Refactor and add tests, implement a feature

What we didn't have in the `bash` or the `ec-cli` was the ability to have multiple sources of policy (Rego) files, e.g. from multiple git repositories or branches. Now this is available in the `ec-cli`. This does however refactor the implementation into smaller more manageable files, hopefully makes it easier to maintain. Tests were added. Ref. https://issues.redhat.com/browse/HACBS-372
enterprise-contract · Jun 7, 2022 · ba4b09d · ba4b09d
1 parent 9574190
commit ba4b09d
Show file tree

Hide file tree

Showing 17 changed files with 1,004 additions and 222 deletions.
diff --git a/cmd/eval.go b/cmd/eval.go
@@ -13,252 +13,76 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package cmd
 
 import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"os"
-	"os/exec"
-	"path"
-	"strings"
-
-	"github.com/google/go-containerregistry/pkg/name"
-	ecp "github.com/hacbs-contract/enterprise-contract-controller/api/v1alpha1"
-	getter "github.com/hashicorp/go-getter"
-	"github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/open-policy-agent/conftest/output"
-	confparser "github.com/open-policy-agent/conftest/parser"
-	conftest "github.com/open-policy-agent/conftest/policy"
-	"github.com/pkg/errors"
-	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
-	"github.com/sigstore/cosign/pkg/cosign"
-	"github.com/sigstore/cosign/pkg/oci"
-	"github.com/sigstore/cosign/pkg/policy"
-	cosig "github.com/sigstore/cosign/pkg/signature"
-	"github.com/sigstore/cosign/pkg/types"
-	"github.com/sigstore/sigstore/pkg/signature"
+	"github.com/hacbs-contract/ec-cli/cmd/internal/image"
+	"github.com/hacbs-contract/ec-cli/cmd/internal/policy"
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/runtime"
-	apitypes "k8s.io/apimachinery/pkg/types"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-// evalCmd represents the eval command
-var evalCmd = &cobra.Command{
-	Use:   "eval",
-	Short: "Evaluate enterprise contract",
-	Long:  `TODO: description`,
-	PreRunE: func(cmd *cobra.Command, args []string) error {
-		var err error
-		imageRef, err = name.ParseReference(imageRefStr)
-		if err != nil {
-			return err
-		}
-
-		verifier, err = cosig.PublicKeyFromKeyRef(cmd.Context(), publicKey)
-		if err != nil {
-			return errors.Wrapf(err, "unable to load public key from `%s`", publicKey)
-		}
-
-		co = cosign.CheckOpts{}
-		co.SigVerifier = verifier
-
-		if rekorURL != "" {
-			rekorClient, err := rekor.NewClient(rekorURL)
-			handle(err)
-			co.RekorClient = rekorClient
-		}
-
-		policyName = apitypes.NamespacedName{
-			Name: policyConfiguration,
-		}
-		policyParts := strings.SplitN(policyConfiguration, string(apitypes.Separator), 2)
-		if len(policyParts) == 2 {
-			policyName = apitypes.NamespacedName{
-				Namespace: policyParts[0],
-				Name:      policyParts[1],
-			}
-		}
-
-		workdir, err = os.MkdirTemp("", "ec.")
-		handle(err)
-
-		policiesPath = path.Join(workdir, "policies")
-		dataPath = path.Join(workdir, "data")
-		inputPath = path.Join(workdir, "input")
-
-		return nil
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		setupPolicies(cmd.Context())
-		verifyImageSignature(cmd.Context())
-		attestations := verifyImageAttestation(cmd.Context())
-		prepareInput(cmd.Context(), attestations)
-		verifyPolicy(cmd.Context())
-	},
+var arguments = struct {
+	policyConfiguration string
+	imageRef            string
+	publicKey           string
+	rekorURL            string
+	strict              bool
+}{
+	rekorURL: "https://rekor.sigstore.dev/",
 }
 
-var policyConfiguration, imageRefStr, publicKey, rekorURL string
-var strict bool
-var co cosign.CheckOpts
-var imageRef name.Reference
-var verifier signature.Verifier
-var policyName apitypes.NamespacedName
-var workdir = ""
-var inputPath = ""
-var policiesPath = ""
-var dataPath = ""
-
 func init() {
 	rootCmd.AddCommand(evalCmd)
 
