Merge pull request #14 from pjbgf-forks/fixes

pjbgf · web-flow · commit e66a6f82da17 · 2024-12-06T16:28:11.000Z
Add support for OBS signed images
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -27,7 +27,6 @@ jobs:
         with:
           go-version: stable
 
-      - uses: anchore/sbom-action/download-syft@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8
       - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
       - name: Run GoReleaser
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -2,9 +2,10 @@ name: Tests
 
 on:
   push:
+  pull_request:
+  workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
@@ -20,3 +21,21 @@ jobs:
     
     - run: make test
     - run: make verify
+
+  e2e:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - uses: ./actions/install-slsactl
+    - run: make e2e
+
+  test-verify-action:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    - uses: ./actions/verify
+      with:
+        image: ghcr.io/kubewarden/policy-server:v1.19.0
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -40,12 +40,6 @@ source:
   enabled: true
   name_template: '{{ .ProjectName }}_{{ .Version }}_source'
 
-sboms:
-  - id: source
-    artifacts: source
-    documents:
-      - '{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json'
-
 release:
   extra_files:
     - glob: ./**/*.bundle
diff --git a/Makefile b/Makefile
@@ -8,6 +8,9 @@ build:
 test:
 	go test -race ./...
 
+e2e:
+	./hack/e2e.sh
+
 verify: verify-lint verify-dirty ## Run verification checks.
 
 verify-lint: $(GOLANGCI)
diff --git a/actions/install-slsactl/action.yml b/actions/install-slsactl/action.yml
@@ -0,0 +1,32 @@
+# This GitHub action install the slsactl CLI, making it available for
+# other steps within an GitHub workflow to refer to it.
+#
+# Reference usage:
+#    steps:
+#      ...
+#      - uses: rancherlabs/slsactl/actions/install-slsactl@main
+#        with:
+#          version: latest
+
+name: install-slsactl
+
+inputs:
+  version:
+    description: |
+      The slsactl version to be installed.
+    required: false
+    default: latest
+    type: string
+
+runs:
+  using: composite
+
+  steps:
+  - uses: actions/setup-go@v5
+    with:
+      go-version: 'stable'
+
+  - name: Install slsactl
+    shell:
+    run: |
+      go install github.com/rancherlabs/slsactl@${{ inputs.version }}
diff --git a/actions/verify/action.yml b/actions/verify/action.yml
@@ -29,10 +29,7 @@ runs:
     with:
       go-version: 'stable'
 
-  - name: Install slsactl
-    shell:
-    run: |
-      go install github.com/rancherlabs/slsactl@latest
+  - uses: ./actions/install-slsactl
 
   - name: Verify image
     shell: bash
diff --git a/hack/e2e.sh b/hack/e2e.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -eox pipefail
+
+IMAGE=${IMAGE:-ghcr.io/kubewarden/policy-server:v1.19.0}
+
+slsactl verify "${IMAGE}"
+slsactl download provenance "${IMAGE}"
+slsactl download provenance --format=slsav1 "${IMAGE}"
+slsactl download sbom "${IMAGE}"
+slsactl download sbom -format cyclonedxjson "${IMAGE}"
+slsactl version
diff --git a/pkg/verify/mapping.go b/pkg/verify/mapping.go
@@ -1,5 +1,10 @@
 package verify
 
+import (
+	"fmt"
+	"strings"
+)
+
 // imageRepo holds the mappings between container image and source code repositories.
 var imageRepo = map[string]string{
 	"rancher/rke2-runtime":                    "rancher/rke2",
@@ -20,3 +25,25 @@ var imageRepo = map[string]string{
 	"rancher/nginx-ingress-controller":        "rancher/ingress-nginx",
 	"rancher/rancher":                         "rancher/rancher-prime",
 }
+
+var obs = map[string]struct{}{
+	"rancher/elemental-operator":            {},
+	"rancher/seedimage-builder":             {},
+	"rancher/elemental-channel/sl-micro":    {},
+	"rancher/elemental-operator-crds-chart": {},
+	"rancher/elemental-operator-chart":      {},
+}
+
+func obsSigned(image string) bool {
+	bef, after, _ := strings.Cut(image, "/")
+	if strings.Contains(bef, ".") {
+		image = after
+	}
+
+	bef, _, _ = strings.Cut(image, ":")
+	image = bef
+	fmt.Println(image)
+
+	_, ok := obs[image]
+	return ok
+}
diff --git a/pkg/verify/verify.go b/pkg/verify/verify.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto"
 	"fmt"
+	"log/slog"
 	"os"
 	"strings"
 	"time"
@@ -13,7 +14,12 @@ import (
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
 )
 
