Skip to content

Commit

Permalink
feat(graphql & repodb): add info about signature validity (#1344)
Browse files Browse the repository at this point in the history
Signed-off-by: Andreea-Lupu <[email protected]>
  • Loading branch information
Andreea-Lupu authored May 24, 2023
1 parent 6e6ffe8 commit 970997f
Show file tree
Hide file tree
Showing 24 changed files with 2,053 additions and 31 deletions.
3 changes: 3 additions & 0 deletions errors/errors.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,4 +89,7 @@ var (
ErrUserDataNotAllowed = errors.New("repodb: user data operations are not allowed")
ErrCouldNotPersistData = errors.New("repodb: could not persist to db")
ErrDedupeRebuild = errors.New("dedupe: couldn't rebuild dedupe index")
ErrSignConfigDirNotSet = errors.New("signatures: signature config dir not set")
ErrBadManifestDigest = errors.New("signatures: bad manifest digest")
ErrInvalidSignatureType = errors.New("signatures: invalid signature type")
)
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -384,7 +384,7 @@ require (
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/fulcio v1.2.0 // indirect
github.com/sigstore/rekor v1.1.1 // indirect
github.com/sigstore/sigstore v1.6.3 // indirect
github.com/sigstore/sigstore v1.6.3
github.com/sirupsen/logrus v1.9.0 // indirect
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
github.com/smartystreets/assertions v1.13.1 // indirect
Expand Down
40 changes: 40 additions & 0 deletions pkg/extensions/search/convert/convert_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -385,3 +385,43 @@ func TestLabels(t *testing.T) {
So(vendor, ShouldEqual, "zot-vendor")
})
}

func TestGetSignaturesInfo(t *testing.T) {
Convey("Test get signatures info - cosign", t, func() {
indexDigest := godigest.FromString("123")
repoMeta := repodb.RepoMetadata{
Signatures: map[string]repodb.ManifestSignatures{string(indexDigest): {"cosign": []repodb.SignatureInfo{{
LayersInfo: []repodb.LayerInfo{{LayerContent: []byte{}, LayerDigest: "", SignatureKey: "", Signer: "author"}},
}}}},
}

signaturesSummary := convert.GetSignaturesInfo(true, repoMeta, indexDigest)
So(signaturesSummary, ShouldNotBeEmpty)
So(*signaturesSummary[0].Author, ShouldEqual, "author")
So(*signaturesSummary[0].IsTrusted, ShouldEqual, true)
So(*signaturesSummary[0].Tool, ShouldEqual, "cosign")
})

Convey("Test get signatures info - notation", t, func() {
indexDigest := godigest.FromString("123")
repoMeta := repodb.RepoMetadata{
Signatures: map[string]repodb.ManifestSignatures{string(indexDigest): {"notation": []repodb.SignatureInfo{{
LayersInfo: []repodb.LayerInfo{
{
LayerContent: []byte{},
LayerDigest: "",
SignatureKey: "",
Signer: "author",
Date: time.Now().AddDate(0, 0, -1),
},
},
}}}},
}

signaturesSummary := convert.GetSignaturesInfo(true, repoMeta, indexDigest)
So(signaturesSummary, ShouldNotBeEmpty)
So(*signaturesSummary[0].Author, ShouldEqual, "author")
So(*signaturesSummary[0].IsTrusted, ShouldEqual, false)
So(*signaturesSummary[0].Tool, ShouldEqual, "notation")
})
}
51 changes: 51 additions & 0 deletions pkg/extensions/search/convert/repodb.go
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,8 @@ func ImageIndex2ImageSummary(ctx context.Context, repo, tag string, indexDigest

annotations := GetAnnotations(indexContent.Annotations, map[string]string{})

signaturesInfo := GetSignaturesInfo(isSigned, repoMeta, indexDigest)

indexSummary := gql_generated.ImageSummary{
RepoName: &repo,
Tag: &tag,
Expand All @@ -251,6 +253,7 @@ func ImageIndex2ImageSummary(ctx context.Context, repo, tag string, indexDigest
Manifests: manifestSummaries,
LastUpdated: &indexLastUpdated,
IsSigned: &isSigned,
SignatureInfo: signaturesInfo,
Size: &indexSize,
DownloadCount: &totalDownloadCount,
Description: &annotations.Description,
Expand Down Expand Up @@ -354,6 +357,8 @@ func ImageManifest2ImageSummary(ctx context.Context, repo, tag string, digest go
}
}

signaturesInfo := GetSignaturesInfo(isSigned, repoMeta, digest)

imageSummary := gql_generated.ImageSummary{
RepoName: &repoName,
Tag: &tag,
Expand All @@ -366,6 +371,7 @@ func ImageManifest2ImageSummary(ctx context.Context, repo, tag string, digest go
LastUpdated: &imageLastUpdated,
Size: &imageSize,
IsSigned: &isSigned,
SignatureInfo: signaturesInfo,
Platform: &platform,
DownloadCount: &downloadCount,
Layers: getLayersSummaries(manifestContent),
Expand All @@ -380,6 +386,7 @@ func ImageManifest2ImageSummary(ctx context.Context, repo, tag string, digest go
},
LastUpdated: &imageLastUpdated,
IsSigned: &isSigned,
SignatureInfo: signaturesInfo,
Size: &imageSize,
DownloadCount: &downloadCount,
Description: &annotations.Description,
Expand Down Expand Up @@ -511,6 +518,8 @@ func ImageManifest2ManifestSummary(ctx context.Context, repo, tag string, descri
}
}

signaturesInfo := GetSignaturesInfo(isSigned, repoMeta, digest)

manifestSummary := gql_generated.ManifestSummary{
Digest: &manifestDigestStr,
ConfigDigest: &configDigest,
Expand All @@ -521,6 +530,7 @@ func ImageManifest2ManifestSummary(ctx context.Context, repo, tag string, descri
Layers: getLayersSummaries(manifestContent),
History: historyEntries,
IsSigned: &isSigned,
SignatureInfo: signaturesInfo,
Vulnerabilities: &gql_generated.ImageVulnerabilitySummary{
MaxSeverity: &imageCveSummary.MaxSeverity,
Count: &imageCveSummary.Count,
Expand Down Expand Up @@ -744,3 +754,44 @@ func GetPreloadString(prefix, name string) string {

return name
}

func GetSignaturesInfo(isSigned bool, repoMeta repodb.RepoMetadata, indexDigest godigest.Digest,
) []*gql_generated.SignatureSummary {
signaturesInfo := []*gql_generated.SignatureSummary{}

if !isSigned {
return signaturesInfo
}

for sigType, signatures := range repoMeta.Signatures[indexDigest.String()] {
for _, sig := range signatures {
for _, layer := range sig.LayersInfo {
var (
isTrusted bool
author string
tool string
)

if layer.Signer != "" {
author = layer.Signer

if !layer.Date.IsZero() && time.Now().After(layer.Date) {
isTrusted = false
} else {
isTrusted = true
}
} else {
isTrusted = false
author = ""
}

tool = sigType

signaturesInfo = append(signaturesInfo,
&gql_generated.SignatureSummary{Tool: &tool, IsTrusted: &isTrusted, Author: &author})
}
}
}

return signaturesInfo
}
Loading

0 comments on commit 970997f

Please sign in to comment.