Support GitHub attestation endpoint (#2195)

* Pass in auth method to sigstore container verification Instead of hardcoding a single token-based authentication, let's pass a slice of authMethods the called wants to be used. The verifier will pick an available verification method based on the authentication method provided by the caller. Related: stacklok/epics#174 * Support GitHub attestation endpoint In addition to fetching provenance attestations from an OCI image, let's also support the GitHub attestation endpoint as a fallback (a fallback since it's not GA yet). The attestation reply is unmarshalled into a protobuf representation and passed to sigstore-go. Fixes: stacklok/epics#174 * Handle no auth token provided Related: stacklok/epics#174 * go mod tidy
mindersec · Jan 25, 2024 · 514c630 · 514c630
1 parent 740b151
commit 514c630
Show file tree

Hide file tree

Showing 7 changed files with 275 additions and 21 deletions.
diff --git a/cmd/dev/app/container/cmd_verify.go b/cmd/dev/app/container/cmd_verify.go
@@ -17,17 +17,22 @@ package container
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 	"strings"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
+	"github.com/stacklok/minder/internal/db"
+	"github.com/stacklok/minder/internal/providers"
 	"github.com/stacklok/minder/internal/verifier"
+	"github.com/stacklok/minder/internal/verifier/sigstore/container"
+	provifv1 "github.com/stacklok/minder/pkg/providers/v1"
 )
 
-// CmdVerify returns the verify container command
+// CmdVerify is the root command for the container verify subcommands
 func CmdVerify() *cobra.Command {
 	var verifyCmd = &cobra.Command{
 		Use:          "verify",
@@ -39,6 +44,8 @@ func CmdVerify() *cobra.Command {
 	verifyCmd.Flags().StringP("owner", "o", "", "owner of the artifact")
 	verifyCmd.Flags().StringP("name", "n", "", "name of the artifact")
 	verifyCmd.Flags().StringP("digest", "s", "", "digest of the artifact")
+	verifyCmd.Flags().StringP("token", "t", "", "token to authenticate to the provider."+
+		"Can also be set via the AUTH_TOKEN environment variable.")
 
 	if err := verifyCmd.MarkFlagRequired("owner"); err != nil {
 		fmt.Fprintf(os.Stderr, "Error marking flag as required: %s\n", err)
@@ -55,6 +62,11 @@ func CmdVerify() *cobra.Command {
 		os.Exit(1)
 	}
 
+	if err := viper.BindPFlag("auth.token", verifyCmd.Flags().Lookup("token")); err != nil {
+		fmt.Fprintf(os.Stderr, "Error binding flag: %s\n", err)
+		os.Exit(1)
+	}
+
 	viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
 
 	return verifyCmd
@@ -67,7 +79,14 @@ func runCmdVerify(cmd *cobra.Command, _ []string) error {
 
 	token := viper.GetString("auth.token")
 
-	artifactVerifier, err := verifier.NewVerifier(verifier.VerifierSigstore, token)
+	ghcli, err := buildGitHubClient(context.Background(), token)
+	if err != nil {
+		return fmt.Errorf("cannot build github client: %w", err)
+	}
+
+	artifactVerifier, err := verifier.NewVerifier(
+		verifier.VerifierSigstore,
+		container.WithAccessToken(token), container.WithGitHubClient(ghcli))
 	if err != nil {
 		return fmt.Errorf("error getting sigstore verifier: %w", err)
 	}
@@ -85,3 +104,25 @@ func runCmdVerify(cmd *cobra.Command, _ []string) error {
 
 	return nil
 }
+
+func buildGitHubClient(ctx context.Context, token string) (provifv1.GitHub, error) {
+	pbuild := providers.NewProviderBuilder(
+		&db.Provider{
+			Name:    "test",
+			Version: "v1",
+			Implements: []db.ProviderType{
+				"rest",
+				"git",
+				"github",
+			},
+			Definition: json.RawMessage(`{
+				"rest": {},
+				"github": {}
+			}`),
+		},
+		db.ProviderAccessToken{},
+		token,
+	)
+
+	return pbuild.GetGitHub(ctx)
+}
diff --git a/go.mod b/go.mod
@@ -197,7 +197,7 @@ require (
 	github.com/muesli/reflow v0.3.0 // indirect
 	github.com/muesli/termenv v0.15.2 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.1 // indirect

diff --git a/internal/controlplane/handlers_githubwebhooks.go b/internal/controlplane/handlers_githubwebhooks.go
@@ -48,6 +48,7 @@ import (
 	"github.com/stacklok/minder/internal/reconcilers"
 	"github.com/stacklok/minder/internal/util"
 	"github.com/stacklok/minder/internal/verifier"
+	"github.com/stacklok/minder/internal/verifier/sigstore/container"
 	pb "github.com/stacklok/minder/pkg/api/protobuf/go/minder/v1"
 	provifv1 "github.com/stacklok/minder/pkg/providers/v1"
 )
@@ -745,7 +746,9 @@ func storeSignatureAndWorkflowInVersion(
 	version *pb.ArtifactVersion,
 ) error {
 	// get the verifier for sigstore
-	artifactVerifier, err := verifier.NewVerifier(verifier.VerifierSigstore, client.GetToken())
+	artifactVerifier, err := verifier.NewVerifier(
+		verifier.VerifierSigstore,
+		container.WithAccessToken(client.GetToken()), container.WithGitHubClient(client))
 	if err != nil {
 		return fmt.Errorf("error getting sigstore verifier: %w", err)
 	}

diff --git a/internal/reconcilers/artifacts.go b/internal/reconcilers/artifacts.go
@@ -36,6 +36,7 @@ import (
 	"github.com/stacklok/minder/internal/providers/github"
 	"github.com/stacklok/minder/internal/util"
 	"github.com/stacklok/minder/internal/verifier"
+	"github.com/stacklok/minder/internal/verifier/sigstore/container"
 	pb "github.com/stacklok/minder/pkg/api/protobuf/go/minder/v1"
 )
 
@@ -153,7 +154,9 @@ func (e *Reconciler) handleArtifactsReconcilerEvent(ctx context.Context, evt *Re
 	}
 
 	// create artifact verifier
-	artifactVerifier, err := verifier.NewVerifier(verifier.VerifierSigstore, cli.GetToken())
+	artifactVerifier, err := verifier.NewVerifier(
+		verifier.VerifierSigstore,
+		container.WithAccessToken(cli.GetToken()), container.WithGitHubClient(cli))
 	if err != nil {
 		return fmt.Errorf("error getting sigstore verifier: %w", err)
 	}