From 767d1e30c37cfd985e8a0d330a4fc8dc71b229cd Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Thu, 15 Aug 2024 08:57:05 +0800
Subject: [PATCH] refactor: update verifier (#1002)
Signed-off-by: Patrick Zheng
---
 cmd/notation/verify.go | 37 ++++++++++++++++++-
 cmd/notation/verify_test.go | 14 +++++++
 go.mod | 6 +--
 go.sum | 12 +++---
 test/e2e/go.mod | 4 +-
 test/e2e/go.sum | 8 ++--
 test/e2e/plugin/go.mod | 6 +--
 test/e2e/plugin/go.sum | 12 +++---
 .../e2e/suite/trustpolicy/trusted_identity.go | 6 +--
 9 files changed, 77 insertions(+), 28 deletions(-)
diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go
index 6417b10c6..536f3d898 100644
--- a/cmd/notation/verify.go
+++ b/cmd/notation/verify.go
@@ -14,18 +14,26 @@
 package main
 import (
+ "context"
 "errors"
 "fmt"
 "io/fs"
+ "net/http"
 "os"
 "reflect"
+ "time"
+ "github.com/notaryproject/notation-core-go/revocation"
+ "github.com/notaryproject/notation-core-go/revocation/purpose"
 "github.com/notaryproject/notation-go"
+ "github.com/notaryproject/notation-go/dir"
+ "github.com/notaryproject/notation-go/plugin"
 "github.com/notaryproject/notation-go/verifier"
 "github.com/notaryproject/notation-go/verifier/trustpolicy"
 "github.com/notaryproject/notation-go/verifier/truststore"
 "github.com/notaryproject/notation/cmd/notation/internal/experimental"
 "github.com/notaryproject/notation/internal/cmd"
+ "github.com/notaryproject/notation/internal/httputil"
 "github.com/notaryproject/notation/internal/ioutil"
 "github.com/spf13/cobra"
 )
@@ -111,7 +119,7 @@ func runVerify(command *cobra.Command, opts *verifyOpts) error {
 ctx := opts.LoggingFlagOpts.InitializeLogger(command.Context())
 // initialize
- sigVerifier, err := verifier.NewFromConfig()
+ sigVerifier, err := getVerifier(ctx)
 if err != nil {
 return err
 }
@@ -219,3 +227,30 @@ func printMetadataIfPresent(outcome *notation.VerificationOutcome) {
 ioutil.PrintMetadataMap(os.Stdout, metadata)
 }
 }
+
+func getVerifier(ctx context.Context) (notation.Verifier, error) {
+ policyDocument, err := trustpolicy.LoadOCIDocument()
+ if err != nil {
+ return nil, err
+ }
+ x509TrustStore := truststore.NewX509TrustStore(dir.ConfigFS())
+ ocspHttpClient := httputil.NewClient(ctx, &http.Client{Timeout: 2 * time.Second})
+ revocationCodeSigningValidator, err := revocation.NewWithOptions(revocation.Options{
+ OCSPHTTPClient: ocspHttpClient,
+ CertChainPurpose: purpose.CodeSigning,
+ })
+ if err != nil {
+ return nil, err
+ }
+ revocationTimestampingValidator, err := revocation.NewWithOptions(revocation.Options{
+ OCSPHTTPClient: ocspHttpClient,
+ CertChainPurpose: purpose.Timestamping,
+ })
+ if err != nil {
+ return nil, err
+ }
+ return verifier.NewVerifierWithOptions(policyDocument, nil, x509TrustStore, plugin.NewCLIManager(dir.PluginFS()), verifier.VerifierOptions{
+ RevocationCodeSigningValidator: revocationCodeSigningValidator,
+ RevocationTimestampingValidator: revocationTimestampingValidator,
+ })
+}
diff --git a/cmd/notation/verify_test.go b/cmd/notation/verify_test.go
index 6ae49b8c8..e554ae2ee 100644
--- a/cmd/notation/verify_test.go
+++ b/cmd/notation/verify_test.go
@@ -14,8 +14,11 @@
 package main
 import (
+ "context"
 "reflect"
 "testing"
+
+ "github.com/notaryproject/notation-go/dir"
 )
 func TestVerifyCommand_BasicArgs(t *testing.T) {
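Review bot: `getVerifier` has no doc comment, its `2 * time.Second` OCSP timeout is an unexplained literal, and a reader has to know notation-go to tell what the `nil` second argument to `verifier.NewVerifierWithOptions` stands for. I would add `// getVerifier builds the notation.Verifier used by verify: the OCI trust policy, an X.509 trust store over dir.ConfigFS(), the CLI plugin manager, and OCSP-backed revocation validators for the code-signing and timestamping chains.` above the function, hoist the timeout to `const ocspHTTPClientTimeout = 2 * time.Second // bounds each OCSP fetch made during verification` and pass `Timeout: ocspHTTPClientTimeout`, and put a one-line comment on the `nil` argument naming what it omits. The local `ocspHttpClient` should be spelled `ocspHTTPClient` to follow Go's initialism convention and match the `OCSPHTTPClient` field it feeds.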
@@ -80,3 +83,14 @@ func TestVerifyCommand_MissingArgs(t *testing.T) {
 t.Fatal("Parse Args expected error, but ok")
 }
 }
+
+func TestGetVerifier(t *testing.T) {
+ t.Run("non-existing trust policy", func(t *testing.T) {
+ dir.UserConfigDir = "/"
+ expectedErrMsg := "trust policy is not present. To create a trust policy, see: https://notaryproject.dev/docs/quickstart/#create-a-trust-policy"
+ _, err := getVerifier(context.Background())
+ if err == nil || err.Error() != expectedErrMsg {
+ t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
+ }
+ })
+}
diff --git a/go.mod b/go.mod
index d83f8ac2c..2e4eb2603 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,9 @@ module github.com/notaryproject/notation
 go 1.22
 require (
- github.com/notaryproject/notation-core-go v1.1.0-beta.1
- github.com/notaryproject/notation-go v1.2.0-beta.1
- github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172
+ github.com/notaryproject/notation-core-go v1.1.0-rc.1
+ github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240814004621-3c5a659c1d1d
+ github.com/notaryproject/tspclient-go v0.2.0
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0
 github.com/sirupsen/logrus v1.9.3
diff --git a/go.sum b/go.sum
index be1d39fb3..6d0bccf2d 100644
--- a/go.sum
+++ b/go.sum
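Review bot: `dir.UserConfigDir = "/"` in TestGetVerifier overwrites a package-level variable for the rest of the test binary and is never restored, so any later test in this package that loads a trust policy or trust store will see `/` as the config directory. Save and restore it: `orig := dir.UserConfigDir`, `dir.UserConfigDir = "/"`, `t.Cleanup(func() { dir.UserConfigDir = orig })`. The failure message uses `%s` for `err`, which prints `%!s(<nil>)` when `err` is nil; `t.Fatalf("expected %q, but got %v", expectedErrMsg, err)` reports both branches of the condition readably. The test also assumes `/` holds no trust policy, which is worth stating, e.g. `// "/" is assumed not to contain a trust policy, so loading must fail`.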
@@ -35,14 +35,14 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.1.0-beta.1 h1:Rpg8qhoEo4nIdiAWz597lbEcvEmjKwJLUtvJqXa8M4c=
-github.com/notaryproject/notation-core-go v1.1.0-beta.1/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY=
-github.com/notaryproject/notation-go v1.2.0-beta.1 h1:xSDkmdZ5j7kLrVs2ae8MyowdN7kEzwlV0EIhHjKfF90=
-github.com/notaryproject/notation-go v1.2.0-beta.1/go.mod h1:RypdKUKCUZ8QgJAqaaesgUkTRHQIB+puCPdH3/3dVGE=
+github.com/notaryproject/notation-core-go v1.1.0-rc.1 h1:6cxfVUuc4rTqYu0u7vOmgXfqw1zZabSLJNo8KvkDEzU=
+github.com/notaryproject/notation-core-go v1.1.0-rc.1/go.mod h1:j6NELapik2bE1DcrL5otTfXWuW5PR/JLLfREZ4ggmYY=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240814004621-3c5a659c1d1d h1:7/lNsNkauXRhFuQ7TXTBuJA9PjrLhVraaAHuoDisK5Q=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240814004621-3c5a659c1d1d/go.mod h1:YpPRyhvDtpYVYGtRJ1PGZJhigT3mnl9jwqYj7tTBYVM=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
-github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y=
-github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=
+github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/opencontainers/go-digest v1.0.0 
h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
diff --git a/test/e2e/go.mod b/test/e2e/go.mod
index 326aab3b4..6ca597d2e 100644
--- a/test/e2e/go.mod
+++ b/test/e2e/go.mod
@@ -3,7 +3,7 @@ module github.com/notaryproject/notation/test/e2e
 go 1.21
 require (
- github.com/notaryproject/notation-core-go v1.1.0-beta.1
+ github.com/notaryproject/notation-core-go v1.1.0-rc.1
 github.com/onsi/ginkgo/v2 v2.11.0
 github.com/onsi/gomega v1.27.10
 github.com/opencontainers/image-spec v1.1.0
@@ -16,7 +16,7 @@ require (
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 github.com/google/go-cmp v0.5.9 // indirect
 github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 // indirect
- github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 // indirect
+ github.com/notaryproject/tspclient-go v0.2.0 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/veraison/go-cose v1.1.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
diff --git a/test/e2e/go.sum b/test/e2e/go.sum
index 11dc8dee5..755867647 100644
--- a/test/e2e/go.sum
+++ b/test/e2e/go.sum
@@ -13,10 +13,10 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 h1:2XF1Vzq06X+inNqgJ9tRnGuw+ZVCB3FazXODD6JE1R8=
 github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk=
-github.com/notaryproject/notation-core-go v1.1.0-beta.1 h1:Rpg8qhoEo4nIdiAWz597lbEcvEmjKwJLUtvJqXa8M4c=
-github.com/notaryproject/notation-core-go v1.1.0-beta.1/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY=
-github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y=
-github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/notation-core-go v1.1.0-rc.1 h1:6cxfVUuc4rTqYu0u7vOmgXfqw1zZabSLJNo8KvkDEzU=
+github.com/notaryproject/notation-core-go v1.1.0-rc.1/go.mod h1:j6NELapik2bE1DcrL5otTfXWuW5PR/JLLfREZ4ggmYY=
+github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=
+github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
 github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod
index 79a26745c..76f2cd502 100644
--- a/test/e2e/plugin/go.mod
+++ b/test/e2e/plugin/go.mod
@@ -4,8 +4,8 @@ go 1.21
 require (
 github.com/golang-jwt/jwt v3.2.2+incompatible
- github.com/notaryproject/notation-core-go v1.1.0-beta.1
- github.com/notaryproject/notation-go v1.2.0-beta.1
+ github.com/notaryproject/notation-core-go v1.1.0-rc.1
+ github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240814004621-3c5a659c1d1d
 github.com/notaryproject/notation-plugin-framework-go v1.0.0
 github.com/spf13/cobra v1.7.0
 )
@@ -18,7 +18,7 @@ require (
 github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 // indirect
+ github.com/notaryproject/tspclient-go v0.2.0 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum
index 43feafd68..13a2a0b74 100644
--- a/test/e2e/plugin/go.sum
+++ b/test/e2e/plugin/go.sum
@@ -37,14 +37,14 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.1.0-beta.1 h1:Rpg8qhoEo4nIdiAWz597lbEcvEmjKwJLUtvJqXa8M4c=
-github.com/notaryproject/notation-core-go v1.1.0-beta.1/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY=
-github.com/notaryproject/notation-go v1.2.0-beta.1 h1:xSDkmdZ5j7kLrVs2ae8MyowdN7kEzwlV0EIhHjKfF90=
-github.com/notaryproject/notation-go v1.2.0-beta.1/go.mod h1:RypdKUKCUZ8QgJAqaaesgUkTRHQIB+puCPdH3/3dVGE=
+github.com/notaryproject/notation-core-go v1.1.0-rc.1 h1:6cxfVUuc4rTqYu0u7vOmgXfqw1zZabSLJNo8KvkDEzU=
+github.com/notaryproject/notation-core-go v1.1.0-rc.1/go.mod h1:j6NELapik2bE1DcrL5otTfXWuW5PR/JLLfREZ4ggmYY=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240814004621-3c5a659c1d1d h1:7/lNsNkauXRhFuQ7TXTBuJA9PjrLhVraaAHuoDisK5Q=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240814004621-3c5a659c1d1d/go.mod h1:YpPRyhvDtpYVYGtRJ1PGZJhigT3mnl9jwqYj7tTBYVM=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
-github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y=
-github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=
+github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/opencontainers/go-digest v1.0.0 
h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
diff --git a/test/e2e/suite/trustpolicy/trusted_identity.go b/test/e2e/suite/trustpolicy/trusted_identity.go
index 2f276a2b4..80ca06214 100644
--- a/test/e2e/suite/trustpolicy/trusted_identity.go
+++ b/test/e2e/suite/trustpolicy/trusted_identity.go
@@ -125,7 +125,7 @@ var _ = Describe("notation trust policy trusted identity test", func() {
 artifact := GenerateArtifact("e2e-valid-signature", "")
 notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
- MatchErrKeyWords(`distinguished name (DN) " CN=e2e,L=Seattle,ST=WA,C=US" has no mandatory RDN attribute for "O", it must contain 'C', 'ST', and 'O' RDN attributes at a minimum`)
+ MatchErrKeyWords(`distinguished name (DN) " CN=e2e,L=Seattle,ST=WA,C=US" has no mandatory RDN attribute for "O", it must contain 'C', 'ST' or 'S', and 'O' RDN attributes at a minimum`)
 })
 })
@@ -135,7 +135,7 @@ var _ = Describe("notation trust policy trusted identity test", func() {
 artifact := GenerateArtifact("e2e-valid-signature", "")
 notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
- MatchErrKeyWords(`distinguished name (DN) " CN=e2e,O=Notary,L=Seattle,C=US" has no mandatory RDN attribute for "ST", it must contain 'C', 'ST', and 'O' RDN attributes at a minimum`)
+ MatchErrKeyWords(`distinguished name (DN) " CN=e2e,O=Notary,L=Seattle,C=US" has no mandatory RDN attribute for "ST", it must contain 'C', 'ST' or 'S', and 'O' RDN attributes at a minimum`)
 })
 })
@@ -145,7 +145,7 @@ var _ = Describe("notation trust policy trusted identity test", func() {
 artifact := GenerateArtifact("e2e-valid-signature", "")
 notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-v").
- MatchErrKeyWords(`distinguished name (DN) " CN=e2e,O=Notary,L=Seattle,ST=WA" has no mandatory RDN attribute for "C", it must contain 'C', 'ST', and 'O' RDN attributes at a minimum`)
+ MatchErrKeyWords(`distinguished name (DN) " CN=e2e,O=Notary,L=Seattle,ST=WA" has no mandatory RDN attribute for "C", it must contain 'C', 'ST' or 'S', and 'O' RDN attributes at a minimum`)
 })
 })
 })