Cleanup

.github/dependabot.yml

@@ -9,6 +9,7 @@ updates:
         update-types:
           - "minor"
           - "patch"
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
@@ -18,3 +19,8 @@ updates:
         update-types:
           - "minor"
           - "patch"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/build.yml

@@ -23,3 +23,17 @@ jobs:
       - name: Build
         run: |
           make build
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Install Go
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version-file: go.mod
+      - name: Test
+        run: |
+          make test

.github/workflows/docker.yaml

@@ -0,0 +1,38 @@
+name: Build and push Docker image
+
+on:
+  push:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+      packages: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Build and push image
+        id: push
+        uses: docker/build-push-action@v5.0.0
+        with:
+          context: .
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+      - name: Attest
+        uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

Dockerfile

@@ -1,3 +1,4 @@
+# v3.21.3
 FROM alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c as builder
 
 RUN apk add go make
@@ -11,6 +12,7 @@ RUN go env -w GOMODCACHE=/gomod-cache
 COPY . .
 RUN --mount=type=cache,target=/gomod-cache --mount=type=cache,target=/go-cache make build
 
+ # v3.21.3
 FROM alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
 
 WORKDIR /

Makefile

@@ -1,6 +1,6 @@
 REPOSITORY ?= github/artifact-attestations-opa-provider
-IMG := $(REPOSITORY):dev
-CLUSTER = kind # or gatekeeper
+TAG ?= dev
+IMG := $(REPOSITORY):$(TAG)
 
 all: aaop
 
@@ -11,36 +11,22 @@ build: aaop
 aaop:
 	go build -o $@ cmd/aaop/$@.go
 
+.PHONY: tidy
 tidy:
 	go mod tidy
 
+.PHONY: lint
 lint:
 	golangci-lint run
 
+.PHONY: test
 test:
 	go test ./... -race
 
-snapshot:
-	goreleaser release --clean --snapshot --skip-sign --skip-publish
-
-release:
-	goreleaser release --clean
-
+.PHONY: fmt
 fmt:
 	go fmt ./...
 
-.PHONY: cver
-cver:
-	go build -o $@ cmd/cver/$@.go
-
 .PHONY: docker
 docker:
-	docker build --platform linux/arm64 -t ${IMG} .
-
-.PHONY: docker-arm
-docker-arm:
-	docker build --platform linux/arm64 -t ${IMG_ARM} -f Dockerfile.arm .
-
-.PHONY: kind-load-image-arm
-kind-load-image:
-	kind load docker-image ${IMG} --name ${CLUSTER}
+	docker build -t ${IMG} .

cmd/aaop/aaop.go

@@ -5,6 +5,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -38,6 +39,10 @@ type transport struct {
 	p *provider.Provider
 }
 
+func init() {
+	log.SetFlags(log.LstdFlags | log.Lshortfile | log.LUTC)
+}
+
 func main() {
 	var kc *authn.KeyChainProvider
 	var v provider.Verifier
@@ -46,9 +51,15 @@ func main() {
 	flag.Parse()
 
 	if *tufRepo != "" && *tufRoot != "" {
-		v = loadCustomVerifier(*tufRepo, *tufRoot, *trustDomain)
+		if v, err = loadCustomVerifier(*tufRepo,
+			*tufRoot,
+			*trustDomain); err != nil {
+			log.Fatal(err)
+		}
 	} else {
-		v = loadVerifier(!*noPGI, *trustDomain)
+		if v, err = loadVerifiers(!*noPGI, *trustDomain); err != nil {
+			log.Fatal(err)
+		}
 	}
 
 	kc = authn.NewKeyChainProvider(*ns, []string{*ips})
@@ -68,16 +79,16 @@ func main() {
 	var cf = filepath.Join(*certsDir, certName)
 	var kf = filepath.Join(*certsDir, keyName)
 
-	fmt.Println("starting server...")
+	log.Println("starting server...")
 	if err = srv.ListenAndServeTLS(cf, kf); err != nil {
-		panic(err)
+		log.Fatalf("failed to start HTTP server: %v", err)
 	}
 }
 
 // loadCustomVerifier loads a user provided TUF root.
 // Currently only verificatoin options with RFC3161 signed timestamps
 // are supported.
-func loadCustomVerifier(repo, root, td string) provider.Verifier {
+func loadCustomVerifier(repo, root, td string) (provider.Verifier, error) {
 	var rb []byte
 	var v *verifier.Verifier
 	var vo = []verify.VerifierOption{
@@ -86,21 +97,21 @@ func loadCustomVerifier(repo, root, td string) provider.Verifier {
 	var err error
 
 	if rb, err = os.ReadFile(root); err != nil {
-		panic(err)
+		return nil, fmt.Errorf("failed to load verifier: %w", err)
 	}
 
 	if v, err = verifier.New(rb, repo, td, vo); err != nil {
-		panic(err)
+		return nil, fmt.Errorf("failed to create verifier: %w", err)
 	}
 
-	return v
+	return v, nil
 }
 
-// loadVerfier returns the default verifiers. If pgi is true and tr is
+// loadVerifiers returns the default verifiers. If pgi is true and tr is
 // the empty string, pgi and gh verifiers are returned.
 // if the provided trust domain is set, only gh verifier is returend,
 // with the set trust domain.
-func loadVerifier(pgi bool, td string) provider.Verifier {
+func loadVerifiers(pgi bool, td string) (provider.Verifier, error) {
 	var mv = verifier.Multi{
 		V: map[string]*verifier.Verifier{},
 	}
@@ -110,19 +121,22 @@ func loadVerifier(pgi bool, td string) provider.Verifier {
 	// only load PGI if no tenant's trust domain is selected
 	if pgi && td == "" {
 		if v, err = verifier.PGIVerifier(); err != nil {
-			panic(err)
+			return nil, fmt.Errorf("failed to load PGI verifier: %w", err)
 		}
 		mv.V[verifier.PublicGoodIssuer] = v
-		fmt.Println("loaded verfier for public good Sigstore")
+		log.Println("loaded verifier for public good Sigstore")
 	}
 
 	if v, err = verifier.GHVerifier(td); err != nil {
-		panic(err)
+		return nil, fmt.Errorf("failed to load GitHub verifier: %w", err)
 	}
 	mv.V[verifier.GitHubIssuer] = v
-	fmt.Println("loaded verfier for GitHub Sigstore")
+	if td == "" {
+		td = "dotcom"
+	}
+	log.Printf("loaded verifier for GitHub Sigstore: %s", td)
 
-	return &mv
+	return &mv, nil
 }
 
 // validate intercepts an external data request from OPA Gatekeeper to
@@ -163,10 +177,10 @@ func sendResponse(w http.ResponseWriter, r *externaldata.ProviderResponse) {
 			msg,
 			r.Response.SystemError)
 	}
-	fmt.Printf("%s\n", msg)
+	log.Print(msg)
 
 	w.WriteHeader(http.StatusOK)
 	if err := json.NewEncoder(w).Encode(r); err != nil {
-		panic(err)
+		log.Printf("ERROR: failed to write response: %v", err)
 	}
 }

cmd/cver/cver.go

@@ -0,0 +1,63 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/sigstore/sigstore-go/pkg/bundle"
+	"github.com/sigstore/sigstore-go/pkg/verify"
+
+	"github.com/github/artifact-attestations-opa-provider/pkg/fetcher"
+	"github.com/github/artifact-attestations-opa-provider/pkg/verifier"
+)
+
+var (
+	img = flag.String("i", "", "image to verify")
+)
+
+func main() {
+	var mv = &verifier.Multi{
+		V: map[string]*verifier.Verifier{},
+	}
+	var v *verifier.Verifier
+	var res []*verify.VerificationResult
+	var ref name.Reference
+	var remoteOpts = []remote.Option{}
+	var b []*bundle.Bundle
+	var h *v1.Hash
+	var err error
+
+	flag.Parse()
+
+	if *img == "" {
+		fmt.Println("no image provided")
+	}
+
+	if v, err = verifier.PGIVerifier(); err != nil {
+		log.Print(err)
+	}
+
+	mv.V[verifier.PublicGoodIssuer] = v
+
+	if v, err = verifier.GHVerifier(""); err != nil {
+		log.Print(err)
+	}
+	mv.V[verifier.GitHubIssuer] = v
+
+	if ref, err = name.ParseReference(*img); err != nil {
+		log.Print(err)
+	}
+	if b, h, err = fetcher.BundleFromName(ref, remoteOpts); err != nil {
+		log.Print(err)
+	}
+	if res, err = mv.Verify(b, h); err != nil {
+		log.Print(err)
+	}
+	for _, r := range res {
+		log.Printf("%+v\n", r)
+	}
+}

go.sum

@@ -186,8 +186,6 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
-github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=

pkg/authn/provider.go

@@ -2,7 +2,7 @@ package authn
 
 import (
 	"context"
-	"fmt"
+	"log"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/authn/k8schain"
@@ -22,7 +22,7 @@ type KeyChainProvider struct {
 // references are provided, the default keychain is will be used for further
 // requests to get a key chain.
 func NewKeyChainProvider(ns string, ips []string) *KeyChainProvider {
-	fmt.Printf("configure authn with image pull secrets %+v for namespace %s\n",
+	log.Printf("configure authn with image pull secrets %+v for namespace %s",
 		ips, ns)
 
 	return &KeyChainProvider{
@@ -45,7 +45,7 @@ func (k *KeyChainProvider) KeyChain(ctx context.Context) (authn.Keychain, error)
 		ImagePullSecrets: k.imagePullSecrets,
 	})
 	if err != nil {
-		fmt.Printf("can't add kubernetes key chain: %s\n", err)
+		log.Printf("WARN: can't add kubernetes key chain: %s", err)
 	} else {
 		kcs = append(kcs, kc)
 	}
@@ -55,7 +55,7 @@ func (k *KeyChainProvider) KeyChain(ctx context.Context) (authn.Keychain, error)
 		Namespace: k.namespace,
 	})
 	if err != nil {
-		fmt.Printf("can't add k8schain key chain: %s\n", err)
+		log.Printf("WARN: can't add k8schain key chain: %s", err)
 	} else {
 		kcs = append(kcs, kc)
 	}