add VerifyImageProvenanceRepo for backward api compatibility

Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
slsa-framework · Jan 19, 2024 · c475cc5 · c475cc5
1 parent 2c971c1
commit c475cc5
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 73 deletions.
diff --git a/cli/slsa-verifier/verify/options.go b/cli/slsa-verifier/verify/options.go
@@ -86,34 +86,10 @@ var _ Interface = (*VerifyImageOptions)(nil)
 
 // AddFlags implements Interface.
 func (o *VerifyImageOptions) AddFlags(cmd *cobra.Command) {
-	cmd.Flags().Var(&o.BuildWorkflowInputs, "build-workflow-input",
-		"[optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events on GitHub Actions).")
-
-	cmd.Flags().StringVar(&o.BuilderID, "builder-id", "", "[optional] the unique builder ID who created the provenance")
-
-	/* Source options */
-	cmd.Flags().StringVar(&o.SourceURI, "source-uri", "",
-		"expected source repository that should have produced the binary, e.g. github.com/some/repo")
-
-	cmd.Flags().StringVar(&o.SourceBranch, "source-branch", "", "[optional] expected branch the binary was compiled from")
-
-	cmd.Flags().StringVar(&o.SourceTag, "source-tag", "", "[optional] expected tag the binary was compiled from")
-
-	cmd.Flags().StringVar(&o.SourceVersionTag, "source-versioned-tag", "",
-		"[optional] expected version the binary was compiled from. Uses semantic version to match the tag")
-
-	/* Other options */
-	cmd.Flags().StringVar(&o.ProvenancePath, "provenance-path", "",
-		"path to a provenance file")
+	o.VerifyOptions.AddFlags(cmd)
 
 	cmd.Flags().StringVar(&o.ProvenanceRepository, "provenance-repository", "",
 		"image repository for provenance with format: <registry>/<repository>. When set, overrides COSIGN_REPOSITORY environment variable")
-
-	cmd.Flags().BoolVar(&o.PrintProvenance, "print-provenance", false,
-		"[optional] print the verified provenance to stdout")
-
-	cmd.MarkFlagRequired("source-uri")
-	cmd.MarkFlagsMutuallyExclusive("source-versioned-tag", "source-tag")
 }
 
 // VerifyNpmOptions is the top-level options for the `verifyNpmPackage` command.

diff --git a/cli/slsa-verifier/verify/verify_image.go b/cli/slsa-verifier/verify/verify_image.go
@@ -71,12 +71,15 @@ func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*uti
 		}
 	}
 
-	var provenanceRepository string
+	var verifiedProvenance []byte
+	var outBuilderID *utils.TrustedBuilderID
+
 	if c.ProvenanceRepository != nil {
-		provenanceRepository = *c.ProvenanceRepository
+		verifiedProvenance, outBuilderID, err = verifiers.VerifyImageProvenanceRepo(ctx, artifacts[0], provenance, *c.ProvenanceRepository, provenanceOpts, builderOpts)
+	} else {
+		verifiedProvenance, outBuilderID, err = verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceOpts, builderOpts)
 	}
 
-	verifiedProvenance, outBuilderID, err := verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceRepository, provenanceOpts, builderOpts)
 	if err != nil {
 		return nil, err
 	}

diff --git a/register/register.go b/register/register.go
@@ -24,6 +24,12 @@ type SLSAVerifier interface {
 
 	// VerifyImage verifies a provenance for a supplied OCI image.
 	VerifyImage(ctx context.Context,
+		provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts,
+		builderOpts *options.BuilderOpts,
+	) ([]byte, *utils.TrustedBuilderID, error)
+
+	// VerifyImageProvenanceRepo verifies a provenance stored in a separate repository for a supplied OCI image.
+	VerifyImageProvenanceRepo(ctx context.Context,
 		provenance []byte, provenanceRepository string,
 		artifactImage string, provenanceOpts *options.ProvenanceOpts,
 		builderOpts *options.BuilderOpts,

diff --git a/verifiers/internal/gcb/verifier.go b/verifiers/internal/gcb/verifier.go
@@ -50,8 +50,7 @@ func (v *GCBVerifier) VerifyNpmPackage(ctx context.Context,
 
