Add cosign for handling image functionality. (#134)

* pull back in ocil * updates to OCIL funcs to handle cosign changes * add cosign logic * adjust Makefile to be a little more generic * cli updates to accomodate the cosign additions * add cosign drop-in funcs * impl for cosign functions for images & store copy * fixes and logging for cosign verify <iamge> * fix cosign verify logging * update go.mod Signed-off-by: Adam Martin <[email protected]>
hauler-dev · Nov 3, 2023 · 4772657 · 4772657
1 parent 337494c
commit 4772657
Show file tree

Hide file tree

Showing 43 changed files with 2,613 additions and 75 deletions.
diff --git a/Makefile b/Makefile
@@ -11,13 +11,13 @@ all: fmt vet install test
 
 build:
 	mkdir bin;\
-	$(GO_BUILD_ENV) go build -o bin ./cmd/...;\
+	GOENV=GOARCH=$(uname -m) CGO_ENABLED=0 go build -o bin ./cmd/...;\
 
 build-all: fmt vet
 	goreleaser build --rm-dist --snapshot
 
 install:
-	$(GO_BUILD_ENV) go install
+	GOENV=GOARCH=$(uname -m) CGO_ENABLED=0 go install ./cmd/...;\
 
 vet:
 	go vet $(GO_FILES)

diff --git a/cmd/hauler/cli/download/download.go b/cmd/hauler/cli/download/download.go
@@ -11,7 +11,7 @@ import (
 	"oras.land/oras-go/pkg/content"
 	"oras.land/oras-go/pkg/oras"
 
-	"github.com/rancherfederal/ocil/pkg/consts"
+	"github.com/rancherfederal/hauler/pkg/consts"
 
 	"github.com/rancherfederal/hauler/internal/mapper"
 	"github.com/rancherfederal/hauler/pkg/log"

diff --git a/cmd/hauler/cli/serve/registry.go b/cmd/hauler/cli/serve/registry.go
@@ -74,6 +74,7 @@ func (o *RegistryOpts) defaultConfig() *configuration.Configuration {
 	cfg.HTTP.Addr = fmt.Sprintf(":%d", o.Port)
 	cfg.HTTP.Headers = http.Header{
 		"X-Content-Type-Options": []string{"nosniff"},
+		"Accept": []string{"application/vnd.dsse.envelope.v1+json, application/json"},
 	}
 
 	return cfg

diff --git a/cmd/hauler/cli/store/add.go b/cmd/hauler/cli/store/add.go
@@ -4,17 +4,17 @@ import (
 	"context"
 
 	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/rancherfederal/ocil/pkg/artifacts/file/getter"
+	"github.com/rancherfederal/hauler/pkg/artifacts/file/getter"
 	"github.com/spf13/cobra"
 	"helm.sh/helm/v3/pkg/action"
 
-	"github.com/rancherfederal/ocil/pkg/artifacts/file"
-	"github.com/rancherfederal/ocil/pkg/artifacts/image"
+	"github.com/rancherfederal/hauler/pkg/artifacts/file"
 
-	"github.com/rancherfederal/ocil/pkg/store"
+	"github.com/rancherfederal/hauler/pkg/store"
 
 	"github.com/rancherfederal/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
 	"github.com/rancherfederal/hauler/pkg/content/chart"
+	"github.com/rancherfederal/hauler/pkg/cosign"
 	"github.com/rancherfederal/hauler/pkg/log"
 	"github.com/rancherfederal/hauler/pkg/reference"
 )
@@ -62,40 +62,48 @@ func storeFile(ctx context.Context, s *store.Layout, fi v1alpha1.File) error {
 type AddImageOpts struct {
 	*RootOpts
 	Name string
+	Key  string
 }
 
 func (o *AddImageOpts) AddFlags(cmd *cobra.Command) {
 	f := cmd.Flags()
-	_ = f
+	f.StringVarP(&o.Key, "key", "k", "", "(Optional) Path to the key for digital signature verification")
 }
 
 func AddImageCmd(ctx context.Context, o *AddImageOpts, s *store.Layout, reference string) error {
+	l := log.FromContext(ctx)
 	cfg := v1alpha1.Image{
 		Name: reference,
 	}
 
