feat(graphql & repodb): add info about signature validity

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
project-zot · May 23, 2023 · 752c671 · 752c671
1 parent 83ae1aa
commit 752c671
Show file tree

Hide file tree

Showing 24 changed files with 2,053 additions and 31 deletions.
diff --git a/errors/errors.go b/errors/errors.go
@@ -89,4 +89,7 @@ var (
 	ErrUserDataNotAllowed             = errors.New("repodb: user data operations are not allowed")
 	ErrCouldNotPersistData            = errors.New("repodb: could not persist to db")
 	ErrDedupeRebuild                  = errors.New("dedupe: couldn't rebuild dedupe index")
+	ErrSignConfigDirNotSet            = errors.New("signatures: signature config dir not set")
+	ErrBadManifestDigest              = errors.New("signatures: bad manifest digest")
+	ErrInvalidSignatureType           = errors.New("signatures: invalid signature type")
 )
diff --git a/go.mod b/go.mod
@@ -384,7 +384,7 @@ require (
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/sigstore/fulcio v1.2.0 // indirect
 	github.com/sigstore/rekor v1.1.1 // indirect
-	github.com/sigstore/sigstore v1.6.3 // indirect
+	github.com/sigstore/sigstore v1.6.3
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/smartystreets/assertions v1.13.1 // indirect

diff --git a/pkg/extensions/search/convert/convert_test.go b/pkg/extensions/search/convert/convert_test.go
@@ -385,3 +385,43 @@ func TestLabels(t *testing.T) {
 		So(vendor, ShouldEqual, "zot-vendor")
 	})
 }
+
+func TestGetSignaturesInfo(t *testing.T) {
+	Convey("Test get signatures info - cosign", t, func() {
+		indexDigest := godigest.FromString("123")
+		repoMeta := repodb.RepoMetadata{
+			Signatures: map[string]repodb.ManifestSignatures{string(indexDigest): {"cosign": []repodb.SignatureInfo{{
+				LayersInfo: []repodb.LayerInfo{{LayerContent: []byte{}, LayerDigest: "", SignatureKey: "", Signer: "author"}},
+			}}}},
+		}
+
+		signaturesSummary := convert.GetSignaturesInfo(true, repoMeta, indexDigest)
+		So(signaturesSummary, ShouldNotBeEmpty)
+		So(*signaturesSummary[0].Author, ShouldEqual, "author")
+		So(*signaturesSummary[0].IsTrusted, ShouldEqual, true)
+		So(*signaturesSummary[0].Tool, ShouldEqual, "cosign")
+	})
+
+	Convey("Test get signatures info - notation", t, func() {
+		indexDigest := godigest.FromString("123")
+		repoMeta := repodb.RepoMetadata{
+			Signatures: map[string]repodb.ManifestSignatures{string(indexDigest): {"notation": []repodb.SignatureInfo{{
+				LayersInfo: []repodb.LayerInfo{
+					{
+						LayerContent: []byte{},
+						LayerDigest:  "",
+						SignatureKey: "",
+						Signer:       "author",
+						Date:         time.Now().AddDate(0, 0, -1),
+					},
+				},
+			}}}},
+		}
+
+		signaturesSummary := convert.GetSignaturesInfo(true, repoMeta, indexDigest)
+		So(signaturesSummary, ShouldNotBeEmpty)
+		So(*signaturesSummary[0].Author, ShouldEqual, "author")
+		So(*signaturesSummary[0].IsTrusted, ShouldEqual, false)
+		So(*signaturesSummary[0].Tool, ShouldEqual, "notation")
+	})
+}
diff --git a/pkg/extensions/search/convert/repodb.go b/pkg/extensions/search/convert/repodb.go
@@ -243,6 +243,8 @@ func ImageIndex2ImageSummary(ctx context.Context, repo, tag string, indexDigest
 
 	annotations := GetAnnotations(indexContent.Annotations, map[string]string{})
 
