This avoids some unnecessary uses of interface{}, and allows us to
pass existing functions to otherJSONParser without needing an extra
type conversion thunk.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to make policy_config*.go a bit smaller, and to allow sigstore
logic expansion.
Only moves unchanged code, should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
`github.com/pkg/errors` has been deprecated for quite some time, so we now
use the native error wrapping for more idiomatic golang.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
type: cosignSigned, with the usual keyData/keyPath.
Fulcio/Rekor is not currently implemented.
NOTE: This only allows a single public key, not a keyring,
unlike simple signing. That seems problematic, there are
known users of that. But we can fix that later by adding
keyDirectory and the like.
NOTE: Cosign interoperability requires use of
signedIdentity: matchRepository. The fairly useful
signedIdentity: remapIdentity has no repository-match
functionality.
NOTE: Multi-arch images need to be signed by cosign
with --recursive to be accepted; c/image enforces
signatures per platform.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This will allow imports of errors and pkg/errors to
coexist in a single package, avoid adding accidental
new uses via errors.New(), make any potential new
additions more visible in reviews.
Files that can import errors only (typically
because they only use errors.New) have been updated to
that import instead of renaming.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Mostly just name changes that should not change behavior,
apart from ioutil.ReadDir -> os.ReadDir avoiding per-item
lstat(2) in some cases.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
DockerReferenceNamespaces will also append wildcarded expressions for
subdomain matching in policy.json.
For example: [foo.example.com *.example.com *.com]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
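The scope expansion described in the commit message above, as an added example (not c/image's own code): `policyScopes` and `lookup` are hypothetical names, the policy map is a constructed stand-in for the docker transport section of policy.json, and dropping a port before building wildcards is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// policyScopes lists the scopes to try for a fully expanded repository name, most specific first.
func policyScopes(name string) (scopes []string) {
	for { // the repository itself, then each parent namespace, then the host
		scopes = append(scopes, name)
		slash := strings.LastIndex(name, "/")
		if slash == -1 {
			break
		}
		name = name[:slash]
	}
	// Assumption of this sketch: a port is dropped before wildcards are built.
	name, _, _ = strings.Cut(name, ":")
	for { // wildcarded parent domains: *.example.com, then *.com
		dot := strings.Index(name, ".")
		if dot == -1 {
			break
		}
		name = name[dot+1:]
		scopes = append(scopes, "*."+name)
	}
	return scopes
}

// lookup returns the first configured scope that applies to repo, and its requirement.
func lookup(policy map[string]string, repo string) (string, string) {
	for _, s := range policyScopes(repo) {
		if req, ok := policy[s]; ok {
			return s, req
		}
	}
	return "", policy[""] // "" stands for the default scope
}

func main() {
	policy := map[string]string{ // constructed sample, not a real policy.json
		"": "reject", "*.example.com": "signedBy", "foo.example.com/public": "insecureAcceptAnything",
	}
	for _, repo := range []string{"foo.example.com/public/app", "bar.example.com/app", "docker.io/library/busybox"} {
		scope, req := lookup(policy, repo)
		fmt.Printf("%-28s scope=%q requirement=%s\n", repo, scope, req)
	}
}
```

Because the most specific scope wins, a permissive entry on a narrow namespace overrides a stricter wildcard entry above it, which is worth checking when reviewing a policy that mixes both.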
Split defaultPolicyPathWithHomeDir from defaultPolicyPath to allow
testing it without overriding $HOME now that that does not have
an effect during the lifetime of a process.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This allows accepting signatures for a complete or partial
mirror of some other repository namespace in a single step,
similar in signing effect to setting up mirrors in registries.conf,
but letting image consumers refer to the mirrors directly.
For tag/digest matching, this currently only implements the
default matchRepoDigestOrExact-like semantics; it's the right
choice for almost all users, and we can add other alternatives
later if it turned out to be necessary.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Add jsonUnmarshalFromObject and assertJSONUnmarshalFromObjectFails
to handle the common pattern of manufacturing a JSON and testing
how it unmarshals.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Most of the UnmarshalJSON tests follow the same structure,
copy&pasting boilerplate all over. Consolidate them into a single
function with named parameters for the specifics.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... so that major-version-aware Go module import
(as opposed to vX.Y.Z+incompatible, which does not allow different
packages to use different versions) works right.
Also requires adding some more GO111MODULE=on options to Makefile.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- Network IO paths should react to cancels now.
- File IO paths generally still won't.
- `SystemContext` objects have been renamed to `sys` to leave `ctx`
available for the stdlib context objects.
Signed-off-by: Mike Lundy <mike@fluffypenguin.org>
Be more verbose when erroring out in case we have invalid data in the
policy json file.
Before this patch:
    ./skopeo copy docker://busybox oci:busybox
    FATA[0000] Error loading trust policy: unexpected end of JSON input
After:
    ./skopeo copy docker://busybox oci:busybox
    FATA[0000] Error loading trust policy: invalid policy data in
    "/etc/containers/policy.json": unexpected end of JSON input
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This is the new default: tag references require a signature with a
matching repo:tag, digest references require a signature with a matching
repo (and any tag [or digest]), with the digest itself still being
validated in image.UnparsedImage, independently of signature processing.
Users can still opt into strict checking by specifying matchExact
in signedIdentity.
Also update most tests to use matchExactOrSignedDigest, to match
the default.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
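The default identity matching described in the commit message above, next to strict matching, as an added example (not c/image's own code): the `ref` type and both function names are hypothetical, the digest is a constructed placeholder, and rejecting name-only references and treating strict matching as full-string equality are assumptions of this sketch.

```go
package main

import "fmt"

// ref is a constructed stand-in for a parsed, fully expanded docker reference.
type ref struct{ Repo, Tag, Digest string }

func (r ref) String() string {
	s := r.Repo
	if r.Tag != "" {
		s += ":" + r.Tag
	}
	if r.Digest != "" {
		s += "@" + r.Digest
	}
	return s
}

// matchDefault follows the default described in the commit message.
func matchDefault(image, signed ref) bool {
	switch {
	case image.Tag != "": // tag reference: the signature must name the same repo:tag
		return signed.String() == image.String()
	case image.Digest != "": // digest reference: same repo, any tag or digest in the signature
		return signed.Repo == image.Repo
	default: // name-only reference: rejected (assumption of this sketch)
		return false
	}
}

// matchExact is the strict opt-in: the signed identity must equal the image
// reference exactly (assumption of this sketch about the details).
func matchExact(image, signed ref) bool {
	if image.Tag == "" && image.Digest == "" {
		return false
	}
	return signed.String() == image.String()
}

func main() {
	const d = "sha256:0000" // constructed placeholder digest
	image := ref{Repo: "docker.io/library/busybox", Digest: d}
	signed := ref{Repo: "docker.io/library/busybox", Tag: "1.0"}
	// Pull by digest, signature names a tag of the same repository.
	fmt.Println(matchDefault(image, signed), matchExact(image, signed))
}
```

Neither function checks the digest itself; per the commit message that validation happens in image.UnparsedImage, independently of signature processing.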
As we add more config files, having a single knob to override them all
may simplify usage.
Note that this is not a chroot; it will override e.g. hard-coded /etc,
but $HOME is unaffected.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This is the API most applications should use to get the policy for the
current host.
Also adds a types.SystemContext per discussions in
https://github.com/containers/image/pull/41 and elsewhere, to make the
functions testable and usable in special situations like chroots.
(Though, signature.DefaultPolicy() with an override is not that
different from signature.NewPolicyFromFile().)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This e.g. rejects relative paths for directories.
Notably docker: transport is the only one which does not do any real
validation; we could copy&paste the character ranges and lengths
directly from docker/distribution/reference, which feels fairly ugly.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Implement PolicyConfigurationIdentity and PolicyConfigurationNamespaces
for all transports, which makes them all possible to use in policy
configurations.
Then use Transport().Name instead of hard-coded "docker" in policy
transport lookup.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead of specific/$dockerreference, use transports/$transport/$policyconfigurationscope
This will allow transport-specific policies in the future.
This changes the data structures and parsing code, but mostly not yet the
functionality; everything is looked up through transports/"docker"/... ,
and Docker-reference-less transports are not yet supported.
The only new functionality is that there is a transport-level default
scope (transports/docker/""); at the moment it is redundant with the
global default, but soon it will not be so.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Using the canonical minimized format of Docker references introduces too
many ambiguities.
This also removes some validation of the scope string, but all that was
really doing was rejecting completely invalid input like uppercase.
Sadly it is not quite obvious that we can detect and reject mistakes like
using "busybox" as a scope instead of the correct
"docker.io/library/busybox". Perhaps require at least one dot or port
number in the host name?