storing different tokens inside keychain based on assetName

l3montree-dev · Nov 24, 2024 · 5b186f5 · 5b186f5
1 parent 521fd46
commit 5b186f5
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 17 deletions.
diff --git a/cmd/devguard-scanner/commands/intoto/intoto.go b/cmd/devguard-scanner/commands/intoto/intoto.go
@@ -32,8 +32,8 @@ import (
 	"github.com/zalando/go-keyring"
 )
 
-func getTokenFromKeyring() (string, error) {
-	service := "devguard"
+func getTokenFromKeyring(assetName string) (string, error) {
+	service := "devguard/" + assetName
 	user := "devguard"
 
 	token, err := keyring.Get(service, user)
@@ -44,8 +44,8 @@ func getTokenFromKeyring() (string, error) {
 	return token, nil
 }
 
-func storeTokenInKeyring(token string) error {
-	service := "devguard"
+func storeTokenInKeyring(assetName, token string) error {
+	service := "devguard/" + assetName
 	user := "devguard"
 
 	// set password
@@ -197,7 +197,7 @@ func newInTotoSetupCommand() *cobra.Command {
 			}
 
 			// set the token to the keyring
-			err = storeTokenInKeyring(token)
+			err = storeTokenInKeyring(assetName, token)
 			if err != nil {
 				return err
 			}
@@ -254,6 +254,9 @@ func NewInTotoCommand() *cobra.Command {
 		Short: "InToto commands",
 	}
 
+	cmd.PersistentFlags().String("assetName", "", "The asset name to use")
+	cmd.PersistentFlags().String("apiUrl", "", "The devguard api url")
+
 	// add the token to both commands as needed flag
 	cmd.PersistentFlags().String("token", "", "The token to use for in-toto")
 	cmd.PersistentFlags().String("step", "", "The name of the in-toto link")
@@ -266,6 +269,9 @@ func NewInTotoCommand() *cobra.Command {
 
 	cmd.PersistentFlags().String("supplyChainId", "", "The supply chain id to use. If empty, tries to extract the current commit hash.")
 
+	panicOnError(cmd.MarkPersistentFlagRequired("apiUrl"))
+	panicOnError(cmd.MarkPersistentFlagRequired("assetName"))
+
 	cmd.AddCommand(
 		NewInTotoRecordStartCommand(),
 		NewInTotoRecordStopCommand(),

diff --git a/cmd/devguard-scanner/commands/intoto/intoto_record.go b/cmd/devguard-scanner/commands/intoto/intoto_record.go
@@ -32,9 +32,14 @@ func getTokenFromCommandOrKeyring(cmd *cobra.Command) (string, error) {
 		return "", err
 	}
 
+	assetName, err := cmd.Flags().GetString("assetName")
+	if err != nil {
+		return "", err
+	}
+
 	// if the token is not set, try to get it from the keyring
 	if token == "" {
-		token, err = getTokenFromKeyring()
+		token, err = getTokenFromKeyring(assetName)
 		if err != nil {
 			return "", err
 		}
@@ -179,8 +184,5 @@ func NewInTotoRecordStopCommand() *cobra.Command {
 
 	cmd.Flags().String("output", "", "The output file name. Default is the <step>.link.json name")
 
-	cmd.Flags().String("apiUrl", "", "The devguard api url")
-	cmd.Flags().String("assetName", "", "The asset name to use")
-
 	return cmd
 }
diff --git a/cmd/devguard-scanner/commands/intoto/intoto_run.go b/cmd/devguard-scanner/commands/intoto/intoto_run.go
@@ -173,7 +173,6 @@ func NewInTotoRunCommand() *cobra.Command {
 	}
 
 	cmd.Flags().String("apiUrl", "", "The devguard api url")
-	cmd.Flags().String("assetName", "", "The asset name to use")
 
 	return cmd
 }
diff --git a/cmd/devguard-scanner/commands/intoto/intoto_verify.go b/cmd/devguard-scanner/commands/intoto/intoto_verify.go
@@ -82,14 +82,17 @@ func verify(cmd *cobra.Command, args []string) error {
 
 	// remove the layout
 	os.Remove("root.layout.json")
-	linkDir := os.TempDir()
+	linkDir, err := os.MkdirTemp("", "links")
+	if err != nil {
+		return errors.Wrap(err, "could not create temp dir")
+	}
 
 	err = downloadSupplyChainLinks(cmd.Context(), c, linkDir, apiUrl, assetName, supplyChainId)
 	if err != nil {
 		return errors.Wrap(err, "could not download supply chain links")
 	}
 
-	defer os.RemoveAll("links")
+	defer os.RemoveAll(linkDir)
 
 	// read the layoutKey
 	layoutKeyPath, err := cmd.Flags().GetString("layoutKey")
@@ -113,7 +116,11 @@ func verify(cmd *cobra.Command, args []string) error {
 
 	// now get the digest from the layout argument - we expect it to be an image tag
 	// use crane to get the digest
-	err = exec.Command("sh", "-c", "crane", "digest", fmt.Sprintf("\"%s\"", imageName), ">", "image-digest.txt").Run() // nolint:gosec//Checked using regex
+	craneCmd := exec.Command("sh", "-c", "crane digest "+fmt.Sprintf("\"%s\"", imageName)+"> image-digest.txt") // nolint:gosec//Checked using regex
+	craneCmd.Stderr = os.Stderr
+	craneCmd.Stdout = os.Stdout
+
+	err = craneCmd.Run()
 	if err != nil {
 		return err
 	}
@@ -127,6 +134,7 @@ func verify(cmd *cobra.Command, args []string) error {
 
 	// if a verify-digest.link was created, delete it
 	os.Remove("verify-digest.link") // nolint:errcheck
+	os.Remove("image-digest.txt")   // nolint:errcheck
 
 	return err
 }
@@ -147,15 +155,11 @@ func NewInTotoVerifyCommand() *cobra.Command {
 
 	cmd.Flags().String("supplyChainId", "", "Supply chain ID")
 	cmd.Flags().String("token", "", "Token")
-	cmd.Flags().String("apiUrl", "", "API URL")
-	cmd.Flags().String("assetName", "", "Asset name")
 
 	cmd.Flags().String("layoutKey", "", "Path to the layout key")
 
 	panicOnError(cmd.MarkFlagRequired("supplyChainId"))
 	panicOnError(cmd.MarkFlagRequired("token"))
-	panicOnError(cmd.MarkFlagRequired("apiUrl"))
-	panicOnError(cmd.MarkFlagRequired("assetName"))
 	panicOnError(cmd.MarkFlagRequired("layoutKey"))
 
 	return cmd