update for v1.2.0-rc.1 release

Signed-off-by: Patrick Zheng <[email protected]>
notaryproject · Aug 14, 2024 · 2574460 · 2574460
1 parent d52b619
commit 2574460
Show file tree

Hide file tree

Showing 7 changed files with 65 additions and 83 deletions.
diff --git a/notation_test.go b/notation_test.go
@@ -490,7 +490,7 @@ func (s *verifyMetadataSigner) Sign(_ context.Context, desc ocispec.Descriptor,
 }
 
 type dummyVerifier struct {
-	TrustPolicyDoc    *trustpolicy.OCIDocument
+	TrustPolicyDoc    *trustpolicy.Document
 	PluginManager     plugin.Manager
 	FailVerify        bool
 	VerificationLevel trustpolicy.VerificationLevel

diff --git a/verifier/helpers_test.go b/verifier/helpers_test.go
@@ -60,7 +60,7 @@ func TestLoadX509TrustStore(t *testing.T) {
 	// load "ca" and "signingAuthority" trust store
 	caStore := "ca:valid-trust-store"
 	signingAuthorityStore := "signingAuthority:valid-trust-store"
-	dummyPolicy := dummyOCIPolicyDocument().TrustPolicies[0]
+	dummyPolicy := dummyPolicyDocument().TrustPolicies[0]
 	dummyPolicy.TrustStores = []string{caStore, signingAuthorityStore}
 	dir.UserConfigDir = "testdata"
 	x509truststore := truststore.NewX509TrustStore(dir.ConfigFS())
@@ -138,10 +138,10 @@ func getArtifactDigestFromReference(artifactReference string) (string, error) {
 	return artifactReference[i+1:], nil
 }
 
-func dummyOCIPolicyDocument() (policyDoc trustpolicy.OCIDocument) {
-	return trustpolicy.OCIDocument{
+func dummyPolicyDocument() (policyDoc trustpolicy.Document) {
+	return trustpolicy.Document{
 		Version: "1.0",
-		TrustPolicies: []trustpolicy.OCITrustPolicy{
+		TrustPolicies: []trustpolicy.TrustPolicy{
 			{
 				Name:                  "test-statement-name",
 				RegistryScopes:        []string{"registry.acme-rockets.io/software/net-monitor"},
@@ -153,9 +153,9 @@ func dummyOCIPolicyDocument() (policyDoc trustpolicy.OCIDocument) {
 	}
 }
 
-func dummyInvalidOCIPolicyDocument() (policyDoc trustpolicy.OCIDocument) {
-	return trustpolicy.OCIDocument{
-		TrustPolicies: []trustpolicy.OCITrustPolicy{
+func dummyInvalidPolicyDocument() (policyDoc trustpolicy.Document) {
+	return trustpolicy.Document{
+		TrustPolicies: []trustpolicy.TrustPolicy{
 			{
 				Name: "invalid",
 			},

diff --git a/verifier/trustpolicy/oci.go b/verifier/trustpolicy/oci.go
@@ -25,17 +25,17 @@ import (
 	"github.com/notaryproject/notation-go/internal/trustpolicy"
 )
 
-// OCIDocument represents a trustPolicy.json document for OCI artifacts
-type OCIDocument struct {
+// Document represents a trustpolicy.json document
+type Document struct {
 	// Version of the policy document
 	Version string `json:"version"`
 
 	// TrustPolicies include each policy statement
-	TrustPolicies []OCITrustPolicy `json:"trustPolicies"`
+	TrustPolicies []TrustPolicy `json:"trustPolicies"`
 }
 
-// OCITrustPolicy represents a policy statement in the policy document for OCI artifacts
-type OCITrustPolicy struct {
+// TrustPolicy represents a policy statement in the policy document
+type TrustPolicy struct {
 	// Name of the policy statement
 	Name string `json:"name"`
 
@@ -52,29 +52,11 @@ type OCITrustPolicy struct {
 	RegistryScopes []string `json:"registryScopes"`
 }
 
-// Document represents a trustPolicy.json document
-//
-// Deprecated: Document exists for historical compatibility and should not be used.
-// To create OCI Document, use OCIDocument.
-type Document = OCIDocument
-
-// TrustPolicy represents a policy statement in the policy document
-//
-// Deprecated: TrustPolicy exists for historical compatibility and should not be used.
-// To create OCI TrustPolicy, use OCITrustPolicy.
-type TrustPolicy = OCITrustPolicy
-
-// LoadDocument loads a trust policy document from a local file system
-//
-// Deprecated: LoadDocument function exists for historical compatibility and should not be used.
-// To load OCI Document, use LoadOCIDocument function.
-var LoadDocument = LoadOCIDocument
-
 var supportedOCIPolicyVersions = []string{"1.0"}
 
