feat: Enable multi verifier name

pkg/controllers/verifier_controller.go

@@ -98,7 +98,8 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 // creates a verifier reference from CRD spec and add store to map
 func verifierAddOrReplace(spec configv1beta1.VerifierSpec, objectName string, namespace string) error {
 	verifierConfig, err := specToVerifierConfig(spec)
-
+	// add verifier name to verifier config
+	verifierConfig[types.Name] = objectName
 	if err != nil {
 		logrus.Error(err, "unable to convert crd specification to verifier config")
 		return fmt.Errorf("unable to convert crd specification to verifier config, err: %w", err)
@@ -139,7 +140,7 @@ func specToVerifierConfig(verifierSpec configv1beta1.VerifierSpec) (vc.VerifierC
 		}
 	}
 
-	verifierConfig[types.Name] = verifierSpec.Name
+	verifierConfig[types.SpecName] = verifierSpec.Name
 	verifierConfig[types.ArtifactTypes] = verifierSpec.ArtifactTypes
 	if verifierSpec.Source != nil {
 		verifierConfig[types.Source] = verifierSpec.Source

pkg/verifier/factory/factory.go

@@ -52,14 +52,14 @@
 // returns a single verifier from a verifierConfig
 // namespace is only applicable in K8s environment, namespace is appended to the certstore of the truststore so it is uniquely identifiable in a cluster env
 func CreateVerifierFromConfig(verifierConfig config.VerifierConfig, configVersion string, pluginBinDir []string, namespace string) (verifier.ReferenceVerifier, error) {
-	verifierName, ok := verifierConfig[types.Name]
+	verifierSpecName, ok := verifierConfig[types.SpecName]
 	if !ok {
 		return nil, re.ErrorCodeConfigInvalid.WithComponentType(re.Verifier).WithDetail(fmt.Sprintf("failed to find verifier name in the verifier config with key %s", "name"))
 	}
 
-	verifierNameStr := fmt.Sprintf("%s", verifierName)
-	if strings.ContainsRune(verifierNameStr, os.PathSeparator) {
-		return nil, re.ErrorCodeConfigInvalid.WithComponentType(re.Verifier).WithDetail(fmt.Sprintf("invalid plugin name for a verifier: %s", verifierNameStr))
+	verifierTypeStr := fmt.Sprintf("%s", verifierSpecName)
+	if strings.ContainsRune(verifierTypeStr, os.PathSeparator) {
+		return nil, re.ErrorCodeConfigInvalid.WithComponentType(re.Verifier).WithDetail(fmt.Sprintf("invalid plugin name for a verifier: %s", verifierTypeStr))
 	}
 
 	// if source is specified, download the plugin
@@ -70,18 +70,18 @@
 				return nil, re.ErrorCodeConfigInvalid.NewError(re.Verifier, "", re.EmptyLink, err, "failed to parse plugin source", re.HideStackTrace)
 			}
 
-			targetPath := path.Join(pluginBinDir[0], verifierNameStr)
+			targetPath := path.Join(pluginBinDir[0], verifierTypeStr)
 			err = pluginCommon.DownloadPlugin(source, targetPath)
 			if err != nil {
 				return nil, re.ErrorCodeDownloadPluginFailure.NewError(re.Verifier, "", re.EmptyLink, err, "failed to download plugin", re.HideStackTrace)
 			}
-			logrus.Infof("downloaded verifier plugin %s from %s to %s", verifierNameStr, source.Artifact, targetPath)
+			logrus.Infof("downloaded verifier plugin type %s from %s to %s", verifierTypeStr, source.Artifact, targetPath)
 		} else {
-			logrus.Warnf("%s was specified for verifier plugin %s, but dynamic plugins are currently disabled", types.Source, verifierNameStr)
+			logrus.Warnf("%s was specified for verifier plugin type %s, but dynamic plugins are currently disabled", types.Source, verifierTypeStr)
 		}
 	}
 
