From 02194ac088116fee5766c9ae565301ffb094fa30 Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Fri, 24 Sep 2021 11:07:52 -0700
Subject: [PATCH] Remove `copasetic`.

I'd asked what this was in chat, and Dan indicated it wasn't really used by anything, and that the intended use with OPA doesn't work that way. So YOLO `rm -rf`, it's in version control if we need it.

Signed-off-by: Matt Moore
---
 copasetic/README.md | 94 ----------------------------------------------------------------------------------------------
 copasetic/main.go | 255 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 2 files changed, 349 deletions(-)
 delete mode 100644 copasetic/README.md
 delete mode 100644 copasetic/main.go

diff --git a/copasetic/README.md b/copasetic/README.md
deleted file mode 100644
index f95b0690794..00000000000
--- a/copasetic/README.md
+++ /dev/null
@@ -1,94 +0,0 @@
-# Copasetic
-
-This directory contains an experimental OPA plugin (embedded OPA interpreter) that adds support for `cosign` and OCI.
-
-## OCI
-
-### `oci.manifest(ref) manifest`
-
-This function takes a reference to an OCI image in a registry and returns the manifest.
-
-```
-> oci.manifest("gcr.io/dlorenc-vmtest2/demo:latest")
-{
- "config": {
- "digest": "sha256:562b620db00eefdbc6d1728bc900ab4137aba4cfe2e66334bfe702258e4c6d6f",
- "mediaType": "application/vnd.docker.container.image.v1+json",
- "size": 3510
- },
- "layers": [
- {
- "digest": "sha256:83ee3a23efb7c75849515a6d46551c608b255d8402a4d3753752b88e0dc188fa",
- "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
- "size": 28565893
- },
- {
- "digest": "sha256:db98fc6f11f08950985a203e07755c3262c680d00084f601e7304b768c83b3b1",
- "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
- "size": 843
- },
- {
- "digest": "sha256:f611acd52c6cad803b06b5ba932e4aabd0f2d0d5a4d050c81de2832fcb781274",
- "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
- "size": 162
- },
- {
- "digest": "sha256:270c032c91133825ed533692ce3be5d63605a2415b86795601892bcad188a095",
- "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
- "size": 125
- }
- ],
- "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
- "schemaVersion": 2
-}
-```
-
-### `oci.file(ref, path) file`
-
-This function takes a reference to an OCI image in a registry and a path as inputs.
-It returns the contents of the file at that path.
-
-```
-> oci.file("ubuntu:latest", "/etc/os-release")
-"NAME=\"Ubuntu\"\nVERSION=\"20.04.1 LTS (Focal Fossa)\"\nID=ubuntu\nID_LIKE=debian\nPRETTY_NAME=\"Ubuntu 20.04.1 LTS\"\nVERSION_ID=\"20.04\"\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nVERSION_CODENAME=focal\nUBUNTU_CODENAME=focal\n"
-```
-
-## Cosign
-
-### `cosign.signatures(ref) []cosign.SignedPayload`
-
-This function takes a reference to an OCI image in a registry and returns a list of `cosign.SignedPayload` structs.
-It does not perform any verification or validation.
-
-```
-> cosign.signatures("gcr.io/dlorenc-vmtest2/foo")
-[
- {
- "Base64Signature": "9mgUD6S8EqMeDJ9WZMTU7CdVXNOpJmOx5DiJJmuDEug5qxiq0LAcpEFa/Gk2uYdWOxtB9VX29req97M1WiQzDQ==",
- "Payload": "eyJDcml0aWNhbCI6eyJJZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiIn0sIkltYWdlIjp7IkRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiI4N2VmNjBmNTU4YmFkNzliZWVhNjQyNWEzYjI4OTg5ZjAxZGQ0MTcxNjQxNTBhYjNiYWFiOThkY2JmMDRkZWY4In0sIlR5cGUiOiJjb3NpZ24gY29udGFpbmVyIHNpZ25hdHVyZSJ9LCJPcHRpb25hbCI6bnVsbH0="
- },
- {
- "Base64Signature": "YHhjPxaWr2OxnDsLGhZSnecLObVEBzGv8GUC4XWTgHpzfGMq4Lweo09dgWpfpEny4T6s+ZIZJmZxHSN+QLVvAg==",
- "Payload": "eyJDcml0aWNhbCI6eyJJZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiIn0sIkltYWdlIjp7IkRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiI4N2VmNjBmNTU4YmFkNzliZWVhNjQyNWEzYjI4OTg5ZjAxZGQ0MTcxNjQxNTBhYjNiYWFiOThkY2JmMDRkZWY4In0sIlR5cGUiOiJjb3NpZ24gY29udGFpbmVyIHNpZ25hdHVyZSJ9LCJPcHRpb25hbCI6eyJmb28iOiJiYXIifX0="
- }
-]
-```
-
-### `cosign.verify(ref, pubkey) []cosign.SignedPayload`
-
-This function takes a reference to an OCI image in a registry and a base64 encoded PKIX public key.
