Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

webhooks: Handle the case where a signature arrives after an unsigned artifact had been stored #919

Merged
merged 2 commits into from
Sep 9, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion database/mock/store.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion database/query/artifact_versions.sql
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ RETURNING *;
SELECT * FROM artifact_versions WHERE id = $1;

-- name: GetArtifactVersionBySha :one
SELECT * FROM artifact_versions WHERE artifact_id = $1 AND sha = $2;
SELECT * FROM artifact_versions WHERE sha = $1;

-- name: ListArtifactVersionsByArtifactID :many
SELECT * FROM artifact_versions
Expand Down
2 changes: 1 addition & 1 deletion internal/reconcilers/artifacts.go
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ func (e *Reconciler) handleArtifactsReconcilerEvent(ctx context.Context, prov st
}

tags := version.Metadata.Container.Tags
if container.TagIsSignature(tags) {
if container.TagsContainSignature(tags) {
continue
}
sort.Strings(tags)
Expand Down
15 changes: 13 additions & 2 deletions pkg/container/container.go
Original file line number Diff line number Diff line change
Expand Up @@ -460,9 +460,9 @@ func VerifyFromIdentity(ctx context.Context, imageRef string, owner string, toke
return is_verified, bundleVerified, imageKeys, err
}

// TagIsSignature if tag contains the .sig suffix it's a signature, as cosign
// TagsContainSignature if tag contains the .sig suffix it's a signature, as cosign
// stores signatures in that format
func TagIsSignature(tags []string) bool {
func TagsContainSignature(tags []string) bool {
// if the artifact has a .sig tag it's a signature, skip it
found := false
for _, tag := range tags {
Expand All @@ -473,3 +473,14 @@ func TagIsSignature(tags []string) bool {
}
return found
}

// FindSignatureTag returns the signature tag for a given image if exists
func FindSignatureTag(tags []string) string {
// if the artifact has a .sig tag it's a signature, skip it
for _, tag := range tags {
if strings.HasSuffix(tag, ".sig") {
return tag
}
}
return ""
}
138 changes: 110 additions & 28 deletions pkg/controlplane/handlers_githubwebhooks.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,19 @@ import (
// CONTAINER_TYPE is the type for container artifacts
var CONTAINER_TYPE = "container"

type tagIsASignatureError struct {
message string
signatureTag string
}

func (e *tagIsASignatureError) Error() string {
return e.message
}

func newTagIsASignatureError(msg, signatureTag string) *tagIsASignatureError {
return &tagIsASignatureError{message: msg, signatureTag: signatureTag}
}

// Repository represents a GitHub repository
type Repository struct {
Owner string
Expand Down Expand Up @@ -365,7 +378,7 @@ func parseArtifactPublishedEvent(
return fmt.Errorf("error building client: %w", err)
}

versionedArtifact, err := gatherVersionedArtifact(ctx, cli, whPayload)
versionedArtifact, err := gatherVersionedArtifact(ctx, cli, store, whPayload)
if err != nil {
return fmt.Errorf("error gathering versioned artifact: %w", err)
}
Expand Down Expand Up @@ -506,6 +519,44 @@ func gatherArtifactInfo(
return artifact, nil
}

func transformTag(tag string) string {
// Define the prefix to match and its replacement
const prefixToMatch = "sha256-"
const prefixReplacement = "sha256:"

// If the tag starts with the prefix to match, replace it with the replacement prefix
if strings.HasPrefix(tag, prefixToMatch) {
tag = prefixReplacement + tag[len(prefixToMatch):]
}

// If the tag has a trailing ".sig", strip it off
return strings.TrimSuffix(tag, ".sig")
}

// handles the case when we get a notification about an image,
// but a signature arrives a bit later. In that case, we need to:
// -- search for a version whose sha matches the signature tag
// -- if found, update the signature verification field
func lookUpVersionBySignature(
ctx context.Context,
store db.Store,
sigTag string,
) (*pb.ArtifactVersion, error) {
storedVersion, err := store.GetArtifactVersionBySha(ctx, transformTag(sigTag))
if errors.Is(err, sql.ErrNoRows) {
return nil, nil
} else if err != nil {
return nil, fmt.Errorf("error looking up version by signature: %w", err)
}

return &pb.ArtifactVersion{
VersionId: int64(storedVersion.Version),
Tags: strings.Split(storedVersion.Tags.String, ","),
Sha: storedVersion.Sha,
CreatedAt: timestamppb.New(storedVersion.CreatedAt),
}, nil
}