-	verifierFactory, ok := builtInVerifiers[verifierNameStr]
+	verifierFactory, ok := builtInVerifiers[verifierTypeStr]
 	if ok {
 		return verifierFactory.Create(configVersion, verifierConfig, pluginBinDir[0], namespace)
 	}

pkg/verifier/factory/factory_test.go

@@ -35,7 +35,7 @@ type TestVerifier struct {
 type TestVerifierFactory struct{}
 
 func (s *TestVerifier) Name() string {
-	return "test-verifier"
+	return "test-verifier-0"
 }
 
 func (s *TestVerifier) CanVerify(_ context.Context, _ ocispecs.ReferenceDescriptor) bool {
@@ -63,7 +63,8 @@ func TestCreateVerifiersFromConfig_BuiltInVerifiers_ReturnsExpected(t *testing.T
 	}
 
 	verifierConfig := map[string]interface{}{
-		"name": "test-verifier",
+		"name":     "test-verifier-0",
+		"specName": "test-verifier",
 	}
 	verifiersConfig := config.VerifiersConfig{
 		Verifiers: []config.VerifierConfig{verifierConfig},
@@ -79,8 +80,8 @@ func TestCreateVerifiersFromConfig_BuiltInVerifiers_ReturnsExpected(t *testing.T
 		t.Fatalf("expected to have %d verifiers, actual count %d", 1, len(verifiers))
 	}
 
-	if verifiers[0].Name() != "test-verifier" {
-		t.Fatalf("expected to create test verifier")
+	if nameResult := verifiers[0].Name(); nameResult != "test-verifier-0" {
+		t.Fatalf("expected to create test-verifier-0 for test case but got %v", nameResult)
 	}
 
 	if _, ok := verifiers[0].(*plugin.VerifierPlugin); ok {
@@ -98,7 +99,8 @@ func TestCreateVerifiersFromConfig_BuiltInVerifiers_ReturnsExpected(t *testing.T
 
 func TestCreateVerifiersFromConfig_PluginVerifiers_ReturnsExpected(t *testing.T) {
 	verifierConfig := map[string]interface{}{
-		"name": "plugin-verifier",
+		"name":     "plugin-verifier-0",
+		"specName": "plugin-verifier",
 	}
 	verifiersConfig := config.VerifiersConfig{
 		Verifiers: []config.VerifierConfig{verifierConfig},
@@ -114,8 +116,8 @@ func TestCreateVerifiersFromConfig_PluginVerifiers_ReturnsExpected(t *testing.T)
 		t.Fatalf("expected to have %d verifiers, actual count %d", 1, len(verifiers))
 	}
 
-	if verifiers[0].Name() != "plugin-verifier" {
-		t.Fatalf("expected to create plugin verifier")
+	if verifiers[0].Name() != "plugin-verifier-0" {
+		t.Fatalf("expected to create plugin-verifier-0")
 	}
 
 	if _, ok := verifiers[0].(*plugin.VerifierPlugin); !ok {

pkg/verifier/notation/notation.go

@@ -34,6 +34,7 @@
 	"github.com/deislabs/ratify/pkg/verifier"
 	"github.com/deislabs/ratify/pkg/verifier/config"
 	"github.com/deislabs/ratify/pkg/verifier/factory"
+	"github.com/deislabs/ratify/pkg/verifier/types"
 	"github.com/notaryproject/notation-go/log"
 
 	_ "github.com/notaryproject/notation-core-go/signature/cose" // register COSE signature
@@ -45,8 +46,8 @@
 )
 
 const (
-	verifierName    = "notation"
-	defaultCertPath = "ratify-certs/notation/truststore"
+	verifierSpecName = "notation"
+	defaultCertPath  = "ratify-certs/notation/truststore"
 )
 
