Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
23849c1c2e | ||
|
|
bada1df262 |
14
go.mod
14
go.mod
@@ -24,7 +24,7 @@ require (
|
|||||||
github.com/stretchr/testify v1.9.0
|
github.com/stretchr/testify v1.9.0
|
||||||
github.com/testcontainers/testcontainers-go/modules/registry v0.33.0
|
github.com/testcontainers/testcontainers-go/modules/registry v0.33.0
|
||||||
github.com/theupdateframework/go-tuf/v2 v2.0.0
|
github.com/theupdateframework/go-tuf/v2 v2.0.0
|
||||||
google.golang.org/api v0.194.0
|
google.golang.org/api v0.195.0
|
||||||
sigs.k8s.io/yaml v1.4.0
|
sigs.k8s.io/yaml v1.4.0
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -36,9 +36,9 @@ require (
|
|||||||
cloud.google.com/go/auth v0.9.1 // indirect
|
cloud.google.com/go/auth v0.9.1 // indirect
|
||||||
cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
|
cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
|
||||||
cloud.google.com/go/compute/metadata v0.5.0 // indirect
|
cloud.google.com/go/compute/metadata v0.5.0 // indirect
|
||||||
cloud.google.com/go/iam v1.1.12 // indirect
|
cloud.google.com/go/iam v1.1.13 // indirect
|
||||||
cloud.google.com/go/kms v1.18.4 // indirect
|
cloud.google.com/go/kms v1.18.5 // indirect
|
||||||
cloud.google.com/go/longrunning v0.5.11 // indirect
|
cloud.google.com/go/longrunning v0.5.12 // indirect
|
||||||
dario.cat/mergo v1.0.0 // indirect
|
dario.cat/mergo v1.0.0 // indirect
|
||||||
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
|
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
|
||||||
github.com/Microsoft/go-winio v0.6.2 // indirect
|
github.com/Microsoft/go-winio v0.6.2 // indirect
|
||||||
@@ -191,9 +191,9 @@ require (
|
|||||||
golang.org/x/term v0.23.0 // indirect
|
golang.org/x/term v0.23.0 // indirect
|
||||||
golang.org/x/text v0.17.0 // indirect
|
golang.org/x/text v0.17.0 // indirect
|
||||||
golang.org/x/time v0.6.0 // indirect
|
golang.org/x/time v0.6.0 // indirect
|
||||||
google.golang.org/genproto v0.0.0-20240814211410-ddb44dafa142 // indirect
|
google.golang.org/genproto v0.0.0-20240823204242-4ba0660f739c // indirect
|
||||||
google.golang.org/genproto/googleapis/api v0.0.0-20240730163845-b1a4ccb954bf // indirect
|
google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect
|
||||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
|
google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c // indirect
|
||||||
google.golang.org/grpc v1.65.0 // indirect
|
google.golang.org/grpc v1.65.0 // indirect
|
||||||
google.golang.org/protobuf v1.34.2 // indirect
|
google.golang.org/protobuf v1.34.2 // indirect
|
||||||
gopkg.in/ini.v1 v1.67.0 // indirect
|
gopkg.in/ini.v1 v1.67.0 // indirect
|
||||||
|
|||||||
28
go.sum
28
go.sum
@@ -7,12 +7,12 @@ cloud.google.com/go/auth/oauth2adapt v0.2.4 h1:0GWE/FUsXhf6C+jAkWgYm7X9tK8cuEIfy
|
|||||||
cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc=
|
cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc=
|
||||||
cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY=
|
cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY=
|
||||||
cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY=
|
cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY=
|
||||||
cloud.google.com/go/iam v1.1.12 h1:JixGLimRrNGcxvJEQ8+clfLxPlbeZA6MuRJ+qJNQ5Xw=
|
cloud.google.com/go/iam v1.1.13 h1:7zWBXG9ERbMLrzQBRhFliAV+kjcRToDTgQT3CTwYyv4=
|
||||||
cloud.google.com/go/iam v1.1.12/go.mod h1:9LDX8J7dN5YRyzVHxwQzrQs9opFFqn0Mxs9nAeB+Hhg=
|
cloud.google.com/go/iam v1.1.13/go.mod h1:K8mY0uSXwEXS30KrnVb+j54LB/ntfZu1dr+4zFMNbus=
|
||||||
cloud.google.com/go/kms v1.18.4 h1:dYN3OCsQ6wJLLtOnI8DGUwQ5shMusXsWCCC+s09ATsk=
|
cloud.google.com/go/kms v1.18.5 h1:75LSlVs60hyHK3ubs2OHd4sE63OAMcM2BdSJc2bkuM4=
|
||||||
cloud.google.com/go/kms v1.18.4/go.mod h1:SG1bgQ3UWW6/KdPo9uuJnzELXY5YTTMJtDYvajiQ22g=
|
cloud.google.com/go/kms v1.18.5/go.mod h1:yXunGUGzabH8rjUPImp2ndHiGolHeWJJ0LODLedicIY=
|
||||||
cloud.google.com/go/longrunning v0.5.11 h1:Havn1kGjz3whCfoD8dxMLP73Ph5w+ODyZB9RUsDxtGk=
|
cloud.google.com/go/longrunning v0.5.12 h1:5LqSIdERr71CqfUsFlJdBpOkBH8FBCFD7P1nTWy3TYE=
|
||||||
cloud.google.com/go/longrunning v0.5.11/go.mod h1:rDn7//lmlfWV1Dx6IB4RatCPenTwwmqXuiP0/RgoEO4=
|
cloud.google.com/go/longrunning v0.5.12/go.mod h1:S5hMV8CDJ6r50t2ubVJSKQVv5u0rmik5//KgLO3k4lU=
|
||||||
cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2 h1:BnG6pr9TTr6CYlrJznYUDj6V7xldD1W+1iXPum0wT/w=
|
cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2 h1:BnG6pr9TTr6CYlrJznYUDj6V7xldD1W+1iXPum0wT/w=
|
||||||
cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2/go.mod h1:pK23AUVXuNzzTpfMCA06sxZGeVQ/75FdVtW249de9Uo=
|
cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2/go.mod h1:pK23AUVXuNzzTpfMCA06sxZGeVQ/75FdVtW249de9Uo=
|
||||||
cuelang.org/go v0.9.2 h1:pfNiry2PdRBr02G/aKm5k2vhzmqbAOoaB4WurmEbWvs=
|
cuelang.org/go v0.9.2 h1:pfNiry2PdRBr02G/aKm5k2vhzmqbAOoaB4WurmEbWvs=
|
||||||
@@ -807,19 +807,19 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
|
|||||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||||
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||||
golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
|
golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
|
||||||
google.golang.org/api v0.194.0 h1:dztZKG9HgtIpbI35FhfuSNR/zmaMVdxNlntHj1sIS4s=
|
google.golang.org/api v0.195.0 h1:Ude4N8FvTKnnQJHU48RFI40jOBgIrL8Zqr3/QeST6yU=
|
||||||
google.golang.org/api v0.194.0/go.mod h1:AgvUFdojGANh3vI+P7EVnxj3AISHllxGCJSFmggmnd0=
|
google.golang.org/api v0.195.0/go.mod h1:DOGRWuv3P8TU8Lnz7uQc4hyNqrBpMtD9ppW3wBJurgc=
|
||||||
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
|
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
|
||||||
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
||||||
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
|
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
|
||||||
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
|
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
|
||||||
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
|
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
|
||||||
google.golang.org/genproto v0.0.0-20240814211410-ddb44dafa142 h1:oLiyxGgE+rt22duwci1+TG7bg2/L1LQsXwfjPlmuJA0=
|
google.golang.org/genproto v0.0.0-20240823204242-4ba0660f739c h1:TYOEhrQMrNDTAd2rX9m+WgGr8Ku6YNuj1D7OX6rWSok=
|
||||||
google.golang.org/genproto v0.0.0-20240814211410-ddb44dafa142/go.mod h1:G11eXq53iI5Q+kyNOmCvnzBaxEA2Q/Ik5Tj7nqBE8j4=
|
