openshift
diff --git a/‎go.mod‎
Lines changed: 2 additions & 2 deletions b/‎go.mod‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 4 additions & 4 deletions b/‎go.sum‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎pkg/certs/utils.go‎
Lines changed: 2 additions & 56 deletions b/‎pkg/certs/utils.go‎
Lines changed: 2 additions & 56 deletions
diff --git a/‎pkg/cmd/update-tls-artifacts/ensure-no-violation-regression/ensure_no_violation_regression.go‎
Lines changed: 53 additions & 0 deletions b/‎pkg/cmd/update-tls-artifacts/ensure-no-violation-regression/ensure_no_violation_regression.go‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎pkg/cmd/update-tls-artifacts/generate-owners/generate_owners_flags.go‎
Lines changed: 13 additions & 23 deletions b/‎pkg/cmd/update-tls-artifacts/generate-owners/generate_owners_flags.go‎
Lines changed: 13 additions & 23 deletions
@@ -24,11 +24,11 @@ require (
 	github.com/onsi/ginkgo/v2 v2.9.2
 	github.com/onsi/gomega v1.27.6
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/openshift/api v0.0.0-20231101131954-24085c95a7a2
+	github.com/openshift/api v0.0.0-20231129134630-a782d1c1541c
 	github.com/openshift/apiserver-library-go v0.0.0-20230915134751-5c71e94d6f05
 	github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d
 	github.com/openshift/client-go v0.0.0-20230926161409-848405da69e1
-	github.com/openshift/library-go v0.0.0-20231115163822-d5b04e8d5cab
+	github.com/openshift/library-go v0.0.0-20231130204458-653f82d961a1
 	github.com/pborman/uuid v1.2.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.16.0
 
@@ -655,8 +655,8 @@ github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78 h1:R
 github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU=
 github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/openshift/api v0.0.0-20231101131954-24085c95a7a2 h1:zGTMgBHP7e5Jm91zM0xfGArBOPR3zVv+m8sE7BWGAnY=
-github.com/openshift/api v0.0.0-20231101131954-24085c95a7a2/go.mod h1:qNtV0315F+f8ld52TLtPvrfivZpdimOzTi3kn9IVbtU=
+github.com/openshift/api v0.0.0-20231129134630-a782d1c1541c h1:XvPqb9JIZI40qKpdIDLUyoNXvgr4Ob3XHQeQacQN3jg=
+github.com/openshift/api v0.0.0-20231129134630-a782d1c1541c/go.mod h1:qNtV0315F+f8ld52TLtPvrfivZpdimOzTi3kn9IVbtU=
 github.com/openshift/apiserver-library-go v0.0.0-20230915134751-5c71e94d6f05 h1:FuFc6HV3MuhxAGcslIkLOXhOjvBjioloKbSD3cWMzeo=
 github.com/openshift/apiserver-library-go v0.0.0-20230915134751-5c71e94d6f05/go.mod h1:x2CP20tBy7PnNCy0N6LxwnNHwsiPBlmAqG4xemgemZ8=
 github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d h1:RR4ah7FfaPR1WePizm0jlrsbmPu91xQZnAsVVreQV1k=
@@ -711,8 +711,8 @@ github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0
 github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0-20230926120034-e3ba6d9fbe72/go.mod h1:oLJ4FetmCVvyDXVnFb66XAdf9DXcnR4v3EE6ENVzDQI=
 github.com/openshift/kubernetes/staging/src/k8s.io/sample-apiserver v0.0.0-20230926120034-e3ba6d9fbe72 h1:W8NL1MiHFYzofXMtXE7ma2zH/wAzlj87crc9l/J8QzU=
 github.com/openshift/kubernetes/staging/src/k8s.io/sample-apiserver v0.0.0-20230926120034-e3ba6d9fbe72/go.mod h1:WYbrwAJFfUVjC8ddXYCLss7gvvlmZULpvn9aVcaZZME=
-github.com/openshift/library-go v0.0.0-20231115163822-d5b04e8d5cab h1:xiHWBSTcsnpjRR/vPvvfklxuVwPrkm4d8eCo9o5nSP0=
-github.com/openshift/library-go v0.0.0-20231115163822-d5b04e8d5cab/go.mod h1:8UzmrBMCn7+GzouL8DVYkL9COBQTB1Ggd13/mHJQCUg=
+github.com/openshift/library-go v0.0.0-20231130204458-653f82d961a1 h1:Sj0Oyn6aooVg7eHQ0zBbq6e7ERxXTadFHH5TEfmiuso=
+github.com/openshift/library-go v0.0.0-20231130204458-653f82d961a1/go.mod h1:0q1UIvboZXfSlUaK+08wsXYw4N6OUo2b/z3a1EWNGyw=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20230811135323-13a5964cc98e h1:WgaylNSIB4uff7ieewaqIiEG3mP6jSMER8LCkoOEkys=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20230811135323-13a5964cc98e/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 
@@ -2,66 +2,12 @@ package certs
 
