From 8ddbb5888a5d32814ae47d152bde422a11a74b15 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Fri, 28 Jan 2022 09:41:28 -0800
Subject: [PATCH] Add support for index by spinning up redis + e2e tests for it.

Signed-off-by: Ville Aikas
---
 cmd/rekor/checktree/main.go | 79 ++++++++++++++++++-
 config/rekor/redis/100-namespace.yaml | 7 ++
 config/rekor/redis/300-redis.yaml | 37 +++++++++
 config/rekor/redis/placeholder.go | 6 ++
 config/rekor/rekor/300-rekor.yaml | 6 +-
 go.mod | 1 +
 testdata/config/sign-job/sign-job.yaml | 1 +
 .../github.com/blang/semver/LICENSE | 22 ++++++
 .../src/webpki.org/jsoncanonicalizer/LICENSE | 13 +++
 .../github.com/jedisct1/go-minisign/LICENSE | 21 +++++
 .../go-securesystemslib/cjson/LICENSE | 21 +++++
 .../github.com/tent/canonical-json-go/LICENSE | 27 +++++++
 .../go-tuf/{encrypted => }/LICENSE | 0
 13 files changed, 236 insertions(+), 5 deletions(-)
 create mode 100644 config/rekor/redis/100-namespace.yaml
 create mode 100644 config/rekor/redis/300-redis.yaml
 create mode 100644 config/rekor/redis/placeholder.go
 create mode 100644 third_party/VENDOR-LICENSE/github.com/blang/semver/LICENSE
 create mode 100644 third_party/VENDOR-LICENSE/github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer/LICENSE
 create mode 100644 third_party/VENDOR-LICENSE/github.com/jedisct1/go-minisign/LICENSE
 create mode 100644 third_party/VENDOR-LICENSE/github.com/secure-systems-lab/go-securesystemslib/cjson/LICENSE
 create mode 100644 third_party/VENDOR-LICENSE/github.com/tent/canonical-json-go/LICENSE
 rename third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/{encrypted => }/LICENSE (100%)

diff --git a/cmd/rekor/checktree/main.go b/cmd/rekor/checktree/main.go
index ba85cf6a2..7541f19d1 100644
--- a/cmd/rekor/checktree/main.go
+++ b/cmd/rekor/checktree/main.go
@@ -6,12 +6,22 @@ SPDX-License-Identifier: Apache-2.0
 package main
 
 import (
+	"bytes"
+	"encoding/base64"
 	"flag"
+	"fmt"
 	"log"
 
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
 	"github.com/sigstore/rekor/pkg/client"
 	"github.com/sigstore/rekor/pkg/generated/client/entries"
+	"github.com/sigstore/rekor/pkg/generated/client/index"
+	"github.com/sigstore/rekor/pkg/generated/models"
+	"github.com/sigstore/rekor/pkg/types"
+	"github.com/sigstore/rekor/pkg/types/hashedrekord"
+	hrv001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
 	"knative.dev/pkg/signals"
 )
 
 
@@ -34,8 +44,73 @@ func main()
 	if err != nil {
 		log.Panic("Failed to get entry at index 0", err)
 	}
-	log.Printf("Got Payload: %+v", entries.Payload)
-	if err := entries.Payload.Validate(strfmt.Default); err != nil {
+
+	payload := entries.GetPayload()
+	log.Printf("Got Payload: %+v", payload)
+	if len(payload) != 1 {
+		log.Panic("Payload map length is not 1")
+	}
+
+	if err := payload.Validate(strfmt.Default); err != nil {
 		log.Panic("Failed to validate entry: ", err)
 	}
+	for uuid, v := range payload {
+		log.Printf("Found UUID: %s", uuid)
+		// This has the desired side-effect that it loads the support for
+		// unmarshaling below when we call types.NewEntry
+		log.Printf("Checking for type: %s version %s", hashedrekord.KIND, hrv001.APIVERSION)
+		body, ok := v.Body.(string)
+		if !ok {
+			log.Panic("Couldn't convert body to string")
+		}
+		decBody, err := base64.StdEncoding.DecodeString(body)
+		if err != nil {
+			log.Panic("Failed to base64 decode body", err)
+		}
+		pe, err := models.UnmarshalProposedEntry(bytes.NewReader(decBody), runtime.JSONConsumer())
+		if err != nil {
+			log.Panic("Failed to unmarshal proposed entry", err)
+		}
+		hr, err := types.NewEntry(pe)
+		if err != nil {
+			log.Panic("Failed to convert rekord to known type", err)
+		}
+		log.Printf("Got TYPE: %+v", hr)
+		typed, ok := hr.(*hrv001.V001Entry)
+		if !ok {
+			log.Panic("Failed to convert rekord to hashrekord", err)
+		}
+		if typed.HashedRekordObj.Data == nil {
+			log.Panic("No data found in hashrekord")
+		}
+		if typed.HashedRekordObj.Data.Hash == nil {
+			log.Panic("No hash found in hashrekord.Data")
+		}
+		if typed.HashedRekordObj.Data.Hash.Algorithm == nil {
+			log.Panic("No hash found in hashrekord.Data.Algorithm")
+		}
+		if typed.HashedRekordObj.Data.Hash.Value == nil {
+			log.Panic("No hash found in hashrekord.Data.Value")
+		}
+
+		sha := fmt.Sprintf("%s:%s", *typed.HashedRekordObj.Data.Hash.Algorithm, *typed.HashedRekordObj.Data.Hash.Value)
+		log.Printf("Searching for %s", sha)
+
+		// Now that we found the hash, do a query and make sure we get the
+		// entry.
+		indices, err := c.Index.SearchIndex(index.NewSearchIndexParams().WithQuery(&models.SearchIndex{Hash: sha}))
+		if err != nil {
+			log.Panic("Failed to query the index: ", err)
+		}
+		for _, i := range indices.Payload {
+			log.Printf("Found index entry: %s", i)
+		}
+		if len(indices.Payload) != 1 {
+			log.Panic("Did not get one entry back from querying the index")
+		}
+		if indices.Payload[0] != uuid {
+			log.Printf("UUIDs do not match, entry %s search returned %s", uuid, indices.Payload[0])
+			log.Panic("Did not get expected uuid back from querying the index")
+		}
+	}
 }
diff --git a/config/rekor/redis/100-namespace.yaml b/config/rekor/redis/100-namespace.yaml
new file mode 100644
index 000000000..e368fe105
--- /dev/null
+++ b/config/rekor/redis/100-namespace.yaml
@@ -0,0 +1,7 @@
+# Copyright 2022 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: rekor-system
diff --git a/config/rekor/redis/300-redis.yaml b/config/rekor/redis/300-redis.yaml
new file mode 100644
index 000000000..4131dbceb
--- /dev/null
+++ b/config/rekor/redis/300-redis.yaml
@@ -0,0 +1,37 @@
+# Copyright 2022 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: rekor-system
+spec:
+  ports:
+  - port: 6379
+  selector:
+    app: redis
+  clusterIP: None
+
+---
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: redis
+  namespace: rekor-system
+  labels:
+    app: redis
+spec:
+  containers:
+  - image: docker.io/redis:5.0.10
+    name: redis
+    args: [
+      "--bind",
+      "0.0.0.0",
+      "--appendonly",
+      "yes"
+    ]
+    ports:
+    - containerPort: 6379
+      name: redis
diff --git a/config/rekor/redis/placeholder.go b/config/rekor/redis/placeholder.go
new file mode 100644
index 000000000..f0a475c12
--- /dev/null
+++ b/config/rekor/redis/placeholder.go
@@ -0,0 +1,6 @@
+/*
+Copyright 2022 Chainguard, Inc.
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package redis
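Review bot: In the type-assertion failure branch `log.Panic("Failed to convert rekord to hashrekord", err)` prints the `err` left over from the preceding `types.NewEntry` call, which is nil on that path, so the panic message never carries useful information; `log.Panicf("Failed to convert rekord to hashrekord, got %T", hr)` would name the actual dynamic type instead. The other `log.Panic(msg, err)` calls added here (base64 decode, UnmarshalProposedEntry, NewEntry) pass a string followed by an error, and Sprint inserts no space between a string operand and a non-string one, so the message and the error text run together; `log.Panicf("Failed to base64 decode body: %v", err)`, or a trailing `": "` as in the existing validate and SearchIndex calls, keeps them readable. The `log.Printf("Checking for type: ...")` line exists, per its comment, only to keep `hashedrekord` imported so its registration runs; a blank import `_ "github.com/sigstore/rekor/pkg/types/hashedrekord"` states that intent directly, and `hrv001` is already kept by the assertion on `*hrv001.V001Entry`. `main` starts before this hunk.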
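Review bot: The Redis in 300-redis.yaml binds `0.0.0.0` with no `--requirepass` and is published through a Service, so any workload that can reach `rekor-system` on 6379 can read or rewrite the search index that `--enable_retrieve_api=true` now serves; for an e2e scaffold that may be acceptable, but a NetworkPolicy limiting ingress to the rekor server pods, or at minimum a comment such as `# test-only: unauthenticated redis, do not reuse for a real deployment`, should record the decision. The image is pinned by tag (`docker.io/redis:5.0.10`) rather than by digest, which is worth tightening in a repository whose purpose is supply-chain verification. `--appendonly yes` writes to the container filesystem of a bare Pod with no volume, so the index neither survives a restart nor gets rescheduled if the node goes away; either drop the flag or move to a Deployment/StatefulSet with a volume so the persistence intent matches the manifest.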
diff --git a/config/rekor/rekor/300-rekor.yaml b/config/rekor/rekor/300-rekor.yaml
index c753ed883..2c4e47b01 100644
--- a/config/rekor/rekor/300-rekor.yaml
+++ b/config/rekor/rekor/300-rekor.yaml
@@ -28,9 +28,9 @@ spec:
         "--trillian_log_server.address=log-server.trillian-system.svc",
         "--trillian_log_server.port=80",
         "--rekor_server.address=0.0.0.0",
-# "--redis_server.address=10.234.175.59",
-# "--redis_server.port=6379",
-        "--enable_retrieve_api=false",
+        "--redis_server.address=redis.rekor-system.svc",
+        "--redis_server.port=6379",
+        "--enable_retrieve_api=true",
         "--trillian_log_server.tlog_id=$(TREE_ID)",
         "--log_type=prod",
         "--rekor_server.signer=memory",
diff --git a/go.mod b/go.mod
index c6f7dc8e3..4ebdb86a8 100644
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,7 @@ module github.com/vaikas/sigstore-scaffolding
 go 1.16
 
 require (
+	github.com/go-openapi/runtime v0.21.0
 	github.com/go-openapi/strfmt v0.21.1
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/golang/glog v1.0.0
diff --git a/testdata/config/sign-job/sign-job.yaml b/testdata/config/sign-job/sign-job.yaml
index c5e76666f..43f4590bf 100644
--- a/testdata/config/sign-job/sign-job.yaml
+++ b/testdata/config/sign-job/sign-job.yaml
@@ -17,6 +17,7 @@ spec:
         "sign",
         "--fulcio-url", "http://fulcio.fulcio-system.svc",
         "--rekor-url", "http://rekor.rekor-system.svc",
+        "--force",
         "ko://github.com/vaikas/sigstore-scaffolding/cmd/rekor/checktree",
       ]
       env:
diff --git a/third_party/VENDOR-LICENSE/github.com/blang/semver/LICENSE b/third_party/VENDOR-LICENSE/github.com/blang/semver/LICENSE
new file mode 100644
index 000000000..5ba5c86fc
--- /dev/null
+++ b/third_party/VENDOR-LICENSE/github.com/blang/semver/LICENSE
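Review bot: Flipping `--enable_retrieve_api` to true and pointing `--redis_server.address` at `redis.rekor-system.svc` makes the rekor server in config/rekor/rekor/ depend on the manifests added under config/rekor/redis/, and nothing on the page shows the two directories being applied together; a comment next to these flags naming that dependency, e.g. `# requires config/rekor/redis/ (unauthenticated redis, see 300-redis.yaml)`, would help whoever applies this config. This file lives under config/, not testdata/, so the change widens the deployed server's exposed surface beyond what the e2e test needs; if that is deliberate, the commit description should say so.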
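Review bot: `--force` is added to the `cosign sign` args in sign-job.yaml without explanation; as far as I recall it suppresses cosign's warnings and confirmation prompts, which is presumably what a non-interactive Job needs, but the next reader cannot tell that from the manifest. A one-line comment above the args, e.g. `# --force: non-interactive job, skip cosign's confirmation prompts`, would document why it is there and that it is not meant to relax verification.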
@@ -0,0 +1,22 @@
+The MIT License
+
+Copyright (c) 2014 Benedikt Lang
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
diff --git a/third_party/VENDOR-LICENSE/github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer/LICENSE b/third_party/VENDOR-LICENSE/github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer/LICENSE
new file mode 100644
index 000000000..591211595
--- /dev/null
+++ b/third_party/VENDOR-LICENSE/github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer/LICENSE
@@ -0,0 +1,13 @@
+ Copyright 2018 Anders Rundgren
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/third_party/VENDOR-LICENSE/github.com/jedisct1/go-minisign/LICENSE b/third_party/VENDOR-LICENSE/github.com/jedisct1/go-minisign/LICENSE
new file mode 100644
index 000000000..010ad6e7a
--- /dev/null
+++ b/third_party/VENDOR-LICENSE/github.com/jedisct1/go-minisign/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018-2021 Frank Denis
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/third_party/VENDOR-LICENSE/github.com/secure-systems-lab/go-securesystemslib/cjson/LICENSE b/third_party/VENDOR-LICENSE/github.com/secure-systems-lab/go-securesystemslib/cjson/LICENSE
new file mode 100644
index 000000000..e51324f9b
--- /dev/null
+++ b/third_party/VENDOR-LICENSE/github.com/secure-systems-lab/go-securesystemslib/cjson/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 NYU Secure Systems Lab
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/third_party/VENDOR-LICENSE/github.com/tent/canonical-json-go/LICENSE b/third_party/VENDOR-LICENSE/github.com/tent/canonical-json-go/LICENSE
new file mode 100644
index 000000000..744875676
--- /dev/null
+++ b/third_party/VENDOR-LICENSE/github.com/tent/canonical-json-go/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2012 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/encrypted/LICENSE b/third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/LICENSE
similarity index 100%
rename from third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/encrypted/LICENSE
rename to third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/LICENSE