-	evalCmd.Flags().StringVar(&policyConfiguration, "policy", "ec-policy", "Policy configuration name")
+	evalCmd.Flags().StringVar(&arguments.policyConfiguration, "policy", "ec-policy", "Policy configuration name")
 
-	evalCmd.Flags().StringVar(&imageRefStr, "image", "", "Image reference")
+	evalCmd.Flags().StringVar(&arguments.imageRef, "image", "", "Image reference")
 	evalCmd.MarkFlagRequired("image")
 
-	evalCmd.Flags().StringVar(&publicKey, "public-key", "", "Public key")
+	evalCmd.Flags().StringVar(&arguments.publicKey, "public-key", "", "Public key")
 	evalCmd.MarkFlagRequired("public-key")
 
-	evalCmd.Flags().StringVar(&rekorURL, "rekor-url", "https://rekor.sigstore.dev/", "Rekor URL")
+	evalCmd.Flags().StringVar(&arguments.rekorURL, "rekor-url", "", "Rekor URL")
 
-	evalCmd.Flags().BoolVar(&strict, "strict", false, "Enable strict mode")
+	evalCmd.Flags().BoolVar(&arguments.strict, "strict", false, "Enable strict mode")
 }
 
-func handle(err error) {
-	if err == nil {
-		return
-	}
-
-	fmt.Fprintf(os.Stderr, "%v", err)
-
-	if strict {
-		var exitErr *exec.ExitError
-		if errors.As(err, &exitErr) {
-			os.Exit(exitErr.ExitCode())
+var evalCmd = &cobra.Command{
+	Use:   "eval",
+	Short: "Evaluate enterprise contract",
+	Long:  `TODO: description`,
+	PreRunE: func(cmd *cobra.Command, args []string) error {
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		i, err := image.NewImageValidator(cmd.Context(), arguments.imageRef, arguments.publicKey, arguments.rekorURL)
+		if err != nil {
+			return err
 		}
 
-		// not ExitError, exit with status=2
-		os.Exit(2)
-	}
-
-	// non strict exit
-	os.Exit(0)
-}
-
-func verifyImageSignature(ctx context.Context) {
-	_, _, err := cosign.VerifyImageSignatures(ctx, imageRef, &co)
-	handle(err)
-}
-
-func verifyImageAttestation(ctx context.Context) []oci.Signature {
-	attestations, _, err := cosign.VerifyImageAttestations(ctx, imageRef, &co)
-	handle(err)
-
-	return attestations
-}
-
-func prepareInput(ctx context.Context, attestations []oci.Signature) {
-	// TODO handle multiple attestations of same (pipeline) buildType
-	for _, att := range attestations {
-		if typ, err := att.MediaType(); err == nil && typ == types.DssePayloadType {
-			payload, err := policy.AttestationToPayloadJSON(ctx, "slsaprovenance", att)
-			handle(err)
-
-			var statement in_toto.Statement
-			err = json.Unmarshal(payload, &statement)
-			handle(err)
-
-			if buildType, ok := statement.Predicate.(map[string]interface{})["buildType"]; ok && (fmt.Sprintf("%v", buildType) == "https://tekton.dev/attestations/chains/pipelinerun@v2") {
-				// TODO fails with multiple input.jsons, but that's okay we don't want to overwrite anyhow
-				err := os.Mkdir(inputPath, 0755)
-				handle(err)
-
-				input, err := os.Create(path.Join(inputPath, "input.json"))
-				handle(err)
-				defer input.Close()
-
-				fmt.Fprint(input, `{"attestations":[`)
-				j := json.NewEncoder(input)
-				err = j.Encode(statement)
-				handle(err)
-				fmt.Fprint(input, `]}`)
-			}
+		if err := i.ValidateImageSignature(cmd.Context()); err != nil {
+			return err
 		}
-	}
-}
-
-func setupPolicies(ctx context.Context) {
-	scheme := runtime.NewScheme()
-	ecp.AddToScheme(scheme)
-	kubeconfig := ctrl.GetConfigOrDie()
-	c, err := client.New(kubeconfig, client.Options{Scheme: scheme})
-	handle(err)
 
