Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

create mutate functions for oci.Signature #1199

Merged
merged 4 commits into from
Dec 14, 2021
Merged

create mutate functions for oci.Signature #1199

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c78e397
create `mutate` functions for `oci.Signature`
Dec 11, 2021
5df4fd8
code review feedback
Dec 14, 2021
0450b1d
add comprehensivness to assertSignaturesEqual
Dec 14, 2021
cd447e8
add comments to `With...` `SignatureOption`s
Dec 14, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 51 additions & 1 deletion pkg/oci/mutate/options.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,10 @@

package mutate

import "github.com/sigstore/cosign/pkg/oci"
import (
"github.com/google/go-containerregistry/pkg/v1/types"
"github.com/sigstore/cosign/pkg/oci"
)

// DupeDetector scans a list of signatures looking for a duplicate.
type DupeDetector interface {
Expand Down Expand Up @@ -54,3 +57,50 @@ func WithReplaceOp(ro ReplaceOp) SignOption {
so.ro = ro
}
}

type signatureOpts struct {
annotations map[string]string
bundle *oci.Bundle
cert []byte
chain []byte
mediaType types.MediaType
}

type SignatureOption func(*signatureOpts)

// WithAnnotations specifies the annotations the Signature should have.
func WithAnnotations(annotations map[string]string) SignatureOption {
return func(so *signatureOpts) {
so.annotations = annotations
}
}

// WithBundle specifies the new Bundle the Signature should have.
func WithBundle(bundle *oci.Bundle) SignatureOption {
return func(so *signatureOpts) {
so.bundle = bundle
}
}

// WithCertChain specifies the new cert and chain the Signature should have.
func WithCertChain(cert, chain []byte) SignatureOption {
return func(so *signatureOpts) {
so.cert = cert
so.chain = chain
}
}

// WithMediaType specifies the new MediaType the Signature should have.
func WithMediaType(mediaType types.MediaType) SignatureOption {
return func(so *signatureOpts) {
so.mediaType = mediaType
}
}

func makeSignatureOption(opts ...SignatureOption) *signatureOpts {
so := &signatureOpts{}
for _, opt := range opts {
opt(so)
}
return so
}
192 changes: 192 additions & 0 deletions pkg/oci/mutate/signature.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,192 @@
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package mutate

import (
"bytes"
"crypto/x509"
"encoding/json"
"io"

v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/types"
"github.com/pkg/errors"
"github.com/sigstore/cosign/pkg/oci"
"github.com/sigstore/cosign/pkg/oci/static"
"github.com/sigstore/sigstore/pkg/cryptoutils"
)

type sigWrapper struct {
wrapped oci.Signature

annotations map[string]string
bundle *oci.Bundle
cert *x509.Certificate
chain []*x509.Certificate
mediaType types.MediaType
}

var _ v1.Layer = (*sigWrapper)(nil)
var _ oci.Signature = (*sigWrapper)(nil)

func copyAnnotations(ann map[string]string) map[string]string {
new := make(map[string]string, len(ann))
for k, v := range ann {
new[k] = v
}
return new
}

// Annotations implements oci.Signature.
func (sw *sigWrapper) Annotations() (map[string]string, error) {
if sw.annotations != nil {
return copyAnnotations(sw.annotations), nil
}
return sw.wrapped.Annotations()
}

// Payload implements oci.Signature.
func (sw *sigWrapper) Payload() ([]byte, error) {
return sw.wrapped.Payload()
}

// Base64Signature implements oci.Signature.
func (sw *sigWrapper) Base64Signature() (string, error) {
return sw.wrapped.Base64Signature()
}

// Cert implements oci.Signature.
func (sw *sigWrapper) Cert() (*x509.Certificate, error) {
if sw.cert != nil {
return sw.cert, nil
}
return sw.wrapped.Cert()
}

// Chain implements oci.Signature.
func (sw *sigWrapper) Chain() ([]*x509.Certificate, error) {
if sw.chain != nil {
return sw.chain, nil
}
return sw.wrapped.Chain()
}

// Bundle implements oci.Signature.
func (sw *sigWrapper) Bundle() (*oci.Bundle, error) {
if sw.bundle != nil {
return sw.bundle, nil
}
return sw.wrapped.Bundle()
}

// MediaType implements v1.Layer
func (sw *sigWrapper) MediaType() (types.MediaType, error) {
if sw.mediaType != "" {
return sw.mediaType, nil
}
return sw.wrapped.MediaType()
}

// Digest implements v1.Layer
func (sw *sigWrapper) Digest() (v1.Hash, error) {
return sw.wrapped.Digest()
}

// DiffID implements v1.Layer
func (sw *sigWrapper) DiffID() (v1.Hash, error) {
return sw.wrapped.DiffID()
}

// Compressed implements v1.Layer
func (sw *sigWrapper) Compressed() (io.ReadCloser, error) {
return sw.wrapped.Compressed()
}

// Uncompressed implements v1.Layer
func (sw *sigWrapper) Uncompressed() (io.ReadCloser, error) {
return sw.wrapped.Uncompressed()
}

// Size implements v1.Layer
func (sw *sigWrapper) Size() (int64, error) {
return sw.wrapped.Size()
}

// Signature returns a new oci.Signature based on the provided original, plus the requested mutations.
func Signature(original oci.Signature, opts ...SignatureOption) (oci.Signature, error) {
newSig := sigWrapper{wrapped: original}

so := makeSignatureOption(opts...)
oldAnn, err := original.Annotations()
if err != nil {
return nil, errors.Wrap(err, "could not get annotations from signature to mutate")
}

var newAnn map[string]string
if so.annotations != nil {
newAnn = copyAnnotations(so.annotations)
newAnn[static.SignatureAnnotationKey] = oldAnn[static.SignatureAnnotationKey]
for _, key := range []string{static.BundleAnnotationKey, static.CertificateAnnotationKey, static.ChainAnnotationKey} {
if val, isSet := oldAnn[key]; isSet {
newAnn[key] = val
} else {
delete(newAnn, key)
}
}
} else {
newAnn = copyAnnotations(oldAnn)
}

if so.bundle != nil {
newSig.bundle = so.bundle
b, err := json.Marshal(so.bundle)
if err != nil {
return nil, err
}
newAnn[static.BundleAnnotationKey] = string(b)
}

if so.cert != nil {
var cert *x509.Certificate
var chain []*x509.Certificate

certs, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(so.cert))
if err != nil {
return nil, err
}
newAnn[static.CertificateAnnotationKey] = string(so.cert)
cert = certs[0]

delete(newAnn, static.ChainAnnotationKey)
if so.chain != nil {
chain, err = cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(so.chain))
if err != nil {
return nil, err
}
newAnn[static.ChainAnnotationKey] = string(so.chain)
}

newSig.cert = cert
newSig.chain = chain
}

if so.mediaType != "" {
newSig.mediaType = so.mediaType
}

newSig.annotations = newAnn

return &newSig, nil
}
Loading