From bcb26d381e6291977f1452ac64186d541c488c5a Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Sat, 18 Jun 2022 14:13:57 -0500 Subject: [PATCH] Refactor - Use interface of Rekor - Use rekor interface instead of concrete implementation so that it can be mocked and tested. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- main.go | 2 +- pkg/provenance.go | 29 +++++++++++++++-------------- pkg/provenance_test.go | 2 +- 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/main.go b/main.go index 239aa8241..0b66a5998 100644 --- a/main.go +++ b/main.go @@ -38,7 +38,7 @@ func verify(ctx context.Context, } /* Verify signature on the intoto attestation. */ - env, cert, err := pkg.VerifyProvenanceSignature(ctx, rClient, provenance, artifactHash) + env, cert, err := pkg.VerifyProvenanceSignature(ctx, provenance, artifactHash, rClient.Index, rClient.Tlog, rClient.Entries) if err != nil { return nil, err } diff --git a/pkg/provenance.go b/pkg/provenance.go index e38b435b0..7b5b60147 100644 --- a/pkg/provenance.go +++ b/pkg/provenance.go @@ -29,7 +29,6 @@ import ( "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/pkg/cosign" "github.com/sigstore/cosign/pkg/cosign/bundle" - "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/client/entries" "github.com/sigstore/rekor/pkg/generated/client/index" "github.com/sigstore/rekor/pkg/generated/client/tlog" @@ -99,11 +98,11 @@ func getSha256Digest(env *dsselib.Envelope) (string, error) { } // GetRekorEntries finds all entry UUIDs by the digest of the artifact binary. -func GetRekorEntries(rClient *client.Rekor, artifactHash string) ([]string, error) { +func GetRekorEntries(rClient index.ClientService, artifactHash string) ([]string, error) { // Use search index to find rekor entry UUIDs that match Subject Digest. params := index.NewSearchIndexParams() params.Query = &models.SearchIndex{Hash: fmt.Sprintf("sha256:%v", artifactHash)} - resp, err := rClient.Index.SearchIndex(params) + resp, err := rClient.SearchIndex(params) if err != nil { return nil, fmt.Errorf("%w: %s", ErrorRekorSearch, err.Error()) } @@ -115,9 +114,9 @@ func GetRekorEntries(rClient *client.Rekor, artifactHash string) ([]string, erro return resp.GetPayload(), nil } -func verifyRootHash(ctx context.Context, rekorClient *client.Rekor, proof *models.InclusionProof, pub *ecdsa.PublicKey) error { +func verifyRootHash(ctx context.Context, clientService tlog.ClientService, proof *models.InclusionProof, pub *ecdsa.PublicKey) error { infoParams := tlog.NewGetLogInfoParamsWithContext(ctx) - result, err := rekorClient.Tlog.GetLogInfo(infoParams) + result, err := clientService.GetLogInfo(infoParams) if err != nil { return err } @@ -152,7 +151,7 @@ func verifyRootHash(ctx context.Context, rekorClient *client.Rekor, proof *model consistencyParams.FirstSize = proof.TreeSize // Root hash at the time the proof was returned consistencyParams.LastSize = int64(sth.Size) // Root hash verified with rekor pubkey - consistencyProof, err := rekorClient.Tlog.GetLogProof(consistencyParams) + consistencyProof, err := clientService.GetLogProof(consistencyParams) if err != nil { return err } @@ -174,11 +173,11 @@ func verifyRootHash(ctx context.Context, rekorClient *client.Rekor, proof *model return nil } -func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error) { +func verifyTlogEntry(ctx context.Context, clientService entries.ClientService, tlog tlog.ClientService, uuid string) (*models.LogEntryAnon, error) { params := entries.NewGetLogEntryByUUIDParamsWithContext(ctx) params.EntryUUID = uuid - lep, err := rekorClient.Entries.GetLogEntryByUUID(params) + lep, err := clientService.GetLogEntryByUUID(params) if err != nil { return nil, err } @@ -218,7 +217,7 @@ func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string var entryVerError error for _, pubKey := range pubs { // Verify inclusion against the signed tree head - entryVerError = verifyRootHash(ctx, rekorClient, e.Verification.InclusionProof, pubKey.PubKey) + entryVerError = verifyRootHash(ctx, tlog, e.Verification.InclusionProof, pubKey.PubKey) if entryVerError == nil { break } @@ -299,9 +298,10 @@ func extractCert(e *models.LogEntryAnon) (*x509.Certificate, error) { // VerifyProvenanceSignature returns the verified DSSE envelope containing the provenance // and the signing certificate given the provenance and artifact hash. -func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, provenance []byte, artifactHash string) (*dsselib.Envelope, *x509.Certificate, error) { +func VerifyProvenanceSignature(ctx context.Context, provenance []byte, artifactHash string, + index index.ClientService, tlog tlog.ClientService, entries entries.ClientService) (*dsselib.Envelope, *x509.Certificate, error) { // Get Rekor entries corresponding to the binary artifact in the provenance. - uuids, err := GetRekorEntries(rClient, artifactHash) + uuids, err := GetRekorEntries(index, artifactHash) if err != nil { return nil, nil, err } @@ -312,7 +312,7 @@ func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, prove } // Verify the provenance and return the signing certificate. - cert, err := FindSigningCertificate(ctx, uuids, *env, rClient) + cert, err := FindSigningCertificate(ctx, uuids, *env, tlog, entries) if err != nil { return nil, nil, err } @@ -321,7 +321,8 @@ func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, prove } // FindSigningCertificate finds and verifies a matching signing certificate from a list of Rekor entry UUIDs. -func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dsselib.Envelope, rClient *client.Rekor) (*x509.Certificate, error) { +func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dsselib.Envelope, + tlog tlog.ClientService, entries entries.ClientService) (*x509.Certificate, error) { attBytes, err := cjson.MarshalCanonical(dssePayload) if err != nil { return nil, err @@ -334,7 +335,7 @@ func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dss // * Check signature expiration against IntegratedTime in entry. // * If all succeed, return the signing certificate. for _, uuid := range uuids { - entry, err := verifyTlogEntry(ctx, rClient, uuid) + entry, err := verifyTlogEntry(ctx, entries, tlog, uuid) if err != nil { continue } diff --git a/pkg/provenance_test.go b/pkg/provenance_test.go index 5c38327f4..b3cd3957c 100644 --- a/pkg/provenance_test.go +++ b/pkg/provenance_test.go @@ -88,7 +88,7 @@ func Test_GetRekorEntries(t *testing.T) { var mClient client.Rekor mClient.Index = &MockIndexClient{result: tt.res} - _, err := GetRekorEntries(&mClient, tt.artifactHash) + _, err := GetRekorEntries(mClient.Index, tt.artifactHash) if !errCmp(err, tt.expected) { t.Errorf(cmp.Diff(err, tt.expected)) }