 // VerifyImage verifies provenance for an OCI image.
 func (v *GCBVerifier) VerifyImage(ctx context.Context,
-	provenance []byte, provenanceRepository string,
-	artifactImage string, provenanceOpts *options.ProvenanceOpts,
+	provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts,
 	builderOpts *options.BuilderOpts,
 ) ([]byte, *utils.TrustedBuilderID, error) {
 	prov, err := ProvenanceFromBytes(provenance)
@@ -126,3 +125,12 @@ func (v *GCBVerifier) VerifyImage(ctx context.Context,
 	}
 	return content, builderID, nil
 }
+
+// VerifyImageProvenanceRepo verifies provenance for an OCI image.
+func (v *GCBVerifier) VerifyImageProvenanceRepo(ctx context.Context,
+	provenance []byte, provenanceRepository string,
+	artifactImage string, provenanceOpts *options.ProvenanceOpts,
+	builderOpts *options.BuilderOpts,
+) ([]byte, *utils.TrustedBuilderID, error) {
+	return v.VerifyImage(ctx, provenance, artifactImage, provenanceOpts, builderOpts)
+}
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
@@ -244,48 +244,9 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context,
 		utils.MergeMaps(defaultArtifactTrustedReusableWorkflows, defaultBYOBReusableWorkflows))
 }
 
-// VerifyImage verifies provenance for an OCI image.
-func (v *GHAVerifier) VerifyImage(ctx context.Context,
-	provenance []byte, provenanceRepository string,
-	artifactImage string, provenanceOpts *options.ProvenanceOpts,
-	builderOpts *options.BuilderOpts,
-) ([]byte, *utils.TrustedBuilderID, error) {
-	/* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
-	trustedRoot, err := TrustedRootSingleton(ctx)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	var provenanceTargetRepository name.Repository
-	// Consume input for --provenance-repository when set
-	if provenanceRepository != "" {
-		provenanceTargetRepository, err = name.NewRepository(provenanceRepository)
-		if err != nil {
-			return nil, nil, err
-		}
-	} else {
-		// If user input --provenance-repository is empty, look for COSIGN_REPOSITORY environment
-		provenanceTargetRepository, err = ociremote.GetEnvTargetRepository()
-		if err != nil {
-			return nil, nil, err
-		}
-	}
-
-	registryClientOpts := []ociremote.Option{}
-
-	// Append target repository to OCI Registry opts
-	// Must be authenticated against the specified target repository externally
-	if provenanceTargetRepository.Name() != "" {
-		registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository))
-	}
-
-	opts := &cosign.CheckOpts{
-		RegistryClientOpts: registryClientOpts,
-		RootCerts:          trustedRoot.FulcioRoot,
-		IntermediateCerts:  trustedRoot.FulcioIntermediates,
-		RekorPubKeys:       trustedRoot.RekorPubKeys,
-		CTLogPubKeys:       trustedRoot.CTPubKeys,
-	}
+// verifyImageWithOptions abstracts the cosign options and returns verified provenance for an artifact.
+func verifyImageWithOptions(ctx context.Context, artifactImage string, provenanceOpts *options.ProvenanceOpts,
+	builderOpts *options.BuilderOpts, opts *cosign.CheckOpts) ([]byte, *utils.TrustedBuilderID, error) {
 	atts, _, err := container.RunCosignImageVerification(ctx,
 		artifactImage, opts)
 	if err != nil {
@@ -332,6 +293,70 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context,
 	return nil, nil, fmt.Errorf("%w", serrors.ErrorNoValidSignature)
 }
 