google.golang.org/genproto v0.0.0-20240823204242-4ba0660f739c/go.mod h1:2rC5OendXvZ8wGEo/cSLheztrZDZaSoHanUcd1xtZnw=
|
||||||
google.golang.org/genproto/googleapis/api v0.0.0-20240730163845-b1a4ccb954bf h1:GillM0Ef0pkZPIB+5iO6SDK+4T9pf6TpaYR6ICD5rVE=
|
google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 h1:wKguEg1hsxI2/L3hUYrpo1RVi48K+uTyzKqprwLXsb8=
|
||||||
google.golang.org/genproto/googleapis/api v0.0.0-20240730163845-b1a4ccb954bf/go.mod h1:OFMYQFHJ4TM3JRlWDZhJbZfra2uqc3WLBZiaaqP4DtU=
|
google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142/go.mod h1:d6be+8HhtEtucleCbxpPW9PA9XwISACu8nvpPqF0BVo=
|
||||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs=
|
google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c h1:Kqjm4WpoWvwhMPcrAczoTyMySQmYa9Wy2iL6Con4zn8=
|
||||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
|
google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
|
||||||
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
|
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
|
||||||
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
|
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
|
||||||
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
|
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
|
||||||
|
|||||||
@@ -10,12 +10,14 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/distribution/reference"
|
||||||
"github.com/docker/attest/pkg/oci"
|
"github.com/docker/attest/pkg/oci"
|
||||||
"github.com/google/go-containerregistry/pkg/authn"
|
"github.com/google/go-containerregistry/pkg/authn"
|
||||||
"github.com/google/go-containerregistry/pkg/crane"
|
"github.com/google/go-containerregistry/pkg/crane"
|
||||||
v1 "github.com/google/go-containerregistry/pkg/v1"
|
v1 "github.com/google/go-containerregistry/pkg/v1"
|
||||||
"github.com/google/go-containerregistry/pkg/v1/types"
|
"github.com/google/go-containerregistry/pkg/v1/types"
|
||||||
"github.com/theupdateframework/go-tuf/v2/metadata"
|
"github.com/theupdateframework/go-tuf/v2/metadata"
|
||||||
|
"github.com/theupdateframework/go-tuf/v2/metadata/config"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@@ -34,6 +36,7 @@ type RegistryFetcher struct {
|
|||||||
targetsRepo string
|
targetsRepo string
|
||||||
cache *ImageCache
|
cache *ImageCache
|
||||||
timeout time.Duration
|
timeout time.Duration
|
||||||
|
cfg *config.UpdaterConfig
|
||||||
}
|
}
|
||||||
|
|
||||||
type ImageCache struct {
|
type ImageCache struct {
|
||||||
@@ -67,13 +70,31 @@ type Layers struct {
|
|||||||
MediaType string `json:"mediaType"`
|
MediaType string `json:"mediaType"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewRegistryFetcher(metadataRepo, metadataTag, targetsRepo string) *RegistryFetcher {
|
func NewRegistryFetcher(cfg *config.UpdaterConfig) (*RegistryFetcher, error) {
|
||||||
|
ref, err := reference.ParseNormalizedNamed(cfg.RemoteMetadataURL)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to parse metadata repo: %w", err)
|
||||||
|
}
|
||||||
|
// add latest tag
|
||||||
|
metadataTag := LatestTag
|
||||||
|
if tag, ok := ref.(reference.Tagged); ok {
|
||||||
|
metadataTag = tag.Tag()
|
||||||
|
}
|
||||||
|
metadataRepo := ref.Name()
|
||||||
|
|
||||||
|
targetsRef, err := reference.ParseNormalizedNamed(cfg.RemoteTargetsURL)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to parse targets repo: %w", err)