-const timeout = 45 * time.Second
+const (
+	timeout    = 45 * time.Second
+	maxWorkers = 5
+	hashAlgo   = crypto.SHA256
+	obsKey     = "https://ftp.suse.com/pub/projects/security/keys/container-key.pem"
+)
 
 var archSuffixes = []string{
 	"-linux-amd64",
@@ -30,11 +36,38 @@ var archSuffixes = []string{
 //
 // Upstream documentation:
 // https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md
-func Verify(imageName string) error {
+func Verify(image string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
-	certIdentity, err := certIdentity(imageName)
+	if obsSigned(image) {
+		return verifyObs(ctx, image)
+	}
+
+	return verifyKeyless(ctx, image)
+}
+
+func verifyObs(ctx context.Context, image string) error {
+	slog.Debug("OBS verification")
+	v := &verify.VerifyCommand{
+		KeyRef:        obsKey,
+		RekorURL:      options.DefaultRekorURL,
+		CertRef:       obsKey,
+		CheckClaims:   true,
+		HashAlgorithm: hashAlgo,
+		MaxWorkers:    maxWorkers,
+	}
+
+	if strings.EqualFold(os.Getenv("DEBUG"), "true") {
+		logs.Debug.SetOutput(os.Stderr)
+	}
+
+	return v.Exec(ctx, []string{image})
+}
+
+func verifyKeyless(ctx context.Context, image string) error {
+	slog.Info("GHA keyless verification")
+	certIdentity, err := certIdentity(image)
 	if err != nil {
 		return err
 	}
@@ -47,15 +80,15 @@ func Verify(imageName string) error {
 			CertOidcIssuer: "https://token.actions.githubusercontent.com",
 		},
 		CheckClaims:   true,
-		HashAlgorithm: crypto.SHA256,
-		MaxWorkers:    5,
+		HashAlgorithm: hashAlgo,
+		MaxWorkers:    maxWorkers,
 	}
 
 	if strings.EqualFold(os.Getenv("DEBUG"), "true") {
 		logs.Debug.SetOutput(os.Stderr)
 	}
 
-	return v.Exec(ctx, []string{imageName})
+	return v.Exec(ctx, []string{image})
 }
 
 func certIdentity(imageName string) (string, error) {
diff --git a/pkg/verify/verify_test.go b/pkg/verify/verify_test.go
@@ -93,7 +93,6 @@ func TestCertificateIdentity(t *testing.T) {
 	}
 
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.image, func(t *testing.T) {
 			t.Parallel()
 
@@ -109,3 +108,26 @@ func TestCertificateIdentity(t *testing.T) {
 		})
 	}
 }
+
+func TestObsSigned(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		image string
+		want  bool
+	}{
+		{image: "rancher/elemental-operator", want: true},
+		{image: "rancher/seedimage-builder", want: true},
+		{image: "rancher/elemental-channel/sl-micro", want: true},
+		{image: "rancher/elemental-operator-crds-chart", want: true},
+		{image: "rancher/elemental-operator-chart", want: true},
+		{image: "rancher/rancher"},
+		{image: "ghcr.io/kubewarden/policy-server"},
+		{image: "fuzz/bar"},
+	}
+
+	for _, tc := range tests {
+		got := obsSigned(tc.image)
+		assert.Equal(t, tc.want, got)
+	}
+}