func gatherArtifactVersionInfo(
ctx context.Context,
cli ghclient.RestAPI,
Expand All @@ -530,21 +581,38 @@ func gatherArtifactVersionInfo(
func gatherVersionedArtifact(
ctx context.Context,
cli ghclient.RestAPI,
store db.Store,
payload map[string]any,
) (*pb.VersionedArtifact, error) {
artifact, err := gatherArtifactInfo(ctx, cli, payload)
if err != nil {
return nil, fmt.Errorf("error gatherinfo artifact info: %w", err)
}

var tagIsSigErr *tagIsASignatureError
version, err := gatherArtifactVersionInfo(ctx, cli, payload, artifact.Owner, artifact.Name)
if err != nil {
return nil, fmt.Errorf("error extracting artifact from payload: %w", err)
}
if errors.As(err, &tagIsSigErr) {
storedVersion, lookupErr := lookUpVersionBySignature(ctx, store, tagIsSigErr.signatureTag)
if lookupErr != nil {
return nil, fmt.Errorf("error looking up version by signature tag: %w", lookupErr)
}
if storedVersion == nil {
// not much we can do about the version not being there, let's hope the signed container arrives later
// but don't return nil, there's no point in retrying either
return nil, nil
}
// let's continue with the stored version

if version == nil {
// no point in storing and evaluating just the .sig
return nil, nil
// now get information for signature and workflow
err = storeSignatureAndWorkflowInVersion(
ctx, cli, artifact.Owner, artifact.Name, transformTag(tagIsSigErr.signatureTag), storedVersion)
if err != nil {
return nil, fmt.Errorf("error storing signature and workflow in version: %w", err)
}

version = storedVersion
} else if err != nil {
return nil, fmt.Errorf("error extracting artifact from payload: %w", err)
}

return &pb.VersionedArtifact{
Expand All @@ -553,6 +621,34 @@ func gatherVersionedArtifact(
}, nil
}

func storeSignatureAndWorkflowInVersion(
ctx context.Context,
client ghclient.RestAPI,
artifactOwnerLogin, artifactName, packageVersionName string,
version *pb.ArtifactVersion,
) error {
// now get information for signature and workflow
sigInfo, workflowInfo, err := container.GetArtifactSignatureAndWorkflowInfo(
ctx, client, artifactOwnerLogin, artifactName, packageVersionName)
if err != nil {
return fmt.Errorf("error getting signature and workflow info: %w", err)
}

ghWorkflow := &pb.GithubWorkflow{}
if err := protojson.Unmarshal(workflowInfo, ghWorkflow); err != nil {
return err
}

sigVerification := &pb.SignatureVerification{}
if err := protojson.Unmarshal(sigInfo, sigVerification); err != nil {
return err
}

version.SignatureVerification = sigVerification
version.GithubWorkflow = ghWorkflow
return nil
}

func updateArtifactVersionFromRegistry(
ctx context.Context,
client ghclient.RestAPI,
Expand All @@ -574,33 +670,19 @@ func updateArtifactVersionFromRegistry(
}

tags := ghVersion.Metadata.Container.Tags
if container.TagIsSignature(tags) {
// we don't care about signatures
return nil
if container.TagsContainSignature(tags) {
// handle the case where a signature arrives later than the image
return newTagIsASignatureError("version is a signature", container.FindSignatureTag(tags))
}
sort.Strings(tags)

// now get information for signature and workflow
sigInfo, workflowInfo, err := container.GetArtifactSignatureAndWorkflowInfo(
ctx, client, artifactOwnerLogin, artifactName, packageVersionName)
if errors.Is(err, container.ErrSigValidation) || errors.Is(err, container.ErrProtoParse) {
return err
} else if err != nil {
return err
}

ghWorkflow := &pb.GithubWorkflow{}
if err := protojson.Unmarshal(workflowInfo, ghWorkflow); err != nil {
return err
}

sigVerification := &pb.SignatureVerification{}
if err := protojson.Unmarshal(sigInfo, sigVerification); err != nil {
return err
err = storeSignatureAndWorkflowInVersion(
ctx, client, artifactOwnerLogin, artifactName, packageVersionName, version)
if err != nil {
return fmt.Errorf("error storing signature and workflow in version: %w", err)
}

version.SignatureVerification = sigVerification
version.GithubWorkflow = ghWorkflow
version.Tags = tags
if ghVersion.CreatedAt != nil {
version.CreatedAt = timestamppb.New(*ghVersion.CreatedAt.GetTime())
Expand Down
11 changes: 3 additions & 8 deletions pkg/db/artifact_versions.sql.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion pkg/db/querier.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.