-It returns a list of verified `cosign.SignedPayload` structs.
-
-```
-> cosign.verify("gcr.io/dlorenc-vmtest2/demo", "MCowBQYDK2VwAyEAAh79z2geyybj2erSCpXpkgXc5mdg0fanVZjWNpwMLeA=")
-[
- {
- "Base64Signature": "sR/r52vbIodlYxPBL5n0WK1sS7jJ/g4S423TJ3nT9WWp+/Z8UAkFjs/Mrh/KTPXePx73TSNabN8S+tu/A/BMAw==",
- "Payload": "eyJDcml0aWNhbCI6eyJJZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiIn0sIkltYWdlIjp7IkRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiI5N2ZjMjIyY2VlNzk5MWI1YjA2MWQ0ZDRhZmRiNWYzNDI4ZmNiMGM5MDU0ZTE2OTAzMTM3ODZiZWZhMWU0ZTM2In0sIlR5cGUiOiJjb3NpZ24gY29udGFpbmVyIHNpZ25hdHVyZSJ9LCJPcHRpb25hbCI6eyJ0YWciOiJzaWduZWR0YWcifX0="
- },
- {
- "Base64Signature": "bMEsdC3m6Ca1rwBOY6lvqpOeBWo1lvu26DkHcsd6Upo91+aeUIVzOIzsZPFwUNXZ64p6RgLWGol2vP/3nrZNDw==",
- "Payload": "eyJDcml0aWNhbCI6eyJJZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiIn0sIkltYWdlIjp7IkRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiI5N2ZjMjIyY2VlNzk5MWI1YjA2MWQ0ZDRhZmRiNWYzNDI4ZmNiMGM5MDU0ZTE2OTAzMTM3ODZiZWZhMWU0ZTM2In0sIlR5cGUiOiJjb3NpZ24gY29udGFpbmVyIHNpZ25hdHVyZSJ9LCJPcHRpb25hbCI6eyJzaWduZWR0YWciOiJzaWduZWR0YWcifX0="
- }
-]
-```
diff --git a/copasetic/main.go b/copasetic/main.go
deleted file mode 100644
index 79c7691edff..00000000000
--- a/copasetic/main.go
+++ /dev/null
@@ -1,255 +0,0 @@
-//
-// Copyright 2021 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package main
-
-import (
- "archive/tar"
- "bytes"
- "encoding/json"
- "errors"
- "flag"
- "fmt"
- "io"
- "io/ioutil"
- "os"
- "path/filepath"
-
- "github.com/google/go-containerregistry/pkg/name"
- v1 "github.com/google/go-containerregistry/pkg/v1"
- "github.com/google/go-containerregistry/pkg/v1/mutate"
- "github.com/google/go-containerregistry/pkg/v1/remote"
- "github.com/open-policy-agent/opa/ast"
- "github.com/open-policy-agent/opa/cmd"
- "github.com/open-policy-agent/opa/rego"
- "github.com/open-policy-agent/opa/types"
-
- "github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
- "github.com/sigstore/cosign/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/pkg/cosign"
- ociremote "github.com/sigstore/cosign/pkg/oci/remote"
- sigs "github.com/sigstore/cosign/pkg/signature"
- "github.com/sigstore/sigstore/pkg/signature"
- signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
-)
-
-func main() {
- fs := flag.NewFlagSet("copasetic", flag.ExitOnError)
- rekorURL := fs.String("rekor-url", "https://rekor.sigstore.dev", "[EXPERIMENTAL] address of rekor STL server")
- var regOpts options.RegistryOpts
- options.ApplyRegistryFlags(&regOpts, fs)
- flag.Parse()
-
- rego.RegisterBuiltin2(
- &rego.Function{
- Name: "oci.manifest",
- Decl: types.NewFunction(types.Args(types.S), types.A),
- Memoize: true,
- },
- func(bctx rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {
- var tag string
-
- if err := ast.As(a.Value, &tag); err != nil {
- return nil, err
- }
-
- ref, err := name.ParseReference(tag)
- if err != nil {
- return nil, err
- }
-
- img, err := remote.Image(ref, regOpts.GetRegistryClientOpts(bctx.Context)...)
- if err != nil {
- return nil, err
- }
-
- mfst, err := img.RawManifest()
- if err != nil {
- return nil, err
- }
-
- v, err := ast.ValueFromReader(bytes.NewReader(mfst))
- if err != nil {
- return nil, err
- }
-
- return ast.NewTerm(v), nil
- },
- )
-
- rego.RegisterBuiltin2(
- &rego.Function{
- Name: "oci.file",
- Decl: types.NewFunction(types.Args(types.S, types.S), types.A),
- Memoize: true,
- },
- func(bctx rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {
- var tag, path string
-
- if err := ast.As(a.Value, &tag); err != nil {
- return nil, err
- } else if err := ast.As(b.Value, &path); err != nil {
- return nil, err
- }
-
- ref, err := name.ParseReference(tag)
- if err != nil {
- return nil, err
- }
-
- img, err := remote.Image(ref, regOpts.GetRegistryClientOpts(bctx.Context)...)
- if err != nil {
- return nil, err
- }
-
- fc, err := findFile(img, path)
- if err != nil {
- return nil, err
- }
- v := ast.String(string(fc))
- return ast.NewTerm(v), nil
- },
- )
-
- rego.RegisterBuiltin1(
- &rego.Function{
- Name: "cosign.signatures",
- Decl: types.NewFunction(types.Args(types.S), types.A),
- Memoize: true,
- },
- func(bctx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {
- var tag string
-
- if err := ast.As(a.Value, &tag); err != nil {
- return nil, err
- }
-
- ref, err := name.ParseReference(tag)
- if err != nil {
- return nil, err
- }
- registryOpts := regOpts.GetRegistryClientOpts(bctx.Context)
-
- sps, err := cosign.FetchSignaturesForReference(bctx.Context, ref, ociremote.WithRemoteOptions(registryOpts...))
- if err != nil {
- return nil, err
- }
- b, err := json.Marshal(sps)
- if err != nil {
- return nil, err
- }
- v, err := ast.ValueFromReader(bytes.NewReader(b))
- if err != nil {
- return nil, err
- }
- return ast.NewTerm(v), nil
- },
- )
-
- rego.RegisterBuiltin2(
- &rego.Function{
- Name: "cosign.verify",
- Decl: types.NewFunction(types.Args(types.S, types.S), types.A),
- Memoize: true,
- },
- func(bctx rego.BuiltinContext, tagParam, keyParam *ast.Term) (*ast.Term, error) {
- var tag string
- if err := ast.As(tagParam.Value, &tag); err != nil {
- return nil, err
- }
-
- var key string
- if err := ast.As(keyParam.Value, &key); err != nil {
- return nil, err
- }
-
- ref, err := name.ParseReference(tag)
- if err != nil {
- return nil, err
- }
-
- pubKey, err := sigs.LoadPublicKey(bctx.Context, key)
- if err != nil {
- return nil, err
- }
- ctxOpt := signatureoptions.WithContext(bctx.Context)
- co := &cosign.CheckOpts{
- SigVerifier: pubKey,
- PKOpts: []signature.PublicKeyOption{ctxOpt},
- ClaimVerifier: cosign.SimpleClaimVerifier,
- RootCerts: fulcio.GetRoots(),
- RegistryClientOpts: regOpts.ClientOpts(bctx.Context),
- RekorURL: *rekorURL,
- }
- sps, _, err := cosign.VerifySignatures(bctx.Context, ref, co)
- if err != nil {
- return nil, err
- }
-
- b, err := json.Marshal(sps)
- if err != nil {
- return nil, err
- }
-
- v, err := ast.ValueFromReader(bytes.NewReader(b))
- if err != nil {
- return nil, err
- }
- return ast.NewTerm(v), nil
- },
- )
-
- if err := cmd.RootCommand.Execute(); err != nil {
- fmt.Println(err)
- os.Exit(1)
- }
-}
-
-func findFile(img v1.Image, path string) ([]byte, error) {
- rc := mutate.Extract(img)
- defer rc.Close()
-
- tr := tar.NewReader(rc)
- for {
- hdr, err := tr.Next()
- if errors.Is(err, io.EOF) {
- break // End of archive
- }
- if err != nil {
- return nil, err
- }
-
- fp := hdr.Name
- if !filepath.IsAbs(fp) {
- fp = "/" + fp
- }
- if fp == filepath.Clean(path) {
- if hdr.Typeflag == tar.TypeSymlink {
- // Resolve and recurse!
- dst := hdr.Linkname
- if !filepath.IsAbs(hdr.Linkname) {
- dst, _ = filepath.Abs(filepath.Join(filepath.Dir(fp), filepath.Clean(hdr.Linkname)))
- }
- return findFile(img, dst)
- }
- b, err := ioutil.ReadAll(tr)
- if err != nil {
- return nil, err
- }
- return b, nil
- }
- }
- return nil, fmt.Errorf("path %s not found", path)
-}