 import (
 	"encoding/json"
-	"fmt"
-	"os"
-	"path/filepath"
-	"reflect"
 	"sort"
 
 	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
-func GetPKIInfoFromRawData(rawTLSInfoDir string) (*certgraphapi.PKIRegistryInfo, error) {
-	certs := SecretInfoByNamespaceName{}
-	caBundles := ConfigMapInfoByNamespaceName{}
-
-	err := filepath.WalkDir(rawTLSInfoDir, func(path string, d os.DirEntry, err error) error {
-		if err != nil {
-			return err
-		}
-		if d.IsDir() {
-			return nil
-		}
-
-		filename := filepath.Join(rawTLSInfoDir, d.Name())
-		currBytes, err := os.ReadFile(filename)
-		if err != nil {
-			return err
-		}
-		currPKI := &certgraphapi.PKIList{}
-		err = json.Unmarshal(currBytes, currPKI)
-		if err != nil {
-			return err
-		}
-
-		for i := range currPKI.InClusterResourceData.CertKeyPairs {
-			currCert := currPKI.InClusterResourceData.CertKeyPairs[i]
-			existing, ok := certs[currCert.SecretLocation]
-			if ok && !reflect.DeepEqual(existing, currCert.CertKeyInfo) {
-				return fmt.Errorf("mismatch of certificate info")
-			}
-
-			certs[currCert.SecretLocation] = currCert.CertKeyInfo
-		}
-		for i := range currPKI.InClusterResourceData.CertificateAuthorityBundles {
-			currCert := currPKI.InClusterResourceData.CertificateAuthorityBundles[i]
-			existing, ok := caBundles[currCert.ConfigMapLocation]
-			if ok && !reflect.DeepEqual(existing, currCert.CABundleInfo) {
-				return fmt.Errorf("mismatch of certificate info")
-			}
-
-			caBundles[currCert.ConfigMapLocation] = currCert.CABundleInfo
-		}
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	return certsToRegistryInfo(certs, caBundles), nil
-}
-
 func GetPKIInfoFromEmbeddedOwnership(ownershipFile []byte) (*certgraphapi.PKIRegistryInfo, error) {
 	certs := SecretInfoByNamespaceName{}
 	caBundles := ConfigMapInfoByNamespaceName{}
@@ -78,10 +24,10 @@ func GetPKIInfoFromEmbeddedOwnership(ownershipFile []byte) (*certgraphapi.PKIReg
 	for _, currCABundle := range currPKI.CertificateAuthorityBundles {
 		caBundles[currCABundle.ConfigMapLocation] = currCABundle.CABundleInfo
 	}
-	return certsToRegistryInfo(certs, caBundles), nil
+	return CertsToRegistryInfo(certs, caBundles), nil
 }
 
-func certsToRegistryInfo(certs SecretInfoByNamespaceName, caBundles ConfigMapInfoByNamespaceName) *certgraphapi.PKIRegistryInfo {
+func CertsToRegistryInfo(certs SecretInfoByNamespaceName, caBundles ConfigMapInfoByNamespaceName) *certgraphapi.PKIRegistryInfo {
 	result := &certgraphapi.PKIRegistryInfo{}
 
 	certKeys := sets.KeySet[certgraphapi.InClusterSecretLocation, certgraphapi.PKIRegistryCertKeyPairInfo](certs).UnsortedList()
 
