Merge branch 'dev' into dependabot/github_actions/sigstore/cosign-installer-3.8.0
akashsinghal authored Feb 6, 2025
2 parents e09eecb + 4ebb248 commit 5d13f56
Showing 11 changed files with 35 additions and 83 deletions.
4 changes: 2 additions & 2 deletions charts/ratify/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: ratify
description: A Helm chart for Ratify
version: 1.15.0-rc.1
appVersion: v1.4.0-rc.1
version: 1.15.0
appVersion: v1.4.0
home: https://github.com/ratify-project/ratify
icon: https://raw.githubusercontent.com/ratify-project/ratify/main/logo.svg
2 changes: 1 addition & 1 deletion charts/ratify/values.yaml
@@ -1,7 +1,7 @@
image:
repository: ghcr.io/ratify-project/ratify
crdRepository: ghcr.io/ratify-project/ratify-crds
tag: v1.4.0-rc.1
tag: v1.4.0
pullPolicy: IfNotPresent

nameOverride: ""
2 changes: 1 addition & 1 deletion helmfile.yaml
Expand Up @@ -23,7 +23,7 @@ releases:
- name: ratify
namespace: gatekeeper-system
chart: ratify/ratify
version: 1.15.0-rc.1 # Make sure this matches Chart.yaml
version: 1.15.0 # Make sure this matches Chart.yaml
wait: true
needs:
- gatekeeper
2 changes: 1 addition & 1 deletion high-availability.helmfile.yaml
Expand Up @@ -50,7 +50,7 @@ releases:
- name: ratify
namespace: gatekeeper-system
chart: ratify/ratify
version: 1.15.0-rc.1 # Make sure this matches Chart.yaml
version: 1.15.0 # Make sure this matches Chart.yaml
wait: true
needs:
- dapr-system/dapr
5 changes: 0 additions & 5 deletions pkg/keymanagementprovider/refresh/kubeRefresh_test.go
Expand Up @@ -26,7 +26,6 @@ import (
"testing"
"time"

"github.com/notaryproject/notation-core-go/revocation"
corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
re "github.com/ratify-project/ratify/errors"
"github.com/ratify-project/ratify/pkg/keymanagementprovider"
Expand Down Expand Up @@ -180,10 +179,6 @@ func (h *MockCRLHandler) NewFetcher() (corecrl.Fetcher, error) {
return nil, re.ErrorCodeConfigInvalid.WithDetail("failed to create CRL fetcher")
}

func (h *MockCRLHandler) NewValidator(_ revocation.Options) (revocation.Validator, error) {
return nil, nil
}

func TestKubeRefresher_GetResult(t *testing.T) {
kr := &KubeRefresher{
Result: ctrl.Result{RequeueAfter: time.Minute},
9 changes: 8 additions & 1 deletion pkg/utils/azureauth/authenticationUtils.go
Expand Up @@ -18,6 +18,7 @@ package azureauth
import (
"context"
"fmt"
"net/url"
"os"
"time"

Expand Down Expand Up @@ -47,9 +48,15 @@ func GetAADAccessToken(ctx context.Context, tenantID, clientID, scope string) (c
return readJWTFromFS(tokenFilePath)
})

// join the authority prefix with tenantID to create authority URL
authorityURL, err := url.JoinPath(authority, tenantID)
if err != nil {
return confidential.AuthResult{}, fmt.Errorf("failed to create authority URL when joining authority prefix and tenantID: %w", err)
}

// create the confidential client to request an AAD token
confidentialClientApp, err := confidential.New(
fmt.Sprintf("%s%s/oauth2/token", authority, tenantID),
authorityURL,
clientID,
cred)
if err != nil {
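Review bot: tenantID is joined into the authority on the `url.JoinPath(authority, tenantID)` line without any check, so an empty value produces an authority ending in a bare slash, and a value containing `/` or `..` segments is path-cleaned by JoinPath into a different authority instead of being rejected. If tenantID can originate from configuration, a guard before the join such as `if tenantID == "" || strings.ContainsRune(tenantID, '/') { return confidential.AuthResult{}, fmt.Errorf("invalid tenantID %q", tenantID) }` makes the failure explicit (this needs the `strings` import, which the visible import block does not show). The new error text opens with "failed to", which is redundant once the error is wrapped with `%w`; `fmt.Errorf("joining authority %q with tenant ID: %w", authority, err)` is shorter and keeps the same context. GetAADAccessToken starts and ends outside the hunk.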
4 changes: 2 additions & 2 deletions pkg/verifier/notation/notation.go
Expand Up @@ -193,14 +193,14 @@ func getVerifierService(ctx context.Context, conf *NotationPluginVerifierConfig,
if err != nil {
logger.GetLogger(ctx, logOpt).Warnf("Unable to create CRL fetcher for notation verifier %s with error: %s", conf.Name, err)
}
revocationCodeSigningValidator, err := revocationFactory.NewValidator(revocation.Options{
revocationCodeSigningValidator, err := revocation.NewWithOptions(revocation.Options{
CRLFetcher: crlFetcher,
CertChainPurpose: purpose.CodeSigning,
})
if err != nil {
return nil, err
}
revocationTimestampingValidator, err := revocationFactory.NewValidator(revocation.Options{
revocationTimestampingValidator, err := revocation.NewWithOptions(revocation.Options{
CRLFetcher: crlFetcher,
CertChainPurpose: purpose.Timestamping,
})
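Review bot: The error from `revocation.NewWithOptions` for the code-signing validator is returned bare on the `return nil, err` line, so a caller can no longer tell which of the two validators failed to build now that the factory-specific messages are gone; if `fmt` is in scope in this file, `return nil, fmt.Errorf("creating code signing revocation validator: %w", err)` keeps that context, and the matching timestamping return (outside the hunk) would get the same treatment. In the visible lines revocationFactory is now only consulted for NewFetcher, which is consistent with the narrowed RevocationFactory interface in revocationfactory.go. getVerifierService starts and ends outside the hunk.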
71 changes: 20 additions & 51 deletions pkg/verifier/notation/notation_test.go
Expand Up @@ -23,11 +23,10 @@ import (
"reflect"
"testing"

"github.com/notaryproject/notation-core-go/revocation"
corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
"github.com/notaryproject/notation-core-go/revocation/purpose"
sig "github.com/notaryproject/notation-core-go/signature"
"github.com/notaryproject/notation-go"
"github.com/notaryproject/notation-go/verifier/trustpolicy"
"github.com/opencontainers/go-digest"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
ratifyconfig "github.com/ratify-project/ratify/config"
Expand Down Expand Up @@ -582,43 +581,27 @@ func TestGetVerifierService(t *testing.T) {
errContent: nil,
},
{
name: "failed to create file cache",
conf: &NotationPluginVerifierConfig{
VerificationCerts: []string{defaultCertDir},
},
pluginDir: "",
RevocationFactory: mockRevocationFactory{httpClient: &http.Client{}, failFileCache: true},
expectErr: true,
errContent: nil,
},
{
name: "failed to create code signing validator",
conf: &NotationPluginVerifierConfig{
VerificationCerts: []string{defaultCertDir},
},
pluginDir: "",
RevocationFactory: mockRevocationFactory{httpClient: &http.Client{}, failCodeSigningValidator: true},
expectErr: true,
errContent: fmt.Errorf("failed to create code signing validator"),
},
{
name: "failed to create timestamping validator",
conf: &NotationPluginVerifierConfig{
VerificationCerts: []string{defaultCertDir},
},
pluginDir: "",
RevocationFactory: mockRevocationFactory{httpClient: &http.Client{}, failTimestampingValidator: true},
expectErr: true,
errContent: fmt.Errorf("failed to create timestamping validator"),
},
{
name: "failed to create verifier",
name: "successfully create verifier service",
conf: &NotationPluginVerifierConfig{
VerificationCerts: []string{defaultCertDir},
TrustPolicyDoc: trustpolicy.Document{
Version: "1.0",
TrustPolicies: []trustpolicy.TrustPolicy{
{
Name: "default",
RegistryScopes: []string{"*"},
SignatureVerification: trustpolicy.SignatureVerification{
VerificationLevel: "strict",
},
TrustStores: []string{"ca:certs"},
TrustedIdentities: []string{"*"},
},
},
},
},
pluginDir: "",
RevocationFactory: mockRevocationFactory{httpClient: &http.Client{}, failVerifier: true},
expectErr: true,
RevocationFactory: mockRevocationFactory{httpClient: &http.Client{}},
expectErr: false,
errContent: nil,
},
}
Expand All @@ -637,12 +620,8 @@ func TestGetVerifierService(t *testing.T) {
}

type mockRevocationFactory struct {
failFetcher bool
failFileCache bool
failCodeSigningValidator bool
failTimestampingValidator bool
failVerifier bool
httpClient *http.Client
failFetcher bool
httpClient *http.Client
}

func (m mockRevocationFactory) NewFetcher() (corecrl.Fetcher, error) {
Expand All @@ -651,13 +630,3 @@ func (m mockRevocationFactory) NewFetcher() (corecrl.Fetcher, error) {
}
return corecrl.NewHTTPFetcher(m.httpClient)
}

func (m mockRevocationFactory) NewValidator(opts revocation.Options) (revocation.Validator, error) {
if m.failCodeSigningValidator && opts.CertChainPurpose == purpose.CodeSigning {
return nil, fmt.Errorf("failed to create code signing validator")
}
if m.failTimestampingValidator && opts.CertChainPurpose == purpose.Timestamping {
return nil, fmt.Errorf("failed to create timestamping validator")
}
return revocation.NewWithOptions(opts)
}
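Review bot: With the failFileCache, failCodeSigningValidator, failTimestampingValidator and failVerifier flags removed from mockRevocationFactory, the table now only gains the "successfully create verifier service" case, so the error branches after both `revocation.NewWithOptions` calls in getVerifierService, and the file-cache and verifier-construction failure paths the deleted cases exercised, are left without any test driving them. Because NewWithOptions is called directly and getVerifierService fixes its Options itself, the table cannot make it fail through RevocationFactory any more; a short comment on the struct such as `// failure paths of revocation.NewWithOptions are not reachable from this mock` would tell the next reader that the gap is deliberate rather than an oversight. TestGetVerifierService starts before the hunk and its loop body runs outside it.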
6 changes: 0 additions & 6 deletions pkg/verifier/notation/notationrevocationfactory.go
Expand Up @@ -17,7 +17,6 @@ import (
"net/http"
"sync"

"github.com/notaryproject/notation-core-go/revocation"
corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
"github.com/notaryproject/notation-go/dir"
"github.com/ratify-project/ratify/config"
Expand Down Expand Up @@ -62,8 +61,3 @@ func (h *CRLHandler) NewFetcher() (corecrl.Fetcher, error) {
}
return globalFetcher, nil
}

// NewValidator returns a new validator instance
func (h *CRLHandler) NewValidator(opts revocation.Options) (revocation.Validator, error) {
return revocation.NewWithOptions(opts)
}
9 changes: 0 additions & 9 deletions pkg/verifier/notation/notationrevocationfactory_test.go
Expand Up @@ -18,7 +18,6 @@ import (
"runtime"
"testing"

"github.com/notaryproject/notation-core-go/revocation"
"github.com/notaryproject/notation-go/dir"
re "github.com/ratify-project/ratify/errors"
"github.com/stretchr/testify/assert"
Expand Down Expand Up @@ -72,14 +71,6 @@ func TestNewFetcher(t *testing.T) {
globalFetcher, _ = CreateCRLFetcher(&http.Client{}, dir.PathCRLCache)
}

func TestNewValidator(t *testing.T) {
factory := CreateCRLHandlerFromConfig()
opts := revocation.Options{}

validator, err := factory.NewValidator(opts)
assert.NoError(t, err)
assert.NotNil(t, validator)
}
func TestNewFileCache(t *testing.T) {
tests := []struct {
name string
4 changes: 0 additions & 4 deletions pkg/verifier/notation/revocationfactory.go
Expand Up @@ -19,7 +19,6 @@ import (
"net/http"
"sync"

"github.com/notaryproject/notation-core-go/revocation"
corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
"github.com/notaryproject/notation-go/dir"
"github.com/notaryproject/notation-go/verifier/crl"
Expand All @@ -33,9 +32,6 @@ import (
type RevocationFactory interface {
// NewFetcher returns a new fetcher instance
NewFetcher() (corecrl.Fetcher, error)

// NewValidator returns a new validator instance
NewValidator(revocation.Options) (revocation.Validator, error)
}

// CreateCRLFetcher returns a new fetcher instance
