From 25abbb048c34194fa412beac251371d21e22a755 Mon Sep 17 00:00:00 2001
From: Shunsuke Suzuki
Date: Sat, 27 Jan 2024 06:44:05 +0900
Subject: [PATCH] feat: support disabling cosign and SLSA (#2634)

* feat: support disabling cosign
* feat: support disabling slsa verification
* fix: support disabling the checksum file verification with cosign
* fix: suppress a lint error
---
 pkg/cli/runner.go | 14 +++++++++++++-
 pkg/config/package.go | 2 ++
 pkg/installpackage/checksum.go | 2 +-
 pkg/installpackage/installer.go | 4 ++++
 pkg/installpackage/verify_cosign.go | 5 +++++
 pkg/installpackage/verify_slsa.go | 4 ++++
 6 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/pkg/cli/runner.go b/pkg/cli/runner.go
index 9054aac05..6bd7c6026 100644
--- a/pkg/cli/runner.go
+++ b/pkg/cli/runner.go
@@ -52,6 +52,8 @@ func (r *Runner) setParam(c *cli.Context, commandName string, param *config.Para
 param.All = c.Bool("all")
 param.Detail = c.Bool("detail")
 param.Prune = c.Bool("prune")
+ param.CosignDisabled = c.Bool("disable-cosign")
+ param.SLSADisabled = c.Bool("disable-slsa")
 param.Limit = c.Int("limit")
 param.SelectVersion = c.Bool("select-version")
 param.ShowVersion = c.Bool("version")
@@ -128,7 +130,7 @@ func parseTags(tags []string) map[string]struct{} {
 return tagsM
 }
 
-func (r *Runner) Run(ctx context.Context, args ...string) error {
+func (r *Runner) Run(ctx context.Context, args ...string) error { //nolint:funlen
 compiledDate, err := time.Parse(time.RFC3339, r.LDFlags.Date)
 if err != nil {
 compiledDate = time.Now()
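Review bot: The `//nolint:funlen` added to the `Run` signature suppresses the length warning that the two new flag entries trigger instead of addressing it; the flag list is what keeps growing, so moving it into its own helper (a function returning `[]cli.Flag`) would keep `Run` under the limit and avoid a further suppression the next time a flag is added. This is a style point only, behavior is unchanged. Run's body continues outside the hunk.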
@@ -151,6 +153,16 @@ func (r *Runner) Run(ctx context.Context, args ...string) error {
 Usage: "configuration file path",
 EnvVars: []string{"AQUA_CONFIG"},
 },
+ &cli.BoolFlag{
+ Name: "disable-cosign",
+ Usage: "Disable Cosign verification",
+ EnvVars: []string{"AQUA_DISABLE_COSIGN"},
+ },
+ &cli.BoolFlag{
+ Name: "disable-slsa",
+ Usage: "Disable SLSA verification",
+ EnvVars: []string{"AQUA_DISABLE_SLSA"},
+ },
 &cli.StringFlag{
 Name: "trace",
 Usage: "trace output file path",
diff --git a/pkg/config/package.go b/pkg/config/package.go
index 328a2ac98..5df0ad88b 100644
--- a/pkg/config/package.go
+++ b/pkg/config/package.go
@@ -274,6 +274,8 @@ type Param struct {
 Detail bool
 OnlyPackage bool
 OnlyRegistry bool
+ CosignDisabled bool
+ SLSADisabled bool
 PolicyConfigFilePaths []string
 Commands []string
 }
diff --git a/pkg/installpackage/checksum.go b/pkg/installpackage/checksum.go
index 742907f69..6b7601e15 100644
--- a/pkg/installpackage/checksum.go
+++ b/pkg/installpackage/checksum.go
@@ -28,7 +28,7 @@ func (is *Installer) dlAndExtractChecksum(ctx context.Context, logE *logrus.Entr
 return "", fmt.Errorf("read a checksum file: %w", err)
 }
 
- if cos := pkg.PackageInfo.Checksum.GetCosign(); cos.GetEnabled() {
+ if cos := pkg.PackageInfo.Checksum.GetCosign(); cos.GetEnabled() && !is.cosignDisabled {
 f, err := afero.TempFile(is.fs, "", "")
 if err != nil {
 return "", fmt.Errorf("create a temporal file: %w", err)
diff --git a/pkg/installpackage/installer.go b/pkg/installpackage/installer.go
index 02fd50f1e..be293d5e9 100644
--- a/pkg/installpackage/installer.go
+++ b/pkg/installpackage/installer.go
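Review bot: The `Usage` strings of the two new `cli.BoolFlag` entries say only that verification is "disabled", not what stops being checked or that the environment variable has the same effect; because a value in `AQUA_DISABLE_COSIGN` or `AQUA_DISABLE_SLSA` switches the check off with nothing visible on the command line, the help text is the one place an operator will learn that. Suggest `Usage: "Disable Cosign signature verification of downloaded files (also via AQUA_DISABLE_COSIGN)"` and `Usage: "Disable SLSA provenance verification of downloaded files (also via AQUA_DISABLE_SLSA)"`. Run's flag list continues outside the hunk.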
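Review bot: The exported fields `CosignDisabled` and `SLSADisabled` added to `config.Param` carry no doc comment, so a reader of the struct cannot tell that they are installer-wide opt-outs set from the CLI rather than per-package configuration. Suggest `// CosignDisabled turns off Cosign verification for every package (--disable-cosign / AQUA_DISABLE_COSIGN).` and `// SLSADisabled turns off SLSA provenance verification for every package (--disable-slsa / AQUA_DISABLE_SLSA).` above the two fields. Param's other fields are outside the hunk.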
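Review bot: When `is.cosignDisabled` is set, the new `&& !is.cosignDisabled` condition skips Cosign verification of the checksum file without emitting anything, and the matching guards added in verify_cosign.go and verify_slsa.go log the skip only with `logE.Debug`; at the default log level an install that ran with signature and provenance checks turned off, possibly only through an environment variable, is indistinguishable in its output from one that verified everything. Since the flags are an explicit opt-out, logging the skip at Warn is the cheaper safeguard: `logE.Warn("cosign is disabled")` and `logE.Warn("slsa verification is disabled")` in the two verify files, and a matching warning here before the check is bypassed (the `cos` variable would need to move out of the `if` initializer to test `cos.GetEnabled() && is.cosignDisabled` first). Emitting the warning once in Runner at startup instead of per package would avoid repetition, if a suitable place exists there. dlAndExtractChecksum's body continues outside the hunk.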
@@ -46,6 +46,8 @@ type Installer struct {
 maxParallelism int
 progressBar bool
 onlyLink bool
+ cosignDisabled bool
+ slsaDisabled bool
 }
 
 func New(param *config.Param, downloader download.ClientAPI, rt *runtime.Runtime, fs afero.Fs, linker Linker, chkDL download.ChecksumDownloader, chkCalc ChecksumCalculator, unarchiver Unarchiver, cosignVerifier CosignVerifier, slsaVerifier SLSAVerifier, goInstallInstaller GoInstallInstaller, goBuildInstaller GoBuildInstaller, cargoPackageInstaller CargoPackageInstaller) *Installer {
@@ -73,6 +75,8 @@ func newInstaller(param *config.Param, downloader download.ClientAPI, rt *runtim
 linker: linker,
 progressBar: param.ProgressBar,
 onlyLink: param.OnlyLink,
+ cosignDisabled: param.CosignDisabled,
+ slsaDisabled: param.SLSADisabled,
 copyDir: param.Dest,
 unarchiver: unarchiver,
 cosign: cosignVerifier,
diff --git a/pkg/installpackage/verify_cosign.go b/pkg/installpackage/verify_cosign.go
index d51fa7ced..e6a591760 100644
--- a/pkg/installpackage/verify_cosign.go
+++ b/pkg/installpackage/verify_cosign.go
@@ -10,6 +10,11 @@ import (
 )
 
 func (is *Installer) verifyWithCosign(ctx context.Context, logE *logrus.Entry, bodyFile *download.DownloadedFile, param *DownloadParam) error {
+ if is.cosignDisabled {
+ logE.Debug("cosign is disabled")
+ return nil
+ }
+
 ppkg := param.Package
 cos := ppkg.PackageInfo.Cosign
diff --git a/pkg/installpackage/verify_slsa.go b/pkg/installpackage/verify_slsa.go
index b7dee1805..f875c0934 100644
--- a/pkg/installpackage/verify_slsa.go
+++ b/pkg/installpackage/verify_slsa.go
@@ -10,6 +10,10 @@ import (
 )
 
 func (is *Installer) verifyWithSLSA(ctx context.Context, logE *logrus.Entry, bodyFile *download.DownloadedFile, param *DownloadParam) error {
+ if is.slsaDisabled {
+ logE.Debug("slsa verification is disabled")
+ return nil
+ }
 ppkg := param.Package
 pkgInfo := param.Package.PackageInfo
 sp := ppkg.PackageInfo.SLSAProvenance
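Review bot: The `if is.slsaDisabled` guard added at the top of `verifyWithSLSA` runs straight into `ppkg := param.Package` with no separating blank line, while the identical guard added to `verifyWithCosign` in the previous hunk is followed by one; the two functions are siblings and should read the same. Add the blank line after the guard's closing `}`. verifyWithSLSA's body continues outside the hunk.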