feat: added oci registry pull and cosign verify mechanism

Author: mahendraintelops

cmd/artifacts/cosign/verifier.go

@@ -0,0 +1,25 @@
+package cosign
+
+import (
+	"context"
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"os/exec"
+)
+
+func VerifyImage(ctx context.Context) error {
+	artifactURL := ctx.Value("artifactURL").(string)
+	//publicKeyPath := ctx.Value("publicKeyPath").(string)
+	publicKeyPath := "/Users/mahendrabagul/DevEnv/intelops/cosign-keys/cosign.pub"
+	// Construct the command to verify the image
+	cmd := exec.Command("cosign", "verify", "--key", publicKeyPath, artifactURL)
+
+	// Capture the output and error if any
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("verification failed: %w\nOutput: %s", err, output)
+	}
+
+	log.Infof("Verification succeeded:\n%s", output)
+	return nil
+}

cmd/git-checker/git-commands.go renamed to cmd/artifacts/git/commit.go

@@ -1,4 +1,4 @@
-package git_checker
+package git
 
 import (
 	"errors"
@@ -7,24 +7,39 @@ import (
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/storage/memory"
 	log "github.com/sirupsen/logrus"
+	"os"
 )
 
-func CheckIfSHACommitSimilar(repoPath, repoURL, branchName string) (bool, error) {
+func GetRepositoryURLByLanguage(language, version string) (string, string, error) {
+	userHomeDir, err := os.UserHomeDir()
+	if err != nil {
+		return "", "", err
+	}
+	repositoryPath := userHomeDir + "/.compage/templates/compage-template-" + language + "/" + version
+	repositoryURL := "https://github.com/intelops/compage-template-" + language + ".git"
+	if language == "common" {
+		repositoryPath = userHomeDir + "/.compage/templates/common-templates/" + version
+		return "https://github.com/intelops/common-templates.git", repositoryPath, nil
+	}
+	return repositoryURL, repositoryPath, nil
+}
+
+func CheckIfSHACommitSimilar(repositoryURL, repositoryPath, version string) (bool, error) {
 	// Get local commit SHA
-	localSHA, err := GetLocalGitCommitSHA(repoPath)
+	localSHA, err := GetLocalGitCommitSHA(repositoryPath)
 	if err != nil {
 		log.Error("Error fetching local Git commit SHA:", err)
 		return false, err
 	}
 
 	// Get remote commit SHA
-	remoteSHA, err := GetRemoteGitCommitSHA(repoURL, branchName)
+	remoteSHA, err := GetRemoteGitCommitSHA(repositoryURL, version)
 	if err != nil {
 		log.Errorf("Error fetching remote Git commit SHA: %s", err)
 		return false, err
 	}
 
-	isDirty, err := IsRepoDirty(repoPath)
+	isDirty, err := IsRepositoryDirty(repositoryPath)
 	if err != nil {
 		log.Errorf("Error checking if repository is dirty: %s", err)
 		return false, err
@@ -37,10 +52,9 @@ func CheckIfSHACommitSimilar(repoPath, repoURL, branchName string) (bool, error)
 	return localSHA == remoteSHA, nil
 }
 
-func GetLocalGitCommitSHA(repoPath string) (string, error) {
-	log.Debugf("repoPath: %s", repoPath)
+func GetLocalGitCommitSHA(repositoryPath string) (string, error) {
 	// Open the given repository
-	r, err := git.PlainOpen(repoPath)
+	r, err := git.PlainOpen(repositoryPath)
 	if err != nil {
 		log.Errorf("Error opening repository: %s", err)
 		return "", err
@@ -59,11 +73,11 @@ func GetLocalGitCommitSHA(repoPath string) (string, error) {
 	return commitSHA, nil
 }
 
-func GetRemoteGitCommitSHA(repoURL, branchName string) (string, error) {
+func GetRemoteGitCommitSHA(repositoryURL, version string) (string, error) {
 	// List remote references
 	references, err := git.NewRemote(memory.NewStorage(), &config.RemoteConfig{
 		Name: "origin",
-		URLs: []string{repoURL},
+		URLs: []string{repositoryURL},
 	}).List(&git.ListOptions{})
 	if err != nil {
 		log.Errorf("Error listing remote references: %s", err)
@@ -72,24 +86,24 @@ func GetRemoteGitCommitSHA(repoURL, branchName string) (string, error) {
 