-// LoadOCIDocument retrieves a trust policy document from the local file system.
-func LoadOCIDocument() (*OCIDocument, error) {
-	var doc OCIDocument
+// LoadDocument retrieves a trust policy document from the local file system.
+func LoadDocument() (*Document, error) {
+	var doc Document
 	if err := getDocument(dir.PathTrustPolicy, &doc); err != nil {
 		return nil, err
 	}
@@ -83,7 +65,7 @@ func LoadOCIDocument() (*OCIDocument, error) {
 
 // Validate validates a policy document according to its version's rule set.
 // if any rule is violated, returns an error
-func (policyDoc *OCIDocument) Validate() error {
+func (policyDoc *Document) Validate() error {
 	// sanity check
 	if policyDoc == nil {
 		return errors.New("oci trust policy document cannot be nil")
@@ -128,14 +110,14 @@ func (policyDoc *OCIDocument) Validate() error {
 // statement that applies to the given registry scope. If no applicable trust
 // policy is found, returns an error
 // see https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#selecting-a-trust-policy-based-on-artifact-uri
-func (policyDoc *OCIDocument) GetApplicableTrustPolicy(artifactReference string) (*OCITrustPolicy, error) {
+func (policyDoc *Document) GetApplicableTrustPolicy(artifactReference string) (*TrustPolicy, error) {
 	artifactPath, err := getArtifactPathFromReference(artifactReference)
 	if err != nil {
 		return nil, err
 	}
 
-	var wildcardPolicy *OCITrustPolicy
-	var applicablePolicy *OCITrustPolicy
+	var wildcardPolicy *TrustPolicy
+	var applicablePolicy *TrustPolicy
 	for _, policyStatement := range policyDoc.TrustPolicies {
 		if slices.Contains(policyStatement.RegistryScopes, trustpolicy.Wildcard) {
 			// we need to deep copy because we can't use the loop variable
@@ -158,8 +140,8 @@ func (policyDoc *OCIDocument) GetApplicableTrustPolicy(artifactReference string)
 }
 
 // clone returns a pointer to the deeply copied TrustPolicy
-func (t *OCITrustPolicy) clone() *OCITrustPolicy {
-	return &OCITrustPolicy{
+func (t *TrustPolicy) clone() *TrustPolicy {
+	return &TrustPolicy{
 		Name:                  t.Name,
 		SignatureVerification: t.SignatureVerification,
 		TrustedIdentities:     append([]string(nil), t.TrustedIdentities...),
@@ -170,7 +152,7 @@ func (t *OCITrustPolicy) clone() *OCITrustPolicy {
 
 // validateRegistryScopes validates if the policy document is following the
 // Notary Project spec rules for registry scopes
-func validateRegistryScopes(policyDoc *OCIDocument) error {
+func validateRegistryScopes(policyDoc *Document) error {
 	registryScopeCount := make(map[string]int)
 	for _, statement := range policyDoc.TrustPolicies {
 		// Verify registry scopes are valid

diff --git a/verifier/trustpolicy/oci_test.go b/verifier/trustpolicy/oci_test.go
@@ -33,7 +33,7 @@ func TestLoadOCIDocumentFromOldFileLocation(t *testing.T) {
 	}
 	t.Cleanup(func() { os.RemoveAll(tempRoot) })
 
-	if _, err := LoadOCIDocument(); err != nil {
+	if _, err := LoadDocument(); err != nil {
 		t.Fatalf("LoadOCIDocument() should not throw error for an existing policy file. Error: %v", err)
 	}
 }
@@ -48,15 +48,15 @@ func TestLoadOCIDocumentFromNewFileLocation(t *testing.T) {
 	}
 	t.Cleanup(func() { os.RemoveAll(tempRoot) })
 
-	if _, err := LoadOCIDocument(); err != nil {
+	if _, err := LoadDocument(); err != nil {
 		t.Fatalf("LoadOCIDocument() should not throw error for an existing policy file. Error: %v", err)
 	}
 }
 
 func TestLoadOCIDocumentError(t *testing.T) {
 	tempRoot := t.TempDir()
 	dir.UserConfigDir = tempRoot
-	if _, err := LoadOCIDocument(); err == nil {
+	if _, err := LoadDocument(); err == nil {
 		t.Fatalf("LoadOCIDocument() should throw error if OCI trust policy is not found")
 	}
 }
@@ -72,7 +72,7 @@ func TestApplicableTrustPolicy(t *testing.T) {
 	policyStatement.RegistryScopes = []string{registryScope}
 	policyStatement.SignatureVerification = SignatureVerification{VerificationLevel: "strict"}
 
