal images for testing + attestations: + style: "referrers" + files: + - path: test-only.rego diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/db3d6f0ce76f0fa388b83f4928620a7d532ab386a954dd997bdf9318aa5d0b79 b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/db3d6f0ce76f0fa388b83f4928620a7d532ab386a954dd997bdf9318aa5d0b79 new file mode 100644 index 0000000..9e46472 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/db3d6f0ce76f0fa388b83f4928620a7d532ab386a954dd997bdf9318aa5d0b79 
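Review bot: `allow` only requires `count(good_statements) > 0`, so `result.success` can be true while `all_violations` still carries `unsigned_statement` or `bad_subjects` entries from other attestations, and nothing in the policy says this is intended. A comment above `allow` would make the contract explicit for consumers that also read `violations`, e.g. `# one fully valid statement is sufficient; violations from other statements are reported but do not block`. Separately, `valid_subject_name(true, name, purl)` accepts every subject name for canonical inputs. The TODO already covers the missing repo-name comparison, but the comment should also say that the digest match is the only subject check in that case.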
@@ -0,0 +1 @@
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.empty.v1+json","size":2,"digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","data":"e30="},"layers":[{"mediaType":"application/vnd.tuf.target","size":467,"digest":"sha256:93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374","annotations":{"tuf.io/filename":"93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego"}}]}
\ No newline at end of file
diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac
new file mode 100644
index 0000000..e16ec55
--- /dev/null
+++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac
@@ -0,0 +1,19 @@
+package attest
+
+import rego.v1
+
+violations contains {
+ "type": "always_fail",
+ "description": "This policy always fails",
+}
+
+result := {
+ "success": false,
+ "violations": violations,
+ "summary": {
+ "subjects": set(),
+ "slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+ "verifier": "docker-official-images",
+ "policy_uri": "https://docker.com/official/policy/v0.1",
+ },
+}
diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/f7c51ae1304af943cc66cf88fb043c1e463fe245793752c463312581dd4a1f9a b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/f7c51ae1304af943cc66cf88fb043c1e463fe245793752c463312581dd4a1f9a
new file mode 100644
index 0000000..9e26dfe
--- /dev/null
+++ b/test/testdata/tuf/test-repo-oci/targets/testing/blobs/sha256/f7c51ae1304af943cc66cf88fb043c1e463fe245793752c463312581dd4a1f9a
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/index.json b/test/testdata/tuf/test-repo-oci/targets/testing/index.json new file mode 100755 index 0000000..0240bb4 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/testing/index.json @@ -0,0 +1 @@ +{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":502,"digest":"sha256:0d9f576776df40330e2f646eca34a51f4a092bd23409b19824ed36c1e8ed70ac","annotations":{"tuf.io/filename":"testing/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":504,"digest":"sha256:39be48096573b49cb30ce5479d25c49a3405e8495daa9066e813e96338a17f48","annotations":{"tuf.io/filename":"testing/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":498,"digest":"sha256:b846de84908dbf583e3b7e7fbd95cf2c5ffc3c0c92e19ef7be6859df3c5397a3","annotations":{"tuf.io/filename":"testing/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml"},"artifactType":"application/vnd.oci.empty.v1+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","size":500,"digest":"sha256:db3d6f0ce76f0fa388b83f4928620a7d532ab386a954dd997bdf9318aa5d0b79","annotations":{"tuf.io/filename":"testing/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego"},"artifactType":"application/vnd.oci.empty.v1+json"}]} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo-oci/targets/testing/oci-layout b/test/testdata/tuf/test-repo-oci/targets/testing/oci-layout new file mode 100755 index 0000000..224a869 --- /dev/null +++ b/test/testdata/tuf/test-repo-oci/targets/testing/oci-layout 
@@ -0,0 +1,3 @@ +{ + "imageLayoutVersion": "1.0.0" +} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo/metadata/11.snapshot.json b/test/testdata/tuf/test-repo/metadata/11.snapshot.json new file mode 100644 index 0000000..94aa9e6 --- /dev/null +++ b/test/testdata/tuf/test-repo/metadata/11.snapshot.json @@ -0,0 +1,28 @@ +{ + "signatures": [ + { + "keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5", + "sig": "3046022100aeac20924d8a674836e298773a4bb728559cf0acfbae5b6bf1b9c8e29b1a1d1c022100a00c2d981a6ae8b530d213433946216604bcab34bb85435beed63a0e8b0f837c" + } + ], + "signed": { + "_type": "snapshot", + "expires": "2034-09-07T14:41:18Z", + "meta": { + "policy.json": { + "version": 1 + }, + "targets.json": { + "version": 11 + }, + "test-role.json": { + "version": 2 + }, + "testing.json": { + "version": 2 + } + }, + "spec_version": "1.0.31", + "version": 11 + } +} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo/metadata/8.targets.json b/test/testdata/tuf/test-repo/metadata/11.targets.json similarity index 65% rename from test/testdata/tuf/test-repo/metadata/8.targets.json rename to test/testdata/tuf/test-repo/metadata/11.targets.json index 2931bc7..63a2f33 100644 --- a/test/testdata/tuf/test-repo/metadata/8.targets.json +++ b/test/testdata/tuf/test-repo/metadata/11.targets.json @@ -6,7 +6,11 @@ }, { "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72", - "sig": "304602210086552ad4ffddd7e60f2b80d095b4dfad9d2836cfce5d6b12dfb2aec0786240df02210097807190a1f64c615798b74068e8c9f19a29f495566bc1f16d296c7edd9343b3" + "sig": "304402200ea43fe1e416994188eb928b097a2cdf4760de5ce1a5803ccd7f032fb043d5f00220201b346fbe41c44422426a5715eff90b09dfcc8a2b791f3b0471376a43c22889" + }, + { + "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664", + "sig": "" } ], "signed": { 
@@ -20,6 +24,14 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@mrjoelkamp" + }, + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@jonnystoten" } }, "roles": [ @@ -36,10 +48,24 @@ ], "terminating": true, "threshold": 1 + }, + { + "keyids": [ + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72" + ], + "name": "testing", + "paths": [ + "testing/*", + "testing/*/*", + "testing/*/*/*", + "testing/*/*/*/*" + ], + "terminating": true, + "threshold": 1 } ] }, - "expires": "2034-06-23T12:42:15Z", + "expires": "2034-09-07T14:32:09Z", "spec_version": "1.0.31", "targets": { "always-fail.rego": { @@ -73,7 +99,7 @@ "length": 12 } }, - "version": 8, + "version": 11, "x-tuf-on-ci-expiry-period": 3650, "x-tuf-on-ci-signing-period": 60 } diff --git a/test/testdata/tuf/test-repo/metadata/2.testing.json b/test/testdata/tuf/test-repo/metadata/2.testing.json new file mode 100644 index 0000000..88f1eed --- /dev/null +++ b/test/testdata/tuf/test-repo/metadata/2.testing.json 
@@ -0,0 +1,42 @@ +{ + "signatures": [ + { + "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72", + "sig": "304502207ffc26ed83118f9aa0e0c7d6cad1cbcca7ffedc1cdfa7d1c5d6bc589ee1586c502210091bf85dfbe58b300af02922e28878a135767a07a7ed93e3f169d418e5b03dcd0" + } + ], + "signed": { + "_type": "targets", + "expires": "2025-09-09T14:38:32Z", + "spec_version": "1.0.31", + "targets": { + "testing/always-fail.rego": { + "hashes": { + "sha256": "e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac" + }, + "length": 364 + }, + "testing/jonnystoten2.rego": { + "hashes": { + "sha256": "bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1" + }, + "length": 5857 + }, + "testing/mapping.yaml": { + "hashes": { + "sha256": "d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090" + }, + "length": 269 + }, + "testing/test-only.rego": { + "hashes": { + "sha256": "93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374" + }, + "length": 467 + } + }, + "version": 2, + "x-tuf-on-ci-expiry-period": 365, + "x-tuf-on-ci-signing-period": 60 + } +} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo/metadata/3.root.json b/test/testdata/tuf/test-repo/metadata/3.root.json new file mode 100644 index 0000000..bcf9922 --- /dev/null +++ b/test/testdata/tuf/test-repo/metadata/3.root.json 
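Review bot: `2.testing.json` is signed with `"expires": "2025-09-09T14:38:32Z"` and `"x-tuf-on-ci-expiry-period": 365`, while the snapshot, targets and root fixtures in this commit expire in 2034 under a 3650-day period. A TUF client is expected to reject expired delegated metadata, so any test that resolves a `testing/...` target would presumably start failing after that date unless the test pins its clock. Re-signing the delegation with `"x-tuf-on-ci-expiry-period": 3650`, as the other roles use, would keep this fixture valid for as long as the rest of the repository.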
@@ -0,0 +1,92 @@ +{ + "signatures": [ + { + "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "sig": "" + }, + { + "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72", + "sig": "304402202e636803c93298a350f2528d7e67394e0f12f94a1dfbb28794b65a77d85fe2a50220027570e8005a8ea9e3b78e579f4fda99a0adfeefd824de15d8aef29b29e493eb" + }, + { + "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664", + "sig": "304502207167ef72bd1ca241b8f62e69f8d2e1bec2b129ce534c4884a2ac620aa607f307022100dd49ca6bc5715af869932629d68fff4cf74879000cfc60a31374118f901c04ce" + } + ], + "signed": { + "_type": "root", + "consistent_snapshot": true, + "expires": "2034-09-04T13:40:46Z", + "keys": { + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@mrjoelkamp" + }, + "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@kipz" + }, + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-online-uri": 
"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61" + }, + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@jonnystoten" + } + }, + "roles": { + "root": { + "keyids": [ + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72", + "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664" + ], + "threshold": 1 + }, + "snapshot": { + "keyids": [ + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + }, + "targets": { + "keyids": [ + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72" + ], + "threshold": 1 + }, + "timestamp": { + "keyids": [ + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + } + }, + "spec_version": "1.0.31", + "version": 3, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + } +} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo/metadata/4.root.json b/test/testdata/tuf/test-repo/metadata/4.root.json new file mode 100644 index 0000000..4ddb218 --- /dev/null +++ b/test/testdata/tuf/test-repo/metadata/4.root.json 
@@ -0,0 +1,93 @@ +{ + "signatures": [ + { + "keyid": "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "sig": "" + }, + { + "keyid": "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72", + "sig": "3046022100a474191d8cf56aa84453b2bb9365db31e8d01cbb19026677f2bf70ace72a9ee002210089277a98e2a3792e864378d270e5861c72e5944a95a15bb03aef5963142edd0c" + }, + { + "keyid": "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664", + "sig": "3046022100c828959aa78fcabf565207a204e5033bf1266a2574cad62431f9c83283c1f1b4022100d6ac4850924c78e27a41c9d94b66bb3e076e69615dd981ac9612b9748ea90428" + } + ], + "signed": { + "_type": "root", + "consistent_snapshot": true, + "expires": "2034-09-04T13:55:23Z", + "keys": { + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3+asmp2GD6UijwWvMezwVG/BwFLuQa3o\nT6eRxFvkILGpVDbZ92ZYWidHl9LZ/eJUjhIjuVEkNVKoenw5KjKl8veP3MthZrQA\nSkYytOIwkidZo9Rk2dczbDcFSJvLGsmd\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@mrjoelkamp" + }, + "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmhpAfB7Q53UNluMhpkDxXXup4E0\n2Hh4PSgHC1Yh6brGl6Akq9a4io55LtZTk5mnCTqxuB+rc5cI/yaNUeWEqQ==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@kipz" + }, + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgDpP6O0sEt2R+l84WlfmqPBsFSby\nxJsJ6YmeUVgDk/wk9++8IAR6YBYewaKye56gMnIYjTFbyOI8WomA2NQFBw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-online-uri": 
"awskms:arn:aws:kms:us-east-1:175142243308:key/fbd8dab6-5677-4b57-87e6-8369c45b3b61" + }, + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEERet/8hs3WHIXyOXNzhLpTOz6DBx\n7zzHnenJgV/TB0dRMAx6j9UVRvlEkh5OcYuktNeqnLpHce1rLjLjpiRPVg==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@jonnystoten" + } + }, + "roles": { + "root": { + "keyids": [ + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72", + "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664" + ], + "threshold": 1 + }, + "snapshot": { + "keyids": [ + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + }, + "targets": { + "keyids": [ + "76d0a7e1ff8617ce99627d0fa5c9809f2c0f0d52e0bf65c7b84c031608d25221", + "beac53949c4cf075824edede7d41715941f524db247d1b455a2389d7490ecd72", + "81cf5a78d6ea2cd904256b9d814b340289b765e6f75ec4397e4ebb7586cab664" + ], + "threshold": 1 + }, + "timestamp": { + "keyids": [ + "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + } + }, + "spec_version": "1.0.31", + "version": 4, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 60 + } +} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo/metadata/7.snapshot.json b/test/testdata/tuf/test-repo/metadata/7.snapshot.json deleted file mode 100644 index 8de2ace..0000000 --- a/test/testdata/tuf/test-repo/metadata/7.snapshot.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "signatures": [ - { - "keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5", - "sig": "3045022018e31a2e743b21054939262706520be10375829fb93dec7f3042e48ed8eb9cec0221008c2765ee9e49d49c12a6b9a5124c984d414b8d86452cdbcc2fc2f2ca10a11e67" - } - ], - "signed": { - "_type": "snapshot", - "expires": "2034-06-23T12:47:16Z", - "meta": { - "targets.json": { - "version": 8 - }, - "test-role.json": { - "version": 2 - } - }, - "spec_version": "1.0.31", - "version": 7 - } -} \ No newline at end of file diff --git a/test/testdata/tuf/test-repo/metadata/timestamp.json b/test/testdata/tuf/test-repo/metadata/timestamp.json index 82d1759..34464d0 100644 --- a/test/testdata/tuf/test-repo/metadata/timestamp.json +++ b/test/testdata/tuf/test-repo/metadata/timestamp.json @@ -2,18 +2,18 @@ "signatures": [ { "keyid": "bdd1703ecbde8812614b112a6551d58de3ad681048fd90fca2a3e491edd8afe5", - "sig": "304502204019c08b30b7525b95c4010e5c1420c5618c18d5b0719fb1d9392ef93322ca4e022100924ec18242ba21edcc2c7ad92ee13a38a6f4a8e1315c588eb9eb2d0bce0a1a80" + "sig": "3045022042bb3075239d8d3676fe0990b9cfbb6c1629204d599d61e8805b5057cfecd20c022100da3e16fe5c2259c8a4847f3be8b5d8686f444cdffb2d94da83d71c9707b1cad3" } ], "signed": { "_type": "timestamp", - "expires": "2034-06-23T12:47:16Z", + "expires": "2034-09-07T14:41:18Z", "meta": { "snapshot.json": { - "version": 7 + "version": 11 } }, "spec_version": "1.0.31", - "version": 7 + "version": 11 } } \ No newline at end of file diff --git a/test/testdata/tuf/test-repo/targets/testing/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego b/test/testdata/tuf/test-repo/targets/testing/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego new file mode 100644 index 0000000..55e4f46 --- /dev/null +++ b/test/testdata/tuf/test-repo/targets/testing/93a0c6a57652e182f3e04fed6e3bd0eedeb98c624af12668bc9e2741c7443374.test-only.rego 
@@ -0,0 +1,21 @@ +package attest + +import rego.v1 + +# this file only exists in the testing delegation + +violations contains { + "type": "testing_delegation", + "description": "This policy always fails. We'd better not promote this to production.", +} + +result := { + "success": false, + "violations": violations, + "summary": { + "subjects": set(), + "slsa_levels": ["SLSA_BUILD_LEVEL_3"], + "verifier": "docker-official-images", + "policy_uri": "https://docker.com/official/policy/v0.1", + }, +} diff --git a/test/testdata/tuf/test-repo/targets/testing/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego b/test/testdata/tuf/test-repo/targets/testing/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego new file mode 100644 index 0000000..3e7069f --- /dev/null +++ b/test/testdata/tuf/test-repo/targets/testing/bc46e8c31646f166a9efbd14fef154dd84cf07efc95c96be3a201c84470dcbc1.jonnystoten2.rego 
@@ -0,0 +1,200 @@ +package attest + +import rego.v1 + +split_digest := split(input.digest, ":") + +digest_type := split_digest[0] + +digest := split_digest[1] + +keys := [{ + "id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4", + "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----", + "from": "2023-12-15T14:00:00Z", + "to": null, + "status": "active", + "signing-format": "dssev1", +}] + +verify_opts := {"keys": keys} + +verify_attestation(att) := attest.verify(att, verify_opts) + +attestations contains att if { + result := attest.fetch("https://slsa.dev/verification_summary/v1") + not result.error + some att in result.value +} + +signed_statements contains statement if { + some att in attestations + result := verify_attestation(att) + not result.error + statement := result.value +} + +statements_with_subject contains statement if { + some statement in signed_statements + some subject in statement.subject + subject.digest[digest_type] == digest + valid_subject_name(input.isCanonical, subject.name, input.purl) +} + +id(statement) := crypto.sha256(json.marshal(statement)) + +subjects contains subject if { + some statement in statements_with_subject + some subject in statement.subject +} + +global_violations contains v if { + count(attestations) == 0 + v := { + "type": "missing_attestation", + "description": "No https://slsa.dev/verification_summary/v1 attestation found", + "attestation": null, + "details": {}, + } +} + +# we need to key this by statement_id rather than statement because we can't +# use an object as a key due to a bug(?) 
in OPA: https://github.com/open-policy-agent/opa/issues/6736 +statement_violations[statement_id] contains v if { + some att in attestations + result := verify_attestation(att) + err := result.error + statement := unsafe_statement_from_attestation(att) + statement_id := id(statement) + v := { + "type": "unsigned_statement", + "description": sprintf("Statement is not correctly signed: %v", [err]), + "attestation": statement, + "details": {"error": err}, + } +} + +statement_violations[statement_id] contains v if { + some statement in signed_statements + statement_id := id(statement) + not statement in statements_with_subject + v := { + "type": "bad_subjects", + "description": "Statement does not have this image as a subject", + "attestation": statement, + "details": {"input": input}, + } +} + +statement_violations[statement_id] contains v if { + some statement in statements_with_subject + statement_id := id(statement) + v := field_value_does_not_equal(statement, "verificationResult", "PASSED", "wrong_verification_result") +} + +# TODO: add to statement_violations if there are statements that have an incorrect resource_uri +# this should match the input.purl, but we really only care about the repo name and the digest +# we need to receive the input.purl as a parsed object so we can compare only the parts we care about + +statement_violations[statement_id] contains v if { + some statement in statements_with_subject + statement_id := id(statement) + v := field_value_does_not_equal(statement, "verifier.id", "signing-demo-verifier", "wrong_verifier") +} + +statement_violations[statement_id] contains v if { + some statement in statements_with_subject + statement_id := id(statement) + v := field_value_does_not_equal(statement, "policy.uri", "https://docker.com/official/policy/v0.1", "wrong_policy_uri") +} + +statement_violations[statement_id] contains v if { + some statement in statements_with_subject + statement_id := id(statement) + v := 
array_field_does_not_contain(statement, "verifiedLevels", "SLSA_BUILD_LEVEL_3", "wrong_verified_levels") +} + +bad_statements contains statement if { + some statement in statements_with_subject + statement_id := id(statement) + statement_violations[statement_id] +} + +good_statements := statements_with_subject - bad_statements + +all_violations contains v if { + some v in global_violations +} + +all_violations contains v if { + some violations in statement_violations + some v in violations +} + +result := { + "success": allow, + "violations": all_violations, + "summary": { + "subjects": subjects, + "slsa_levels": ["SLSA_BUILD_LEVEL_3"], + "verifier": "signing-demo-verifier", + "policy_uri": "https://docker.com/official/policy/v0.1", + }, +} + +default allow := false + +allow if { + count(good_statements) > 0 +} + +# TODO: this should take into account the repo name from the purl +valid_subject_name(true, name, purl) + +valid_subject_name(false, name, purl) if { + name == purl +} + +field_value_does_not_equal(statement, field, expected, type) := v if { + path := split(field, ".") + actual := object.get(statement.predicate, path, null) + expected != actual + v := is_not_violation(statement, field, expected, actual, type) +} + +array_field_does_not_contain(statement, field, expected, type) := v if { + path := split(field, ".") + actual := object.get(statement.predicate, path, null) + not expected in actual + v := not_contains_violation(statement, field, expected, actual, type) +} + +is_not_violation(statement, field, expected, actual, type) := { + "type": type, + "description": sprintf("%v is not %v", [field, expected]), + "attestation": statement, + "details": { + "field": field, + "actual": actual, + "expected": expected, + }, +} + +not_contains_violation(statement, field, expected, actual, type) := { + "type": type, + "description": sprintf("%v does not contain %v", [field, expected]), + "attestation": statement, + "details": { + "field": field, + "actual": actual, 
+ "expected": expected, + }, +} + +# This is unsafe because we're not checking the signature on the attestation, +# do not call this unless you've already verified the attestation or you need the +# statement for some other reason +unsafe_statement_from_attestation(att) := statement if { + payload := att.payload + statement := json.unmarshal(base64.decode(payload)) +} diff --git a/test/testdata/tuf/test-repo/targets/testing/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml b/test/testdata/tuf/test-repo/targets/testing/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml new file mode 100644 index 0000000..51dbe74 --- /dev/null +++ b/test/testdata/tuf/test-repo/targets/testing/d3b20bd505b925e6b4b73dd875e9c5839e1797061049e243bdb0d70d62f6d090.mapping.yaml @@ -0,0 +1,12 @@ +version: v1 +kind: policy-mapping +policies: + - origin: + domain: docker.io + prefix: jonnystoten2/ + id: jonnystoten2 + description: jonnystoten2 personal images for testing + attestations: + style: "referrers" + files: + - path: test-only.rego diff --git a/test/testdata/tuf/test-repo/targets/testing/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego b/test/testdata/tuf/test-repo/targets/testing/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego new file mode 100644 index 0000000..e16ec55 --- /dev/null +++ b/test/testdata/tuf/test-repo/targets/testing/e8a5b75ac27a28056d2155ff63acc1ffd76c30ed8558011c54708f4832f073ac.always-fail.rego @@ -0,0 +1,19 @@ +package attest + +import rego.v1 + +violations contains { + "type": "always_fail", + "description": "This policy always fails", +} + +result := { + "success": false, + "violations": violations, + "summary": { + "subjects": set(), + "slsa_levels": ["SLSA_BUILD_LEVEL_3"], + "verifier": "docker-official-images", + "policy_uri": "https://docker.com/official/policy/v0.1", + }, +} 
diff --git a/tuf/example_registry_test.go b/tuf/example_registry_test.go index 900c1f1..d67880b 100644 --- a/tuf/example_registry_test.go +++ b/tuf/example_registry_test.go @@ -17,11 +17,8 @@ func ExampleNewClient_registry() { } tufOutputPath := filepath.Join(home, ".docker", "tuf") - // using oci tuf metadata and targets - metadataURI := "registry-1.docker.io/docker/tuf-metadata:latest" - targetsURI := "registry-1.docker.io/docker/tuf-targets" - - registryClient, err := tuf.NewClient(context.Background(), &tuf.ClientOptions{tuf.DockerTUFRootStaging.Data, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker()}) + opts := tuf.NewDockerDefaultClientOptions(tufOutputPath) + registryClient, err := tuf.NewClient(context.Background(), opts) if err != nil { panic(err) } diff --git a/tuf/registry_test.go b/tuf/registry_test.go index 1148297..f7b4094 100644 --- a/tuf/registry_test.go +++ b/tuf/registry_test.go @@ -419,8 +419,8 @@ func LoadRegistryTestData(ctx context.Context, t *testing.T, registry *url.URL, if err != nil { t.Fatal(err) } - switch len(mf.Manifests) { - case 1: + switch { + case len(mf.Manifests) == 1: // top-level target img, err := tIdx.Image(mf.Manifests[0].Digest) if err != nil { @@ -430,7 +430,7 @@ func LoadRegistryTestData(ctx context.Context, t *testing.T, registry *url.URL, if err != nil { t.Fatal(err) } - case 2: + case len(mf.Manifests) > 1: // delegated target err = remote.WriteIndex(ref, tIdx, oci.WithOptions(ctx, nil)...) if err != nil { diff --git a/tuf/tuf.go b/tuf/tuf.go index 03cb6c0..e54911c 100644 --- a/tuf/tuf.go +++ b/tuf/tuf.go @@ -7,7 +7,9 @@ import ( "io/fs" "net/url" "os" + "path" "path/filepath" + "regexp" "strconv" "strings" "time" @@ -46,8 +48,9 @@ type Downloader interface { } type Client struct { - updater *updater.Updater - cfg *config.UpdaterConfig + updater *updater.Updater + cfg *config.UpdaterConfig + pathPrefix string } type TargetFile struct { 
@@ -57,26 +60,41 @@ type TargetFile struct { Data []byte } +// ClientOptions contains the options for creating a new TUF client. type ClientOptions struct { - InitialRoot []byte - Path string + // InitialRoot is the initial root.json file to use for the TUF client. + InitialRoot []byte + // LocalStorageDir is the directory where the TUF client will cache any downloaded metadata and target files. + LocalStorageDir string + // MetadataSource is the source of the metadata files. MetadataSource string - TargetsSource string + // TargetsSource is the source of the target files. + TargetsSource string + // VersionChecker checks if the current version of this library meets the constraints from the TUF repo. VersionChecker VersionChecker + // PathPrefix is the prefix to prepend to all target paths before downloading. + PathPrefix string } func NewDockerDefaultClientOptions(tufPath string) *ClientOptions { return &ClientOptions{ - InitialRoot: DockerTUFRootDefault.Data, - Path: tufPath, - MetadataSource: defaultMetadataSource, - TargetsSource: defaultTargetsSource, - VersionChecker: NewDefaultVersionChecker(), + InitialRoot: DockerTUFRootDefault.Data, + LocalStorageDir: tufPath, + MetadataSource: defaultMetadataSource, + TargetsSource: defaultTargetsSource, + VersionChecker: NewDefaultVersionChecker(), } } +var validPathPrefix = regexp.MustCompile("^[a-z0-9_-]*$") + // NewClient creates a new TUF client. func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) { + pathPrefix := opts.PathPrefix + if !validPathPrefix.MatchString(pathPrefix) { + return nil, fmt.Errorf("invalid path prefix: %s", pathPrefix) + } + var tufSource Source if strings.HasPrefix(opts.MetadataSource, "https://") || strings.HasPrefix(opts.MetadataSource, "http://") { tufSource = HTTPSource 
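Review bot: The new error in `NewClient` echoes the rejected prefix with `%s`, and `validPathPrefix` carries no comment saying that it is the guard keeping `PathPrefix` inside the targets tree. I would format the value with `%q` so empty strings and control characters stay visible in logs, `return nil, fmt.Errorf("invalid path prefix: %q", pathPrefix)`, and document the pattern with `// validPathPrefix limits PathPrefix to one lowercase path segment (or empty), so it can hold neither "/" nor ".".`. `NewDockerDefaultClientOptions` is exported and still has no doc comment; one line stating that it leaves `PathPrefix` empty would help. `NewClient`'s body continues outside the hunk.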
@@ -87,7 +105,7 @@ func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) { tufRootDigest := util.SHA256Hex(opts.InitialRoot) // create a directory for each initial root.json - metadataPath := filepath.Join(opts.Path, tufRootDigest) + metadataPath := filepath.Join(opts.LocalStorageDir, tufRootDigest) err := os.MkdirAll(metadataPath, os.ModePerm) if err != nil { return nil, fmt.Errorf("failed to create directory '%s': %w", metadataPath, err) @@ -139,8 +157,9 @@ func NewClient(ctx context.Context, opts *ClientOptions) (*Client, error) { } client := &Client{ - updater: up, - cfg: cfg, + pathPrefix: pathPrefix, + updater: up, + cfg: cfg, } err = opts.VersionChecker.CheckVersion(client) @@ -181,6 +200,9 @@ func (t *Client) generateTargetURI(target *metadata.TargetFiles, digest string) // information, verifies if the target is already cached, and if it is not cached, // downloads the target file. func (t *Client) DownloadTarget(target string, filePath string) (file *TargetFile, err error) { + // before we do anything, prepend the path prefix to the target + target = path.Join(t.pathPrefix, target) + // search if the desired target is available targetInfo, err := t.updater.GetTargetInfo(target) if err != nil { diff --git a/tuf/tuf_test.go b/tuf/tuf_test.go index ef4a697..9edb784 100644 --- a/tuf/tuf_test.go +++ b/tuf/tuf_test.go @@ -8,6 +8,7 @@ import ( "net/url" "os" "path/filepath" + "strings" "testing" "github.com/docker/attest/internal/test" 
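Review bot: `path.Join(t.pathPrefix, target)` in `DownloadTarget` (hunk `@@ -181,6 +200,9 @@`) cleans the joined path, so a `target` that contains `..` segments can resolve to a name outside the prefix; `NewClient` validates the prefix, but nothing validates the target. If target names can come from data the caller does not fully control (policy mapping files look like one such source, though that code is outside this diff), the confinement the prefix is meant to give is lost. I would check the joined value right after the join: `if t.pathPrefix != "" && !strings.HasPrefix(target, t.pathPrefix+"/") { return nil, fmt.Errorf("target %q is outside path prefix %q", target, t.pathPrefix) }`. `DownloadTarget`'s body continues outside the hunk.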
@@ -65,18 +66,21 @@ func TestRootInit(t *testing.T) { {"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets"}, } for _, tc := range testCases { - _, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker}) + _, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""}) assert.NoErrorf(t, err, "Failed to create TUF client: %v", err) // recreation should work with same root - _, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker}) + _, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""}) assert.NoErrorf(t, err, "Failed to recreate TUF client: %v", err) - _, err = NewClient(ctx, &ClientOptions{[]byte("broken"), tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker}) + _, err = NewClient(ctx, &ClientOptions{[]byte("broken"), tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, ""}) assert.Errorf(t, err, "Expected error recreating TUF client with broken root: %v", err) - _, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysBadVersionChecker}) + _, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysBadVersionChecker, ""}) assert.Errorf(t, err, "Expected error recreating TUF client with bad version checker") + + _, err = NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, "../.."}) + assert.Errorf(t, err, "Expected error recreating TUF client with bad path prefix") } } 
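Review bot: The only rejected-prefix case in `TestRootInit` is `"../.."`, so the test would still pass if `validPathPrefix` were later loosened to accept `/`, `.` or uppercase. A small table of prefixes that must fail (constructed examples: `"a/b"`, `"."`, `"Testing"`, `"testing/"`) and ones that must pass (`""`, `"testing"`, `"test_1-a"`) would pin the pattern. The positional `ClientOptions{...}` literals are also why every call here had to gain a trailing `""`; keyed fields such as `PathPrefix: "../.."` would keep the next added option from touching these lines.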
@@ -104,15 +108,17 @@ func TestDownloadTarget(t *testing.T) { name string metadataSource string targetsSource string + pathPrefix string }{ - {"http", server.URL + "/metadata", server.URL + "/targets"}, - {"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets"}, - {"http, download before init", server.URL + "/metadata", server.URL + "/targets"}, + {"http", server.URL + "/metadata", server.URL + "/targets", ""}, + {"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets", ""}, + {"http, with path prefix", server.URL + "/metadata", server.URL + "/targets", "testing"}, + {"oci, with path prefix", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets", "testing"}, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - tufClient, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker}) + tufClient, err := NewClient(ctx, &ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker, tc.pathPrefix}) require.NoErrorf(t, err, "Failed to create TUF client: %v", err) require.NotNil(t, tufClient.updater, "Failed to create updater") 
@@ -121,18 +127,30 @@ func TestDownloadTarget(t *testing.T) { assert.NotNil(t, trustedMetadata, "Failed to get trusted metadata") // download top-level target files - targets := trustedMetadata.Targets[metadata.TARGETS].Signed.Targets + var roleName string + if tc.pathPrefix != "" { + // get target info for non-existent target, just to trigger a load of the delegated targets metadata + _, err = tufClient.updater.GetTargetInfo(tc.pathPrefix + "/fakefile") + assert.Error(t, err) // expect error for non-existent target + roleName = tc.pathPrefix + } else { + roleName = metadata.TARGETS + } + targets := trustedMetadata.Targets[roleName].Signed.Targets for _, target := range targets { + path := strings.TrimPrefix(target.Path, tufClient.pathPrefix) // download target files - _, err := tufClient.DownloadTarget(target.Path, filepath.Join(tufPath, "download")) + _, err := tufClient.DownloadTarget(path, filepath.Join(tufPath, "download")) assert.NoErrorf(t, err, "Failed to download target: %v", err) } - // download delegated target - targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile) - require.NoError(t, err) - _, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path)) - assert.NoError(t, err) + if tc.pathPrefix == "" { + // download delegated target, only if not using a path prefix + targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile) + require.NoError(t, err) + _, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path)) + assert.NoError(t, err) + } }) } }
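Review bot: `strings.TrimPrefix(target.Path, tufClient.pathPrefix)` leaves a leading `/` on the remainder, and the download succeeds only because `path.Join` in `DownloadTarget` cleans it away; trimming `tufClient.pathPrefix + "/"` would make the test pass the name a caller would actually use. The `assert.Error` after the warm-up `GetTargetInfo` call does not stop the test, so if the delegated role was not loaded, `trustedMetadata.Targets[roleName]` may be missing and the next line would panic instead of failing cleanly (this assumes the map holds pointers, which the hunk does not show); a `require.NotNil` on that entry would make the failure readable. There is also no case that requests a target containing `..` through a prefixed client, which is the behaviour of the new join most worth pinning.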