forked from ratify-project/ratify
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add certStoreManager interface to wrap operations on namespaced…
… certStores
- Loading branch information
Showing
9 changed files
with
246 additions
and
15 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
/* | ||
Copyright The Ratify Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package utils | ||
|
||
import ( | ||
"context" | ||
"crypto/x509" | ||
|
||
ctxUtils "github.com/deislabs/ratify/internal/context" | ||
"github.com/deislabs/ratify/pkg/controllers" | ||
) | ||
|
||
// returns the internal certificate map | ||
// TODO: returns certificates from both cluster-wide and given namespace as namespaced verifier could access both. | ||
func GetCertificatesMap(ctx context.Context) map[string][]*x509.Certificate { | ||
return controllers.CertificatesMap.GetCertStores(ctxUtils.GetNamespace(ctx)) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
/* | ||
Copyright The Ratify Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package utils | ||
|
||
import ( | ||
"context" | ||
"crypto/x509" | ||
"testing" | ||
|
||
"github.com/deislabs/ratify/pkg/controllers" | ||
|
||
ctxUtils "github.com/deislabs/ratify/internal/context" | ||
cs "github.com/deislabs/ratify/pkg/customresources/certificatestores" | ||
) | ||
|
||
func TestGetCertificatesMap(t *testing.T) { | ||
controllers.CertificatesMap = cs.NewActiveCertStores() | ||
controllers.CertificatesMap.AddStore("default", "default/certStore", []*x509.Certificate{}) | ||
ctx := ctxUtils.SetContextWithNamespace(context.Background(), "default") | ||
|
||
if certs := GetCertificatesMap(ctx); len(certs) != 1 { | ||
t.Fatalf("Expected 1 certificate store, got %d", len(certs)) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
/* | ||
Copyright The Ratify Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package certificatestores | ||
|
||
import "crypto/x509" | ||
|
||
// CertStoreManager is an interface that defines the methods for managing certificate stores across different scopes. | ||
type CertStoreManager interface { | ||
// GetCertStores returns certificates for the given scope. | ||
GetCertStores(scope string) map[string][]*x509.Certificate | ||
|
||
// AddStore adds the given certificate under the given scope. | ||
AddStore(scope, storeName string, cert []*x509.Certificate) | ||
|
||
// DeleteStore deletes the certificate from the given scope. | ||
DeleteStore(scope, storeName string) | ||
|
||
// IsEmpty returns true if there are no certificates. | ||
IsEmpty() bool | ||
} |
85 changes: 85 additions & 0 deletions
85
pkg/customresources/certificatestores/certificatestores.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
/* | ||
Copyright The Ratify Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package certificatestores | ||
|
||
import ( | ||
"crypto/x509" | ||
|
||
"github.com/deislabs/ratify/internal/constants" | ||
) | ||
|
||
// ActiveCertStores implements the CertStoreManager interface | ||
type ActiveCertStores struct { | ||
// TODO: Implement concurrent safety using sync.Map | ||
// The structure of the map is as follows: | ||
// The first level maps from scope to certificate stores. | ||
// The second level maps from certificate store name to certificates. | ||
// The certificate store name is prefixed with the namespace. | ||
// Example: | ||
// { | ||
// "namespace1": { | ||
// "namespace1/store1": []*x509.Certificate, | ||
// "namespace1/store2": []*x509.Certificate | ||
// }, | ||
// "namespace2": { | ||
// "namespace2/store1": []*x509.Certificate, | ||
// "namespace2/store2": []*x509.Certificate | ||
// } | ||
// } | ||
// Note: Scope is utilized for organizing and isolating cert stores. In a Kubernetes (K8s) environment, the scope can be either a namespace or an empty string ("") for cluster-wide cert stores. | ||
ScopedCertStores map[string]map[string][]*x509.Certificate | ||
} | ||
|
||
func NewActiveCertStores() CertStoreManager { | ||
return &ActiveCertStores{ | ||
ScopedCertStores: make(map[string]map[string][]*x509.Certificate), | ||
} | ||
} | ||
|
||
// GetCertStores fulfills the CertStoreManager interface. | ||
// It returns a list of cert stores for the given scope. If no cert stores are found for the given scope, it returns cluster-wide cert stores. | ||
// TODO: Current implementation always fetches cluster-wide cert stores. Will support actual namespaced certStores in future. | ||
func (c *ActiveCertStores) GetCertStores(_ string) map[string][]*x509.Certificate { | ||
return c.ScopedCertStores[constants.EmptyNamespace] | ||
} | ||
|
||
// AddStore fulfills the CertStoreManager interface. | ||
// It adds the given certificate under the given scope. | ||
// TODO: Current implementation always adds the given certificate to cluster-wide cert store. Will support actual namespaced certStores in future. | ||
func (c *ActiveCertStores) AddStore(_, storeName string, certs []*x509.Certificate) { | ||
scope := constants.EmptyNamespace | ||
if c.ScopedCertStores[scope] == nil { | ||
c.ScopedCertStores[scope] = make(map[string][]*x509.Certificate) | ||
} | ||
c.ScopedCertStores[scope][storeName] = certs | ||
} | ||
|
||
// DeleteStore fulfills the CertStoreManager interface. | ||
// It deletes the certificate from the given scope. | ||
// TODO: Current implementation always deletes the cluster-wide cert store. Will support actual namespaced certStores in future. | ||
func (c *ActiveCertStores) DeleteStore(_, storeName string) { | ||
if store, ok := c.ScopedCertStores[constants.EmptyNamespace]; ok { | ||
delete(store, storeName) | ||
} | ||
} | ||
|
||
// IsEmpty fulfills the CertStoreManager interface. | ||
// It returns true if there are no certificates. | ||
func (c *ActiveCertStores) IsEmpty() bool { | ||
count := 0 | ||
for _, certStores := range c.ScopedCertStores { | ||
count += len(certStores) | ||
} | ||
return count == 0 | ||
} |
55 changes: 55 additions & 0 deletions
55
pkg/customresources/certificatestores/certificatestores_test.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
/* | ||
Copyright The Ratify Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package certificatestores | ||
|
||
import ( | ||
"crypto/x509" | ||
"testing" | ||
) | ||
|
||
const ( | ||
namespace1 = "namespace1" | ||
namespace2 = "namespace2" | ||
name1 = "name1" | ||
name2 = "name2" | ||
) | ||
|
||
func TestCertStoresOperations(t *testing.T) { | ||
activeCertStores := NewActiveCertStores() | ||
|
||
if !activeCertStores.IsEmpty() { | ||
t.Errorf("Expected activeCertStores to be empty") | ||
} | ||
|
||
certStore1 := []*x509.Certificate{} | ||
certStore2 := []*x509.Certificate{} | ||
|
||
activeCertStores.AddStore(namespace1, name1, certStore1) | ||
activeCertStores.AddStore(namespace2, name2, certStore2) | ||
|
||
if activeCertStores.IsEmpty() { | ||
t.Errorf("Expected activeCertStores to not be empty") | ||
} | ||
|
||
if len(activeCertStores.GetCertStores(namespace1)) != 2 { | ||
t.Errorf("Expected activeCertStores to have 2 cert store") | ||
} | ||
|
||
activeCertStores.DeleteStore(namespace1, name1) | ||
activeCertStores.DeleteStore(namespace2, name2) | ||
|
||
if !activeCertStores.IsEmpty() { | ||
t.Errorf("Expected activeCertStores to be empty") | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters