pass http client for use with tuf

Signed-off-by: Meredith Lancaster <malancas@github.com>
2025-05-07 09:18:43 -06:00 · 2025-05-07 09:18:43 -06:00 · 6b226754fd
commit 6b226754fd
parent d6068820d3
4 changed files with 10 additions and 8 deletions
--- a/pkg/cmd/attestation/trustedroot/trustedroot.go
+++ b/pkg/cmd/attestation/trustedroot/trustedroot.go
@ -122,7 +122,7 @@ func getTrustedRoot(makeTUF tufClientInstantiator, opts *Options) error {
 	var tufOptions []tufConfig
 	var defaultTR = "trusted_root.json"

-	tufOpt := verification.DefaultOptionsWithCacheSetting(o.None[string]())
+	tufOpt := verification.DefaultOptionsWithCacheSetting(o.None[string](), nil)
 	// Disable local caching, so we get up-to-date response from TUF repository
 	tufOpt.CacheValidity = 0

@ -151,7 +151,7 @@ func getTrustedRoot(makeTUF tufClientInstantiator, opts *Options) error {
 			targets:    []string{defaultTR},
 		})

-		tufOpt = verification.GitHubTUFOptions(o.None[string]())
+		tufOpt = verification.GitHubTUFOptions(o.None[string](), nil)
 		tufOpt.CacheValidity = 0
 		tufOptions = append(tufOptions, tufConfig{
 			tufOptions: tufOpt,
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@ -73,7 +73,7 @@ func NewLiveSigstoreVerifier(config SigstoreConfig) (*LiveSigstoreVerifier, erro
 		return liveVerifier, nil
 	}
 	if !config.NoPublicGood {
-		publicGoodVerifier, err := newPublicGoodVerifier(config.TUFMetadataDir)
+		publicGoodVerifier, err := newPublicGoodVerifier(config.TUFMetadataDir, config.HttpClient)
 		if err != nil {
 			return nil, err
 		}
@ -350,8 +350,8 @@ func newGitHubVerifierWithTrustedRoot(trustedRoot *root.TrustedRoot) (*verify.Si
 	return gv, nil
 }

-func newPublicGoodVerifier(tufMetadataDir o.Option[string]) (*verify.SignedEntityVerifier, error) {
-	opts := DefaultOptionsWithCacheSetting(tufMetadataDir)
+func newPublicGoodVerifier(tufMetadataDir o.Option[string], hc *http.Client) (*verify.SignedEntityVerifier, error) {
+	opts := DefaultOptionsWithCacheSetting(tufMetadataDir, hc)
 	client, err := tuf.New(opts)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create TUF client: %v", err)
--- a/pkg/cmd/attestation/verification/tuf.go
+++ b/pkg/cmd/attestation/verification/tuf.go
@ -2,9 +2,11 @@ package verification

 import (
 	_ "embed"
+	"net/http"
 	"os"
 	"path/filepath"

+	"github.com/cenkalti/backoff/v5"
 	o "github.com/cli/cli/v2/pkg/option"
 	"github.com/cli/go-gh/v2/pkg/config"
 	"github.com/sigstore/sigstore-go/pkg/tuf"
@ -43,7 +45,7 @@ func DefaultOptionsWithCacheSetting(tufMetadataDir o.Option[string], hc *http.Cl
 }

 func GitHubTUFOptions(tufMetadataDir o.Option[string], hc *http.Client) *tuf.Options {
-	opts := DefaultOptionsWithCacheSetting(tufMetadataDir)
+	opts := DefaultOptionsWithCacheSetting(tufMetadataDir, hc)

 	opts.Root = githubRoot
 	opts.RepositoryBaseURL = GitHubTUFMirror
--- a/pkg/cmd/attestation/verification/tuf_test.go
+++ b/pkg/cmd/attestation/verification/tuf_test.go
@ -12,7 +12,7 @@ import (

 func TestGitHubTUFOptionsNoMetadataDir(t *testing.T) {
 	os.Setenv("CODESPACES", "true")
-	opts := GitHubTUFOptions(o.None[string]())
+	opts := GitHubTUFOptions(o.None[string](), nil)

 	require.Equal(t, GitHubTUFMirror, opts.RepositoryBaseURL)
 	require.NotNil(t, opts.Root)
@ -21,6 +21,6 @@ func TestGitHubTUFOptionsNoMetadataDir(t *testing.T) {
 }

 func TestGitHubTUFOptionsWithMetadataDir(t *testing.T) {
-	opts := GitHubTUFOptions(o.Some("anything"))
+	opts := GitHubTUFOptions(o.Some("anything"), nil)
 	require.Equal(t, "anything", opts.CachePath)
 }