 	// Look for the branch reference
 	for _, ref := range references {
-		if ref.Name().String() == "refs/heads/"+branchName {
+		if ref.Name().String() == "refs/tags/"+version {
 			return ref.Hash().String(), nil
 		}
 	}
 
-	return "", fmt.Errorf("branch %s not found", branchName)
+	return "", fmt.Errorf("branch %s not found", version)
 }
 
-func IsRepoDirty(repoPath string) (bool, error) {
+func IsRepositoryDirty(repositoryPath string) (bool, error) {
 	// Open the given repository
-	repo, err := git.PlainOpen(repoPath)
+	repository, err := git.PlainOpen(repositoryPath)
 	if err != nil {
 		log.Errorf("Error opening repository: %s", err)
 		return false, err
 	}
 
 	// Get the working directory for the repository
-	worktree, err := repo.Worktree()
+	worktree, err := repository.Worktree()
 	if err != nil {
 		log.Errorf("Error getting working directory: %s", err)
 		return false, err
@@ -105,3 +119,16 @@ func IsRepoDirty(repoPath string) (bool, error) {
 	// The repository is dirty if there are any changes in the status
 	return !status.IsClean(), nil
 }
+
+func IsCommitSimilar(repositoryURL, repositoryPath, version string) bool {
+	commitSimilar, err := CheckIfSHACommitSimilar(repositoryURL, repositoryPath, version)
+	if err != nil {
+		log.Errorf("error while checking the commit sha [" + err.Error() + "]")
+		return false
+	}
+	if !commitSimilar {
+		log.Errorf("the templates are not matching with the latest commit, please pull the latest templates")
+		return false
+	}
+	return true
+}