-	policyDoc.TrustPolicies = []OCITrustPolicy{
+	policyDoc.TrustPolicies = []TrustPolicy{
 		policyStatement,
 	}
 	// existing Registry Scope
@@ -88,15 +88,15 @@ func TestApplicableTrustPolicy(t *testing.T) {
 	}
 
 	// wildcard registry scope
-	wildcardStatement := OCITrustPolicy{
+	wildcardStatement := TrustPolicy{
 		Name:                  "test-statement-name-2",
 		SignatureVerification: SignatureVerification{VerificationLevel: "skip"},
 		TrustStores:           []string{},
 		TrustedIdentities:     []string{},
 		RegistryScopes:        []string{"*"},
 	}
 
-	policyDoc.TrustPolicies = []OCITrustPolicy{
+	policyDoc.TrustPolicies = []TrustPolicy{
 		policyStatement,
 		wildcardStatement,
 	}
@@ -110,7 +110,7 @@ func TestApplicableTrustPolicy(t *testing.T) {
 // and tests various validations on policy elements
 func TestValidateInvalidPolicyDocument(t *testing.T) {
 	// Sanity check
-	var nilPolicyDoc *OCIDocument
+	var nilPolicyDoc *Document
 	err := nilPolicyDoc.Validate()
 	if err == nil || err.Error() != "oci trust policy document cannot be nil" {
 		t.Fatalf("nil policyDoc should return error")
@@ -153,7 +153,7 @@ func TestValidateInvalidPolicyDocument(t *testing.T) {
 	policyStatement1 := policyDoc.TrustPolicies[0].clone()
 	policyStatement2 := policyDoc.TrustPolicies[0].clone()
 	policyStatement2.Name = "test-statement-name-2"
-	policyDoc.TrustPolicies = []OCITrustPolicy{*policyStatement1, *policyStatement2}
+	policyDoc.TrustPolicies = []TrustPolicy{*policyStatement1, *policyStatement2}
 	err = policyDoc.Validate()
 	if err == nil || err.Error() != "registry scope \"registry.acme-rockets.io/software/net-monitor\" is present in multiple oci trust policy statements, one registry scope value can only be associated with one statement" {
 		t.Fatalf("Policy statements with same registry scope should return error %q", err)
@@ -279,7 +279,7 @@ func TestValidateInvalidPolicyDocument(t *testing.T) {
 	policyStatement1 = policyDoc.TrustPolicies[0].clone()
 	policyStatement2 = policyDoc.TrustPolicies[0].clone()
 	policyStatement2.RegistryScopes = []string{"registry.acme-rockets.io/software/legacy/metrics"}
-	policyDoc.TrustPolicies = []OCITrustPolicy{*policyStatement1, *policyStatement2}
+	policyDoc.TrustPolicies = []TrustPolicy{*policyStatement1, *policyStatement2}
 	err = policyDoc.Validate()
 	if err == nil || err.Error() != "multiple oci trust policy statements use the same name \"test-statement-name\", statement names must be unique" {
 		t.Fatalf("policy statements with same name should return error")
@@ -376,7 +376,7 @@ func TestValidateValidPolicyDocument(t *testing.T) {
 	policyStatement8.RegistryScopes = []string{"registry.acme-rockets.io/software/net-monitor8"}
 	policyStatement8.SignatureVerification.VerifyTimestamp = OptionAfterCertExpiry
 
-	policyDoc.TrustPolicies = []OCITrustPolicy{
+	policyDoc.TrustPolicies = []TrustPolicy{
 		*policyStatement1,
 		*policyStatement2,
 		*policyStatement3,

diff --git a/verifier/trustpolicy/trustpolicy_test.go b/verifier/trustpolicy/trustpolicy_test.go
@@ -26,10 +26,10 @@ import (
 	"github.com/notaryproject/notation-go/dir"
 )
 
-func dummyOCIPolicyDocument() OCIDocument {
-	return OCIDocument{
+func dummyOCIPolicyDocument() Document {
+	return Document{
 		Version: "1.0",
-		TrustPolicies: []OCITrustPolicy{
+		TrustPolicies: []TrustPolicy{
 			{
 				Name:                  "test-statement-name",
 				RegistryScopes:        []string{"registry.acme-rockets.io/software/net-monitor"},
@@ -292,7 +292,7 @@ func TestGetDocument(t *testing.T) {
 		t.Skip("skipping test on Windows")
 	}
 	dir.UserConfigDir = "/"
-	var ociDoc OCIDocument
+	var ociDoc Document
 	tests := []struct {
 		name             string
 		expectedDocument any
@@ -325,7 +325,7 @@ func TestGetDocument(t *testing.T) {
 func TestGetDocumentErrors(t *testing.T) {
 	dir.UserConfigDir = "/"
 	t.Run("non-existing policy file", func(t *testing.T) {
-		var doc OCIDocument
+		var doc Document
 		if err := getDocument("blaah", &doc); err == nil || err.Error() != fmt.Sprintf("trust policy is not present. To create a trust policy, see: %s", trustPolicyLink) {
 			t.Fatalf("getDocument() should throw error for non existent policy")
 		}
@@ -342,7 +342,7 @@ func TestGetDocumentErrors(t *testing.T) {
 		}
 		t.Cleanup(func() { os.RemoveAll(tempRoot) })
 
-		var doc OCIDocument
+		var doc Document
 		if err := getDocument(path, &doc); err == nil || err.Error() != fmt.Sprintf("malformed trust policy. To create a trust policy, see: %s", trustPolicyLink) {
 			t.Fatalf("getDocument() should throw error for invalid policy file. Error: %v", err)
 		}
@@ -359,7 +359,7 @@ func TestGetDocumentErrors(t *testing.T) {
 			t.Fatalf("creation of invalid permission policy file failed. Error: %v", err)
 		}
 		expectedErrMsg := fmt.Sprintf("unable to read trust policy due to file permissions, please verify the permissions of %s", path)
-		var doc OCIDocument
+		var doc Document
 		if err := getDocument(path, &doc); err == nil || err.Error() != expectedErrMsg {
 			t.Errorf("getDocument() should throw error for a policy file with bad permissions. "+
 				"Expected error: '%v'qq but found '%v'", expectedErrMsg, err.Error())
@@ -380,7 +380,7 @@ func TestGetDocumentErrors(t *testing.T) {
 		if err := os.Symlink(path, symlinkPath); err != nil {
 			t.Fatalf("creation of symlink for policy file failed. Error: %v", err)
 		}
-		var doc OCIDocument
+		var doc Document
 		if err := getDocument(symlinkPath, &doc); err == nil || !strings.HasPrefix(err.Error(), "trust policy is not a regular file (symlinks are not supported)") {
 			t.Fatalf("getDocument() should throw error for a symlink policy file. Error: %v", err)
 		}

diff --git a/verifier/verifier.go b/verifier/verifier.go
@@ -51,7 +51,7 @@ import (
 
 // verifier implements notation.Verifier and notation.verifySkipper
 type verifier struct {
-	trustPolicyDoc                  *trustpolicy.OCIDocument
+	trustPolicyDoc                  *trustpolicy.Document
 	trustStore                      truststore.X509TrustStore
 	pluginManager                   plugin.Manager
 	revocationClient                revocation.Revocation
@@ -82,7 +82,7 @@ type VerifierOptions struct {
 // NewFromConfig returns a verifier based on local file system.
 func NewFromConfig() (notation.Verifier, error) {
 	// load trust policy
-	policyDocument, err := trustpolicy.LoadOCIDocument()
+	policyDocument, err := trustpolicy.LoadDocument()
 	if err != nil {
 		return nil, err
 	}
@@ -93,13 +93,13 @@ func NewFromConfig() (notation.Verifier, error) {
 }
 
 // New creates a new verifier given trustPolicy, trustStore and pluginManager
-func New(trustPolicy *trustpolicy.OCIDocument, trustStore truststore.X509TrustStore, pluginManager plugin.Manager) (notation.Verifier, error) {
+func New(trustPolicy *trustpolicy.Document, trustStore truststore.X509TrustStore, pluginManager plugin.Manager) (notation.Verifier, error) {
 	return NewWithOptions(trustPolicy, trustStore, pluginManager, VerifierOptions{})
 }
 
 // NewWithOptions creates a new verifier given trustPolicy, trustStore,
 // pluginManager, and verifierOptions
-func NewWithOptions(trustPolicy *trustpolicy.OCIDocument, trustStore truststore.X509TrustStore, pluginManager plugin.Manager, verifierOptions VerifierOptions) (notation.Verifier, error) {
+func NewWithOptions(trustPolicy *trustpolicy.Document, trustStore truststore.X509TrustStore, pluginManager plugin.Manager, verifierOptions VerifierOptions) (notation.Verifier, error) {
 	if trustStore == nil {
 		return nil, errors.New("trustStore cannot be nil")
 	}