From 360944b83b835dee8618bc2280f8664313d6e5be Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 18 Apr 2023 15:32:10 -0400 Subject: [PATCH] Make util.EncryptConfig,DecryptConfig, GetFormat public We want to share these functions with Podman, Podman currently has a slightly different version which is correct, so use correct version in Buildah and vendor it into Podman. Fixing: https://github.com/containers/podman/issues/18196 Signed-off-by: Daniel J Walsh --- cmd/buildah/addcopy.go | 2 +- cmd/buildah/commit.go | 10 ++++---- cmd/buildah/from.go | 2 +- cmd/buildah/pull.go | 2 +- cmd/buildah/push.go | 10 ++++---- internal/util/util.go | 48 ------------------------------------ internal/util/util_test.go | 20 --------------- pkg/cli/build.go | 7 +++--- pkg/util/util.go | 50 ++++++++++++++++++++++++++++++++++++++ pkg/util/util_test.go | 13 ++++++++++ tests/bud.bats | 2 +- tests/from.bats | 2 +- tests/pull.bats | 2 +- 13 files changed, 82 insertions(+), 88 deletions(-) delete mode 100644 internal/util/util_test.go diff --git a/cmd/buildah/addcopy.go b/cmd/buildah/addcopy.go index ccb2152a1cd..b4f12253dfb 100644 --- a/cmd/buildah/addcopy.go +++ b/cmd/buildah/addcopy.go @@ -9,9 +9,9 @@ import ( "time" "github.com/containers/buildah" - "github.com/containers/buildah/internal/util" buildahcli "github.com/containers/buildah/pkg/cli" "github.com/containers/buildah/pkg/parse" + "github.com/containers/buildah/pkg/util" "github.com/containers/common/pkg/auth" "github.com/containers/storage" "github.com/sirupsen/logrus" diff --git a/cmd/buildah/commit.go b/cmd/buildah/commit.go index 97c526c9cf9..b95c7d34462 100644 --- a/cmd/buildah/commit.go +++ b/cmd/buildah/commit.go 
@@ -8,10 +8,10 @@ import ( "github.com/containers/buildah" "github.com/containers/buildah/define" - iutil "github.com/containers/buildah/internal/util" buildahcli "github.com/containers/buildah/pkg/cli" "github.com/containers/buildah/pkg/parse" - "github.com/containers/buildah/util" + "github.com/containers/buildah/pkg/util" + butil "github.com/containers/buildah/util" "github.com/containers/common/pkg/auth" "github.com/containers/common/pkg/completion" "github.com/containers/image/v5/pkg/shortnames" @@ -153,7 +153,7 @@ func commitCmd(c *cobra.Command, args []string, iopts commitInputOptions) error compress = define.Uncompressed } - format, err := iutil.GetFormat(iopts.format) + format, err := util.GetFormat(iopts.format) if err != nil { return err } @@ -198,7 +198,7 @@ func commitCmd(c *cobra.Command, args []string, iopts commitInputOptions) error builder.SetLabel(buildah.BuilderIdentityAnnotation, define.Version) } - encConfig, encLayers, err := iutil.EncryptConfig(iopts.encryptionKeys, iopts.encryptLayers) + encConfig, encLayers, err := util.EncryptConfig(iopts.encryptionKeys, iopts.encryptLayers) if err != nil { return fmt.Errorf("unable to obtain encryption config: %w", err) } @@ -249,7 +249,7 @@ func commitCmd(c *cobra.Command, args []string, iopts commitInputOptions) error } id, ref, _, err := builder.Commit(ctx, dest, options) if err != nil { - return util.GetFailureCause(err, fmt.Errorf("committing container %q to %q: %w", builder.Container, image, err)) + return butil.GetFailureCause(err, fmt.Errorf("committing container %q to %q: %w", builder.Container, image, err)) } if ref != nil && id != "" { logrus.Debugf("wrote image %s with ID %s", ref, id) diff --git a/cmd/buildah/from.go b/cmd/buildah/from.go index 15d2f836c5e..d11dfcc2d64 100644 --- a/cmd/buildah/from.go +++ b/cmd/buildah/from.go 
@@ -10,9 +10,9 @@ import ( "github.com/containers/buildah" "github.com/containers/buildah/define" - "github.com/containers/buildah/internal/util" buildahcli "github.com/containers/buildah/pkg/cli" "github.com/containers/buildah/pkg/parse" + "github.com/containers/buildah/pkg/util" "github.com/containers/common/pkg/auth" "github.com/containers/common/pkg/config" "github.com/sirupsen/logrus" diff --git a/cmd/buildah/pull.go b/cmd/buildah/pull.go index 70da570cecb..5e7e53968f4 100644 --- a/cmd/buildah/pull.go +++ b/cmd/buildah/pull.go @@ -9,9 +9,9 @@ import ( "github.com/containers/buildah" "github.com/containers/buildah/define" - "github.com/containers/buildah/internal/util" buildahcli "github.com/containers/buildah/pkg/cli" "github.com/containers/buildah/pkg/parse" + "github.com/containers/buildah/pkg/util" "github.com/containers/common/pkg/auth" "github.com/sirupsen/logrus" "github.com/spf13/cobra" diff --git a/cmd/buildah/push.go b/cmd/buildah/push.go index c2706a48440..36848f446c5 100644 --- a/cmd/buildah/push.go +++ b/cmd/buildah/push.go @@ -10,10 +10,10 @@ import ( "github.com/containers/buildah" "github.com/containers/buildah/define" - iutil "github.com/containers/buildah/internal/util" buildahcli "github.com/containers/buildah/pkg/cli" "github.com/containers/buildah/pkg/parse" - "github.com/containers/buildah/util" + "github.com/containers/buildah/pkg/util" + butil "github.com/containers/buildah/util" "github.com/containers/common/pkg/auth" "github.com/containers/image/v5/manifest" "github.com/containers/image/v5/pkg/compression" @@ -187,7 +187,7 @@ func pushCmd(c *cobra.Command, args []string, iopts pushOptions) error { } } - encConfig, encLayers, err := iutil.EncryptConfig(iopts.encryptionKeys, iopts.encryptLayers) + encConfig, encLayers, err := util.EncryptConfig(iopts.encryptionKeys, iopts.encryptLayers) if err != nil { return fmt.Errorf("unable to obtain encryption config: %w", err) } 
@@ -234,7 +234,7 @@ func pushCmd(c *cobra.Command, args []string, iopts pushOptions) error { return nil } } - return util.GetFailureCause(err, fmt.Errorf("pushing image %q to %q: %w", src, destSpec, err)) + return butil.GetFailureCause(err, fmt.Errorf("pushing image %q to %q: %w", src, destSpec, err)) } if ref != nil { logrus.Debugf("pushed image %q with digest %s", ref, digest.String()) @@ -246,7 +246,7 @@ func pushCmd(c *cobra.Command, args []string, iopts pushOptions) error { if iopts.digestfile != "" { if err = os.WriteFile(iopts.digestfile, []byte(digest.String()), 0644); err != nil { - return util.GetFailureCause(err, fmt.Errorf("failed to write digest to file %q: %w", iopts.digestfile, err)) + return butil.GetFailureCause(err, fmt.Errorf("failed to write digest to file %q: %w", iopts.digestfile, err)) } } diff --git a/internal/util/util.go b/internal/util/util.go index c945ca85b8b..62082676122 100644 --- a/internal/util/util.go +++ b/internal/util/util.go @@ -9,8 +9,6 @@ import ( "github.com/containers/buildah/define" "github.com/containers/common/libimage" "github.com/containers/image/v5/types" - encconfig "github.com/containers/ocicrypt/config" - enchelpers "github.com/containers/ocicrypt/helpers" "github.com/containers/storage" "github.com/containers/storage/pkg/archive" "github.com/containers/storage/pkg/chrootarchive" 
@@ -106,49 +104,3 @@ func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {
 }
 return nil
 }
-
-// DecryptConfig translates decryptionKeys into a DescriptionConfig structure
-func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
- decryptConfig := &encconfig.DecryptConfig{}
- if len(decryptionKeys) > 0 {
- // decryption
- dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
- if err != nil {
- return nil, fmt.Errorf("invalid decryption keys: %w", err)
- }
- cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{dcc})
- decryptConfig = cc.DecryptConfig
- }
-
- return decryptConfig, nil
-}
-
-// EncryptConfig translates encryptionKeys into a EncriptionsConfig structure
-func EncryptConfig(encryptionKeys []string, encryptLayers []int) (*encconfig.EncryptConfig, *[]int, error) {
- var encLayers *[]int
- var encConfig *encconfig.EncryptConfig
-
- if len(encryptionKeys) > 0 {
- // encryption
- encLayers = &encryptLayers
- ecc, err := enchelpers.CreateCryptoConfig(encryptionKeys, []string{})
- if err != nil {
- return nil, nil, fmt.Errorf("invalid encryption keys: %w", err)
- }
- cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{ecc})
- encConfig = cc.EncryptConfig
- }
- return encConfig, encLayers, nil
-}
-
-// GetFormat translates format string into either docker or OCI format constant
-func GetFormat(format string) (string, error) {
- switch format {
- case define.OCI:
- return define.OCIv1ImageManifest, nil
- case define.DOCKER:
- return define.Dockerv2ImageManifest, nil
- default:
- return "", fmt.Errorf("unrecognized image type %q", format)
- }
-}
diff --git a/internal/util/util_test.go b/internal/util/util_test.go
deleted file mode 100644
index c7109eb610e..00000000000
--- a/internal/util/util_test.go
+++ /dev/null
@@ -1,20 +0,0 @@ -package util - -import ( - "testing" - - "github.com/containers/buildah/define" - "github.com/stretchr/testify/assert" -) - -func TestGetFormat(t *testing.T) { - _, err := GetFormat("bogus") - assert.NotNil(t, err) - - format, err := GetFormat("oci") - assert.Nil(t, err) - assert.Equalf(t, define.OCIv1ImageManifest, format, "expected oci format but got %v.", format) - format, err = GetFormat("docker") - assert.Nil(t, err) - assert.Equalf(t, define.Dockerv2ImageManifest, format, "expected docker format but got %v.", format) -} diff --git a/pkg/cli/build.go b/pkg/cli/build.go index e5f4ed976f1..1bdd8005a8d 100644 --- a/pkg/cli/build.go +++ b/pkg/cli/build.go @@ -14,7 +14,6 @@ import ( "time" "github.com/containers/buildah/define" - iutil "github.com/containers/buildah/internal/util" "github.com/containers/buildah/pkg/parse" "github.com/containers/buildah/pkg/util" "github.com/containers/common/pkg/auth" @@ -135,7 +134,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) ( } containerfiles := getContainerfiles(iopts.File) - format, err := iutil.GetFormat(iopts.Format) + format, err := util.GetFormat(iopts.Format) if err != nil { return options, nil, nil, err } @@ -272,7 +271,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) ( return options, nil, nil, err } - decryptConfig, err := iutil.DecryptConfig(iopts.DecryptionKeys) + decryptConfig, err := util.DecryptConfig(iopts.DecryptionKeys) if err != nil { return options, nil, nil, fmt.Errorf("unable to obtain decrypt config: %w", err) } @@ -433,7 +432,7 @@ func readBuildArgFile(buildargfile string, args map[string]string) error { return err } for _, arg := range strings.Split(string(argfile), "\n") { - if len (arg) == 0 || arg[0] == '#' { + if len(arg) == 0 || arg[0] == '#' { continue } readBuildArg(arg, args) diff --git a/pkg/util/util.go b/pkg/util/util.go index 6bb20219d67..d1007913929 100644 --- a/pkg/util/util.go +++ b/pkg/util/util.go 
@@ -5,6 +5,10 @@ import ( "os" "path/filepath" "strings" + + "github.com/containers/buildah/define" + encconfig "github.com/containers/ocicrypt/config" + enchelpers "github.com/containers/ocicrypt/helpers" ) // Mirrors path to a tmpfile if path points to a @@ -77,3 +81,49 @@ func DiscoverContainerfile(path string) (foundCtrFile string, err error) { return foundCtrFile, nil } + +// DecryptConfig translates decryptionKeys into a DescriptionConfig structure +func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) { + var decryptConfig *encconfig.DecryptConfig + if len(decryptionKeys) > 0 { + // decryption + dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys) + if err != nil { + return nil, fmt.Errorf("invalid decryption keys: %w", err) + } + cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{dcc}) + decryptConfig = cc.DecryptConfig + } + + return decryptConfig, nil +} + +// EncryptConfig translates encryptionKeys into a EncriptionsConfig structure +func EncryptConfig(encryptionKeys []string, encryptLayers []int) (*encconfig.EncryptConfig, *[]int, error) { + var encLayers *[]int + var encConfig *encconfig.EncryptConfig + + if len(encryptionKeys) > 0 { + // encryption + encLayers = &encryptLayers + ecc, err := enchelpers.CreateCryptoConfig(encryptionKeys, []string{}) + if err != nil { + return nil, nil, fmt.Errorf("invalid encryption keys: %w", err) + } + cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{ecc}) + encConfig = cc.EncryptConfig + } + return encConfig, encLayers, nil +} + +// GetFormat translates format string into either docker or OCI format constant +func GetFormat(format string) (string, error) { + switch format { + case define.OCI: + return define.OCIv1ImageManifest, nil + case define.DOCKER: + return define.Dockerv2ImageManifest, nil + default: + return "", fmt.Errorf("unrecognized image type %q", format) + } +} 
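Review bot: EncryptConfig drops a caller-supplied encryptLayers list whenever encryptionKeys is empty: encLayers is assigned only inside the `if len(encryptionKeys) > 0` block, so a request to encrypt specific layers without any key yields a nil config and a nil layer list, and the caller proceeds with no encryption at all and no error. Unless the CLI rejects that flag combination before reaching here (not visible in this diff), the function should fail rather than silently downgrade, e.g. ahead of the if: `if len(encryptLayers) > 0 && len(encryptionKeys) == 0 { return nil, nil, fmt.Errorf("encryption layers requested but no encryption keys given") }`. The doc comments also carry typos ("DescriptionConfig", "EncriptionsConfig"), and DecryptConfig's comment should spell out the contract that differs from the deleted internal copy (nil pointer instead of an empty struct when no keys are given): `// DecryptConfig translates decryptionKeys into a DecryptConfig. It returns nil when no keys are given, which callers must treat as "no decryption configured".`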
diff --git a/pkg/util/util_test.go b/pkg/util/util_test.go index a39108e5711..f3d2d1559f1 100644 --- a/pkg/util/util_test.go +++ b/pkg/util/util_test.go @@ -3,6 +3,7 @@ package util import ( "testing" + "github.com/containers/buildah/define" "github.com/stretchr/testify/assert" ) @@ -30,3 +31,15 @@ func TestDiscoverContainerfile(t *testing.T) { assert.Equal(t, name, "test/test2/Dockerfile") } + +func TestGetFormat(t *testing.T) { + _, err := GetFormat("bogus") + assert.NotNil(t, err) + + format, err := GetFormat("oci") + assert.Nil(t, err) + assert.Equalf(t, define.OCIv1ImageManifest, format, "expected oci format but got %v.", format) + format, err = GetFormat("docker") + assert.Nil(t, err) + assert.Equalf(t, define.Dockerv2ImageManifest, format, "expected docker format but got %v.", format) +} diff --git a/tests/bud.bats b/tests/bud.bats index 485fa6a9fb1..6d61a6e1765 100644 --- a/tests/bud.bats +++ b/tests/bud.bats @@ -4009,7 +4009,7 @@ EOM echo FROM localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest > $contextdir/Dockerfile # Try to build from encrypted image without key - run_buildah 125 build $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword -t ${target} -f $contextdir/Dockerfile + run_buildah 1 build $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword -t ${target} -f $contextdir/Dockerfile assert "$output" =~ "missing private key needed for decryption" # Try to build from encrypted image with wrong key diff --git a/tests/from.bats b/tests/from.bats index 118868cbed6..af053e4888d 100644 --- a/tests/from.bats +++ b/tests/from.bats 
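Review bot: Only GetFormat gets a test in its new home; DecryptConfig and EncryptConfig, moved by the same commit and the functions whose behaviour the commit message says differs from the deleted internal copy, remain untested. The no-key path is exactly what changed (DecryptConfig now returns a nil pointer rather than an empty struct) and can be pinned without any key material: `cfg, err := DecryptConfig(nil); assert.Nil(t, err); assert.Nil(t, cfg)` and `ec, layers, err := EncryptConfig(nil, nil); assert.Nil(t, err); assert.Nil(t, ec); assert.Nil(t, layers)`. That makes the contract Podman is about to vendor explicit before it is shared.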
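Review bot: The expected exit status for building from an encrypted image without a key drops from 125 to 1 here (and likewise in from.bats and pull.bats) with no comment in the test and no mention in the commit message. These bats assertions are the only place the CLI's exit-code contract for a decryption failure is pinned, so a comment above the `run_buildah 1 build ...` line stating why it changed (presumably the error now surfaces from a different layer once DecryptConfig returns nil for the no-key case — to be confirmed) would stop a later reader from reverting it. If this is a user-visible change for scripts that branch on `$?`, it belongs in the commit message as well.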
@@ -427,7 +427,7 @@ load helpers run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc # Try encrypted image without key should fail - run_buildah 125 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc + run_buildah 1 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc expect_output --substring "decrypting layer .* missing private key needed for decryption" # Try encrypted image with wrong key should fail diff --git a/tests/pull.bats b/tests/pull.bats index 969321b2673..79f43b7ff7f 100644 --- a/tests/pull.bats +++ b/tests/pull.bats @@ -190,7 +190,7 @@ load helpers run_buildah push $WITH_POLICY_JSON --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc # Try to pull encrypted image without key should fail - run_buildah 125 pull $WITH_POLICY_JSON oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc + run_buildah 1 pull $WITH_POLICY_JSON oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc expect_output --substring "decrypting layer .* missing private key needed for decryption" # Try to pull encrypted image with wrong key should fail