|
||||||
|
}
|
||||||
|
targetsRepo := targetsRef.Name()
|
||||||
return &RegistryFetcher{
|
return &RegistryFetcher{
|
||||||
|
// we need to keep these reference so that we can unmangle the URL paths when downloading files
|
||||||
|
cfg: cfg,
|
||||||
metadataRepo: metadataRepo,
|
metadataRepo: metadataRepo,
|
||||||
metadataTag: metadataTag,
|
metadataTag: metadataTag,
|
||||||
targetsRepo: targetsRepo,
|
targetsRepo: targetsRepo,
|
||||||
cache: NewImageCache(),
|
cache: NewImageCache(),
|
||||||
}
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// DownloadFile downloads a file from an OCI registry, errors out if it failed,
|
// DownloadFile downloads a file from an OCI registry, errors out if it failed,
|
||||||
@@ -188,17 +209,17 @@ func getDataFromLayer(fileLayer v1.Layer, maxLength int64) ([]byte, error) {
|
|||||||
// parseImgRef maintains the Fetcher interface by parsing a URL path to an image reference and file name.
|
// parseImgRef maintains the Fetcher interface by parsing a URL path to an image reference and file name.
|
||||||
func (d *RegistryFetcher) parseImgRef(urlPath string) (imgRef, fileName string, err error) {
|
func (d *RegistryFetcher) parseImgRef(urlPath string) (imgRef, fileName string, err error) {
|
||||||
// Check if repo is target or metadata
|
// Check if repo is target or metadata
|
||||||
if strings.Contains(urlPath, d.targetsRepo) {
|
if strings.HasPrefix(urlPath, d.cfg.RemoteTargetsURL) {
|
||||||
// determine if the target path contains subdirectories and set image name accordingly
|
// determine if the target path contains subdirectories and set image name accordingly
|
||||||
// <repo>/<filename> -> image = <repo>:<filename>, layer = <filename>
|
// <repo>/<filename> -> image = <repo>:<filename>, layer = <filename>
|
||||||
// <repo>/<subdir>/<filename> -> index = <repo>:<subdir> , image = <filename> -> layer = <filename>
|
// <repo>/<subdir>/<filename> -> index = <repo>:<subdir> , image = <filename> -> layer = <filename>
|
||||||
target := strings.TrimPrefix(urlPath, d.targetsRepo+"/")
|
target := strings.TrimPrefix(urlPath, d.cfg.RemoteTargetsURL+"/")
|
||||||
subdir, name, found := strings.Cut(target, "/")
|
subdir, name, found := strings.Cut(target, "/")
|
||||||
if found {
|
if found {
|
||||||
return fmt.Sprintf("%s:%s", d.targetsRepo, subdir), fmt.Sprintf("%s/%s", subdir, name), nil
|
return fmt.Sprintf("%s:%s", d.targetsRepo, subdir), fmt.Sprintf("%s/%s", subdir, name), nil
|
||||||
}
|
}
|
||||||
return fmt.Sprintf("%s:%s", d.targetsRepo, target), target, nil
|
return fmt.Sprintf("%s:%s", d.targetsRepo, target), target, nil
|
||||||
} else if strings.Contains(urlPath, d.metadataRepo) {
|
} else if strings.HasPrefix(urlPath, d.cfg.RemoteMetadataURL) {
|
||||||
// build the metadata image name
|
// build the metadata image name
|
||||||
// determine if role is a delegated role and set the tag accordingly
|
// determine if role is a delegated role and set the tag accordingly
|
||||||
fileName = path.Base(urlPath)
|
fileName = path.Base(urlPath)
|
||||||
|
|||||||
@@ -48,7 +48,6 @@ func TestRegistryFetcher(t *testing.T) {
|
|||||||
LoadRegistryTestData(t, regAddr, OCITUFTestDataPath)
