Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow trusted builders by repo or tag #2266

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,5 +1,11 @@
package builder

import (
"github.com/google/go-containerregistry/pkg/name"

"github.com/buildpacks/pack/internal/config"
)

type KnownBuilder struct {
Vendor string
Image string
Expand Down Expand Up @@ -67,11 +73,34 @@ var KnownBuilders = []KnownBuilder{
},
}

var IsKnownTrustedBuilder = func(b string) bool {
func IsKnownTrustedBuilder(builderName string) bool {
for _, knownBuilder := range KnownBuilders {
if b == knownBuilder.Image && knownBuilder.Trusted {
if builderName == knownBuilder.Image && knownBuilder.Trusted {
return true
}
}
return false
}

func IsTrustedBuilder(cfg config.Config, builderName string) (bool, error) {
builderReference, err := name.ParseReference(builderName, name.WithDefaultTag(""))
if err != nil {
return false, err
}
for _, trustedBuilder := range cfg.TrustedBuilders {
trustedBuilderReference, err := name.ParseReference(trustedBuilder.Name, name.WithDefaultTag(""))
if err != nil {
return false, err
}
if trustedBuilderReference.Identifier() != "" {
if builderReference.Name() == trustedBuilderReference.Name() {
return true, nil
}
} else {
if builderReference.Context().RepositoryStr() == trustedBuilderReference.Context().RepositoryStr() {
return true, nil
}
}
}
return false, nil
}
102 changes: 102 additions & 0 deletions internal/builder/trusted_builder_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
package builder_test

import (
"testing"

"github.com/heroku/color"
"github.com/sclevine/spec"
"github.com/sclevine/spec/report"

bldr "github.com/buildpacks/pack/internal/builder"
"github.com/buildpacks/pack/internal/config"

h "github.com/buildpacks/pack/testhelpers"
)

func TestTrustedBuilder(t *testing.T) {
color.Disable(true)
defer color.Disable(false)
spec.Run(t, "Trusted Builder", trustedBuilder, spec.Parallel(), spec.Report(report.Terminal{}))
}

func trustedBuilder(t *testing.T, when spec.G, it spec.S) {
when("IsKnownTrustedBuilder", func() {
it("matches exactly", func() {
h.AssertTrue(t, bldr.IsKnownTrustedBuilder("paketobuildpacks/builder-jammy-base"))
h.AssertFalse(t, bldr.IsKnownTrustedBuilder("paketobuildpacks/builder-jammy-base:latest"))
h.AssertFalse(t, bldr.IsKnownTrustedBuilder("paketobuildpacks/builder-jammy-base:1.2.3"))
h.AssertFalse(t, bldr.IsKnownTrustedBuilder("my/private/builder"))
})
})

when("IsTrustedBuilder", func() {
it("trust image without tag", func() {
cfg := config.Config{
TrustedBuilders: []config.TrustedBuilder{
{
Name: "my/trusted/builder-jammy",
},
},
}

trustedBuilders := []string{
"my/trusted/builder-jammy",
"my/trusted/builder-jammy:latest",
"my/trusted/builder-jammy:1.2.3",
}

untrustedBuilders := []string{
"my/private/builder", // random builder
"my/trusted/builder-jammy-base", // shared prefix
}

for _, builder := range trustedBuilders {
isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
h.AssertNil(t, err)
h.AssertTrue(t, isTrusted)
}

for _, builder := range untrustedBuilders {
isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
h.AssertNil(t, err)
h.AssertFalse(t, isTrusted)
}
})
it("trust image with tag", func() {
cfg := config.Config{
TrustedBuilders: []config.TrustedBuilder{
{
Name: "my/trusted/builder-jammy:1.2.3",
},
{
Name: "my/trusted/builder-jammy:latest",
},
},
}

trustedBuilders := []string{
"my/trusted/builder-jammy:1.2.3",
"my/trusted/builder-jammy:latest",
}