 // NotationPluginVerifierConfig describes the configuration of notation verifier
@@ -63,18 +64,21 @@
 }
 
 type notationPluginVerifier struct {
+	name             string
+	specName         string
 	artifactTypes    []string
 	notationVerifier *notation.Verifier
 }
 
 type notationPluginVerifierFactory struct{}
 
 func init() {
-	factory.Register(verifierName, &notationPluginVerifierFactory{})
+	factory.Register(verifierSpecName, &notationPluginVerifierFactory{})
 }
 
 func (f *notationPluginVerifierFactory) Create(_ string, verifierConfig config.VerifierConfig, pluginDirectory string, namespace string) (verifier.ReferenceVerifier, error) {
 	logger.GetLogger(context.Background(), logOpt).Debugf("creating notation with config %v, namespace '%v'", verifierConfig, namespace)
+	verifierName := verifierConfig[types.Name].(string)
 	conf, err := parseVerifierConfig(verifierConfig, namespace)
 	if err != nil {
 		return nil, re.ErrorCodeConfigInvalid.WithComponentType(re.Verifier).WithPluginName(verifierName)
@@ -87,13 +91,15 @@
 
 	artifactTypes := strings.Split(conf.ArtifactTypes, ",")
 	return &notationPluginVerifier{
+		name:             verifierName,
+		specName:         verifierSpecName,
 		artifactTypes:    artifactTypes,
 		notationVerifier: &verfiyService,
 	}, nil
 }
 
 func (v *notationPluginVerifier) Name() string {
-	return verifierName
+	return v.name
 }
 
 func (v *notationPluginVerifier) CanVerify(_ context.Context, referenceDescriptor ocispecs.ReferenceDescriptor) bool {
@@ -122,7 +128,7 @@
 	}
 
 	if len(referenceManifest.Blobs) == 0 {
-		return verifier.VerifierResult{IsSuccess: false}, re.ErrorCodeSignatureNotFound.NewError(re.Verifier, verifierName, re.EmptyLink, nil, fmt.Sprintf("no signature content found for referrer: %s@%s", subjectReference.Path, referenceDescriptor.Digest.String()), re.HideStackTrace)
+		return verifier.VerifierResult{IsSuccess: false}, re.ErrorCodeSignatureNotFound.NewError(re.Verifier, v.name, re.EmptyLink, nil, fmt.Sprintf("no signature content found for referrer: %s@%s", subjectReference.Path, referenceDescriptor.Digest.String()), re.HideStackTrace)
 	}
 
 	for _, blobDesc := range referenceManifest.Blobs {
@@ -136,7 +142,7 @@
 		subjectRef := fmt.Sprintf("%s@%s", subjectReference.Path, subjectReference.Digest.String())
 		outcome, err := v.verifySignature(ctx, subjectRef, blobDesc.MediaType, subjectDesc.Descriptor, refBlob)
 		if err != nil {
-			return verifier.VerifierResult{IsSuccess: false, Extensions: extensions}, re.ErrorCodeVerifyPluginFailure.NewError(re.Verifier, verifierName, re.NotationTsgLink, err, "failed to verify signature of digest", re.HideStackTrace)
+			return verifier.VerifierResult{IsSuccess: false, Extensions: extensions}, re.ErrorCodeVerifyPluginFailure.NewError(re.Verifier, v.name, re.NotationTsgLink, err, "failed to verify signature of digest", re.HideStackTrace)
 		}
 
 		// Note: notation verifier already validates certificate chain is not empty.
@@ -146,7 +152,7 @@
 	}
 
 	return verifier.VerifierResult{
-		Name:       verifierName,
+		Name:       v.name,
 		IsSuccess:  true,
 		Message:    "signature verification success",
 		Extensions: extensions,
@@ -173,6 +179,7 @@
 }
 
 func parseVerifierConfig(verifierConfig config.VerifierConfig, namespace string) (*NotationPluginVerifierConfig, error) {
+	verifierName := verifierConfig[types.Name].(string)
 	conf := &NotationPluginVerifierConfig{}
 
 	verifierConfigBytes, err := json.Marshal(verifierConfig)

pkg/verifier/notation/notation_test.go

@@ -130,11 +130,19 @@ func (s mockStore) GetSubjectDescriptor(_ context.Context, _ common.Reference) (
 }
 
 func TestName(t *testing.T) {
-	v := &notationPluginVerifier{}
-	name := v.Name()
+	verifierConfig := map[string]interface{}{
+		"name":           "notation-verifier-0",
+		"specName":       "notation",
+		"trustPolicyDoc": testTrustPolicy,
+	}
 
