diff --git a/cmd/devguard-scanner/commands/intoto/intoto.go b/cmd/devguard-scanner/commands/intoto/intoto.go index 0c86568..928a10a 100644 --- a/cmd/devguard-scanner/commands/intoto/intoto.go +++ b/cmd/devguard-scanner/commands/intoto/intoto.go @@ -32,8 +32,8 @@ import ( "github.com/zalando/go-keyring" ) -func getTokenFromKeyring() (string, error) { - service := "devguard" +func getTokenFromKeyring(assetName string) (string, error) { + service := "devguard/" + assetName user := "devguard" token, err := keyring.Get(service, user) @@ -44,8 +44,8 @@ func getTokenFromKeyring() (string, error) { return token, nil } -func storeTokenInKeyring(token string) error { - service := "devguard" +func storeTokenInKeyring(assetName, token string) error { + service := "devguard/" + assetName user := "devguard" // set password @@ -197,7 +197,7 @@ func newInTotoSetupCommand() *cobra.Command { } // set the token to the keyring - err = storeTokenInKeyring(token) + err = storeTokenInKeyring(assetName, token) if err != nil { return err } @@ -254,6 +254,9 @@ func NewInTotoCommand() *cobra.Command { Short: "InToto commands", } + cmd.PersistentFlags().String("assetName", "", "The asset name to use") + cmd.PersistentFlags().String("apiUrl", "", "The devguard api url") + // add the token to both commands as needed flag cmd.PersistentFlags().String("token", "", "The token to use for in-toto") cmd.PersistentFlags().String("step", "", "The name of the in-toto link") @@ -266,6 +269,9 @@ func NewInTotoCommand() *cobra.Command { cmd.PersistentFlags().String("supplyChainId", "", "The supply chain id to use. If empty, tries to extract the current commit hash.") + panicOnError(cmd.MarkPersistentFlagRequired("apiUrl")) + panicOnError(cmd.MarkPersistentFlagRequired("assetName")) + cmd.AddCommand( NewInTotoRecordStartCommand(), NewInTotoRecordStopCommand(), 
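Review bot: `service := "devguard/" + assetName` in getTokenFromKeyring accepts an empty or arbitrary assetName without any check, so a caller that reaches it with `""` silently looks up the entry `devguard/` instead of failing. Tokens stored by earlier builds under the plain `devguard` service are also no longer read and are never removed, so a live credential stays behind in the keyring with nothing pointing at it; this deserves at least a comment and ideally a one-time `keyring.Delete("devguard", user)` once the per-asset entry exists. I would add `if assetName == "" { return "", errors.New("assetName must not be empty") }` at the top (using whichever errors package intoto.go already imports) and a doc comment stating that the entry is keyed per asset as `devguard/<assetName>`. The function's error handling and return continue past the end of this hunk.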
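Review bot: storeTokenInKeyring rebuilds the service name with its own `service := "devguard/" + assetName`, duplicating the expression in getTokenFromKeyring; if one side is ever changed the stored and looked-up entries diverge and the token silently appears missing. A small helper such as `func keyringService(assetName string) string { return "devguard/" + assetName }` used by both functions keeps them in lock-step and gives the naming scheme one place to be documented. The body of storeTokenInKeyring continues beyond this hunk.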
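Review bot: the comment `// add the token to both commands as needed flag` now sits directly under the two new `assetName`/`apiUrl` persistent flags and no longer describes the lines it follows. Either keep it attached to the `token` flag or give the new block its own lead, e.g. `// assetName and apiUrl are shared by every in-toto subcommand and marked required below`. The `apiUrl` help text would also benefit from an example value, since the empty default gives the user no hint of the expected form.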
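Review bot: `MarkPersistentFlagRequired("assetName")` only checks that the flag was passed, not that its value is non-empty — as far as I recall cobra's required-flag validation is based on whether the flag was set, so `--assetName ""` still passes and the keyring lookups downstream receive an empty name. A `PersistentPreRunE` on this command that rejects empty values, e.g. `if v, _ := cmd.Flags().GetString("assetName"); v == "" { return errors.New("assetName must not be empty") }`, closes that gap for both new flags. Note also that, to my understanding, a subcommand that still defines a local flag of the same name shadows the inherited persistent flag together with its required annotation, so the requirement is only uniformly enforced once every subcommand's local copy is removed.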
diff --git a/cmd/devguard-scanner/commands/intoto/intoto_record.go b/cmd/devguard-scanner/commands/intoto/intoto_record.go index aaad59d..80a5c3a 100644 --- a/cmd/devguard-scanner/commands/intoto/intoto_record.go +++ b/cmd/devguard-scanner/commands/intoto/intoto_record.go @@ -32,9 +32,14 @@ func getTokenFromCommandOrKeyring(cmd *cobra.Command) (string, error) { return "", err } + assetName, err := cmd.Flags().GetString("assetName") + if err != nil { + return "", err + } + // if the token is not set, try to get it from the keyring if token == "" { - token, err = getTokenFromKeyring() + token, err = getTokenFromKeyring(assetName) if err != nil { return "", err } @@ -179,8 +184,5 @@ func NewInTotoRecordStopCommand() *cobra.Command { cmd.Flags().String("output", "", "The output file name. Default is the .link.json name") - cmd.Flags().String("apiUrl", "", "The devguard api url") - cmd.Flags().String("assetName", "", "The asset name to use") - return cmd } diff --git a/cmd/devguard-scanner/commands/intoto/intoto_run.go b/cmd/devguard-scanner/commands/intoto/intoto_run.go index d789fdc..9b389f8 100644 --- a/cmd/devguard-scanner/commands/intoto/intoto_run.go +++ b/cmd/devguard-scanner/commands/intoto/intoto_run.go @@ -173,7 +173,6 @@ func NewInTotoRunCommand() *cobra.Command { } cmd.Flags().String("apiUrl", "", "The devguard api url") - cmd.Flags().String("assetName", "", "The asset name to use") return cmd } diff --git a/cmd/devguard-scanner/commands/intoto/intoto_verify.go b/cmd/devguard-scanner/commands/intoto/intoto_verify.go index 72fd229..6491274 100644 --- a/cmd/devguard-scanner/commands/intoto/intoto_verify.go +++ b/cmd/devguard-scanner/commands/intoto/intoto_verify.go 
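Review bot: when the keyring lookup in getTokenFromCommandOrKeyring fails, the new call `token, err = getTokenFromKeyring(assetName)` still passes the raw keyring error through unchanged, which tells the user neither which asset was looked up nor that entries are now keyed per asset — someone whose token was stored by an older build under the old service name gets an unexplained not-found error. Wrapping it, e.g. `return "", fmt.Errorf("no token in keyring for asset %q; pass --token or run the intoto setup command: %w", assetName, err)` (or the `errors.Wrapf` form if that is the package this file uses), makes the migration visible at the point it bites. The function's remaining body and return are outside this hunk.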
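Review bot: NewInTotoRunCommand still declares its own `cmd.Flags().String("apiUrl", "", "The devguard api url")` while the parent command now provides `apiUrl` as a required persistent flag; only the `assetName` line was removed here. To my understanding cobra lets a local flag of the same name shadow the inherited persistent one and the required annotation does not follow, so `apiUrl` would be optional for `run` but mandatory for `record` and `verify`, and `--help` would list it under both local and global flags. Drop the local `apiUrl` line here, as the record-stop and verify commands do in this same commit. The enclosing function's body begins before the hunk.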
@@ -82,14 +82,17 @@ func verify(cmd *cobra.Command, args []string) error { // remove the layout os.Remove("root.layout.json") - linkDir := os.TempDir() + linkDir, err := os.MkdirTemp("", "links") + if err != nil { + return errors.Wrap(err, "could not create temp dir") + } err = downloadSupplyChainLinks(cmd.Context(), c, linkDir, apiUrl, assetName, supplyChainId) if err != nil { return errors.Wrap(err, "could not download supply chain links") } - defer os.RemoveAll("links") + defer os.RemoveAll(linkDir) // read the layoutKey layoutKeyPath, err := cmd.Flags().GetString("layoutKey") @@ -113,7 +116,11 @@ func verify(cmd *cobra.Command, args []string) error { // now get the digest from the layout argument - we expect it to be an image tag // use crane to get the digest - err = exec.Command("sh", "-c", "crane", "digest", fmt.Sprintf("\"%s\"", imageName), ">", "image-digest.txt").Run() // nolint:gosec//Checked using regex + craneCmd := exec.Command("sh", "-c", "crane digest "+fmt.Sprintf("\"%s\"", imageName)+"> image-digest.txt") // nolint:gosec//Checked using regex + craneCmd.Stderr = os.Stderr + craneCmd.Stdout = os.Stdout + + err = craneCmd.Run() if err != nil { return err } @@ -127,6 +134,7 @@ func verify(cmd *cobra.Command, args []string) error { // if a verify-digest.link was created, delete it os.Remove("verify-digest.link") // nolint:errcheck + os.Remove("image-digest.txt") // nolint:errcheck return err } 
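Review bot: `defer os.RemoveAll(linkDir)` is placed after the `downloadSupplyChainLinks` call, so when that call fails and the function returns the wrapped error, the directory just created by `os.MkdirTemp("", "links")` is left behind — every failed verify leaks a temp dir. Move the defer to directly after the `if err != nil` that follows MkdirTemp, i.e. `defer os.RemoveAll(linkDir)` before the download, so every exit path cleans up. verify begins and ends outside this hunk.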
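Review bot: the rewritten `exec.Command("sh", "-c", "crane digest "+fmt.Sprintf("\"%s\"", imageName)+"> image-digest.txt")` still interpolates `imageName` into a shell command line; double quotes only protect against whitespace, so a value containing `"`, `$(`, or a backtick is interpreted by sh. The `nolint:gosec//Checked using regex` comment refers to a check that is not visible in this hunk, so I cannot confirm it rejects those characters; the robust fix is to drop the shell entirely, pass the image as a plain argument to crane, and write its stdout to the file yourself, which also makes `craneCmd.Stdout = os.Stdout` meaningful instead of being overridden by the redirect. This needs a `bytes` import in intoto_verify.go, and the surrounding function continues outside the hunk.
```go
// … unchanged: layout key handling, imageName extraction …
var digest bytes.Buffer
craneCmd := exec.CommandContext(cmd.Context(), "crane", "digest", imageName) // no shell: imageName is a single argv entry
craneCmd.Stdout = &digest
craneCmd.Stderr = os.Stderr
if err = craneCmd.Run(); err != nil {
	return errors.Wrap(err, "could not resolve image digest with crane")
}
// keep producing image-digest.txt since later code in verify (outside this hunk) appears to read it
if err = os.WriteFile("image-digest.txt", digest.Bytes(), 0o600); err != nil {
	return errors.Wrap(err, "could not write image digest")
}
// … unchanged: verify-digest link step …
```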
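Review bot: the added `os.Remove("image-digest.txt")` sits at the tail of verify next to the `verify-digest.link` removal, so it only runs when control reaches that final `return err`; the `if err != nil { return err }` right after `craneCmd.Run()` in the previous hunk returns before it, and because the `> image-digest.txt` redirect opens the file before crane executes, a failed crane call leaves an empty `image-digest.txt` in the working directory. A `defer os.Remove("image-digest.txt") // nolint:errcheck` placed immediately after the crane command covers every exit path, and the same treatment suits `verify-digest.link` if the in-toto step can fail partway. The function ends outside this hunk, so other early returns between the two points may exist that I cannot see.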
@@ -147,15 +155,11 @@ func NewInTotoVerifyCommand() *cobra.Command { cmd.Flags().String("supplyChainId", "", "Supply chain ID") cmd.Flags().String("token", "", "Token") - cmd.Flags().String("apiUrl", "", "API URL") - cmd.Flags().String("assetName", "", "Asset name") cmd.Flags().String("layoutKey", "", "Path to the layout key") panicOnError(cmd.MarkFlagRequired("supplyChainId")) panicOnError(cmd.MarkFlagRequired("token")) - panicOnError(cmd.MarkFlagRequired("apiUrl")) - panicOnError(cmd.MarkFlagRequired("assetName")) panicOnError(cmd.MarkFlagRequired("layoutKey")) return cmd