From 2a5a666e561e83927bc4b284486600c4d949c220 Mon Sep 17 00:00:00 2001
From: saisatishkarra
Date: Mon, 22 Jan 2024 10:34:11 -0600
Subject: [PATCH] Avoid breaking change for provenanceRepository cli option
Signed-off-by: saisatishkarra
---
 cli/slsa-verifier/verify/verify_image.go | 19 ++--
 options/options.go | 3 +
 register/register.go | 7 --
 verifiers/internal/gha/verifier.go | 109 +++++++++-------------
 verifiers/verifier.go | 13 ---
 5 files changed, 53 insertions(+), 98 deletions(-)
diff --git a/cli/slsa-verifier/verify/verify_image.go b/cli/slsa-verifier/verify/verify_image.go
index 63434eee9..a1207446b 100644
--- a/cli/slsa-verifier/verify/verify_image.go
+++ b/cli/slsa-verifier/verify/verify_image.go
@@ -51,12 +51,13 @@ func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*uti
 }
 provenanceOpts := &options.ProvenanceOpts{
- ExpectedSourceURI: c.SourceURI,
- ExpectedBranch: c.SourceBranch,
- ExpectedDigest: digest,
- ExpectedVersionedTag: c.SourceVersionTag,
- ExpectedTag: c.SourceTag,
- ExpectedWorkflowInputs: c.BuildWorkflowInputs,
+ ExpectedSourceURI: c.SourceURI,
+ ExpectedBranch: c.SourceBranch,
+ ExpectedDigest: digest,
+ ExpectedVersionedTag: c.SourceVersionTag,
+ ExpectedTag: c.SourceTag,
+ ExpectedProvenanceRepository: c.ProvenanceRepository,
+ ExpectedWorkflowInputs: c.BuildWorkflowInputs,
 }
 builderOpts := &options.BuilderOpts{
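Review bot: `ExpectedProvenanceRepository: c.ProvenanceRepository` hands the pointer through unconditionally, the `if c.ProvenanceRepository != nil` guard that used to surround its only use is removed in the next hunk of this file, and the new `VerifyImage` in verifiers/internal/gha/verifier.go then reads `*provenanceOpts.ExpectedProvenanceRepository` with no nil check. The removed guard suggests the field is nil when --provenance-repository is not given, so unless the flag is registered with a non-nil default (not visible here) an ordinary invocation, and any library caller that builds ProvenanceOpts without the new field, will panic instead of falling back to COSIGN_REPOSITORY. The smallest fix is at the dereference in the verifier: `if provenanceOpts.ExpectedProvenanceRepository != nil && *provenanceOpts.ExpectedProvenanceRepository != "" {`. The enclosing Exec body continues outside the hunk.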
@@ -74,11 +75,7 @@ func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*uti
 var verifiedProvenance []byte
 var outBuilderID *utils.TrustedBuilderID
- if c.ProvenanceRepository != nil {
- verifiedProvenance, outBuilderID, err = verifiers.VerifyImageProvenanceRepo(ctx, artifacts[0], provenance, *c.ProvenanceRepository, provenanceOpts, builderOpts)
- } else {
- verifiedProvenance, outBuilderID, err = verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceOpts, builderOpts)
- }
+ verifiedProvenance, outBuilderID, err = verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceOpts, builderOpts)
 if err != nil {
 return nil, err
diff --git a/options/options.go b/options/options.go
index 11ef9fb4a..c3b68442f 100644
--- a/options/options.go
+++ b/options/options.go
@@ -27,6 +27,9 @@ type ProvenanceOpts struct {
 ExpectedPackageName *string
 ExpectedPackageVersion *string
+
+ // ExpectedProvenanceRepository is the provenance repository that is passed from user and not verified
+ ExpectedProvenanceRepository *string
 }
 // BuildOpts are the options for checking the builder.
diff --git a/register/register.go b/register/register.go
index bbd6b1b38..3290b9d82 100644
--- a/register/register.go
+++ b/register/register.go
@@ -28,13 +28,6 @@ type SLSAVerifier interface {
 builderOpts *options.BuilderOpts,
 ) ([]byte, *utils.TrustedBuilderID, error)
- // VerifyImageProvenanceRepo verifies a provenance stored in a separate repository for a supplied OCI image.
- VerifyImageProvenanceRepo(ctx context.Context,
- provenance []byte, provenanceRepository string,
- artifactImage string, provenanceOpts *options.ProvenanceOpts,
- builderOpts *options.BuilderOpts,
- ) ([]byte, *utils.TrustedBuilderID, error)
 VerifyNpmPackage(ctx context.Context,
 attestations []byte, tarballHash string,
 provenanceOpts *options.ProvenanceOpts,
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
index 18261ba94..b6d0fc7c0 100644
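Review bot: The comment on the new ProvenanceOpts field says the value is "not verified" but not what it controls or what an empty value means, which is what a library caller needs to know; suggest `// ExpectedProvenanceRepository is the OCI repository the provenance attestations are fetched from (--provenance-repository). It is user-supplied and not validated here; when nil or empty, the COSIGN_REPOSITORY environment variable is consulted instead.` That fallback is what the GHA verifier in this patch implements. Since the value is a lookup location rather than something checked against the provenance, the Expected prefix, which the sibling fields use for values that are compared, reads as misleading; ProvenanceRepository would describe it better. The ProvenanceOpts struct starts outside the hunk.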
--- a/verifiers/internal/gha/verifier.go
+++ b/verifiers/internal/gha/verifier.go
@@ -244,9 +244,48 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context,
 utils.MergeMaps(defaultArtifactTrustedReusableWorkflows, defaultBYOBReusableWorkflows))
 }
-// verifyImageWithOptions abstracts the cosign options and returns verified provenance for an artifact.
-func verifyImageWithOptions(ctx context.Context, artifactImage string, provenanceOpts *options.ProvenanceOpts,
- builderOpts *options.BuilderOpts, opts *cosign.CheckOpts) ([]byte, *utils.TrustedBuilderID, error) {
+// VerifyImage verifies provenance for an OCI image.
+func (v *GHAVerifier) VerifyImage(ctx context.Context,
+ provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts,
+ builderOpts *options.BuilderOpts,
+) ([]byte, *utils.TrustedBuilderID, error) {
+ /* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
+ trustedRoot, err := TrustedRootSingleton(ctx)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ var provenanceTargetRepository name.Repository
+ // Consume input for --provenance-repository when set
+ if *provenanceOpts.ExpectedProvenanceRepository != "" {
+ provenanceTargetRepository, err = name.NewRepository(*provenanceOpts.ExpectedProvenanceRepository)
+ if err != nil {
+ return nil, nil, err
+ }
+ } else {
+ // If user input --provenance-repository is empty, look for COSIGN_REPOSITORY environment
+ provenanceTargetRepository, err = ociremote.GetEnvTargetRepository()
+ if err != nil {
+ return nil, nil, err
+ }
+ }
+
+ registryClientOpts := []ociremote.Option{}
+
+ // Append target repository to OCI Registry opts
+ // Must be authenticated against the specified target repository externally
+ if provenanceTargetRepository.Name() != "" {
+ registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository))
+ }
+
+ opts := &cosign.CheckOpts{
+ RegistryClientOpts: registryClientOpts,
+ RootCerts: trustedRoot.FulcioRoot,
+ IntermediateCerts: trustedRoot.FulcioIntermediates,
+ RekorPubKeys:
trustedRoot.RekorPubKeys,
+ CTLogPubKeys: trustedRoot.CTPubKeys,
+ }
+
 atts, _, err := container.RunCosignImageVerification(ctx, artifactImage, opts)
 if err != nil {
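Review bot: The doc comment `// VerifyImage verifies provenance for an OCI image.` no longer describes what the merged function does: it now also decides where the attestations are fetched from, and the deleted verifyImageWithOptions comment was the only text that mentioned the cosign options at all. Suggest stating on the function that attestations are read from provenanceOpts.ExpectedProvenanceRepository when set, otherwise from the repository named by COSIGN_REPOSITORY via ociremote.GetEnvTargetRepository, and that this only changes the lookup location: whatever is fetched is still checked against the Fulcio roots and Rekor/CT log keys placed in opts, so the repository is not a trust input and a wrong one should surface as a verification failure. A small style point: `registryClientOpts := []ociremote.Option{}` can be `var registryClientOpts []ociremote.Option`, since append accepts a nil slice and the value is only consumed through the CheckOpts. The rest of the function body lies outside the hunk.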
@@ -293,70 +332,6 @@ func verifyImageWithOptions(ctx context.Context, artifactImage string, provenanc
 return nil, nil, fmt.Errorf("%w", serrors.ErrorNoValidSignature)
 }
-// VerifyImage verifies provenance for an OCI image.
-func (v *GHAVerifier) VerifyImage(ctx context.Context,
- provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts,
- builderOpts *options.BuilderOpts,
-) ([]byte, *utils.TrustedBuilderID, error) {
- /* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
- trustedRoot, err := TrustedRootSingleton(ctx)
- if err != nil {
- return nil, nil, err
- }
- opts := &cosign.CheckOpts{
- RootCerts: trustedRoot.FulcioRoot,
- IntermediateCerts: trustedRoot.FulcioIntermediates,
- RekorPubKeys: trustedRoot.RekorPubKeys,
- CTLogPubKeys: trustedRoot.CTPubKeys,
- }
- return verifyImageWithOptions(ctx, artifactImage, provenanceOpts, builderOpts, opts)
-}
-
-// VerifyImageProvenanceRepo verifies provenance from a separate store for an OCI image.
-func (v *GHAVerifier) VerifyImageProvenanceRepo(ctx context.Context,
- provenance []byte, provenanceRepository string,
- artifactImage string, provenanceOpts *options.ProvenanceOpts,
- builderOpts *options.BuilderOpts,
-) ([]byte, *utils.TrustedBuilderID, error) {
- /* Retrieve any valid signed attestations that chain up to Fulcio root CA.
*/
- trustedRoot, err := TrustedRootSingleton(ctx)
- if err != nil {
- return nil, nil, err
- }
-
- var provenanceTargetRepository name.Repository
- // Consume input for --provenance-repository when set
- if provenanceRepository != "" {
- provenanceTargetRepository, err = name.NewRepository(provenanceRepository)
- if err != nil {
- return nil, nil, err
- }
- } else {
- // If user input --provenance-repository is empty, look for COSIGN_REPOSITORY environment
- provenanceTargetRepository, err = ociremote.GetEnvTargetRepository()
- if err != nil {
- return nil, nil, err
- }
- }
-
- registryClientOpts := []ociremote.Option{}
-
- // Append target repository to OCI Registry opts
- // Must be authenticated against the specified target repository externally
- if provenanceTargetRepository.Name() != "" {
- registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository))
- }
-
- opts := &cosign.CheckOpts{
- RegistryClientOpts: registryClientOpts,
- RootCerts: trustedRoot.FulcioRoot,
- IntermediateCerts: trustedRoot.FulcioIntermediates,
- RekorPubKeys: trustedRoot.RekorPubKeys,
- CTLogPubKeys: trustedRoot.CTPubKeys,
- }
- return verifyImageWithOptions(ctx, artifactImage, provenanceOpts, builderOpts, opts)
-}
-
-
 // VerifyNpmPackage verifies an npm package tarball.
 func (v *GHAVerifier) VerifyNpmPackage(ctx context.Context,
 attestations []byte, tarballHash string,
diff --git a/verifiers/verifier.go b/verifiers/verifier.go
index 8abd162ed..745523d09 100644
--- a/verifiers/verifier.go
+++ b/verifiers/verifier.go
@@ -47,19 +47,6 @@ func VerifyImage(ctx context.Context, artifactImage string,
 return verifier.VerifyImage(ctx, provenance, artifactImage, provenanceOpts, builderOpts)
 }
-func VerifyImageProvenanceRepo(ctx context.Context, artifactImage string,
- provenance []byte,
- provenanceRepository string,
- provenanceOpts *options.ProvenanceOpts,
- builderOpts *options.BuilderOpts,
-) ([]byte, *utils.TrustedBuilderID, error) {
- verifier, err := getVerifier(builderOpts)
- if err != nil {
- return nil, nil, err
- }
- return verifier.VerifyImageProvenanceRepo(ctx, provenance, provenanceRepository, artifactImage, provenanceOpts, builderOpts)
-}
-
 func VerifyArtifact(ctx context.Context,
 provenance []byte, artifactHash string,
 provenanceOpts *options.ProvenanceOpts,