refactor: fix auth error handling (aquasecurity#7615)
Signed-off-by: knqyf263 <[email protected]>
knqyf263 authored and fhielpos committed Dec 20, 2024
1 parent e30e667 commit 26e99bd
Showing 9 changed files with 33 additions and 73 deletions.
5 changes: 1 addition & 4 deletions internal/dbtest/fake.go
Expand Up @@ -62,10 +62,7 @@ func NewFakeDB(t *testing.T, dbPath string, opts FakeDBOptions) *oci.Artifact {
opt := ftypes.RegistryOptions{
Insecure: false,
}
art, err := oci.NewArtifact("dummy", true, opt, oci.WithImage(img))
require.NoError(t, err)

return art
return oci.NewArtifact("dummy", true, opt, oci.WithImage(img))
}

func ArchiveDir(t *testing.T, dir string) string {
43 changes: 17 additions & 26 deletions pkg/db/db.go
Expand Up @@ -153,16 +153,23 @@ func (c *Client) Download(ctx context.Context, dst string, opt types.RegistryOpt
log.Debug("No metadata file")
}

art, err := c.initOCIArtifact(opt)
if err != nil {
return xerrors.Errorf("OCI artifact error: %w", err)
}

if err = art.Download(ctx, dst, oci.DownloadOption{MediaType: dbMediaType}); err != nil {
art := c.initOCIArtifact(opt)
if err := art.Download(ctx, dst, oci.DownloadOption{MediaType: dbMediaType}); err != nil {
var terr *transport.Error
if errors.As(err, &terr) {
for _, diagnostic := range terr.Errors {
// For better user experience
if diagnostic.Code == transport.DeniedErrorCode || diagnostic.Code == transport.UnauthorizedErrorCode {
// e.g. https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/#db
log.Warnf("See %s", doc.URL("/docs/references/troubleshooting/", "db"))
break
}
}
}
return xerrors.Errorf("database download error: %w", err)
}

if err = c.updateDownloadedAt(ctx, dst); err != nil {
if err := c.updateDownloadedAt(ctx, dst); err != nil {
return xerrors.Errorf("failed to update downloaded_at: %w", err)
}
return nil
Expand Down Expand Up @@ -194,27 +201,11 @@ func (c *Client) updateDownloadedAt(ctx context.Context, dbDir string) error {
return nil
}

func (c *Client) initOCIArtifact(opt types.RegistryOptions) (*oci.Artifact, error) {
func (c *Client) initOCIArtifact(opt types.RegistryOptions) *oci.Artifact {
if c.artifact != nil {
return c.artifact, nil
}

art, err := oci.NewArtifact(c.dbRepository.String(), c.quiet, opt)
if err != nil {
var terr *transport.Error
if errors.As(err, &terr) {
for _, diagnostic := range terr.Errors {
// For better user experience
if diagnostic.Code == transport.DeniedErrorCode || diagnostic.Code == transport.UnauthorizedErrorCode {
// e.g. https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/#db
log.Warnf("See %s", doc.URL("/docs/references/troubleshooting/", "db"))
break
}
}
}
return nil, xerrors.Errorf("OCI artifact error: %w", err)
return c.artifact
}
return art, nil
return oci.NewArtifact(c.dbRepository.String(), c.quiet, opt)
}

func (c *Client) ShowInfo() error {
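Review bot: The troubleshooting hint added to the Download error branch only fires when the registry answered with a structured diagnostic whose code is Denied or Unauthorized; a 401/403 that comes back with an empty or non-JSON body produces a transport.Error with nothing in terr.Errors, so the loop logs nothing and the user gets only the wrapped error. If transport.Error is go-containerregistry's type it also carries StatusCode, so guarding on that before the loop would close the gap: `if terr.StatusCode == http.StatusUnauthorized || terr.StatusCode == http.StatusForbidden { log.Warnf("See %s", doc.URL("/docs/references/troubleshooting/", "db")) }` (needs net/http imported). Moving the hint here is right, since the old NewArtifact always returned a nil error and the removed branch could never trigger, but the Java DB, module and check-bundle downloads in this same commit call Download without it; putting the check inside Artifact.Download, or in a small pkg/oci helper, would give every caller the same diagnosis. Download's body begins before this hunk.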
5 changes: 1 addition & 4 deletions pkg/fanal/artifact/image/remote_sbom.go
Expand Up @@ -87,10 +87,6 @@ func (a Artifact) inspectOCIReferrerSBOM(ctx context.Context) (artifact.Referenc
func (a Artifact) parseReferrer(ctx context.Context, repo string, desc v1.Descriptor) (artifact.Reference, error) {
const fileName string = "referrer.sbom"
repoName := fmt.Sprintf("%s@%s", repo, desc.Digest)
referrer, err := oci.NewArtifact(repoName, true, a.artifactOption.ImageOption.RegistryOptions)
if err != nil {
return artifact.Reference{}, xerrors.Errorf("OCI error: %w", err)
}

tmpDir, err := os.MkdirTemp("", "trivy-sbom-*")
if err != nil {
Expand All @@ -99,6 +95,7 @@ func (a Artifact) parseReferrer(ctx context.Context, repo string, desc v1.Descri
defer os.RemoveAll(tmpDir)

// Download SBOM to local filesystem
referrer := oci.NewArtifact(repoName, true, a.artifactOption.ImageOption.RegistryOptions)
if err = referrer.Download(ctx, tmpDir, oci.DownloadOption{
MediaType: desc.ArtifactType,
Filename: fileName,
7 changes: 2 additions & 5 deletions pkg/javadb/client.go
Expand Up @@ -59,11 +59,8 @@ func (u *Updater) Update() error {
log.Info("Downloading the Java DB...")

// TODO: support remote options
var a *oci.Artifact
if a, err = oci.NewArtifact(u.repo.String(), u.quiet, u.registryOption); err != nil {
return xerrors.Errorf("oci error: %w", err)
}
if err = a.Download(context.Background(), dbDir, oci.DownloadOption{MediaType: mediaType}); err != nil {
art := oci.NewArtifact(u.repo.String(), u.quiet, u.registryOption)
if err = art.Download(context.Background(), dbDir, oci.DownloadOption{MediaType: mediaType}); err != nil {
return xerrors.Errorf("DB download error: %w", err)
}

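Review bot: The rewritten call `art.Download(context.Background(), dbDir, ...)` still uses a background context, so a Java DB download cannot be cancelled or bounded by the caller's ctx, unlike the db.go path in this commit which threads ctx through to Download. This is pre-existing rather than introduced here, and fixing it means changing Update's signature outside the hunk, but the TODO on the line above only covers registry options; either extend it (`// TODO: support remote options and accept a caller ctx instead of context.Background()`) or plumb the context now. Update's body starts before and continues after this hunk.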
8 changes: 2 additions & 6 deletions pkg/module/command.go
Expand Up @@ -23,15 +23,11 @@ func Install(ctx context.Context, dir, repo string, quiet bool, opt types.Regist
}

log.Info("Installing the module from the repository...", log.String("repo", repo))
artifact, err := oci.NewArtifact(repo, quiet, opt)
if err != nil {
return xerrors.Errorf("module initialize error: %w", err)
}
art := oci.NewArtifact(repo, quiet, opt)

dst := filepath.Join(dir, ref.Context().Name())
log.Debug("Installing the module...", log.String("dst", dst))

if err = artifact.Download(ctx, dst, oci.DownloadOption{MediaType: mediaType}); err != nil {
if err = art.Download(ctx, dst, oci.DownloadOption{MediaType: mediaType}); err != nil {
return xerrors.Errorf("module download error: %w", err)
}

4 changes: 2 additions & 2 deletions pkg/oci/artifact.go
Expand Up @@ -57,7 +57,7 @@ type Artifact struct {
}

// NewArtifact returns a new artifact
func NewArtifact(repo string, quiet bool, registryOpt types.RegistryOptions, opts ...Option) (*Artifact, error) {
func NewArtifact(repo string, quiet bool, registryOpt types.RegistryOptions, opts ...Option) *Artifact {
art := &Artifact{
repository: repo,
quiet: quiet,
Expand All @@ -67,7 +67,7 @@ func NewArtifact(repo string, quiet bool, registryOpt types.RegistryOptions, opt
for _, o := range opts {
o(art)
}
return art, nil
return art
}

func (a *Artifact) populate(ctx context.Context, opt types.RegistryOptions) error {
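Review bot: The doc comment `// NewArtifact returns a new artifact` should say what the signature change implies: construction can no longer fail and, from what is visible, does no I/O (it fills the struct and applies opts), so callers must expect registry and authentication errors from Download and Digest instead. Suggested: `// NewArtifact returns an Artifact for repo. It does not contact the registry; registry and auth errors are reported by Download and Digest.` with a line each for quiet and registryOpt (the struct fields they populate are cut out between the two hunks, so I am inferring their role). Since this is an exported API change, any out-of-tree importer of pkg/oci breaks at compile time; worth a mention in the commit message.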
4 changes: 1 addition & 3 deletions pkg/oci/artifact_test.go
Expand Up @@ -116,9 +116,7 @@ func TestArtifact_Download(t *testing.T) {
},
}, nil)

artifact, err := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
require.NoError(t, err)

artifact := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
err = artifact.Download(context.Background(), tempDir, oci.DownloadOption{
MediaType: tt.mediaType,
})
18 changes: 4 additions & 14 deletions pkg/policy/policy.go
Expand Up @@ -89,23 +89,16 @@ func NewClient(cacheDir string, quiet bool, checkBundleRepo string, opts ...Opti
}, nil
}

func (c *Client) populateOCIArtifact(registryOpts types.RegistryOptions) error {
func (c *Client) populateOCIArtifact(registryOpts types.RegistryOptions) {
if c.artifact == nil {
log.Debug("Loading check bundle", log.String("repository", c.checkBundleRepo))
art, err := oci.NewArtifact(c.checkBundleRepo, c.quiet, registryOpts)
if err != nil {
return xerrors.Errorf("OCI artifact error: %w", err)
}
c.artifact = art
c.artifact = oci.NewArtifact(c.checkBundleRepo, c.quiet, registryOpts)
}
return nil
}

// DownloadBuiltinPolicies download default policies from GitHub Pages
func (c *Client) DownloadBuiltinPolicies(ctx context.Context, registryOpts types.RegistryOptions) error {
if err := c.populateOCIArtifact(registryOpts); err != nil {
return xerrors.Errorf("OPA bundle error: %w", err)
}
c.populateOCIArtifact(registryOpts)

dst := c.contentDir()
if err := c.artifact.Download(ctx, dst, oci.DownloadOption{MediaType: policyMediaType}); err != nil {
Expand Down Expand Up @@ -165,10 +158,7 @@ func (c *Client) NeedsUpdate(ctx context.Context, registryOpts types.RegistryOpt
return false, nil
}

if err = c.populateOCIArtifact(registryOpts); err != nil {
return false, xerrors.Errorf("OPA bundle error: %w", err)
}

c.populateOCIArtifact(registryOpts)
digest, err := c.artifact.Digest(ctx)
if err != nil {
return false, xerrors.Errorf("digest error: %w", err)
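Review bot: The comment `// DownloadBuiltinPolicies download default policies from GitHub Pages` is stale: the function now fetches an OCI artifact built from c.checkBundleRepo, and nothing in the hunk references GitHub Pages; suggest `// DownloadBuiltinPolicies downloads the built-in check bundle from the OCI repository in c.checkBundleRepo.` Separately, populateOCIArtifact silently ignores registryOpts once c.artifact is set, so a second call with different credentials or Insecure settings keeps the first artifact; that predates this commit but is now easier to miss because the call no longer returns anything, and a one-line comment on the `if c.artifact == nil` check (`// registryOpts only apply on first use; later calls reuse the existing artifact`) would make it explicit. With no error to return, having populateOCIArtifact return the *oci.Artifact would also let both callers avoid reading c.artifact afterwards.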
12 changes: 3 additions & 9 deletions pkg/policy/policy_test.go
Expand Up @@ -116,9 +116,7 @@ func TestClient_LoadBuiltinPolicies(t *testing.T) {
}, nil)

// Mock OCI artifact
art, err := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
require.NoError(t, err)

art := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
c, err := policy.NewClient(tt.cacheDir, true, "", policy.WithOCIArtifact(art))
require.NoError(t, err)

Expand Down Expand Up @@ -257,9 +255,7 @@ func TestClient_NeedsUpdate(t *testing.T) {
require.NoError(t, err)
}

art, err := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
require.NoError(t, err)

art := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
c, err := policy.NewClient(tmpDir, true, "", policy.WithOCIArtifact(art), policy.WithClock(tt.clock))
require.NoError(t, err)

Expand Down Expand Up @@ -361,9 +357,7 @@ func TestClient_DownloadBuiltinPolicies(t *testing.T) {
}, nil)

// Mock OCI artifact
art, err := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
require.NoError(t, err)

art := oci.NewArtifact("repo", true, ftypes.RegistryOptions{}, oci.WithImage(img))
c, err := policy.NewClient(tempDir, true, "", policy.WithClock(tt.clock), policy.WithOCIArtifact(art))
require.NoError(t, err)

