Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ updates:
update-types:
- "minor"
- "patch"

- package-ecosystem: "github-actions"
directory: "/"
schedule:
Expand All @@ -18,3 +19,8 @@ updates:
update-types:
- "minor"
- "patch"

- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"
14 changes: 14 additions & 0 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,17 @@ jobs:
- name: Build
run: |
make build

test:
name: Test
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install Go
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version-file: go.mod
- name: Test
run: |
make test
38 changes: 38 additions & 0 deletions .github/workflows/docker.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
name: Build and push Docker image

on:
push:
branches:
- main

permissions: {}

jobs:
build-and-push:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
attestations: write
packages: write
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Build and push image
id: push
uses: docker/build-push-action@v5.0.0
with:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Attest
uses: actions/attest-build-provenance@v2
id: attest
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
2 changes: 2 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# v3.21.3
FROM alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c as builder

RUN apk add go make
Expand All @@ -11,6 +12,7 @@ RUN go env -w GOMODCACHE=/gomod-cache
COPY . .
RUN --mount=type=cache,target=/gomod-cache --mount=type=cache,target=/go-cache make build

# v3.21.3
FROM alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c

WORKDIR /
Expand Down
28 changes: 7 additions & 21 deletions Makefile
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
REPOSITORY ?= github/artifact-attestations-opa-provider
IMG := $(REPOSITORY):dev
CLUSTER = kind # or gatekeeper
TAG ?= dev
IMG := $(REPOSITORY):$(TAG)

all: aaop

Expand All @@ -11,36 +11,22 @@ build: aaop
aaop:
go build -o $@ cmd/aaop/$@.go

.PHONY: tidy
tidy:
go mod tidy

.PHONY: lint
lint:
golangci-lint run

.PHONY: test
test:
go test ./... -race

snapshot:
goreleaser release --clean --snapshot --skip-sign --skip-publish

release:
goreleaser release --clean

.PHONY: fmt
fmt:
go fmt ./...

.PHONY: cver
cver:
go build -o $@ cmd/cver/$@.go

.PHONY: docker
docker:
docker build --platform linux/arm64 -t ${IMG} .

.PHONY: docker-arm
docker-arm:
docker build --platform linux/arm64 -t ${IMG_ARM} -f Dockerfile.arm .

.PHONY: kind-load-image-arm
kind-load-image:
kind load docker-image ${IMG} --name ${CLUSTER}
docker build -t ${IMG} .
48 changes: 31 additions & 17 deletions cmd/aaop/aaop.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (
"flag"
"fmt"
"io"
"log"
"net/http"
"os"
"path/filepath"
Expand Down Expand Up @@ -38,6 +39,10 @@ type transport struct {
p *provider.Provider
}

func init() {
log.SetFlags(log.LstdFlags | log.Lshortfile | log.LUTC)
}

func main() {
var kc *authn.KeyChainProvider
var v provider.Verifier
Expand All @@ -46,9 +51,15 @@ func main() {
flag.Parse()

if *tufRepo != "" && *tufRoot != "" {
v = loadCustomVerifier(*tufRepo, *tufRoot, *trustDomain)
if v, err = loadCustomVerifier(*tufRepo,
*tufRoot,
*trustDomain); err != nil {
log.Fatal(err)
}
} else {
v = loadVerifier(!*noPGI, *trustDomain)
if v, err = loadVerifiers(!*noPGI, *trustDomain); err != nil {
log.Fatal(err)
}
}

kc = authn.NewKeyChainProvider(*ns, []string{*ips})
Expand All @@ -68,16 +79,16 @@ func main() {
var cf = filepath.Join(*certsDir, certName)
var kf = filepath.Join(*certsDir, keyName)

fmt.Println("starting server...")
log.Println("starting server...")
if err = srv.ListenAndServeTLS(cf, kf); err != nil {
panic(err)
log.Fatalf("failed to start HTTP server: %v", err)
}
}

// loadCustomVerifier loads a user provided TUF root.
// Currently only verificatoin options with RFC3161 signed timestamps
// are supported.
func loadCustomVerifier(repo, root, td string) provider.Verifier {
func loadCustomVerifier(repo, root, td string) (provider.Verifier, error) {
var rb []byte
var v *verifier.Verifier
var vo = []verify.VerifierOption{
Expand All @@ -86,21 +97,21 @@ func loadCustomVerifier(repo, root, td string) provider.Verifier {
var err error

if rb, err = os.ReadFile(root); err != nil {
panic(err)
return nil, fmt.Errorf("failed to load verifier: %w", err)
}

if v, err = verifier.New(rb, repo, td, vo); err != nil {
panic(err)
return nil, fmt.Errorf("failed to create verifier: %w", err)
}

