STACKITGit/cli
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cli/pkg/cmd/attestation/inspect/bundle.go
Meredith Lancaster 90b7bf97c5
gh-attestation cmd integration (#8698) 
* add attestation cmd

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add codeowners

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update args passed to the attestation cmd

Signed-off-by: Meredith Lancaster <malancas@github.com>

* rename file

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use gh-attestation branch for passing iostreams from the root

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add package security team entry to codeowners

Signed-off-by: Meredith Lancaster <malancas@github.com>

* start moving over verify cmd and general verification code

Signed-off-by: Meredith Lancaster <malancas@github.com>

* clean up common and verify specific policy code

Signed-off-by: Meredith Lancaster <malancas@github.com>

* move artifact package over

Signed-off-by: Meredith Lancaster <malancas@github.com>

* start pulling in the github api client wrapper

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix imports

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add logger and test packages

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add additional packages to support verify command

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix mock api client

Signed-off-by: Meredith Lancaster <malancas@github.com>

* clean up mock api client

Signed-off-by: Meredith Lancaster <malancas@github.com>

* include missing fields

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use correct owner

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add more mock api client options

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add download cmd

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add inspect cmd

Signed-off-by: Meredith Lancaster <malancas@github.com>

* pass factory object to inspect cmd, add inspect sub cmd to attestation cmd

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add verify-tuf-root cmd

Signed-off-by: Meredith Lancaster <malancas@github.com>

* pass iostream struct from command

Signed-off-by: Meredith Lancaster <malancas@github.com>

* rename logger pkg to logger

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix path in codeowners

Signed-off-by: Meredith Lancaster <malancas@github.com>

* formatter

Signed-off-by: Meredith Lancaster <malancas@github.com>

* go mod tidy

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix printf linter issue

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix printf linter issue

Signed-off-by: Meredith Lancaster <malancas@github.com>

* check user's GH host for compatibility

Signed-off-by: Meredith Lancaster <malancas@github.com>

* pass oci client to commands directly

Signed-off-by: Meredith Lancaster <malancas@github.com>

* rename command

Signed-off-by: Meredith Lancaster <malancas@github.com>

* mark tuf-root-verify cmd hidden

Signed-off-by: Meredith Lancaster <malancas@github.com>

* move client initialization back to subcommands

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add more verbose options and logging

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add missing logger

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add testing around OCI and API client

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add integration test

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix file path

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix command

Signed-off-by: Meredith Lancaster <malancas@github.com>

* build executable before integration test

Signed-off-by: Meredith Lancaster <malancas@github.com>

* split integration tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

* remove integration test steps

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix flag value

Signed-off-by: Meredith Lancaster <malancas@github.com>

* run integration tests on ubuntu for now

Signed-off-by: Meredith Lancaster <malancas@github.com>

* pull over doc updates

Signed-off-by: Meredith Lancaster <malancas@github.com>

* delete unused test data

Signed-off-by: Meredith Lancaster <malancas@github.com>

* remove Go patch version

Signed-off-by: Meredith Lancaster <malancas@github.com>

* switch assert to require

Signed-off-by: Meredith Lancaster <malancas@github.com>

* rename file

Signed-off-by: Meredith Lancaster <malancas@github.com>

* move integration tests to prexisting test workflow

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use platform matrix for integration tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

* simplify build step

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use StringEnumFlag handling

Signed-off-by: Meredith Lancaster <malancas@github.com>

* typo

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use the iostreams.Test helper func

Signed-off-by: Meredith Lancaster <malancas@github.com>

* create interface for oci client

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add tests for oci client

Signed-off-by: Meredith Lancaster <malancas@github.com>

* rename files

Signed-off-by: Meredith Lancaster <malancas@github.com>

* format file

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix shellcheck issues

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use testing TempDir method

Signed-off-by: Meredith Lancaster <malancas@github.com>

* cleanup unused tempdir handling

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use table driven tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