cmd/artifacts/oci-registry/pull.go

@@ -0,0 +1,195 @@
+package oci_registry
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	spec "github.com/opencontainers/image-spec/specs-go/v1"
+	log "github.com/sirupsen/logrus"
+	"oras.land/oras-go/v2"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/content/file"
+	"oras.land/oras-go/v2/registry"
+	"oras.land/oras-go/v2/registry/remote"
+	"os"
+	"path/filepath"
+)
+
+func GetOCIArtifactURLAndPathByLanguage(language, version string) (string, string, error) {
+	userHomeDir, err := os.UserHomeDir()
+	if err != nil {
+		return "", "", err
+	}
+	artifactPath := userHomeDir + "/.compage/templates/compage-template-" + language + "/" + version
+	artifactURL := "ghcr.io/intelops/compage-template-" + language + ":" + version
+	if language == "common" {
+		artifactPath = userHomeDir + "/.compage/templates/common-templates/" + version
+		return "ghcr.io/intelops/common-templates:" + version, artifactPath, nil
+	}
+	return artifactURL, artifactPath, nil
+}
+
+// Pull pulls an OCI image from a registry.
+func Pull(requestCtx context.Context, disableTLS bool) (template *string, err error) {
+	ociName := requestCtx.Value("artifactURL").(string)
+	ref, err := registry.ParseReference(ociName)
+	if err != nil {
+		log.Errorf("parse reference: %v", err)
+		return nil, fmt.Errorf("parse reference: %w", err)
+	}
+
+	if ref.Reference == ociLatestTag || ref.Reference == "" {
+		ref.Reference, err = getLatestTagSortedBySemver(ref.Registry+"/"+ref.Repository, disableTLS)
+		if err != nil {
+			return nil, fmt.Errorf("get latest tag sorted by semver: %w", err)
+		}
+	}
+
+	// Connect to a remote repository
+	ctx := context.Background()
+
+	repository, err := remote.NewRepository(ociName)
+	if err != nil {
+		log.Errorf("new repository: %v", err)
+		return nil, fmt.Errorf("new repository: %w", err)
+	}
+
+	if disableTLS {
+		log.Debugln("TLS connection is disabled")
+		repository.PlainHTTP = true
+	}
+
+	// Get credentials from the docker credential store
+	if err = getCredentialsFromDockerStore(repository); err != nil {
+		log.Errorf("credstore from docker: %v", err)
+		return nil, fmt.Errorf("credstore from docker: %w", err)
+	}
+
+	// Get remote manifest digest
+	remoteManifestSpec, remoteManifestReader, err := oras.Fetch(ctx, repository, ref.String(), oras.DefaultFetchOptions)
+	if err != nil {
+		log.Errorf("fetch: %v", err)
+		return nil, fmt.Errorf("fetch: %w", err)
+	}
+
+	remoteManifestData, err := content.ReadAll(remoteManifestReader, remoteManifestSpec)
+	if err != nil {
+		log.Errorf("fetch remote content: %v", err)
+		return nil, fmt.Errorf("fetch remote content: %w", err)
+	}
+
+	// Create the template root directory
+	templateRootDir := requestCtx.Value("artifactPath").(string)
+
+	fs, err := file.New(templateRootDir)
+	if err != nil {
+		log.Errorf("create file store: %v", err)
+		return nil, fmt.Errorf("create file store: %w", err)
+	}
+	defer func(fs *file.Store) {
+		_ = fs.Close()
+	}(fs)
+
+	// Copy from the remote repository to the file store
+	// Fetch the remote manifest
+	remoteTemplate, err := getCompageTemplateFromManifestLayers(remoteManifestData, templateRootDir)
+
+	template = remoteTemplate
+
+	manifestDescriptor, err := oras.Copy(ctx, repository, ref.Reference, fs, ref.Reference, oras.DefaultCopyOptions)
+	if err != nil {
+		log.Errorf("copy: %v", err)
+		return nil, fmt.Errorf("copy: %w", err)
+	}
+
+	manifestData, err := content.FetchAll(ctx, fs, manifestDescriptor)
+	if err != nil {
+		log.Errorf("fetch manifest: %v", err)
+		return nil, fmt.Errorf("fetch manifest: %w", err)
+	}
+
+	if doTemplateFilesExistLocally(templateRootDir, remoteTemplate) {
+		log.Debugf("Template %q already available in: %s\n", ociName, templateRootDir)
+	} else {
+		log.Infof("Pulling compage template %q\n", ociName)
+		template, err = getCompageTemplateFromManifestLayers(manifestData, templateRootDir)
+		if err != nil {
+			return nil, fmt.Errorf("get media types from layers: %w", err)
+		}
+	}
+	log.Debugf("template successfully pulled in %s", templateRootDir)
+
+	return template, nil
+}
+
+// getCompageTemplateFromManifestLayers returns the list of templates from an OCI manifest
+func getCompageTemplateFromManifestLayers(manifestData []byte, templateRootDir string) (
+	*string, error) {
+	specification := spec.Manifest{}
+	err := json.Unmarshal(manifestData, &specification)
+	if err != nil {
+		log.Errorf("unmarshal manifest: %v", err)
+		return nil, fmt.Errorf("unmarshal manifest: %w", err)
+	}
+
+	for _, layer := range specification.Layers {
+		switch layer.MediaType {
+		case commonTemplatesMediaType:
+			fallthrough
+		case compageTemplateGoMediaType:
+			if title, ok := layer.Annotations["org.opencontainers.image.title"]; ok && title != "" {
+				template := filepath.Join(templateRootDir, title)
+				return &template, nil
+			}
+		default:
+			log.Warningf("unknown media type: %q\n", layer.MediaType)
+		}
+	}
+
+	return nil, nil
+}
+
+/*
+doTemplateFilesExistLocally returns true if the template folder/directory is already available locally.
+One more check is to see if the template has been tampered locally.
+*/
+func doTemplateFilesExistLocally(templateRootDir string, template *string) bool {
+	var errs []error
+	templateRootDirFileInfo, err := os.Stat(templateRootDir)
+	// If store path exist and is a directory then we do nothing
+	if err == nil {
+		if !templateRootDirFileInfo.IsDir() {
+			errs = append(errs, fmt.Errorf("template root dir %s already exist and is not a directory", templateRootDir))
+		}
+	} else {
+		if !errors.Is(err, os.ErrNotExist) {
+			errs = append(errs, fmt.Errorf("getting information about %s: %w", templateRootDir, err))
+		}
+	}
+
+	isFileExist := func(file *string) {
+		_, err = os.Stat(*file)
+		if err == nil {
+			return
+		}
+		if errors.Is(err, os.ErrNotExist) {
+			errs = append(errs, fmt.Errorf("%s does not exist locally", *file))
+		} else {
+			errs = append(errs, fmt.Errorf("something went wrong while checking if %s exist: %w", *file, err))
+		}
+	}
+
+	isFileExist(template)
+
+	if len(errs) > 0 {
+		for i := range errs {
+			log.Debugln(errs[i])
+		}
+		return false
+	}
+
+	// check if the template has been tampered locally
+	//todo: implement this
+	return true
+}