Make util.EncryptConfig,DecryptConfig, GetFormat public

We want to share these functions with Podman, Podman currently has a slightly different version which is correct, so use correct version in Buildah and vendor it into Podman. Fixing: containers/podman#18196 Signed-off-by: Daniel J Walsh <[email protected]>
rhatdan · Apr 19, 2023 · d72e62d · d72e62d
1 parent 216d6be
commit d72e62d
Show file tree

Hide file tree

Showing 13 changed files with 83 additions and 89 deletions.
diff --git a/cmd/buildah/addcopy.go b/cmd/buildah/addcopy.go
@@ -9,9 +9,9 @@ import (
 	"time"
 
 	"github.com/containers/buildah"
-	"github.com/containers/buildah/internal/util"
 	buildahcli "github.com/containers/buildah/pkg/cli"
 	"github.com/containers/buildah/pkg/parse"
+	"github.com/containers/buildah/pkg/util"
 	"github.com/containers/common/pkg/auth"
 	"github.com/containers/storage"
 	"github.com/sirupsen/logrus"

diff --git a/cmd/buildah/commit.go b/cmd/buildah/commit.go
@@ -8,10 +8,10 @@ import (
 
 	"github.com/containers/buildah"
 	"github.com/containers/buildah/define"
-	iutil "github.com/containers/buildah/internal/util"
 	buildahcli "github.com/containers/buildah/pkg/cli"
 	"github.com/containers/buildah/pkg/parse"
-	"github.com/containers/buildah/util"
+	"github.com/containers/buildah/pkg/util"
+	butil "github.com/containers/buildah/util"
 	"github.com/containers/common/pkg/auth"
 	"github.com/containers/common/pkg/completion"
 	"github.com/containers/image/v5/pkg/shortnames"
@@ -153,7 +153,7 @@ func commitCmd(c *cobra.Command, args []string, iopts commitInputOptions) error
 		compress = define.Uncompressed
 	}
 
-	format, err := iutil.GetFormat(iopts.format)
+	format, err := util.GetFormat(iopts.format)
 	if err != nil {
 		return err
 	}
@@ -198,7 +198,7 @@ func commitCmd(c *cobra.Command, args []string, iopts commitInputOptions) error
 		builder.SetLabel(buildah.BuilderIdentityAnnotation, define.Version)
 	}
 
-	encConfig, encLayers, err := iutil.EncryptConfig(iopts.encryptionKeys, iopts.encryptLayers)
+	encConfig, encLayers, err := util.EncryptConfig(iopts.encryptionKeys, iopts.encryptLayers)
 	if err != nil {
 		return fmt.Errorf("unable to obtain encryption config: %w", err)
 	}
@@ -249,7 +249,7 @@ func commitCmd(c *cobra.Command, args []string, iopts commitInputOptions) error
 	}
 	id, ref, _, err := builder.Commit(ctx, dest, options)
 	if err != nil {
-		return util.GetFailureCause(err, fmt.Errorf("committing container %q to %q: %w", builder.Container, image, err))
+		return butil.GetFailureCause(err, fmt.Errorf("committing container %q to %q: %w", builder.Container, image, err))
 	}
 	if ref != nil && id != "" {
 		logrus.Debugf("wrote image %s with ID %s", ref, id)

diff --git a/cmd/buildah/from.go b/cmd/buildah/from.go
@@ -10,9 +10,9 @@ import (
 
 	"github.com/containers/buildah"
 	"github.com/containers/buildah/define"
-	"github.com/containers/buildah/internal/util"
 	buildahcli "github.com/containers/buildah/pkg/cli"
 	"github.com/containers/buildah/pkg/parse"
+	"github.com/containers/buildah/pkg/util"
 	"github.com/containers/common/pkg/auth"
 	"github.com/containers/common/pkg/config"
 	"github.com/sirupsen/logrus"

diff --git a/cmd/buildah/pull.go b/cmd/buildah/pull.go
@@ -9,9 +9,9 @@ import (
 
 	"github.com/containers/buildah"
 	"github.com/containers/buildah/define"
-	"github.com/containers/buildah/internal/util"
 	buildahcli "github.com/containers/buildah/pkg/cli"
 	"github.com/containers/buildah/pkg/parse"
+	"github.com/containers/buildah/pkg/util"
 	"github.com/containers/common/pkg/auth"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

diff --git a/cmd/buildah/push.go b/cmd/buildah/push.go
@@ -10,10 +10,10 @@ import (
 
 	"github.com/containers/buildah"
 	"github.com/containers/buildah/define"
-	iutil "github.com/containers/buildah/internal/util"
 	buildahcli "github.com/containers/buildah/pkg/cli"
 	"github.com/containers/buildah/pkg/parse"
-	"github.com/containers/buildah/util"
+	"github.com/containers/buildah/pkg/util"
+	butil "github.com/containers/buildah/util"
 	"github.com/containers/common/pkg/auth"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/compression"
@@ -187,7 +187,7 @@ func pushCmd(c *cobra.Command, args []string, iopts pushOptions) error {
 		}
 	}
 
-	encConfig, encLayers, err := iutil.EncryptConfig(iopts.encryptionKeys, iopts.encryptLayers)
+	encConfig, encLayers, err := util.EncryptConfig(iopts.encryptionKeys, iopts.encryptLayers)
 	if err != nil {
 		return fmt.Errorf("unable to obtain encryption config: %w", err)
 	}
@@ -234,7 +234,7 @@ func pushCmd(c *cobra.Command, args []string, iopts pushOptions) error {
 				return nil
 			}
 		}
-		return util.GetFailureCause(err, fmt.Errorf("pushing image %q to %q: %w", src, destSpec, err))
+		return butil.GetFailureCause(err, fmt.Errorf("pushing image %q to %q: %w", src, destSpec, err))
 	}
 	if ref != nil {
 		logrus.Debugf("pushed image %q with digest %s", ref, digest.String())
@@ -246,7 +246,7 @@ func pushCmd(c *cobra.Command, args []string, iopts pushOptions) error {
 
 	if iopts.digestfile != "" {
 		if err = os.WriteFile(iopts.digestfile, []byte(digest.String()), 0644); err != nil {
-			return util.GetFailureCause(err, fmt.Errorf("failed to write digest to file %q: %w", iopts.digestfile, err))
+			return butil.GetFailureCause(err, fmt.Errorf("failed to write digest to file %q: %w", iopts.digestfile, err))
 		}
 	}
 

diff --git a/internal/util/util.go b/internal/util/util.go
@@ -9,8 +9,6 @@ import (
 	"github.com/containers/buildah/define"
 	"github.com/containers/common/libimage"
 	"github.com/containers/image/v5/types"
-	encconfig "github.com/containers/ocicrypt/config"
-	enchelpers "github.com/containers/ocicrypt/helpers"
 	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/chrootarchive"
@@ -106,49 +104,3 @@ func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {
 	}
 	return nil
 }
-
-// DecryptConfig translates decryptionKeys into a DescriptionConfig structure
-func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
-	decryptConfig := &encconfig.DecryptConfig{}
-	if len(decryptionKeys) > 0 {
-		// decryption
-		dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
-		if err != nil {
-			return nil, fmt.Errorf("invalid decryption keys: %w", err)
-		}
-		cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{dcc})
-		decryptConfig = cc.DecryptConfig
-	}
-
-	return decryptConfig, nil
-}
-
-// EncryptConfig translates encryptionKeys into a EncriptionsConfig structure
-func EncryptConfig(encryptionKeys []string, encryptLayers []int) (*encconfig.EncryptConfig, *[]int, error) {
-	var encLayers *[]int
-	var encConfig *encconfig.EncryptConfig
-
-	if len(encryptionKeys) > 0 {
-		// encryption
-		encLayers = &encryptLayers
-		ecc, err := enchelpers.CreateCryptoConfig(encryptionKeys, []string{})
-		if err != nil {
-			return nil, nil, fmt.Errorf("invalid encryption keys: %w", err)
-		}
-		cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{ecc})
-		encConfig = cc.EncryptConfig
-	}
-	return encConfig, encLayers, nil
-}
-
-// GetFormat translates format string into either docker or OCI format constant
-func GetFormat(format string) (string, error) {
-	switch format {
-	case define.OCI:
-		return define.OCIv1ImageManifest, nil
-	case define.DOCKER:
-		return define.Dockerv2ImageManifest, nil
-	default:
-		return "", fmt.Errorf("unrecognized image type %q", format)
-	}
-}
diff --git a/internal/util/util_test.go b/internal/util/util_test.go
diff --git a/pkg/cli/build.go b/pkg/cli/build.go
@@ -14,7 +14,6 @@ import (
 	"time"
 
 	"github.com/containers/buildah/define"
-	iutil "github.com/containers/buildah/internal/util"
 	"github.com/containers/buildah/pkg/parse"
 	"github.com/containers/buildah/pkg/util"
 	"github.com/containers/common/pkg/auth"
@@ -135,7 +134,7 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 	}
 
 	containerfiles := getContainerfiles(iopts.File)
-	format, err := iutil.GetFormat(iopts.Format)
+	format, err := util.GetFormat(iopts.Format)
 	if err != nil {
 		return options, nil, nil, err
 	}
@@ -272,8 +271,8 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 		return options, nil, nil, err
 	}
 
-	decryptConfig, err := iutil.DecryptConfig(iopts.DecryptionKeys)
-	if err != nil {
+	decryptConfig, err := util.DecryptConfig(iopts.DecryptionKeys)
+	if err != nil || decryptConfig == nil {
 		return options, nil, nil, fmt.Errorf("unable to obtain decrypt config: %w", err)
 	}
 
@@ -433,7 +432,7 @@ func readBuildArgFile(buildargfile string, args map[string]string) error {
 		return err
 	}
 	for _, arg := range strings.Split(string(argfile), "\n") {
-		if len (arg) == 0 || arg[0] == '#' {
+		if len(arg) == 0 || arg[0] == '#' {
 			continue
 		}
 		readBuildArg(arg, args)

diff --git a/pkg/util/util.go b/pkg/util/util.go
@@ -5,6 +5,10 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/containers/buildah/define"
+	encconfig "github.com/containers/ocicrypt/config"
+	enchelpers "github.com/containers/ocicrypt/helpers"
 )
 
 // Mirrors path to a tmpfile if path points to a
@@ -77,3 +81,49 @@ func DiscoverContainerfile(path string) (foundCtrFile string, err error) {
 
 	return foundCtrFile, nil
 }
+
+// DecryptConfig translates decryptionKeys into a DescriptionConfig structure
+func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
+	var decryptConfig *encconfig.DecryptConfig
+	if len(decryptionKeys) > 0 {
+		// decryption
+		dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
+		if err != nil {
+			return nil, fmt.Errorf("invalid decryption keys: %w", err)
+		}
+		cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{dcc})
+		decryptConfig = cc.DecryptConfig
+	}
+
+	return decryptConfig, nil
+}
+
+// EncryptConfig translates encryptionKeys into a EncriptionsConfig structure
+func EncryptConfig(encryptionKeys []string, encryptLayers []int) (*encconfig.EncryptConfig, *[]int, error) {
+	var encLayers *[]int
+	var encConfig *encconfig.EncryptConfig
+
+	if len(encryptionKeys) > 0 {
+		// encryption
+		encLayers = &encryptLayers
+		ecc, err := enchelpers.CreateCryptoConfig(encryptionKeys, []string{})
+		if err != nil {
+			return nil, nil, fmt.Errorf("invalid encryption keys: %w", err)
+		}
+		cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{ecc})
+		encConfig = cc.EncryptConfig
+	}
+	return encConfig, encLayers, nil
+}
+
+// GetFormat translates format string into either docker or OCI format constant
+func GetFormat(format string) (string, error) {
+	switch format {
+	case define.OCI:
+		return define.OCIv1ImageManifest, nil
+	case define.DOCKER:
+		return define.Dockerv2ImageManifest, nil
+	default:
+		return "", fmt.Errorf("unrecognized image type %q", format)
+	}
+}
diff --git a/pkg/util/util_test.go b/pkg/util/util_test.go
@@ -3,6 +3,7 @@ package util
 import (
 	"testing"
 
+	"github.com/containers/buildah/define"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -30,3 +31,15 @@ func TestDiscoverContainerfile(t *testing.T) {
 	assert.Equal(t, name, "test/test2/Dockerfile")
 
 }
+
+func TestGetFormat(t *testing.T) {
+	_, err := GetFormat("bogus")
+	assert.NotNil(t, err)
+
+	format, err := GetFormat("oci")
+	assert.Nil(t, err)
+	assert.Equalf(t, define.OCIv1ImageManifest, format, "expected oci format but got %v.", format)
+	format, err = GetFormat("docker")
+	assert.Nil(t, err)
+	assert.Equalf(t, define.Dockerv2ImageManifest, format, "expected docker format but got %v.", format)
+}
diff --git a/tests/bud.bats b/tests/bud.bats
@@ -3997,7 +3997,7 @@ EOM
   echo FROM localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest > $contextdir/Dockerfile
 
   # Try to build from encrypted image without key
-  run_buildah 125 build $WITH_POLICY_JSON --tls-verify=false  --creds testuser:testpassword -t ${target} -f $contextdir/Dockerfile
+  run_buildah 1 build $WITH_POLICY_JSON --tls-verify=false  --creds testuser:testpassword -t ${target} -f $contextdir/Dockerfile
   assert "$output" =~ "missing private key needed for decryption"
 
   # Try to build from encrypted image with wrong key

diff --git a/tests/from.bats b/tests/from.bats
@@ -427,7 +427,7 @@ load helpers
   run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
 
   # Try encrypted image without key should fail
-  run_buildah 125 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
+  run_buildah 1 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
   expect_output --substring "decrypting layer .* missing private key needed for decryption"
 
   # Try encrypted image with wrong key should fail

diff --git a/tests/pull.bats b/tests/pull.bats
@@ -190,7 +190,7 @@ load helpers
   run_buildah push $WITH_POLICY_JSON --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox  oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
 
   # Try to pull encrypted image without key should fail
-  run_buildah 125 pull $WITH_POLICY_JSON oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
+  run_buildah 1 pull $WITH_POLICY_JSON oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
   expect_output --substring "decrypting layer .* missing private key needed for decryption"
 
   # Try to pull encrypted image with wrong key should fail