Bug 1874056: Clean up and modify to use library-go verify package #535

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

openshift-merge-robot merged 2 commits into openshift:master from jottofar:ota-193

Sep 16, 2020

pkg/cli/admin/release/extract.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -9,8 +9,6 @@ import ( @@
     	"io/ioutil"
     	"os"
     	"path"
-    	"path/filepath"
-    	"strings"
     	"sync"
     	"time"
@@ Expand Down Expand Up / @@ -290,23 +288,6 @@ func (o *ExtractOptions) Run() error { @@
     							manifestErrs = append(manifestErrs, errors.Wrapf(err, "error parsing %s", hdr.Name))
     							return true, nil
     						}
-    						for i := range ms {
-    							ms[i].OriginalFilename = filepath.Base(hdr.Name)
-    							src := fmt.Sprintf("the config map %s/%s", ms[i].Obj.GetNamespace(), ms[i].Obj.GetName())
-    							data, _, err := unstructured.NestedStringMap(ms[i].Obj.Object, "data")
-    							if err != nil {
-    								manifestErrs = append(manifestErrs, errors.Wrapf(err, "%s is not valid", src))
-    								continue
-    							}
-    							for k, v := range data {
-    								switch {
-    								case strings.HasPrefix(k, "verifier-public-key-"):
-    									klog.V(2).Infof("Found in %s:\n%s %s", hdr.Name, k, v)
-    								case strings.HasPrefix(k, "store-"):
-    									klog.V(2).Infof("Found in %s:\n%s\n%s", hdr.Name, k, v)
-    								}
-    							}
-    						}
     						o.Manifests = append(o.Manifests, ms...)
     					}
     				}
@@ Expand All / @@ -320,19 +301,10 @@ func (o *ExtractOptions) Run() error { @@
     			return fmt.Errorf("image did not contain %s", o.File)
     		}
-    		// Only output manifest errors if manifests were being extracted and we didn't find the expected signature
-    		// manifests. We don't care about errors in other manifests and they will only confuse/alarm the user.
+    		// Only output manifest errors if manifests were being extracted.
     		// Do not return an error so current operation, e.g. mirroring, continues.
-    		if len(manifestErrs) > 0 {
-    			if o.ExtractManifests && len(o.Manifests) == 0 {
-    				fmt.Fprintf(o.ErrOut, "Errors: %s\n", errorList(manifestErrs))
-    			}
-    		}
-    		// Output an error if manifests were being extracted and we didn't find the expected signature
-    		// manifests. Do not return an error so current operation, e.g. mirroring, continues.
-    		if o.ExtractManifests && len(o.Manifests) == 0 {
-    			fmt.Fprintf(o.ErrOut, "No manifests found\n")
+    		if o.ExtractManifests && len(manifestErrs) > 0 {
+    			fmt.Fprintf(o.ErrOut, "Errors: %s\n", errorList(manifestErrs))
     		}
     		return nil
@@ Expand Down @@

pkg/cli/admin/release/mirror.go

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -39,11 +39,14 @@ import (
  
    	"github.com/openshift/library-go/pkg/image/dockerv1client"

    	imagereference "github.com/openshift/library-go/pkg/image/reference"

    	"github.com/openshift/library-go/pkg/manifest"

    	"github.com/openshift/library-go/pkg/verify"

    	"github.com/openshift/library-go/pkg/verify/store/configmap"

    	"github.com/openshift/library-go/pkg/verify/store/sigstore"

    	"github.com/openshift/library-go/pkg/verify/util"

    	"github.com/openshift/oc/pkg/cli/image/extract"

    	"github.com/openshift/oc/pkg/cli/image/imagesource"

    	imagemanifest "github.com/openshift/oc/pkg/cli/image/manifest"

    	"github.com/openshift/oc/pkg/cli/image/mirror"

    	"github.com/openshift/oc/pkg/helpers/release"

    )

    // configFilesBaseDir is created under '--to-dir', when specified, to contain release image

    @@ -236,7 +239,7 @@ func (o *MirrorOptions) Complete(cmd *cobra.Command, f kcmdutil.Factory, args []
  
    		if err != nil {

    			return nil, err

    		}

    		client := coreClient.ConfigMaps(release.NamespaceLabelConfigMap)

    		client := coreClient.ConfigMaps(configmap.NamespaceLabelConfigMap)

    		return client, nil

    	}

    	o.PrintImageContentInstructions = true

    @@ -321,7 +324,7 @@ func (o *MirrorOptions) handleSignatures(context context.Context, signaturesByDi
  
    		}

    	}

    	for digest, signatures := range signaturesByDigest {

    		cmData, err := release.GetSignaturesAsConfigmap(digest, signatures)

    		cmData, err := verify.GetSignaturesAsConfigmap(digest, signatures)

    		if err != nil {

    			return fmt.Errorf("converting signatures to a configmap: %v", err)

    		}

    @@ -360,7 +363,7 @@ func (o *MirrorOptions) handleSignatures(context context.Context, signaturesByDi
  
    			if o.DryRun {

    				fmt.Fprintf(o.Out, "info: Write configmap signature file %s\n", fullName)

    			} else {

    				cmDataBytes, err := yaml.Marshal(cmData)

    				cmDataBytes, err := util.ConfigMapAsBytes(cmData)

    				if err != nil {

    					return fmt.Errorf("marshaling configmap YAML: %v", err)

    				}

    @@ -497,19 +500,18 @@ func (o *MirrorOptions) Run() error {
  
    	sourceFn := func(ref imagesource.TypedImageReference) imagesource.TypedImageReference {

    		return ref

    	}

    	// Wraps operator's HTTPClient method to allow image verifier to create http client with up-to-date config

    	clientBuilder := &verifyClientBuilder{builder: o.HTTPClient}

    	httpClientConstructor := sigstore.NewCachedHTTPClientConstructor(o.HTTPClient, nil)

    	// Attempt to load a verifier as defined by the release being mirrored

    	imageVerifier, err := release.LoadConfigMapVerifierDataFromUpdate(manifests, clientBuilder, nil)

    	imageVerifier, err := verify.NewFromManifests(manifests, httpClientConstructor.HTTPClient)

    	if err != nil {

    		return fmt.Errorf("Unable to load configmap verifier: %v", err)

    	}

    	if imageVerifier != nil {

    		klog.V(4).Infof("Verifying release authenticity: %v", imageVerifier)

    	} else {

    		fmt.Fprintf(o.ErrOut, "warning: No release authenticity verification is configured, all releases are considered unverified\n")

    		imageVerifier = release.Reject

    	}

    	// verify the provided payload

    	ctx, cancelFn := context.WithCancel(context.Background())

pkg/helpers/release/configmap_test.go

This file was deleted.

pkg/helpers/release/testdata/keyrings/combined.txt

This file was deleted.

pkg/helpers/release/testdata/keyrings/redhat.txt

This file was deleted.

pkg/helpers/release/testdata/keyrings/simple.txt

This file was deleted.

pkg/helpers/release/testdata/signatures-2/.gitkeep

Empty file.

...tures/sha256=e3f12513a4b22a2d7c0e7c9207f52128113758d9d68c7d06b11a0ac7672966f7/signature-1

Binary file not shown.

...tures/sha256=edd9824f0404f1a139688017e7001370e2f3fbc088b94da84506653b473fe140/signature-1

Binary file not shown.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug 1874056: Clean up and modify to use library-go verify package #535

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!