|
LoadRegistryTestData(t, regAddr, OCITUFTestDataPath)
|
||||||
|
|
||||||
metadataRepo := regAddr.Host + metadataPath
|
metadataRepo := regAddr.Host + metadataPath
|
||||||
metadataImgTag := LatestTag
|
|
||||||
targetsRepo := regAddr.Host + targetsPath
|
targetsRepo := regAddr.Host + targetsPath
|
||||||
targetFile := "test.txt"
|
targetFile := "test.txt"
|
||||||
delegatedRole := testRole
|
delegatedRole := testRole
|
||||||
@@ -59,12 +58,12 @@ func TestRegistryFetcher(t *testing.T) {
|
|||||||
// note - url is ignored here - needed to make http url parsing happy even when using oci
|
// note - url is ignored here - needed to make http url parsing happy even when using oci
|
||||||
cfg, err := config.New("", DockerTUFRootDev.Data)
|
cfg, err := config.New("", DockerTUFRootDev.Data)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
cfg.Fetcher = NewRegistryFetcher(metadataRepo, metadataImgTag, targetsRepo)
|
|
||||||
cfg.LocalMetadataDir = dir
|
cfg.LocalMetadataDir = dir
|
||||||
cfg.LocalTargetsDir = dir
|
cfg.LocalTargetsDir = dir
|
||||||
cfg.RemoteTargetsURL = targetsRepo
|
cfg.RemoteTargetsURL = targetsRepo
|
||||||
cfg.RemoteMetadataURL = metadataRepo
|
cfg.RemoteMetadataURL = metadataRepo
|
||||||
|
cfg.Fetcher, err = NewRegistryFetcher(cfg)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
// create a new Updater instance
|
// create a new Updater instance
|
||||||
up, err := updater.New(cfg)
|
up, err := updater.New(cfg)
|
||||||
@@ -190,28 +189,59 @@ func TestParseImgRef(t *testing.T) {
|
|||||||
metadataRepo := "test" + metadataPath
|
metadataRepo := "test" + metadataPath
|
||||||
metadataTag := LatestTag
|
metadataTag := LatestTag
|
||||||
delegatedRole := testRole
|
delegatedRole := testRole
|
||||||
|
validRef := fmt.Sprintf("%s/2.root.json", metadataRepo)
|
||||||
|
expectedRef := fmt.Sprintf("docker.io/%s:%s", metadataRepo, metadataTag)
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
name string
|
name string
|
||||||
ref string
|
ref string
|
||||||
expectedRef string
|
expectedRef string
|
||||||
expectedFile string
|
expectedFile string
|
||||||
|
metadataRepo string
|
||||||
|
metadataTag string
|
||||||
|
expectedRefError string
|
||||||
|
expectedConstructorError string
|
||||||
|
targetsRepo string
|
||||||
}{
|
}{
|
||||||
{"top-level metadata", fmt.Sprintf("%s/2.root.json", metadataRepo), fmt.Sprintf("%s:%s", metadataRepo, metadataTag), "2.root.json"},
|
{name: "top-level metadata", ref: validRef, expectedRef: expectedRef, expectedFile: "2.root.json"},
|
||||||
{"delegated metadata", fmt.Sprintf("%s/%s/5.test-role.json", metadataRepo, delegatedRole), fmt.Sprintf("%s:%s", metadataRepo, delegatedRole), "5.test-role.json"},
|
{name: "short metdata repo", ref: validRef, metadataRepo: "test" + metadataPath, expectedRef: expectedRef, expectedFile: "2.root.json"},
|
||||||
{"top-level target", fmt.Sprintf("%s/policy.yaml", targetsRepo), fmt.Sprintf("%s:policy.yaml", targetsRepo), "policy.yaml"},
|
{name: "library path", ref: fmt.Sprintf("test%s/2.root.json", metadataPath), metadataRepo: "test" + metadataPath, expectedRef: "docker.io/test/tuf-metadata:latest", expectedFile: "2.root.json"},
|
||||||
