Merge pull request #158 from lcarva/consolidate-login

Use consistent mechanism for registry login

Author: lcarva

rhtap/buildah-rhtap.sh

@@ -5,9 +5,8 @@ SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
 # buildah-rhtap
 source $SCRIPTDIR/common.sh
 
-function build() {
-    echo "Running $TASK_NAME:build"
-    echo "Running Login"
+function login() {
+    echo "Running $TASK_NAME:login"
     IMAGE_REGISTRY="${IMAGE%%/*}"
     prepare-registry-user-pass $IMAGE_REGISTRY
     buildah login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $IMAGE_REGISTRY
@@ -16,6 +15,10 @@ function build() {
         echo "Failed buildah login $IMAGE_REGISTRY for user $IMAGE_REGISTRY_USER "
         exit $ERR
     fi
+}
+
+function build() {
+    echo "Running $TASK_NAME:build"
 
     # Check if the Dockerfile exists
     SOURCE_CODE_DIR=.
@@ -69,18 +72,15 @@ function generate-sboms() {
 
 function upload-sbom() {
     echo "Running $TASK_NAME:upload-sbom"
-    cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $IMAGE_REGISTRY
-    ERR=$?
-    if [ $ERR != 0 ]; then
-        echo "Failed cosign login $IMAGE_REGISTRY for user $IMAGE_REGISTRY_USER"
-        exit $ERR
-    fi
     cosign attach sbom --sbom $TEMP_DIR/files/sbom-cyclonedx.json --type cyclonedx "$IMAGE"
 }
 function delim() {
     printf '=%.0s' {1..8}
 }
 # Task Steps
+delim
+login
+delim
 build
 delim
 generate-sboms

rhtap/common.sh

@@ -49,6 +49,22 @@ prepare-registry-user-pass() {
     fi
 }
 
+# Performs an image registry login. It takes a single parameter which could be either an image
+# registry, e.g. quay.io, or a full image reference, e.g. quay.io/spam/bacon:crispy.
+function registry-login() {
+    local image_ref="$1"
+    local image_registry="${image_ref/\/*/}"
+    prepare-registry-user-pass "${image_registry}"
+    # There are different tools that we can use to login to a registry. Here we choose to use cosign
+    # because it's commonly used across the different tasks.
+    cosign login --username="${IMAGE_REGISTRY_USER}" --password="${IMAGE_REGISTRY_PASSWORD}" "${image_registry}"
+    ERR=$?
+    if [ $ERR != 0 ]; then
+        echo "Failed registry login ${image_registry} for user ${IMAGE_REGISTRY_USER}"
+        exit $ERR
+    fi
+}
+
 DIR=$(pwd)
 export TASK_NAME=$(basename $0 .sh)
 export BASE_RESULTS=$DIR/results

rhtap/cosign-sign-attest.sh

@@ -16,24 +16,6 @@ function full-image-ref() {
     echo "$url@$digest"
 }
 
-# For example quay.io
-function image-registry() {
-    local url=$(cat $BASE_RESULTS/buildah-rhtap/IMAGE_URL)
-    echo "${url/\/*/}"
-}
-
-# Cosign can use the same credentials as buildah
-function cosign-login() {
-    local image_registry="$(image-registry)"
-    prepare-registry-user-pass $image_registry
-    cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" "$image_registry"
-    ERR=$?
-    if [ $ERR != 0 ]; then
-        echo "Failed cosign login $image_registry for user $IMAGE_REGISTRY_USER"
-        exit $ERR
-    fi
-}
-
 # A wrapper for running cosign used for both sign and attest.
 # Handles the password, the key, the rekor options, etc.
 function cosign-cmd() {
@@ -75,12 +57,18 @@ function create-att-predicate() {
     source "$SCRIPTDIR/att-predicate-$CI_TYPE.sh"
 }
 
+# Login to registry using cosign.
+function login() {
+    echo "Running $TASK_NAME:login"
+    local url=$(cat $BASE_RESULTS/buildah-rhtap/IMAGE_URL)
+    registry-login "${url}"
+}
+
 # Sign the image using cosign.
 # Signing secret key and password should be base64 encoded in environment
 # vars COSIGN_SECRET_PASSWORD and COSIGN_SECRET_KEY.
 function sign() {
     echo "Running $TASK_NAME:sign"
-    cosign-login
     cosign-cmd sign
 }
 