+	signaturesInfo := GetSignaturesInfo(isSigned, repoMeta, indexDigest)
+
 	indexSummary := gql_generated.ImageSummary{
 		RepoName:      &repo,
 		Tag:           &tag,
@@ -251,6 +253,7 @@ func ImageIndex2ImageSummary(ctx context.Context, repo, tag string, indexDigest
 		Manifests:     manifestSummaries,
 		LastUpdated:   &indexLastUpdated,
 		IsSigned:      &isSigned,
+		SignatureInfo: signaturesInfo,
 		Size:          &indexSize,
 		DownloadCount: &totalDownloadCount,
 		Description:   &annotations.Description,
@@ -354,6 +357,8 @@ func ImageManifest2ImageSummary(ctx context.Context, repo, tag string, digest go
 		}
 	}
 
+	signaturesInfo := GetSignaturesInfo(isSigned, repoMeta, digest)
+
 	imageSummary := gql_generated.ImageSummary{
 		RepoName:  &repoName,
 		Tag:       &tag,
@@ -366,6 +371,7 @@ func ImageManifest2ImageSummary(ctx context.Context, repo, tag string, digest go
 				LastUpdated:   &imageLastUpdated,
 				Size:          &imageSize,
 				IsSigned:      &isSigned,
+				SignatureInfo: signaturesInfo,
 				Platform:      &platform,
 				DownloadCount: &downloadCount,
 				Layers:        getLayersSummaries(manifestContent),
@@ -380,6 +386,7 @@ func ImageManifest2ImageSummary(ctx context.Context, repo, tag string, digest go
 		},
 		LastUpdated:   &imageLastUpdated,
 		IsSigned:      &isSigned,
+		SignatureInfo: signaturesInfo,
 		Size:          &imageSize,
 		DownloadCount: &downloadCount,
 		Description:   &annotations.Description,
@@ -511,6 +518,8 @@ func ImageManifest2ManifestSummary(ctx context.Context, repo, tag string, descri
 		}
 	}
 
+	signaturesInfo := GetSignaturesInfo(isSigned, repoMeta, digest)
+
 	manifestSummary := gql_generated.ManifestSummary{
 		Digest:        &manifestDigestStr,
 		ConfigDigest:  &configDigest,
@@ -521,6 +530,7 @@ func ImageManifest2ManifestSummary(ctx context.Context, repo, tag string, descri
 		Layers:        getLayersSummaries(manifestContent),
 		History:       historyEntries,
 		IsSigned:      &isSigned,
+		SignatureInfo: signaturesInfo,
 		Vulnerabilities: &gql_generated.ImageVulnerabilitySummary{
 			MaxSeverity: &imageCveSummary.MaxSeverity,
 			Count:       &imageCveSummary.Count,
@@ -744,3 +754,44 @@ func GetPreloadString(prefix, name string) string {
 
 	return name
 }
+
+func GetSignaturesInfo(isSigned bool, repoMeta repodb.RepoMetadata, indexDigest godigest.Digest,
+) []*gql_generated.SignatureSummary {
+	signaturesInfo := []*gql_generated.SignatureSummary{}
+
+	if !isSigned {
+		return signaturesInfo
+	}
+
+	for sigType, signatures := range repoMeta.Signatures[indexDigest.String()] {
+		for _, sig := range signatures {
+			for _, layer := range sig.LayersInfo {
+				var (
+					isTrusted bool
+					author    string
+					tool      string
+				)
+
+				if layer.Signer != "" {
+					author = layer.Signer
+
+					if !layer.Date.IsZero() && time.Now().After(layer.Date) {
+						isTrusted = false
+					} else {
+						isTrusted = true
+					}
+				} else {
+					isTrusted = false
+					author = ""
+				}
+
+				tool = sigType
+
+				signaturesInfo = append(signaturesInfo,
+					&gql_generated.SignatureSummary{Tool: &tool, IsTrusted: &isTrusted, Author: &author})
+			}
+		}
+	}
+
+	return signaturesInfo
+}