-	policy := &ecp.EnterpriseContractPolicy{}
-	err = c.Get(ctx, policyName, policy)
-	handle(err)
-
-	for _, source := range policy.Spec.Sources {
-		if source.GitRepository != nil {
-			git := *source.GitRepository
-			gitFetchPolicies(ctx, git.Repository, git.Revision)
+		if err := i.ValidateAttestationSignature(cmd.Context()); err != nil {
+			return err
 		}
-	}
 
-	if policy.Spec.Exceptions != nil {
-		config := map[string]interface{}{
-			"config": map[string]interface{}{
-				"policy": map[string]interface{}{
-					"non_blocking_checks": policy.Spec.Exceptions.NonBlocking,
-				},
-			},
+		p, err := policy.NewPolicyEvaluator(arguments.policyConfiguration)
+		if err != nil {
+			return err
 		}
 
-		err := os.Mkdir(dataPath, 0755)
-		handle(err)
-
-		f, err := os.Create(path.Join(dataPath, "config.json"))
-		handle(err)
-		defer f.Close()
-
-		j := json.NewEncoder(f)
-		err = j.Encode(config)
-		handle(err)
-	}
-}
-
-func gitFetchPolicies(ctx context.Context, repository string, revision *string) {
-	source := repository
-	if revision != nil {
-		source += "?ref=" + *revision
-	}
-
-	err := getter.Get(policiesPath, source, getter.WithContext(ctx))
-	handle(err)
-}
-
-func verifyPolicy(ctx context.Context) {
-	engine, err := conftest.LoadWithData(ctx, []string{policiesPath}, []string{dataPath}, "")
-	handle(err)
-
-	configurations, err := confparser.ParseConfigurations([]string{path.Join(inputPath, "input.json")})
-	handle(err)
-
-	result, err := engine.Check(ctx, configurations, "main")
-	handle(err)
+		results, err := p.Evaluate(cmd.Context(), i.Attestations())
+		if err != nil {
+			return err
+		}
 
-	outputter := output.Get("json", output.Options{
-		NoColor:            true,
-		SuppressExceptions: false,
-		Tracing:            false,
-		JUnitHideMessage:   true,
-	})
-	err = outputter.Output(result)
-	handle(err)
+		if err := p.Output(results); err != nil {
+			return err
+		}
 
-	os.Exit(output.ExitCode(result))
+		return nil
+	},
 }
diff --git a/cmd/internal/image/image.go b/cmd/internal/image/image.go
@@ -0,0 +1,86 @@
+/*
+Copyright © 2022 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package image
+
+import (
+	"context"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
+	"github.com/sigstore/cosign/pkg/cosign"
+	"github.com/sigstore/cosign/pkg/oci"
+	"github.com/sigstore/cosign/pkg/signature"
+)
+
+type imageValidator struct {
+	reference    name.Reference
+	checkOpts    cosign.CheckOpts
+	attestations []oci.Signature
+}
+
+// NewImageValidator constructs a new imageValidator with the provided parameters
+func NewImageValidator(ctx context.Context, image string, publicKey string, rekorURL string) (*imageValidator, error) {
+	ref, err := name.ParseReference(image)
+	if err != nil {
+		return nil, err
+	}
+
+	verifier, err := signature.PublicKeyFromKeyRef(ctx, publicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	checkOpts := cosign.CheckOpts{}
+	checkOpts.SigVerifier = verifier
+
+	if rekorURL != "" {
+		rekorClient, err := rekor.NewClient(rekorURL)
+		if err != nil {
+			return nil, err
+		}
+
+		checkOpts.RekorClient = rekorClient
+	}
+
+	return &imageValidator{
+		reference: ref,
+		checkOpts: checkOpts,
+	}, nil
+}
+
+func (i *imageValidator) ValidateImageSignature(ctx context.Context) error {
+	// TODO check what to do with _, _
+	_, _, err := cosign.VerifyImageSignatures(ctx, i.reference, &i.checkOpts)
+
+	return err
+}
+
+func (i *imageValidator) ValidateAttestationSignature(ctx context.Context) error {
+	// TODO check what to do with _
+	attestations, _, err := cosign.VerifyImageAttestations(ctx, i.reference, &i.checkOpts)
+	if err != nil {
+		return err
+	}
+
+	i.attestations = attestations
+
+	return nil
+}
+
+func (i *imageValidator) Attestations() []oci.Signature {
+	return i.attestations
+}