+// VerifyImage verifies provenance for an OCI image.
+func (v *GHAVerifier) VerifyImage(ctx context.Context,
+	provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts,
+	builderOpts *options.BuilderOpts,
+) ([]byte, *utils.TrustedBuilderID, error) {
+	/* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
+	trustedRoot, err := TrustedRootSingleton(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+	opts := &cosign.CheckOpts{
+		RootCerts:         trustedRoot.FulcioRoot,
+		IntermediateCerts: trustedRoot.FulcioIntermediates,
+		RekorPubKeys:      trustedRoot.RekorPubKeys,
+		CTLogPubKeys:      trustedRoot.CTPubKeys,
+	}
+	return verifyImageWithOptions(ctx, artifactImage, provenanceOpts, builderOpts, opts)
+}
+
+// VerifyImageProvenanceRepo verifies provenance from a separate store for an OCI image.
+func (v *GHAVerifier) VerifyImageProvenanceRepo(ctx context.Context,
+	provenance []byte, provenanceRepository string,
+	artifactImage string, provenanceOpts *options.ProvenanceOpts,
+	builderOpts *options.BuilderOpts,
+) ([]byte, *utils.TrustedBuilderID, error) {
+	/* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
+	trustedRoot, err := TrustedRootSingleton(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var provenanceTargetRepository name.Repository
+	// Consume input for --provenance-repository when set
+	if provenanceRepository != "" {
+		provenanceTargetRepository, err = name.NewRepository(provenanceRepository)
+		if err != nil {
+			return nil, nil, err
+		}
+	} else {
+		// If user input --provenance-repository is empty, look for COSIGN_REPOSITORY environment
+		provenanceTargetRepository, err = ociremote.GetEnvTargetRepository()
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	registryClientOpts := []ociremote.Option{}
+
+	// Append target repository to OCI Registry opts
+	// Must be authenticated against the specified target repository externally
+	if provenanceTargetRepository.Name() != "" {
+		registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository))
+	}
+
+	opts := &cosign.CheckOpts{
+		RegistryClientOpts: registryClientOpts,
+		RootCerts:          trustedRoot.FulcioRoot,
+		IntermediateCerts:  trustedRoot.FulcioIntermediates,
+		RekorPubKeys:       trustedRoot.RekorPubKeys,
+		CTLogPubKeys:       trustedRoot.CTPubKeys,
+	}
+	return verifyImageWithOptions(ctx, artifactImage, provenanceOpts, builderOpts, opts)
+}
+
 // VerifyNpmPackage verifies an npm package tarball.
 func (v *GHAVerifier) VerifyNpmPackage(ctx context.Context,
 	attestations []byte, tarballHash string,

diff --git a/verifiers/verifier.go b/verifiers/verifier.go
@@ -36,6 +36,18 @@ func getVerifier(builderOpts *options.BuilderOpts) (register.SLSAVerifier, error
 }
 
 func VerifyImage(ctx context.Context, artifactImage string,
+	provenance []byte,
+	provenanceOpts *options.ProvenanceOpts,
+	builderOpts *options.BuilderOpts,
+) ([]byte, *utils.TrustedBuilderID, error) {
+	verifier, err := getVerifier(builderOpts)
+	if err != nil {
+		return nil, nil, err
+	}
+	return verifier.VerifyImage(ctx, provenance, artifactImage, provenanceOpts, builderOpts)
+}
+
+func VerifyImageProvenanceRepo(ctx context.Context, artifactImage string,
 	provenance []byte,
 	provenanceRepository string,
 	provenanceOpts *options.ProvenanceOpts,
@@ -45,7 +57,7 @@ func VerifyImage(ctx context.Context, artifactImage string,
 	if err != nil {
 		return nil, nil, err
 	}
-	return verifier.VerifyImage(ctx, provenance, provenanceRepository, artifactImage, provenanceOpts, builderOpts)
+	return verifier.VerifyImageProvenanceRepo(ctx, provenance, provenanceRepository, artifactImage, provenanceOpts, builderOpts)
 }
 
 func VerifyArtifact(ctx context.Context,