{"delegated target", fmt.Sprintf("%s/%s/policy.yaml", targetsRepo, delegatedRole), fmt.Sprintf("%s:%s", targetsRepo, delegatedRole), fmt.Sprintf("%s/policy.yaml", delegatedRole)},
|
{name: "short targets repo", ref: validRef, targetsRepo: "test" + targetsPath, expectedRef: expectedRef, expectedFile: "2.root.json"},
|
||||||
|
{name: "delegated metadata", ref: fmt.Sprintf("%s/%s/5.test-role.json", metadataRepo, delegatedRole), expectedRef: fmt.Sprintf("docker.io/%s:%s", metadataRepo, delegatedRole), expectedFile: "5.test-role.json"},
|
||||||
|
{name: "top-level target", ref: fmt.Sprintf("%s/policy.yaml", targetsRepo), expectedRef: fmt.Sprintf("docker.io/%s:policy.yaml", targetsRepo), expectedFile: "policy.yaml"},
|
||||||
|
{name: "delegated target", ref: fmt.Sprintf("%s/%s/policy.yaml", targetsRepo, delegatedRole), expectedRef: fmt.Sprintf("docker.io/%s:%s", targetsRepo, delegatedRole), expectedFile: fmt.Sprintf("%s/policy.yaml", delegatedRole)},
|
||||||
|
{name: "docker/targets", ref: fmt.Sprintf("%s/2.root.json", "docker.io/docker/targets"), expectedRef: "docker.io/docker/targets:latest", expectedFile: "2.root.json", metadataRepo: "docker.io/docker/targets"},
|
||||||
|
{name: "malformed ref", ref: fmt.Sprintf("%s/2.root.json", "@broken"), expectedRefError: "urlPath: @broken/2.root.json must be in metadata or targets repo"},
|
||||||
|
{name: "malformed metadataRepo", ref: validRef, metadataRepo: "@broken", expectedConstructorError: "failed to parse metadata repo: invalid reference format"},
|
||||||
|
{name: "malformed targetsRepo", ref: validRef, targetsRepo: "@broken", expectedConstructorError: "failed to parse targets repo: invalid reference format"},
|
||||||
}
|
}
|
||||||
for _, tc := range testCases {
|
for _, tc := range testCases {
|
||||||
t.Run(tc.name, func(t *testing.T) {
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
d := &RegistryFetcher{
|
repo := metadataRepo
|
||||||
metadataRepo: metadataRepo,
|
if tc.metadataRepo != "" {
|
||||||
metadataTag: LatestTag,
|
repo = tc.metadataRepo
|
||||||
targetsRepo: targetsRepo,
|
}
|
||||||
|
targets := targetsRepo
|
||||||
|
if tc.targetsRepo != "" {
|
||||||
|
targets = tc.targetsRepo
|
||||||
|
}
|
||||||
|
cfg := &config.UpdaterConfig{
|
||||||
|
RemoteMetadataURL: repo,
|
||||||
|
RemoteTargetsURL: targets,
|
||||||
|
}
|
||||||
|
d, err := NewRegistryFetcher(cfg)
|
||||||
|
if tc.expectedConstructorError != "" {
|
||||||
|
assert.ErrorContains(t, err, tc.expectedConstructorError)
|
||||||
|
} else {
|
||||||
|
require.NoError(t, err)
|
||||||
|
imgRef, file, err := d.parseImgRef(tc.ref)
|
||||||
|
if tc.expectedRefError != "" {
|
||||||
|
assert.ErrorContains(t, err, tc.expectedRefError)
|
||||||
|
} else {
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.Equal(t, tc.expectedRef, imgRef, "ref mismatch")
|
||||||
|
assert.Equal(t, tc.expectedFile, file, "file mismatch")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
imgRef, file, err := d.parseImgRef(tc.ref)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.Equal(t, tc.expectedRef, imgRef)
|
|
||||||
assert.Equal(t, tc.expectedFile, file)
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,7 +11,6 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/distribution/reference"
|
|
||||||
"github.com/docker/attest/internal/embed"
|
