Remove VerifyImage from runtime interface (#767)

dmjb · web-flow · commit f85ad0735dea · 2025-06-18T17:18:10.000+01:00
Both implementations of the runtime interface do the same thing - namely creating an instance of another type, and passing the arguments directly to it. Furthermore, it is only used in one place.

Remove the method, and alter the sole caller to create the verifier type directly.
diff --git a/cmd/thv/app/run.go b/cmd/thv/app/run.go
@@ -297,7 +297,7 @@ func runCmdFunc(cmd *cobra.Command, args []string) error {
 	}
 
 	// Verify the image against the expected provenance info (if applicable)
-	if err := verifyImage(ctx, runConfig.Image, rt, server, runVerifyImage); err != nil {
+	if err := verifyImage(runConfig.Image, server, runVerifyImage); err != nil {
 		return err
 	}
 
@@ -369,19 +369,26 @@ func pullImage(ctx context.Context, image string, rt runtime.Runtime) error {
 }
 
 // verifyImage verifies the image using the specified verification setting (warn, enabled, or disabled)
-func verifyImage(ctx context.Context, image string, rt runtime.Runtime, server *registry.Server, verifySetting string) error {
+func verifyImage(image string, server *registry.Server, verifySetting string) error {
 	switch verifySetting {
 	case verifyImageDisabled:
 		logger.Warn("Image verification is disabled")
 	case verifyImageWarn, verifyImageEnabled:
-		isSafe, err := rt.VerifyImage(ctx, server, image)
+		// Create a new verifier
+		v, err := verifier.New(server)
 		if err != nil {
 			// This happens if we have no provenance entry in the registry for this server.
 			// Not finding provenance info in the registry is not a fatal error if the setting is "warn".
 			if errors.Is(err, verifier.ErrProvenanceServerInformationNotSet) && verifySetting == verifyImageWarn {
 				logger.Warnf("⚠️  MCP server %s has no provenance information set, skipping image verification", image)
 				return nil
 			}
+			return err
+		}
+
+		// Verify the image passing the server info
+		isSafe, err := v.VerifyServer(image, server)
+		if err != nil {
 			return fmt.Errorf("❌ image verification failed: %v", err)
 		}
 		if !isSafe {
diff --git a/pkg/container/docker/client.go b/pkg/container/docker/client.go
@@ -26,11 +26,9 @@ import (
 	"github.com/docker/go-connections/nat"
 
 	"github.com/stacklok/toolhive/pkg/container/runtime"
-	"github.com/stacklok/toolhive/pkg/container/verifier"
 	lb "github.com/stacklok/toolhive/pkg/labels"
 	"github.com/stacklok/toolhive/pkg/logger"
 	"github.com/stacklok/toolhive/pkg/permissions"
-	"github.com/stacklok/toolhive/pkg/registry"
 )
 
 // Common socket paths
@@ -943,18 +941,6 @@ func (c *Client) PullImage(ctx context.Context, imageName string) error {
 	return nil
 }
 
-// VerifyImage verifies a container image
-func (*Client) VerifyImage(_ context.Context, serverInfo *registry.Server, imageRef string) (bool, error) {
-	// Create a new verifier
-	v, err := verifier.New(serverInfo)
-	if err != nil {
-		return false, err
-	}
-
-	// Verify the image passing the server info
-	return v.VerifyServer(imageRef, serverInfo)
-}
-
 // BuildImage builds a Docker image from a Dockerfile in the specified context directory
 func (c *Client) BuildImage(ctx context.Context, contextDir, imageName string) error {
 	logger.Infof("Building image %s from context directory %s", imageName, contextDir)
diff --git a/pkg/container/kubernetes/client.go b/pkg/container/kubernetes/client.go
@@ -29,10 +29,8 @@ import (
 	"k8s.io/client-go/tools/watch"
 
 	"github.com/stacklok/toolhive/pkg/container/runtime"
-	"github.com/stacklok/toolhive/pkg/container/verifier"
 	"github.com/stacklok/toolhive/pkg/logger"
 	"github.com/stacklok/toolhive/pkg/permissions"
-	"github.com/stacklok/toolhive/pkg/registry"
 	transtypes "github.com/stacklok/toolhive/pkg/transport/types"
 )
 
@@ -525,18 +523,6 @@ func (*Client) PullImage(_ context.Context, imageName string) error {
 	return nil
 }
 
-// VerifyImage verifies a container image
-func (*Client) VerifyImage(_ context.Context, serverInfo *registry.Server, imageRef string) (bool, error) {
-	// Create a new verifier
-	v, err := verifier.New(serverInfo)
-	if err != nil {
-		return false, err
-	}
-
-	// Verify the image passing the server info
-	return v.VerifyServer(imageRef, serverInfo)
-}
-
 // BuildImage implements runtime.Runtime.
 func (*Client) BuildImage(_ context.Context, _, _ string) error {
 	// In Kubernetes, we don't build images directly within the cluster.
diff --git a/pkg/container/runtime/types.go b/pkg/container/runtime/types.go
@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"github.com/stacklok/toolhive/pkg/permissions"
-	"github.com/stacklok/toolhive/pkg/registry"
 )
 
 // ContainerInfo represents information about a container
@@ -127,9 +126,6 @@ type Runtime interface {
 	// PullImage pulls an image from a registry
 	PullImage(ctx context.Context, image string) error
 
-	// VerifyImage verifies a container image
-	VerifyImage(ctx context.Context, server *registry.Server, image string) (bool, error)
-
 	// BuildImage builds a Docker image from a Dockerfile in the specified context directory
 	BuildImage(ctx context.Context, contextDir, imageName string) error
 }

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,6 @@ import (`
`8`	`8`	`"time"`
`9`	`9`
`10`	`10`	`"github.com/stacklok/toolhive/pkg/permissions"`
`11`		`- "github.com/stacklok/toolhive/pkg/registry"`
`12`	`11`	`)`
`13`	`12`
`14`	`13`	`// ContainerInfo represents information about a container`
`@@ -127,9 +126,6 @@ type Runtime interface {`
`127`	`126`	`// PullImage pulls an image from a registry`
`128`	`127`	`PullImage(ctx context.Context, image string) error`
`129`	`128`
`130`		`- // VerifyImage verifies a container image`
`131`		`- VerifyImage(ctx context.Context, server *registry.Server, image string) (bool, error)`
`132`		`-`
`133`	`129`	`// BuildImage builds a Docker image from a Dockerfile in the specified context directory`
`134`	`130`	`BuildImage(ctx context.Context, contextDir, imageName string) error`
`135`	`131`	`}`