@@ -0,0 +1,53 @@
+package ensure_no_violation_regression
+
+import (
+	"embed"
+	"fmt"
+
+	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatadefaults"
+
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+
+	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
+
+	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
+
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+)
+
+type EnsureNoViolationRegressionOptions struct {
+	ViolationsFS embed.FS
+	Requirements []tlsmetadatainterfaces.Requirement
+
+	genericclioptions.IOStreams
+}
+
+func NewEnsureNoViolationRegressionOptions(allViolations embed.FS, streams genericclioptions.IOStreams) *EnsureNoViolationRegressionOptions {
+	return &EnsureNoViolationRegressionOptions{
+		ViolationsFS: allViolations,
+		Requirements: tlsmetadatadefaults.GetDefaultTLSRequirements(),
+		IOStreams:    streams,
+	}
+}
+
+func (o *EnsureNoViolationRegressionOptions) HaveViolationsRegressed(rawData []*certgraphapi.PKIList) ([]string, bool, error) {
+	regressions := []string{}
+	overallNoRegressions := false
+	errs := []error{}
+	for _, requirement := range o.Requirements {
+		result, err := requirement.InspectRequirement(rawData)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("failure inspecting for %v: %w", requirement.GetName(), err))
+			continue
+		}
+
+		descriptions, ok, err := result.HaveViolationsRegressed(o.ViolationsFS)
+		regressions = append(regressions, descriptions...)
+		if err != nil {
+			errs = append(errs, err)
+		}
+		overallNoRegressions = overallNoRegressions || ok
+	}
+
+	return regressions, overallNoRegressions, utilerrors.NewAggregate(errs)
+}
@@ -3,6 +3,8 @@ package generate_owners
 import (
 	"fmt"
 
+	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatadefaults"
+
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
@@ -11,10 +13,8 @@ import (
 // GenerateOwnersFlags gets bound to cobra commands and arguments.  It is used to validate input and then produce
 // the Options struct.  Options struct is intended to be embeddable and re-useable without cobra.
 type GenerateOwnersFlags struct {
-	RawTLSInfoDir       string
-	TLSOwnershipInfoDir string
-	ViolationDir        string
-	Verify              bool
+	TLSInfoDir string
+	Verify     bool
 
 	genericclioptions.IOStreams
 }
@@ -48,39 +48,29 @@ func NewGenerateOwnershipCommand(streams genericclioptions.IOStreams) *cobra.Com
 
 func NewGenerateOwnersFlags(streams genericclioptions.IOStreams) *GenerateOwnersFlags {
 	return &GenerateOwnersFlags{
-		RawTLSInfoDir:       "tls/raw-data",
-		TLSOwnershipInfoDir: "tls/ownership",
-		ViolationDir:        "tls/violations/ownership",
-		IOStreams:           streams,
+		TLSInfoDir: "tls",
+		IOStreams:  streams,
 	}
 }
 
 func (f *GenerateOwnersFlags) BindFlags(flags *pflag.FlagSet) {
-	flags.StringVar(&f.RawTLSInfoDir, "raw-tls-dir", f.RawTLSInfoDir, "The directory where the raw TLS info is located.")
-	flags.StringVar(&f.TLSOwnershipInfoDir, "ownership-dir", f.TLSOwnershipInfoDir, "The directory where the  TLS ownership info is should be written.")
-	flags.StringVar(&f.ViolationDir, "violation-dir", f.ViolationDir, "The directory where the  TLS ownership info is should be written.")
+	flags.StringVar(&f.TLSInfoDir, "ownership-dir", f.TLSInfoDir, "The directory where the  TLS ownership info is should be written.")
 	flags.BoolVar(&f.Verify, "verify", f.Verify, "Verify content, don't mutate.")
 }
 
 func (f *GenerateOwnersFlags) Validate() error {
-	if len(f.RawTLSInfoDir) == 0 {
-		return fmt.Errorf("--raw-tls-dir must be specified")
-	}
-	if len(f.TLSOwnershipInfoDir) == 0 {
+	if len(f.TLSInfoDir) == 0 {
 		return fmt.Errorf("--ownership-dir must be specified")
 	}
-	if len(f.ViolationDir) == 0 {
-		return fmt.Errorf("--violation-dir must be specified")
-	}
 	return nil
 }
 
 func (f *GenerateOwnersFlags) ToOptions() (*GenerateOwnersOptions, error) {
 	return &GenerateOwnersOptions{
-		RawTLSInfoDir:       f.RawTLSInfoDir,
-		TLSOwnershipInfoDir: f.TLSOwnershipInfoDir,
-		ViolationDir:        f.ViolationDir,
-		Verify:              f.Verify,
-		IOStreams:           f.IOStreams,
+		TLSInfoDir:   f.TLSInfoDir,
+		Verify:       f.Verify,
+		Requirements: tlsmetadatadefaults.GetDefaultTLSRequirements(),
+
+		IOStreams: f.IOStreams,
 	}, nil
 }