-	if name != "notation" {
-		t.Fatalf("expect name: notation, got: %s", name)
+	f := &notationPluginVerifierFactory{}
+	verifier, err := f.Create(testVersion, verifierConfig, "", "")
+	if err != nil {
+		t.Fatalf("failed create notation verifier got error = %v", err)
+	}
+	if name := verifier.Name(); name != "notation-verifier-0" {
+		t.Fatalf("expect name: notation-verifier-0, got: %s", name)
 	}
 }
 
@@ -192,7 +200,8 @@ func TestParseVerifierConfig(t *testing.T) {
 		{
 			name: "failed unmarshalling to notation config",
 			configMap: map[string]interface{}{
-				"name": []string{test},
+				"name":              test,
+				"verificationCerts": test,
 			},
 			expectErr: true,
 			expect:    nil,
@@ -281,7 +290,8 @@ func TestCreate(t *testing.T) {
 		{
 			name: "failed parsing verifier config",
 			configMap: map[string]interface{}{
-				"name": []string{test},
+				"name":           test,
+				"trustPolicyDoc": 1,
 			},
 			expectErr: true,
 		},

pkg/verifier/plugin/plugin.go

@@ -36,6 +36,7 @@
 // VerifierPlugin describes a verifier that is implemented by invoking the plugins
 type VerifierPlugin struct {
 	name             string
+	specName         string
 	artifactTypes    []string
 	nestedReferences []string
 	version          string
@@ -51,6 +52,11 @@
 		return nil, re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("failed to find verifier name in the verifier config with key: %s", types.Name))
 	}
 
+	verifierSpecName, ok := verifierConfig[types.SpecName]
+	if !ok {
+		return nil, re.ErrorCodeConfigInvalid.WithDetail(fmt.Sprintf("failed to find verifier spec name in the verifier config with key: %s", types.SpecName))
+	}
+
 	var nestedReferences []string
 	if vs, ok := verifierConfig[types.NestedReferences]; ok {
 		nestedReferences = strings.Split(fmt.Sprintf("%s", vs), ",")
@@ -67,6 +73,7 @@
 
 	return &VerifierPlugin{
 		name:             fmt.Sprintf("%s", verifierName),
+		specName:         fmt.Sprintf("%s", verifierSpecName),
 		version:          version,
 		path:             pluginPaths,
 		rawConfig:        verifierConfig,
@@ -107,7 +114,7 @@
 	subjectReference common.Reference,
 	referenceDescriptor ocispecs.ReferenceDescriptor,
 	referrerStoreConfig *rc.StoreConfig) (*verifier.VerifierResult, error) {
-	pluginPath, err := vp.executor.FindInPaths(vp.name, vp.path)
+	pluginPath, err := vp.executor.FindInPaths(vp.specName, vp.path)
 	if err != nil {
 		return nil, re.ErrorCodePluginNotFound.NewError(re.Verifier, vp.name, re.EmptyLink, err, nil, re.HideStackTrace)
 	}

pkg/verifier/plugin/plugin_test.go

@@ -46,6 +46,7 @@ func (e *TestExecutor) FindInPaths(plugin string, paths []string) (string, error
 func TestNewVerifier_Expected(t *testing.T) {
 	verifierConfig := map[string]interface{}{
 		"name":             "test-verifier",
+		"specName":         "test-verifier",
 		"artifactTypes":    "test1,test2",
 		"nestedReferences": "ref1,ref2",
 	}

pkg/verifier/types/types.go

@@ -26,6 +26,7 @@ const (
 	SpecVersion      string = "0.1.0"
 	Version          string = "version"
 	Name             string = "name"
+	SpecName         string = "specName"
 	ArtifactTypes    string = "artifactTypes"
 	NestedReferences string = "nestedReferences"
 	Source           string = "source"