+	// Check if the user provided a key.
+	if o.Key != "" {
+		// verify signature using the provided key.
+		err := cosign.VerifySignature(ctx, s, o.Key, cfg.Name)
+		if err != nil {
+			return err
+		}
+		l.Infof("signature verified for image [%s]", cfg.Name)
+	}
+
 	return storeImage(ctx, s, cfg)
 }
 
 func storeImage(ctx context.Context, s *store.Layout, i v1alpha1.Image) error {
 	l := log.FromContext(ctx)
 
-	img, err := image.NewImage(i.Name)
-	if err != nil {
-		return err
-	}
-
 	r, err := name.ParseReference(i.Name)
 	if err != nil {
 		return err
 	}
 
-	desc, err := s.AddOCI(ctx, img, r.Name())
+	err = cosign.SaveImage(ctx, s, r.Name())
+	//desc, err := s.AddOCI(ctx, img, r.Name())
 	if err != nil {
 		return err
 	}
 
-	l.Infof("added 'image' to store at [%s], with digest [%s]", r.Name(), desc.Digest.String())
+	l.Infof("added 'image' to store at [%s]", r.Name())
 	return nil
 }
 

diff --git a/cmd/hauler/cli/store/copy.go b/cmd/hauler/cli/store/copy.go
@@ -5,14 +5,13 @@ import (
 	"fmt"
 	"strings"
 
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
 	"oras.land/oras-go/pkg/content"
 
-	"github.com/rancherfederal/ocil/pkg/store"
+	"github.com/rancherfederal/hauler/pkg/cosign"
+	"github.com/rancherfederal/hauler/pkg/store"
 
 	"github.com/rancherfederal/hauler/pkg/log"
-	"github.com/rancherfederal/hauler/pkg/reference"
 )
 
 type CopyOpts struct {
@@ -36,19 +35,17 @@ func (o *CopyOpts) AddFlags(cmd *cobra.Command) {
 func CopyCmd(ctx context.Context, o *CopyOpts, s *store.Layout, targetRef string) error {
 	l := log.FromContext(ctx)
 
-	var descs []ocispec.Descriptor
 	components := strings.SplitN(targetRef, "://", 2)
 	switch components[0] {
 	case "dir":
 		l.Debugf("identified directory target reference")
 		fs := content.NewFile(components[1])
 		defer fs.Close()
 
-		ds, err := s.CopyAll(ctx, fs, nil)
+		_, err := s.CopyAll(ctx, fs, nil)
 		if err != nil {
 			return err
 		}
-		descs = ds
 
 	case "registry":
 		l.Debugf("identified registry target reference")
@@ -58,29 +55,16 @@ func CopyCmd(ctx context.Context, o *CopyOpts, s *store.Layout, targetRef string
 			Insecure:  o.Insecure,
 			PlainHTTP: o.PlainHTTP,
 		}
-		r, err := content.NewRegistry(ropts)
-		if err != nil {
-			return err
-		}
-
-		mapperFn := func(ref string) (string, error) {
-			r, err := reference.Relocate(ref, components[1])
-			if err != nil {
-				return "", err
-			}
-			return r.Name(), nil
-		}
 
-		ds, err := s.CopyAll(ctx, r, mapperFn)
+		err := cosign.LoadImage(ctx, s, components[1], ropts)
 		if err != nil {
 			return err
 		}
-		descs = ds
 
 	default:
 		return fmt.Errorf("detecting protocol from [%s]", targetRef)
 	}
 
-	l.Infof("Copied [%d] artifacts to [%s]", len(descs), components[1])
+	l.Infof("Copied artifacts to [%s]", components[1])
 	return nil
 }
diff --git a/cmd/hauler/cli/store/extract.go b/cmd/hauler/cli/store/extract.go
@@ -2,13 +2,14 @@ package store
 
 import (
 	"context"
+	"strings"
 	"encoding/json"
 	"fmt"
 
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
 
-	"github.com/rancherfederal/ocil/pkg/store"
+	"github.com/rancherfederal/hauler/pkg/store"
 
 	"github.com/rancherfederal/hauler/internal/mapper"
 	"github.com/rancherfederal/hauler/pkg/log"
@@ -36,7 +37,8 @@ func ExtractCmd(ctx context.Context, o *ExtractOpts, s *store.Layout, ref string
 
 	found := false
 	if err := s.Walk(func(reference string, desc ocispec.Descriptor) error {
-		if reference != r.Name() {
+
+		if !strings.Contains(reference, r.Name()) {
 			return nil
 		}
 		found = true
@@ -57,7 +59,7 @@ func ExtractCmd(ctx context.Context, o *ExtractOpts, s *store.Layout, ref string
 			return err
 		}
 
-		pushedDesc, err := s.Copy(ctx, r.Name(), mapperStore, "")
+		pushedDesc, err := s.Copy(ctx, reference, mapperStore, "")
 		if err != nil {
 			return err
 		}

diff --git a/cmd/hauler/cli/store/flags.go b/cmd/hauler/cli/store/flags.go
@@ -6,8 +6,8 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/rancherfederal/ocil/pkg/layer"
-	"github.com/rancherfederal/ocil/pkg/store"
+	"github.com/rancherfederal/hauler/pkg/layer"
+	"github.com/rancherfederal/hauler/pkg/store"
 	"github.com/spf13/cobra"
 
 	"github.com/rancherfederal/hauler/pkg/log"

diff --git a/cmd/hauler/cli/store/info.go b/cmd/hauler/cli/store/info.go
@@ -10,9 +10,9 @@ import (
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
 
-	"github.com/rancherfederal/ocil/pkg/consts"
+	"github.com/rancherfederal/hauler/pkg/consts"
 
-	"github.com/rancherfederal/ocil/pkg/store"
+	"github.com/rancherfederal/hauler/pkg/store"
 
 	"github.com/rancherfederal/hauler/pkg/reference"
 )
@@ -78,9 +78,11 @@ func buildTable(items ...item) string {
 	fmt.Fprintf(tw, "---------\t----\t--------\t----\n")
 
 	for _, i := range items {
-		fmt.Fprintf(tw, "%s\t%s\t%d\t%s\n",
-			i.Reference, i.Type, i.Layers, i.Size,
-		)
+		if i.Type != "unknown" {
+			fmt.Fprintf(tw, "%s\t%s\t%d\t%s\n",
+				i.Reference, i.Type, i.Layers, i.Size,
+			)
+		}
 	}
 	tw.Flush()
 	return b.String()

diff --git a/cmd/hauler/cli/store/load.go b/cmd/hauler/cli/store/load.go
@@ -5,8 +5,8 @@ import (
 	"os"
 
 	"github.com/mholt/archiver/v3"
-	"github.com/rancherfederal/ocil/pkg/content"
-	"github.com/rancherfederal/ocil/pkg/store"
+	"github.com/rancherfederal/hauler/pkg/content"
+	"github.com/rancherfederal/hauler/pkg/store"
 	"github.com/spf13/cobra"
 
 	"github.com/rancherfederal/hauler/pkg/log"

diff --git a/cmd/hauler/cli/store/serve.go b/cmd/hauler/cli/store/serve.go
@@ -14,7 +14,7 @@ import (
 	"github.com/distribution/distribution/v3/version"
 	"github.com/spf13/cobra"
 
-	"github.com/rancherfederal/ocil/pkg/store"
+	"github.com/rancherfederal/hauler/pkg/store"
 
 	"github.com/rancherfederal/hauler/internal/server"
 )

diff --git a/cmd/hauler/cli/store/sync.go b/cmd/hauler/cli/store/sync.go
@@ -11,25 +11,28 @@ import (
 	"helm.sh/helm/v3/pkg/action"
 	"k8s.io/apimachinery/pkg/util/yaml"
 
-	"github.com/rancherfederal/ocil/pkg/store"
+	"github.com/rancherfederal/hauler/pkg/store"
 