"github.com/docker/attest/internal/embed"
|
||||||
"github.com/docker/attest/internal/util"
|
"github.com/docker/attest/internal/util"
|
||||||
"github.com/theupdateframework/go-tuf/v2/metadata"
|
"github.com/theupdateframework/go-tuf/v2/metadata"
|
||||||
@@ -120,17 +119,10 @@ func NewClient(opts *ClientOptions) (*Client, error) {
|
|||||||
cfg.RemoteTargetsURL = opts.TargetsSource
|
cfg.RemoteTargetsURL = opts.TargetsSource
|
||||||
|
|
||||||
if tufSource == OCISource {
|
if tufSource == OCISource {
|
||||||
ref, err := reference.ParseNormalizedNamed(opts.MetadataSource)
|
cfg.Fetcher, err = NewRegistryFetcher(cfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to parse metadata source: %w", err)
|
return nil, fmt.Errorf("failed to create registry fetcher: %w", err)
|
||||||
}
|
}
|
||||||
// add latest tag
|
|
||||||
metadataTag := LatestTag
|
|
||||||
if tag, ok := ref.(reference.Tagged); ok {
|
|
||||||
metadataTag = tag.Tag()
|
|
||||||
}
|
|
||||||
metadataRepo := ref.Name()
|
|
||||||
cfg.Fetcher = NewRegistryFetcher(metadataRepo, metadataTag, opts.TargetsSource)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// create a new Updater instance
|
// create a new Updater instance
|
||||||
|
|||||||
@@ -112,27 +112,29 @@ func TestDownloadTarget(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for _, tc := range testCases {
|
for _, tc := range testCases {
|
||||||
tufClient, err := NewClient(&ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
require.NoErrorf(t, err, "Failed to create TUF client: %v", err)
|
tufClient, err := NewClient(&ClientOptions{DockerTUFRootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker})
|
||||||
require.NotNil(t, tufClient.updater, "Failed to create updater")
|
require.NoErrorf(t, err, "Failed to create TUF client: %v", err)
|
||||||
|
require.NotNil(t, tufClient.updater, "Failed to create updater")
|
||||||
|
|
||||||
// get trusted tuf metadata
|
// get trusted tuf metadata
|
||||||
trustedMetadata := tufClient.updater.GetTrustedMetadataSet()
|
trustedMetadata := tufClient.updater.GetTrustedMetadataSet()
|
||||||
assert.NotNil(t, trustedMetadata, "Failed to get trusted metadata")
|
assert.NotNil(t, trustedMetadata, "Failed to get trusted metadata")
|
||||||
|
|
||||||
// download top-level target files
|
// download top-level target files
|
||||||
targets := trustedMetadata.Targets[metadata.TARGETS].Signed.Targets
|
targets := trustedMetadata.Targets[metadata.TARGETS].Signed.Targets
|
||||||
for _, target := range targets {
|
for _, target := range targets {
|
||||||
// download target files
|
// download target files
|
||||||
_, err := tufClient.DownloadTarget(target.Path, filepath.Join(tufPath, "download"))
|
_, err := tufClient.DownloadTarget(target.Path, filepath.Join(tufPath, "download"))
|
||||||
assert.NoErrorf(t, err, "Failed to download target: %v", err)
|
assert.NoErrorf(t, err, "Failed to download target: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// download delegated target
|
// download delegated target
|
||||||
targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
|
targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
_, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
|
_, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user