-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathbundle.go
172 lines (147 loc) · 5.53 KB
/
bundle.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
package webhook
import (
"crypto/x509"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"strings"
"github.com/google/go-containerregistry/pkg/name"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/google/go-containerregistry/pkg/v1/types"
"github.com/sigstore/sigstore-go/pkg/bundle"
"github.com/sigstore/sigstore-go/pkg/root"
"github.com/sigstore/sigstore-go/pkg/verify"
)
type noncompliantRegistryTransport struct{}
/*
RoundTrip will check if a request and associated response fulfill the following:
1. The response returns a 406 status code and the request path contains /referrers/
2. The response content type is not application/vnd.oci.image.index.v1+json
If either condition is met, the response's status code will be overwritten to 404.
This is a temporary solution to handle non compliant registries that either:
1. return an unexpected status code 406 when the go-containerregistry library used
by this code attempts to make a request to the referrers API.
The go-containerregistry library can handle 404 response but not a 406 response.
See the related go-containerregistry issue: https://github.com/google/go-containerregistry/issues/1962
2. Do not return a response with the required application/vnd.oci.image.index.v1+json Content-Type header.
If https://github.com/google/go-containerregistry/pull/1968 is merged,
we can remove the Content-Type check.
*/
func (a *noncompliantRegistryTransport) RoundTrip(req *http.Request) (*http.Response, error) {
resp, err := http.DefaultTransport.RoundTrip(req)
respContentType := resp.Header.Get("Content-Type")
if (resp.StatusCode == http.StatusNotAcceptable && strings.Contains(req.URL.Path, "/referrers/")) || respContentType != string(types.OCIImageIndex) {
resp.StatusCode = http.StatusNotFound
}
return resp, err
}
type VerifiedBundle struct {
SGBundle *bundle.ProtobufBundle
Result *verify.VerificationResult
Hash v1.Hash
}
// VerifiedBundle implements Signature
var _ Signature = &VerifiedBundle{}
func (vb *VerifiedBundle) Digest() (v1.Hash, error) {
return vb.Hash, nil
}
func (vb *VerifiedBundle) Payload() ([]byte, error) {
// todo: this should return the json-serialized dsse envelope
envelope := vb.SGBundle.GetDsseEnvelope()
if envelope == nil {
return nil, fmt.Errorf("no dsse envelope found")
}
return json.Marshal(envelope)
}
func (vb *VerifiedBundle) Signature() ([]byte, error) {
// TODO: implement this
return []byte{}, nil
}
func (vb *VerifiedBundle) Cert() (*x509.Certificate, error) {
vc, err := vb.SGBundle.VerificationContent()
if err != nil {
return nil, err
}
if cert, ok := vc.HasCertificate(); ok {
return &cert, nil
}
return nil, errors.New("bundle does not contain a certificate")
}
func VerifiedBundles(ref name.Reference, trustedMaterial root.TrustedMaterial, remoteOpts []remote.Option, policyOptions []verify.PolicyOption, verifierOptions []verify.VerifierOption) ([]Signature, error) {
sev, err := verify.NewSignedEntityVerifier(trustedMaterial, verifierOptions...)
if err != nil {
return nil, err
}
bundles, hash, err := getBundles(ref, remoteOpts)
if err != nil {
return nil, err
}
digestBytes, err := hex.DecodeString(hash.Hex)
if err != nil {
return nil, err
}
artifactPolicy := verify.WithArtifactDigest(hash.Algorithm, digestBytes)
policy := verify.NewPolicy(artifactPolicy, policyOptions...)
verifiedBundles := make([]Signature, 0)
for _, b := range bundles {
// TODO: should these be done in parallel? (as is done in cosign?)
result, err := sev.Verify(b, policy)
if err == nil {
verifiedBundles = append(verifiedBundles, &VerifiedBundle{SGBundle: b, Result: result, Hash: *hash})
}
}
return verifiedBundles, nil
}
func getBundles(ref name.Reference, remoteOpts []remote.Option) ([]*bundle.ProtobufBundle, *v1.Hash, error) {
desc, err := remote.Get(ref, remoteOpts...)
if err != nil {
return nil, nil, fmt.Errorf("error getting image descriptor: %w", err)
}
digest := ref.Context().Digest(desc.Digest.String())
transportOpts := []remote.Option{remote.WithTransport(&noncompliantRegistryTransport{})}
transportOpts = append(transportOpts, remoteOpts...)
referrers, err := remote.Referrers(digest, transportOpts...)
if err != nil {
return nil, nil, fmt.Errorf("error getting referrers: %w", err)
}
refManifest, err := referrers.IndexManifest()
if err != nil {
return nil, nil, fmt.Errorf("error getting referrers manifest: %w", err)
}
bundles := make([]*bundle.ProtobufBundle, 0)
for _, refDesc := range refManifest.Manifests {
if !strings.HasPrefix(refDesc.ArtifactType, "application/vnd.dev.sigstore.bundle") {
continue
}
refImg, err := remote.Image(ref.Context().Digest(refDesc.Digest.String()), remoteOpts...)
if err != nil {
return nil, nil, fmt.Errorf("error getting referrer image: %w", err)
}
layers, err := refImg.Layers()
if err != nil {
return nil, nil, fmt.Errorf("error getting referrer image: %w", err)
}
layer0, err := layers[0].Uncompressed()
if err != nil {
return nil, nil, fmt.Errorf("error getting referrer image: %w", err)
}
bundleBytes, err := io.ReadAll(layer0)
if err != nil {
return nil, nil, fmt.Errorf("error getting referrer image: %w", err)
}
b := &bundle.ProtobufBundle{}
err = b.UnmarshalJSON(bundleBytes)
if err != nil {
return nil, nil, fmt.Errorf("error unmarshalling bundle: %w", err)
}
bundles = append(bundles, b)
}
if len(bundles) == 0 {
return nil, nil, fmt.Errorf("no bundle found in referrers")
}
return bundles, &desc.Digest, nil
}