 	"github.com/rancherfederal/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
 	tchart "github.com/rancherfederal/hauler/pkg/collection/chart"
 	"github.com/rancherfederal/hauler/pkg/collection/imagetxt"
 	"github.com/rancherfederal/hauler/pkg/collection/k3s"
 	"github.com/rancherfederal/hauler/pkg/content"
+	"github.com/rancherfederal/hauler/pkg/cosign"
 	"github.com/rancherfederal/hauler/pkg/log"
 )
 
 type SyncOpts struct {
 	*RootOpts
 	ContentFiles []string
+	Key          string
 }
 
 func (o *SyncOpts) AddFlags(cmd *cobra.Command) {
 	f := cmd.Flags()
 
 	f.StringSliceVarP(&o.ContentFiles, "files", "f", []string{}, "Path to content files")
+	f.StringVarP(&o.Key, "key", "k", "", "(Optional) Path to the key for digital signature verification")
 }
 
 func SyncCmd(ctx context.Context, o *SyncOpts, s *store.Layout) error {
@@ -94,7 +97,18 @@ func SyncCmd(ctx context.Context, o *SyncOpts, s *store.Layout) error {
 				}
 
 				for _, i := range cfg.Spec.Images {
-					err := storeImage(ctx, s, i)
+
+					// Check if the user provided a key.
+					if o.Key != "" {
+						// verify signature using the provided key.
+						err := cosign.VerifySignature(ctx, s, o.Key, i.Name)
+						if err != nil {
+							return err
+						}
+						l.Infof("signature verified for image [%s]", i.Name)
+					}
+
+					err = storeImage(ctx, s, i)
 					if err != nil {
 						return err
 					}

diff --git a/go.mod b/go.mod
@@ -10,12 +10,14 @@ require (
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.8.0
 	github.com/mholt/archiver/v3 v3.5.1
+	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc5
 	github.com/pkg/errors v0.9.1
-	github.com/rancherfederal/ocil v0.1.9
 	github.com/rs/zerolog v1.31.0
 	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/afero v1.10.0
 	github.com/spf13/cobra v1.7.0
+	golang.org/x/sync v0.4.0
 	helm.sh/helm/v3 v3.13.0
 	k8s.io/apimachinery v0.28.2
 	k8s.io/client-go v0.28.2
@@ -110,7 +112,6 @@ require (
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nwaples/rardecode v1.1.0 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pierrec/lz4/v4 v4.1.2 // indirect
 	github.com/prometheus/client_golang v1.16.0 // indirect
@@ -123,7 +124,6 @@ require (
 	github.com/rubenv/sql-migrate v1.5.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
-	github.com/spf13/afero v1.10.0 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/ulikunitz/xz v0.5.9 // indirect
@@ -140,7 +140,6 @@ require (
 	golang.org/x/crypto v0.13.0 // indirect
 	golang.org/x/net v0.13.0 // indirect
 	golang.org/x/oauth2 v0.8.0 // indirect
-	golang.org/x/sync v0.4.0 // indirect
 	golang.org/x/sys v0.12.0 // indirect
 	golang.org/x/term v0.12.0 // indirect
 	golang.org/x/text v0.13.0 // indirect

diff --git a/go.sum b/go.sum
@@ -454,8 +454,6 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
 github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
 github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
-github.com/rancherfederal/ocil v0.1.9 h1:pmiUQCh2HTIMDD9tDj/UqBAAxq4yloLFgd2WnrZnQgc=
-github.com/rancherfederal/ocil v0.1.9/go.mod h1:l4d1cHHfdXDGtio32AYDjG6n1i1JxQK+kAom0cVf0SY=
 github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho=
 github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U=
 github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc=

diff --git a/internal/mapper/mappers.go b/internal/mapper/mappers.go
@@ -6,7 +6,7 @@ import (
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"oras.land/oras-go/pkg/target"
 
-	"github.com/rancherfederal/ocil/pkg/consts"
+	"github.com/rancherfederal/hauler/pkg/consts"
 )
 
 type Fn func(desc ocispec.Descriptor) (string, error)
@@ -39,7 +39,7 @@ func Images() map[string]Fn {
 		return "manifest.json", nil
 	})
 
-	for _, l := range []string{consts.DockerManifestSchema2, consts.OCIManifestSchema1} {
+	for _, l := range []string{consts.DockerManifestSchema2, consts.DockerManifestListSchema2, consts.OCIManifestSchema1} {
 		m[l] = manifestMapperFn
 	}