untrustedBuilders := []string{
"my/private/builder",
"my/trusted/builder-jammy",
"my/trusted/builder-jammy:2.0.0",
"my/trusted/builder-jammy-base",
}

for _, builder := range trustedBuilders {
isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
h.AssertNil(t, err)
h.AssertTrue(t, isTrusted)
}

for _, builder := range untrustedBuilders {
isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
h.AssertNil(t, err)
h.AssertFalse(t, isTrusted)
}
})
})
}
8 changes: 7 additions & 1 deletion internal/commands/build.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ import (
"github.com/pkg/errors"
"github.com/spf13/cobra"

bldr "github.com/buildpacks/pack/internal/builder"

"github.com/buildpacks/pack/internal/config"
"github.com/buildpacks/pack/internal/style"
"github.com/buildpacks/pack/pkg/cache"
Expand Down Expand Up @@ -110,7 +112,11 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
return err
}

trustBuilder := isTrustedBuilder(cfg, builder) || flags.TrustBuilder
isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
if err != nil {
return err
}
trustBuilder := isTrusted || bldr.IsKnownTrustedBuilder(builder) || flags.TrustBuilder
if trustBuilder {
logger.Debugf("Builder %s is trusted", style.Symbol(builder))
if flags.LifecycleImage != "" {
Expand Down
9 changes: 8 additions & 1 deletion internal/commands/builder_inspect.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ import (
"github.com/buildpacks/pack/internal/config"
"github.com/buildpacks/pack/pkg/client"
"github.com/buildpacks/pack/pkg/logging"

bldr "github.com/buildpacks/pack/internal/builder"
)

type BuilderInspector interface {
Expand Down Expand Up @@ -61,10 +63,15 @@ func inspectBuilder(
inspector BuilderInspector,
writerFactory writer.BuilderWriterFactory,
) error {
isTrusted, err := bldr.IsTrustedBuilder(cfg, imageName)
if err != nil {
return err
}

builderInfo := writer.SharedBuilderInfo{
Name: imageName,
IsDefault: imageName == cfg.DefaultBuilder,
Trusted: isTrustedBuilder(cfg, imageName),
Trusted: isTrusted,
}

localInfo, localErr := inspector.InspectBuilder(imageName, true, client.WithDetectionOrderDepth(flags.Depth))
Expand Down
12 changes: 0 additions & 12 deletions internal/commands/commands.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,6 @@ import (
"os/signal"
"syscall"

"github.com/buildpacks/pack/internal/builder"

"github.com/google/go-containerregistry/pkg/v1/types"
"github.com/pkg/errors"
"github.com/spf13/cobra"
Expand Down Expand Up @@ -107,16 +105,6 @@ func getMirrors(config config.Config) map[string][]string {
return mirrors
}

func isTrustedBuilder(cfg config.Config, builderName string) bool {
for _, trustedBuilder := range cfg.TrustedBuilders {
if builderName == trustedBuilder.Name {
return true
}
}

return builder.IsKnownTrustedBuilder(builderName)
}

func deprecationWarning(logger logging.Logger, oldCmd, replacementCmd string) {
logger.Warnf("Command %s has been deprecated, please use %s instead", style.Symbol("pack "+oldCmd), style.Symbol("pack "+replacementCmd))
}
Expand Down
6 changes: 5 additions & 1 deletion internal/commands/config_trusted_builder.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,11 @@ func addTrustedBuilder(args []string, logger logging.Logger, cfg config.Config,
imageName := args[0]
builderToTrust := config.TrustedBuilder{Name: imageName}

if isTrustedBuilder(cfg, imageName) {
isTrusted, err := bldr.IsTrustedBuilder(cfg, imageName)
if err != nil {
return err
}
if isTrusted || bldr.IsKnownTrustedBuilder(imageName) {
logger.Infof("Builder %s is already trusted", style.Symbol(imageName))
return nil
}
Expand Down
Loading