@@ -108,6 +96,7 @@ function show-public-key() {
 }
 
 # Task Steps
+login
 sign
 attest
 show-rekor-url

rhtap/download-sbom-from-url-in-attestation.sh

@@ -121,11 +121,8 @@ fi
 jq -r '.components[].containerImage' <<< "$IMAGES" | while read -r image; do
     echo "Getting attestation for $image"
 
-    image_registry="${image/\/*/}"
     # If the repo is not publicly accessible we need to authenticate so ec can access it
-    prepare-registry-user-pass $image_registry
-    echo "cosign login to registry $image_registry"
-    cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry
+    registry-login "${image}"
 
     mkdir -p "$WORKDIR/$image"
     cosign_verify_multiple_attestation_types \

rhtap/show-sbom-rhdh.sh

@@ -4,6 +4,12 @@ SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
 # show-sbom-rhdh
 source $SCRIPTDIR/common.sh
 
+function login() {
+    echo "Running $TASK_NAME:show-sbom"
+    # If the repo is not publicly accessible we need to authenticate so ec can access it
+    registry-login "${IMAGE_URL}"
+}
+
 function show-sbom() {
     echo "Running $TASK_NAME:show-sbom"
     #!/bin/bash
@@ -14,11 +20,7 @@ function show-sbom() {
         echo -n "."
         status=0
         echo
-        image_registry="${IMAGE_URL/\/*/}"
-        # If the repo is not publicly accessible we need to authenticate so ec can access it
-        prepare-registry-user-pass $image_registry
-        echo "cosign login to registry $image_registry"
-        cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry
+
         echo "SBOM_EYECATCHER_BEGIN"
         cosign download sbom $IMAGE_URL 2>> $RESULTS/err
         status=$?
@@ -42,5 +44,6 @@ function show-sbom() {
 }
 
 # Task Steps
+login
 show-sbom
 exit_with_success_result

rhtap/summary.sh

@@ -29,11 +29,8 @@ function showTree() {
 }
 function cosignTree() {
     URL=$1
-    image_registry="${URL/\/*/}"
     # If the repo is not publicly accessible we need to authenticate so ec can access it
-    prepare-registry-user-pass $image_registry
-    echo "cosign login to registry $image_registry"
-    cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry
+    registry-login "${URL}"
     cosign tree $URL
 }
 

rhtap/verify-enterprise-contract.sh

@@ -22,6 +22,16 @@ function initialize-tuf() {
     fi
 }
 
+function login() {
+    echo "Running $TASK_NAME:login"
+
+    IMAGES=$(cat $BASE_RESULTS/gather-deploy-images/IMAGES_TO_VERIFY)
+    # Assume the oci registry is the same for each component
+    local first_image_ref=$(jq -r '.components[0].containerImage' <<< "$IMAGES")
+    # If the repo is not publicly accessible we need to authenticate so ec can access it
+    registry-login "$first_image_ref"
+}
+
 function validate() {
     echo "Running $TASK_NAME:validate"
 
@@ -41,15 +51,6 @@ function validate() {
 
     PUBLIC_KEY=$(base64 -d <<< "$COSIGN_PUBLIC_KEY")
 
-    # Assume the oci registry is the same for each component
-    local first_image_ref=$(jq -r '.components[0].containerImage' <<< "$IMAGES")
-    # Strip off everything after the first / char. It's likely $image_registry will be "quay.io"
-    local image_registry="${first_image_ref/\/*/}"
-    # If the repo is not publicly accessible we need to authenticate so ec can access it
-    prepare-registry-user-pass $image_registry
-    echo "cosign login to registry $image_registry"
-    cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry
-
     ec validate image \
         "--images" \
         "$IMAGES" \
@@ -99,6 +100,7 @@ function assert() {
 # Task Steps
 version
 initialize-tuf
+login
 validate
 report
 report-json