return v
return v, nil
}

// loadVerfier returns the default verifiers. If pgi is true and tr is
// loadVerifiers returns the default verifiers. If pgi is true and tr is
// the empty string, pgi and gh verifiers are returned.
// if the provided trust domain is set, only gh verifier is returend,
// with the set trust domain.
func loadVerifier(pgi bool, td string) provider.Verifier {
func loadVerifiers(pgi bool, td string) (provider.Verifier, error) {
var mv = verifier.Multi{
V: map[string]*verifier.Verifier{},
}
Expand All @@ -110,19 +121,22 @@ func loadVerifier(pgi bool, td string) provider.Verifier {
// only load PGI if no tenant's trust domain is selected
if pgi && td == "" {
if v, err = verifier.PGIVerifier(); err != nil {
panic(err)
return nil, fmt.Errorf("failed to load PGI verifier: %w", err)
}
mv.V[verifier.PublicGoodIssuer] = v
fmt.Println("loaded verfier for public good Sigstore")
log.Println("loaded verifier for public good Sigstore")
}

if v, err = verifier.GHVerifier(td); err != nil {
panic(err)
return nil, fmt.Errorf("failed to load GitHub verifier: %w", err)
}
mv.V[verifier.GitHubIssuer] = v
fmt.Println("loaded verfier for GitHub Sigstore")
if td == "" {
td = "dotcom"
}
log.Printf("loaded verifier for GitHub Sigstore: %s", td)

return &mv
return &mv, nil
}

// validate intercepts an external data request from OPA Gatekeeper to
Expand Down Expand Up @@ -163,10 +177,10 @@ func sendResponse(w http.ResponseWriter, r *externaldata.ProviderResponse) {
msg,
r.Response.SystemError)
}
fmt.Printf("%s\n", msg)
log.Print(msg)

w.WriteHeader(http.StatusOK)
if err := json.NewEncoder(w).Encode(r); err != nil {
panic(err)
log.Printf("ERROR: failed to write response: %v", err)
}
}
Binary file added cmd/cver/cver
Binary file not shown.
63 changes: 63 additions & 0 deletions cmd/cver/cver.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
package main

import (
"flag"
"fmt"
"log"

"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/sigstore/sigstore-go/pkg/bundle"
"github.com/sigstore/sigstore-go/pkg/verify"

"github.com/github/artifact-attestations-opa-provider/pkg/fetcher"
"github.com/github/artifact-attestations-opa-provider/pkg/verifier"
)

var (
img = flag.String("i", "", "image to verify")
)

func main() {
var mv = &verifier.Multi{
V: map[string]*verifier.Verifier{},
}
var v *verifier.Verifier
var res []*verify.VerificationResult
var ref name.Reference
var remoteOpts = []remote.Option{}
var b []*bundle.Bundle
var h *v1.Hash
var err error

flag.Parse()

if *img == "" {
fmt.Println("no image provided")
}

if v, err = verifier.PGIVerifier(); err != nil {
log.Print(err)
}

mv.V[verifier.PublicGoodIssuer] = v

if v, err = verifier.GHVerifier(""); err != nil {
log.Print(err)
}
mv.V[verifier.GitHubIssuer] = v

if ref, err = name.ParseReference(*img); err != nil {
log.Print(err)
}
if b, h, err = fetcher.BundleFromName(ref, remoteOpts); err != nil {
log.Print(err)
}
if res, err = mv.Verify(b, h); err != nil {
log.Print(err)
}
for _, r := range res {
log.Printf("%+v\n", r)
}
}
2 changes: 0 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -186,8 +186,6 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69
github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
Expand Down
8 changes: 4 additions & 4 deletions pkg/authn/provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ package authn

import (
"context"
"fmt"
"log"

"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/authn/k8schain"
Expand All @@ -22,7 +22,7 @@ type KeyChainProvider struct {
// references are provided, the default keychain is will be used for further
// requests to get a key chain.
func NewKeyChainProvider(ns string, ips []string) *KeyChainProvider {
fmt.Printf("configure authn with image pull secrets %+v for namespace %s\n",
log.Printf("configure authn with image pull secrets %+v for namespace %s",
ips, ns)

return &KeyChainProvider{
Expand All @@ -45,7 +45,7 @@ func (k *KeyChainProvider) KeyChain(ctx context.Context) (authn.Keychain, error)
ImagePullSecrets: k.imagePullSecrets,
})
if err != nil {
fmt.Printf("can't add kubernetes key chain: %s\n", err)
log.Printf("WARN: can't add kubernetes key chain: %s", err)
} else {
kcs = append(kcs, kc)
}
Expand All @@ -55,7 +55,7 @@ func (k *KeyChainProvider) KeyChain(ctx context.Context) (authn.Keychain, error)
Namespace: k.namespace,
})
if err != nil {
fmt.Printf("can't add k8schain key chain: %s\n", err)
log.Printf("WARN: can't add k8schain key chain: %s", err)
} else {
kcs = append(kcs, kc)
}
Expand Down
Loading
Loading