

Merge pull request #130 from philips-labs/configurable-auth-from-cli
marcofranssen authored Feb 14, 2022
2 parents 9a1ac90 + 419b873 commit de12b70
Showing 12 changed files with 163 additions and 24 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/ci.yaml
Expand Up @@ -158,7 +158,7 @@ jobs:
cosign-release: 'v1.5.1'

- name: Generate provenance for ${{ matrix.repo }}
uses: philips-labs/slsa-provenance-action@v0.6.0
uses: philips-labs/slsa-provenance-action@v0.7.0-rc
with:
command: generate
subcommand: container
Expand Down Expand Up @@ -203,7 +203,7 @@ jobs:

steps:
- name: Generate provenance for Release
uses: philips-labs/slsa-provenance-action@v0.6.0
uses: philips-labs/slsa-provenance-action@v0.7.0-rc
with:
command: generate
subcommand: github-release
2 changes: 1 addition & 1 deletion .github/workflows/example-publish.yaml
Expand Up @@ -26,7 +26,7 @@ jobs:
uses: actions/download-artifact@v2

- name: Generate provenance
uses: philips-labs/slsa-provenance-action@v0.6.0
uses: philips-labs/slsa-provenance-action@v0.7.0-rc
with:
command: generate
subcommand: files
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -4,3 +4,4 @@ coverage.out
.DS_Store
.env
cosign.key
.slsa-provenance
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -117,7 +117,7 @@ gh-release: ## Creates a new release by creating a new tag and pushing it
@:$(call check_defined, DESCRIPTION)
@git stash -u
@echo Bumping $(OLD_VERSION) to $(NEW_VERSION)
@$(SED) -i 's/$(OLD_VERSION)/$(NEW_VERSION)/g' .github/workflows/*.yaml *.yaml *.md
@$(SED) -i 's/$(OLD_VERSION)/$(NEW_VERSION)/g' .github/workflows/*.yaml *.yaml *.md *.sh
@git add .
@git commit -s -m "Bump $(OLD_VERSION) to $(NEW_VERSION) for release"
@git tag -sam "$(DESCRIPTION)" $(NEW_VERSION)
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -109,15 +109,15 @@ See all available images [here.](https://hub.docker.com/r/philipssoftware/slsa-p
Run the Docker image by doing:

```sh
docker run philipssoftware/slsa-provenance:v0.6.0
docker run philipssoftware/slsa-provenance:v0.7.0-rc
```

**GitHub Container Registry**
See all available images [here.](https://github.com/philips-labs/slsa-provenance-action/pkgs/container/slsa-provenance)
Run the Docker image by doing:

```sh
docker run ghcr.io/philips-labs/slsa-provenance:v0.6.0
docker run ghcr.io/philips-labs/slsa-provenance:v0.7.0-rc
```

The Docker image includes the working binary that can be executed by using the ``slsa-provenance`` command.
Expand Down Expand Up @@ -145,7 +145,7 @@ The easiest way to use this action is to add the following into your workflow fi

steps:
- name: Generate provenance for Release
uses: philips-labs/slsa-provenance-action@v0.6.0
uses: philips-labs/slsa-provenance-action@v0.7.0-rc
with:
command: generate
subcommand: files
Expand Down Expand Up @@ -180,7 +180,7 @@ The easiest way to use this action is to add the following into your workflow fi
path: extra-materials/

- name: Generate provenance
uses: philips-labs/slsa-provenance-action@v0.6.0
uses: philips-labs/slsa-provenance-action@v0.7.0-rc
with:
command: generate
subcommand: files
2 changes: 1 addition & 1 deletion RELEASE.md
Expand Up @@ -5,7 +5,7 @@
To make a new release you can make use of the following `make` task.

```bash
make gh-release NEW_VERSION=v0.6.0 OLD_VERSION=v0.5.0 DESCRIPTION="A test release to see how it works"
make gh-release NEW_VERSION=v0.7.0-rc OLD_VERSION=v0.5.0 DESCRIPTION="A test release to see how it works"
```

`NEW_VERSION` the version that you want to release.
26 changes: 17 additions & 9 deletions action.yaml
Expand Up @@ -23,15 +23,25 @@ inputs:
arguments:
description: 'commandline options for the given subcommand'
required: true
install-dir:
description: 'Where to install the slsa-provenance binary'
required: false
default: '$HOME/.slsa-provenance'
runs:
using: 'composite'
steps:
- name: install binary
shell: bash
run: $GITHUB_ACTION_PATH/install-slsa-provenance.sh
env:
INSTALL_PATH: ${{ inputs.install-dir }}

- name: compose arguments
id: compose-args
shell: bash
run: |
encoded_github="$( echo ${GITHUB_CONTEXT} | base64 -w 0)"
encoded_runner="$( echo ${RUNNER_CONTEXT} | base64 -w 0)"
encoded_github="$(echo ${GITHUB_CONTEXT} | base64 -w 0)"
encoded_runner="$(echo ${RUNNER_CONTEXT} | base64 -w 0)"
args=(${{ inputs.command }})
args+=(${{ inputs.subcommand }})
Expand All @@ -45,11 +55,9 @@ runs:
env:
GITHUB_CONTEXT: ${{ inputs.github_context }}
RUNNER_CONTEXT: ${{ inputs.runner_context }}
- name: Debug arguments

- name: Generate provenance
shell: bash
run: |
echo Running slsa-provenance with following arguments
echo ${{ steps.compose-args.outputs.provenance_args }}
- uses: 'docker://ghcr.io/philips-labs/slsa-provenance:v0.6.0'
with:
args: ${{ steps.compose-args.outputs.provenance_args }}
run: $INSTALL_PATH/slsa-provenance ${{ steps.compose-args.outputs.provenance_args }}
env:
INSTALL_PATH: ${{ inputs.install-dir }}
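Review bot: The new `Generate provenance` step at the bottom of the hunk interpolates `${{ steps.compose-args.outputs.provenance_args }}` straight into a bash `run:` line, so shell metacharacters in the composed arguments (built from `inputs.command`, `inputs.subcommand` and `inputs.arguments` in the compose step) are now evaluated by bash, whereas the replaced `docker://` step handed them over as `args:`. Passing the output through `env:` (`PROVENANCE_ARGS: ${{ steps.compose-args.outputs.provenance_args }}`) and running `$INSTALL_PATH/slsa-provenance $PROVENANCE_ARGS` keeps the word splitting the tool relies on but stops the expression from being parsed as script. Separately, the `install-dir` default `'$HOME/.slsa-provenance'` reaches the installer via `env:`, where I would not expect the runner to expand `$HOME`; unless the script evaluates it, `mkdir -p "${INSTALL_PATH}"` creates a directory literally named `$HOME` under the workspace, which happens to work because the later step resolves the same literal path — worth confirming on a runner, or documenting the input as a literal absolute path.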
2 changes: 1 addition & 1 deletion cmd/slsa-provenance/cli/container.go
Expand Up @@ -53,7 +53,7 @@ func OCI() *cobra.Command {
return err
}

opts := oci.WithDefaultClientOptions(cmd.Context(), true)
opts := o.GetRegistryClientOpts(cmd.Context())
subjecter := oci.NewContainerSubjecter(repo, digest, tags, opts...)

env := &github.Environment{
21 changes: 18 additions & 3 deletions cmd/slsa-provenance/cli/options/oci.go
@@ -1,15 +1,22 @@
package options

import (
"context"

"github.com/google/go-containerregistry/pkg/crane"
"github.com/spf13/cobra"

"github.com/philips-labs/slsa-provenance-action/lib/oci"
)

// OCIOptions Commandline flags used for the generate oci command.
type OCIOptions struct {
GenerateOptions
Repository string
Digest string
Tags []string
Repository string
Digest string
Tags []string
AllowInsecure bool
KubernetesKeychain bool
}

// GetRepository The oci repository to search for the given tags.
Expand Down Expand Up @@ -39,4 +46,12 @@ func (o *OCIOptions) AddFlags(cmd *cobra.Command) {
cmd.PersistentFlags().StringVar(&o.Repository, "repository", "", "The repository of the oci artifact.")
cmd.PersistentFlags().StringVar(&o.Digest, "digest", "", "The digest for the oci artifact.")
cmd.PersistentFlags().StringSliceVar(&o.Tags, "tags", []string{"latest"}, "The given tags for this oci release.")
cmd.Flags().BoolVar(&o.AllowInsecure, "allow-insecure", false, "whether to allow insecure connections to registries. Don't use this for anything but testing")
cmd.Flags().BoolVar(&o.KubernetesKeychain, "k8s-keychain", false, "whether to use the kubernetes keychain instead of the default keychain (supports workload identity).")
}

// GetRegistryClientOpts sets some sane default options for crane to authenticate
// private registries
func (o *OCIOptions) GetRegistryClientOpts(ctx context.Context) []crane.Option {
return oci.WithDefaultClientOptions(ctx, o.KubernetesKeychain, o.AllowInsecure)
}
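Review bot: The help text on the new `cmd.Flags().BoolVar(&o.AllowInsecure, "allow-insecure", ...)` line promises to "allow insecure connections to registries", but what `GetRegistryClientOpts` ultimately enables (per the `lib/oci/auth.go` change in this commit) is skipping TLS certificate verification, a stronger statement than tolerating a plain-HTTP registry; say so in the flag, e.g. `"skip TLS certificate verification when talking to registries. Only for testing against local registries"`. The two new flags are registered on `cmd.Flags()` while `--repository`, `--digest` and `--tags` directly above use `cmd.PersistentFlags()`; harmless if this command has no subcommands, but easy to misread, so I would pick one. The doc comment on `GetRegistryClientOpts` is a copy of the one on `WithDefaultClientOptions`; it should instead say that it builds the crane options from `o.KubernetesKeychain` and `o.AllowInsecure`.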
109 changes: 109 additions & 0 deletions install-slsa-provenance.sh
@@ -0,0 +1,109 @@
#!/usr/bin/env bash

shopt -s expand_aliases

if [ -z "$NO_COLOR" ]; then
alias log_info="echo -e \"\033[1;32mINFO\033[0m:\""
alias log_error="echo -e \"\033[1;31mERROR\033[0m:\""
alias log_warning="echo -e \"\033[1;33mWARN\033[0m:\""
else
alias log_info="echo \"INFO:\""
alias log_error="echo \"ERROR:\""
alias log_warning="echo \"WARN:\""
fi

set -e

GITHUB_API=${GITHUB_API:-'https://api.github.com'}

# default to relative path if INSTALL_PATH is not set
INSTALL_PATH=${INSTALL_PATH:-$(realpath ./.slsa-provenance)}

mkdir -p "${INSTALL_PATH}"

VERSION=v0.7.0-rc
RELEASE="https://github.com/philips-labs/slsa-provenance-action/releases/download/${VERSION}"

if [[ "$VERSION" == *-draft ]] ; then
curl_args=(-H "Authorization: token $GITHUB_TOKEN")
assets=$(curl "${curl_args[@]}" -s "${GITHUB_API}/repos/philips-labs/slsa-provenance-action/releases?per_page=10" | jq "map(select(.name == \"${VERSION}\"))" | jq -r '.[0].assets')
fi

function download {
url="${2}"
if [[ "$VERSION" == *-draft ]] ; then
url="$(echo "${assets}" | jq "map(select(.name == \"$1\"))" | jq -r '.[0].url')"
curl_args+=(-H 'Accept: application/octet-stream')
fi
log_info "Downloading ${1} from ${url}"
curl -sLo "${1}" --show-error "${curl_args[@]}" "${url}"
echo
}

OS=${RUNNER_OS:-Linux}
ARCH=${RUNNER_ARCH:-X64}

case "${ARCH}" in
X64)
ARCH=amd64
;;
ARM64)
ARCH=arm64
;;
*)
log_error "unsupported ARCH ${ARCH}"
exit 1
;;
esac

BINARY=slsa-provenance
case "${OS}" in
Linux)
OS=linux
ARCHIVE="slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz"
;;
macOS)
ARCHIVE="slsa-provenance_${VERSION/v}_${OS}_${ARCH}.tar.gz"
;;
Windows)
OS=windows
ARCHIVE="slsa-provenance_${VERSION/v}_${OS}_${ARCH}.zip"
BINARY="${BINARY}.exe"
;;
*)
log_error "unsupported OS ${OS}"
exit 1
;;
esac

DOWNLOAD="${RELEASE}/${ARCHIVE}"

log_info "Installing ${BINARY} (${OS}/${ARCH}) at ${INSTALL_PATH}"
mkdir -p "$INSTALL_PATH"

trap "popd >/dev/null" EXIT
pushd "$INSTALL_PATH" > /dev/null || exit

download "${ARCHIVE}" "${DOWNLOAD}"

if [ -x "$(command -v cosign)" ] ; then
download ${ARCHIVE}.sig "${DOWNLOAD}.sig"
download cosign.pub "$RELEASE/cosign.pub"

log_info "Verifying signature…"
cosign verify-blob --key cosign.pub --signature "${ARCHIVE}.sig" "${ARCHIVE}"
rm "${ARCHIVE}.sig" cosign.pub
else
log_warning >&2
log_warning " cosign binary not installed in PATH. Unable to verify signature!" >&2
log_warning >&2
log_warning " Consider installing cosign first, to be able to verify the signature!" >&2
log_warning >&2
fi

log_info "extracting ${BINARY} from ${ARCHIVE}"
tar -xzf "${ARCHIVE}" "${BINARY}"
rm "${ARCHIVE}"

# for testing purposes fall back to "$INSTALL_PATH/GITHUB_PATH"
echo "$INSTALL_PATH" >> "${GITHUB_PATH:-"$INSTALL_PATH/GITHUB_PATH"}"
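Review bot: Signature verification in the `if [ -x "$(command -v cosign)" ]` block is fail-open: when cosign is absent the script only warns and still extracts and installs the unverified archive, and since this binary is what produces the SLSA provenance it is exactly the download an attacker would want to swap. I would fail closed by default and make skipping explicit, replacing the warning branch with `log_error "cosign not found in PATH; refusing to install an unverified ${BINARY} (set SLSA_PROVENANCE_SKIP_VERIFY=1 to override)" >&2` followed by `exit 1`, gated on that variable. The verification key (`cosign.pub`) is also fetched from the same `${RELEASE}` URL as the archive and `.sig`, so anyone able to replace release assets can replace the key too; ship the public key next to this script in the action (the composite step already runs it via `$GITHUB_ACTION_PATH`) or pin its digest instead. Minor: the `macOS` branch leaves `OS` unmapped while `Linux` and `Windows` are lower-cased, so that archive name differs in case from the others, and the `Windows` branch builds a `.zip` name that the single `tar -xzf` at the end must be able to unpack — both worth a check against the actual release asset names.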
8 changes: 7 additions & 1 deletion lib/oci/auth.go
Expand Up @@ -2,6 +2,8 @@ package oci

import (
"context"
"crypto/tls"
"net/http"

"github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
"github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api"
Expand All @@ -13,7 +15,7 @@ import (

// WithDefaultClientOptions sets some sane default options for crane to authenticate
// private registries
func WithDefaultClientOptions(ctx context.Context, k8sKeychain bool) []crane.Option {
func WithDefaultClientOptions(ctx context.Context, k8sKeychain, allowInsecure bool) []crane.Option {
opts := []crane.Option{
crane.WithContext(ctx),
}
Expand All @@ -30,5 +32,9 @@ func WithDefaultClientOptions(ctx context.Context, k8sKeychain bool) []crane.Opt
opts = append(opts, crane.WithAuthFromKeychain(authn.DefaultKeychain))
}

if allowInsecure {
opts = append(opts, crane.WithTransport(&http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}})) // #nosec G402
}

return opts
}
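Review bot: The `allowInsecure` branch at the end of the hunk replaces the registry transport with a bare `&http.Transport{TLSClientConfig: ...}`, which discards whatever the default transport provides (proxy from environment, dial and TLS-handshake timeouts, keep-alives) on top of skipping certificate verification, so a proxied CI runner may start failing only when the flag is set. Cloning the default transport and changing just the TLS field keeps the rest intact: `tr := http.DefaultTransport.(*http.Transport).Clone()`, `tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec G402 -- opt-in via --allow-insecure, test registries only`, `opts = append(opts, crane.WithTransport(tr))`. The `#nosec` marker should carry that justification rather than the bare `G402`, and the `WithDefaultClientOptions` doc comment should state that `allowInsecure` disables TLS verification rather than merely permitting plain-HTTP registries; if plain HTTP to a local registry is the real use case, crane's own insecure option may be the narrower tool, worth checking before shipping a verify-skip switch. The body of `WithDefaultClientOptions` runs outside the hunk between the two `@@` markers.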
2 changes: 1 addition & 1 deletion lib/oci/subjects_test.go
Expand Up @@ -16,7 +16,7 @@ func TestSubjects(t *testing.T) {

repo := "ghcr.io/philips-labs/slsa-provenance"

opts := WithDefaultClientOptions(context.Background(), false)
opts := WithDefaultClientOptions(context.Background(), false, false)

errorCases := []struct {
name string
