Merge branch '16-12-25' into containers-from-image

Author: DomAyre

src/confcom/HISTORY.rst

@@ -3,6 +3,12 @@
 Release History
 ===============
 
+1.5.0
+++++++
+* restored the behaviour of --upload-fragment in acifragmentgen to attach to first image in input
+* added --push-fragment-to flag to acifragmentgen to allow explicit uploading of standalone fragments
+* added --attach-fragment-to flag to acifragmentgen to allow explicit uploading of image attached fragments
+
 1.4.5
 ++++++
 * Drop the dependency on OPA

src/confcom/azext_confcom/_params.py

@@ -5,6 +5,8 @@
 # pylint: disable=line-too-long
 
 import json
+import argparse
+import sys
 from knack.arguments import CLIArgumentType
 from azext_confcom._validators import (
     validate_params_file,
@@ -44,6 +46,32 @@ def load_arguments(self, _):
         c.argument("tags", tags_type)
         c.argument("confcom_name", confcom_name_type, options_list=["--name", "-n"])
 
+    with self.argument_context("confcom fragment attach") as c:
+        c.positional(
+            "signed_fragment",
+            nargs='?',
+            type=argparse.FileType('rb'),
+            default=sys.stdin.buffer,
+            help="Signed fragment to attach",
+        )
+        c.argument(
+            "manifest_tag",
+            help="Manifest tag for the fragment",
+        )
+
+    with self.argument_context("confcom fragment push") as c:
+        c.positional(
+            "signed_fragment",
+            nargs='?',
+            type=argparse.FileType('rb'),
+            default=sys.stdin.buffer,
+            help="Signed fragment to push",
+        )
+        c.argument(
+            "manifest_tag",
+            help="Manifest tag for the fragment",
+        )
+
     with self.argument_context("confcom acipolicygen") as c:
         c.argument(
             "input_path",
@@ -362,6 +390,13 @@ def load_arguments(self, _):
             type=json.loads,
             help='Container definitions to include in the policy'
         )
+        c.argument(
+            "out_signed_fragment",
+            action="store_true",
+            default=False,
+            required=False,
+            help="Emit only the signed fragment bytes",
+        )
 
     with self.argument_context("confcom katapolicygen") as c:
         c.argument(

src/confcom/azext_confcom/command/fragment_attach.py

@@ -0,0 +1,46 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import os
+import subprocess
+import tempfile
+from typing import BinaryIO
+
+
+def oras_attach(
+    signed_fragment: BinaryIO,
+    manifest_tag: str,
+) -> None:
+    subprocess.run(
+        [
+            "oras",
+            "attach",
+            "--artifact-type", "application/x-ms-ccepolicy-frag",
+            manifest_tag,
+            os.path.relpath(signed_fragment.name, start=os.getcwd()),
+        ],
+        check=True,
+        timeout=120,
+    )
+
+
+def fragment_attach(
+    signed_fragment: BinaryIO,
+    manifest_tag: str,
+) -> None:
+
+    if signed_fragment.name == "<stdin>":
+        with tempfile.NamedTemporaryFile(delete=True) as temp_signed_fragment:
+            temp_signed_fragment.write(signed_fragment.read())
+            temp_signed_fragment.flush()
+            oras_attach(
+                signed_fragment=temp_signed_fragment,
+                manifest_tag=manifest_tag,
+            )
+    else:
+        oras_attach(
+            signed_fragment=signed_fragment,
+            manifest_tag=manifest_tag,
+        )

src/confcom/azext_confcom/command/fragment_push.py

@@ -0,0 +1,46 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import os
+import subprocess
+import tempfile
+from typing import BinaryIO
+
+
+def oras_push(
+    signed_fragment: BinaryIO,
+    manifest_tag: str,
+) -> None:
+    subprocess.run(
+        [
+            "oras",
+            "push",
+            "--artifact-type", "application/x-ms-ccepolicy-frag",
+            manifest_tag,
+            os.path.relpath(signed_fragment.name, start=os.getcwd()),
+        ],
+        check=True,
+        timeout=120,
+    )
+
+
+def fragment_push(
+    signed_fragment: BinaryIO,
+    manifest_tag: str,
+) -> None:
+
+    if signed_fragment.name == "<stdin>":
+        with tempfile.NamedTemporaryFile(delete=True) as temp_signed_fragment:
+            temp_signed_fragment.write(signed_fragment.read())
+            temp_signed_fragment.flush()
+            oras_push(
+                signed_fragment=temp_signed_fragment,
+                manifest_tag=manifest_tag,
+            )
+    else:
+        oras_push(
+            signed_fragment=signed_fragment,
+            manifest_tag=manifest_tag,
+        )

src/confcom/azext_confcom/commands.py

@@ -11,6 +11,10 @@ def load_command_table(self, _):
         g.custom_command("acifragmentgen", "acifragmentgen_confcom")
         g.custom_command("katapolicygen", "katapolicygen_confcom")
 
+    with self.command_group("confcom fragment") as g:
+        g.custom_command("attach", "fragment_attach", is_preview=True)
+        g.custom_command("push", "fragment_push", is_preview=True)
+
     with self.command_group("confcom"):
         pass
 

src/confcom/azext_confcom/custom.py

@@ -258,6 +258,7 @@ def acifragmentgen_confcom(
     upload_fragment: bool = False,
     no_print: bool = False,
     fragments_json: str = "",
+    out_signed_fragment: bool = False,
 ):
     if container_definitions is None:
         container_definitions = []
@@ -364,24 +365,39 @@ def acifragmentgen_confcom(
 
     fragment_text = policy.generate_fragment(namespace, svn, output_type, omit_id=omit_id)
 
-    if output_type != security_policy.OutputType.DEFAULT and not no_print:
+    if output_type != security_policy.OutputType.DEFAULT and not no_print and not out_signed_fragment:
         print(fragment_text)
 
     # take ".rego" off the end of the filename if it's there, it'll get added back later
     output_filename = output_filename.replace(".rego", "")
     filename = f"{output_filename or namespace}.rego"
+
+    if out_signed_fragment:
+        filename = os.path.join("/tmp", filename)
+
     os_util.write_str_to_file(filename, fragment_text)
 
     if key:
         cose_proxy = CoseSignToolProxy()
         iss = cose_proxy.create_issuer(chain)
         out_path = filename + ".cose"
 
+        if out_signed_fragment:
+            out_path = os.path.join("/tmp", os.path.basename(out_path))
+
         cose_proxy.cose_sign(filename, key, chain, feed, iss, algo, out_path)
-        if upload_fragment and image_target:
-            oras_proxy.attach_fragment_to_image(image_target, out_path)
-        elif upload_fragment:
-            oras_proxy.push_fragment_to_registry(feed, out_path)
+
+        # Preserve default behaviour established since version 1.1.0 of attaching
+        # the fragment to the first image specified in input
+        # (or --image-target if specified)
+        if upload_fragment:
+            oras_proxy.attach_fragment_to_image(
+                image_name=image_target or policy_images[0].containerImage,
+                filename=out_path,
+            )
+
+        if out_signed_fragment:
+            sys.stdout.buffer.write(open(out_path, "rb").read())
 
 
 def katapolicygen_confcom(