* check correct cmd

Signed-off-by: Meredith Lancaster <malancas@github.com>

* support repo option in download sub cmd

Signed-off-by: Meredith Lancaster <malancas@github.com>

* switch over to using RunE

Signed-off-by: Meredith Lancaster <malancas@github.com>

* unexport top level subcommand funcs

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add comment around keychain option

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update comments

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix inconsistent naming

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add tests for CLI commands

Signed-off-by: Meredith Lancaster <malancas@github.com>

* check for noattestationsfound err

Signed-off-by: Meredith Lancaster <malancas@github.com>

* try out metadata abstraction instead

Signed-off-by: Meredith Lancaster <malancas@github.com>

* switch to using MetadataStore abstraction

Signed-off-by: Meredith Lancaster <malancas@github.com>

* include test case with failing metadata store

Signed-off-by: Meredith Lancaster <malancas@github.com>

* look for err specific to file write

Signed-off-by: Meredith Lancaster <malancas@github.com>

* unexport fields

Signed-off-by: Meredith Lancaster <malancas@github.com>

* return err when an unsupported hash alg is provided

Signed-off-by: Meredith Lancaster <malancas@github.com>

* PrintTableToStdOut returns err when rendering fails

Signed-off-by: Meredith Lancaster <malancas@github.com>

* start adding sigstore verifier unit tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add more sigstore verifier specific tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use cli table printer

Signed-off-by: Meredith Lancaster <malancas@github.com>

* return JSON results in slice instead of table

Signed-off-by: Meredith Lancaster <malancas@github.com>

* move mock client to test file

Signed-off-by: Meredith Lancaster <malancas@github.com>

* remove unneeded table printer method

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add initial tests for tufrootverify cmd

Signed-off-by: Meredith Lancaster <malancas@github.com>

* formatting

Signed-off-by: Meredith Lancaster <malancas@github.com>

* cleanup method

Signed-off-by: Meredith Lancaster <malancas@github.com>

* close file in error handling branch

Signed-off-by: Meredith Lancaster <malancas@github.com>

* normalize artifact path

Signed-off-by: Meredith Lancaster <malancas@github.com>

* remove unneeded embedded file system

Signed-off-by: Meredith Lancaster <malancas@github.com>

* include image name reference err

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use GH_DEBUG value for io handling

Signed-off-by: Meredith Lancaster <malancas@github.com>

* remove quiet and verbose flags

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add more tufrootveriify tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

* GitHubTUFOptions no longer needs to return error

Signed-off-by: Meredith Lancaster <malancas@github.com>

* remove unneeded slice

Signed-off-by: Meredith Lancaster <malancas@github.com>

* normalize all relative paths

Signed-off-by: Meredith Lancaster <malancas@github.com>

* clean up nil client checks

Signed-off-by: Meredith Lancaster <malancas@github.com>

* set api server based on host

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add comment about http client

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use format flag to handle json output in verify cmd

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use format flag to handle json output

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use normalized path for cli test arg

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add tests for json output

Signed-off-by: Meredith Lancaster <malancas@github.com>

* cleanup error wrapping

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use test fixtures correctly by normalizing path

Signed-off-by: Meredith Lancaster <malancas@github.com>

* dont clean

Signed-off-by: Meredith Lancaster <malancas@github.com>

* escape backwards slash for windows files with replace

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use strings.Split func

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use strings.Replace for all command tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use CLI cache dir to store tuf metadata

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Tweaked docstrings for gh attestation download

* Tweaked docstrings for gh attestation verify

* Fix for bug in gh attestation where the wrong hostname was being passed to the API client.

* lets hide tuf-root-verify eh?

* Forgot verify's short str.

* add remote verification test

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Revert "add remote verification test"

This reverts commit c0ceb99ca8.

* update json result handling

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add json tags to struct returned by command

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix how json results are handled

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add test to ensure JSON output is valid

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Phill MV <phillmv@github.com>
2024-04-01 11:13:47 -06:00

128 lines
3.7 KiB
Go
Raw Blame History

package inspect
import (
"encoding/json"
"fmt"
"strings"
"github.com/cli/cli/v2/pkg/cmd/attestation/api"
"github.com/cli/cli/v2/pkg/cmd/attestation/verification"
)
type workflow struct {
Repository string `json:"repository"`
}
type externalParameters struct {
Workflow workflow `json:"workflow"`
}
type githubInfo struct {
RepositoryID string `json:"repository_id"`
RepositoryOwnerId string `json:"repository_owner_id"`
}
type internalParameters struct {
GitHub githubInfo `json:"github"`
}
type buildDefinition struct {
ExternalParameters externalParameters `json:"externalParameters"`
InternalParameters internalParameters `json:"internalParameters"`
}
type metadata struct {
InvocationID string `json:"invocationId"`
}
type runDetails struct {
Metadata metadata `json:"metadata"`
}
// Predicate captures the predicate of a given attestation
type Predicate struct {
BuildDefinition buildDefinition `json:"buildDefinition"`
RunDetails runDetails `json:"runDetails"`
}
// AttestationDetail captures attestation source details
// that will be returned by the inspect command
type AttestationDetail struct {
OrgName string `json:"orgName"`
OrgID string `json:"orgId"`
RepositoryName string `json:"repositoryName"`
RepositoryID string `json:"repositoryId"`
WorkflowID string `json:"workflowId"`
}
func getOrgAndRepo(repoURL string) (string, string, error) {
after, found := strings.CutPrefix(repoURL, "https://github.com/")
if !found {
return "", "", fmt.Errorf("failed to get org and repo from %s", repoURL)
}
parts := strings.Split(after, "/")
return parts[0], parts[1], nil
}
func getAttestationDetail(attr api.Attestation) (AttestationDetail, error) {
envelope, err := attr.Bundle.Envelope()
if err != nil {
return AttestationDetail{}, fmt.Errorf("failed to get envelope from bundle: %v", err)
}
statement, err := envelope.EnvelopeContent().Statement()
if err != nil {
return AttestationDetail{}, fmt.Errorf("failed to get statement from envelope: %v", err)
}
var predicate Predicate
predicateJson, err := json.Marshal(statement.Predicate)
if err != nil {
return AttestationDetail{}, fmt.Errorf("failed to marshal predicate: %v", err)
}
err = json.Unmarshal(predicateJson, &predicate)
if err != nil {
return AttestationDetail{}, fmt.Errorf("failed to unmarshal predicate: %v", err)
}
org, repo, err := getOrgAndRepo(predicate.BuildDefinition.ExternalParameters.Workflow.Repository)
if err != nil {
return AttestationDetail{}, fmt.Errorf("failed to parse attestation content: %v", err)
}
return AttestationDetail{
OrgName: org,
OrgID: predicate.BuildDefinition.InternalParameters.GitHub.RepositoryOwnerId,
RepositoryName: repo,
RepositoryID: predicate.BuildDefinition.InternalParameters.GitHub.RepositoryID,
WorkflowID: predicate.RunDetails.Metadata.InvocationID,
}, nil
}
func getDetailsAsSlice(results []*verification.AttestationProcessingResult) ([][]string, error) {
details := make([][]string, len(results))
for i, result := range results {
detail, err := getAttestationDetail(*result.Attestation)
if err != nil {
return nil, fmt.Errorf("failed to get attestation detail: %v", err)
}
details[i] = []string{detail.RepositoryName, detail.RepositoryID, detail.OrgName, detail.OrgID, detail.WorkflowID}
}
return details, nil
}
func getAttestationDetails(results []*verification.AttestationProcessingResult) ([]AttestationDetail, error) {
details := make([]AttestationDetail, len(results))
for i, result := range results {
detail, err := getAttestationDetail(*result.Attestation)
if err != nil {
return nil, fmt.Errorf("failed to get attestation detail: %v", err)
}
details[i] = detail
}
return details, nil
}
Reference in a new issue View git blame Copy permalink