kubernetes-sigs · k8s-ci-robot · Feb 19, 2022 · Feb 17, 2022
diff --git a/sign/impl.go b/sign/impl.go
@@ -33,9 +33,7 @@ import (
 	"sigs.k8s.io/release-utils/util"
 )
 
-type defaultImpl struct {
-	log *logrus.Logger
-}
+type defaultImpl struct{}
 
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate
 //counterfeiter:generate . impl
@@ -50,7 +48,7 @@ type impl interface {
 		recursive bool, attachment string) error
 	Setenv(string, string) error
 	EnvDefault(string, string) string
-	TokenFromProviders(context.Context) (string, error)
+	TokenFromProviders(context.Context, *logrus.Logger) (string, error)
 	FileExists(string) bool
 }
 
@@ -112,9 +110,9 @@ func (*defaultImpl) IsImageSignedInternal(
 
 // TokenFromProviders will try the cosign OIDC providers to get an
 // oidc token from them.
-func (di *defaultImpl) TokenFromProviders(ctx context.Context) (string, error) {
-	if !di.IdentityProvidersEnabled(ctx) {
-		di.log.Warn("No OIDC provider enabled. Token cannot be obtained autmatically.")
+func (d *defaultImpl) TokenFromProviders(ctx context.Context, logger *logrus.Logger) (string, error) {
+	if !d.IdentityProvidersEnabled(ctx) {
+		logger.Warn("No OIDC provider enabled. Token cannot be obtained autmatically.")
 		return "", nil
 	}
 

diff --git a/sign/impl_test.go b/sign/impl_test.go
@@ -21,7 +21,6 @@ import (
 	"os"
 	"testing"
 
-	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/require"
 )
 
@@ -60,7 +59,7 @@ func TestFileExists(t *testing.T) {
 	require.NoError(t, err)
 	defer os.Remove(f.Name())
 	require.NoError(t, os.WriteFile(f.Name(), []byte("hey"), os.FileMode(0o644)))
-	sut := &defaultImpl{log: logrus.New()}
+	sut := &defaultImpl{}
 	require.True(t, sut.FileExists(f.Name()))
 	require.False(t, sut.FileExists(f.Name()+"a"))
 }
diff --git a/sign/options.go b/sign/options.go
@@ -17,6 +17,7 @@ limitations under the License.
 package sign
 
 import (
+	"context"
 	"errors"
 	"time"
 
@@ -27,6 +28,9 @@ import (
 
 // Options can be used to modify the behavior of the signer.
 type Options struct {
+	// Logger is the custom logger to be used for message printing.
+	Logger *logrus.Logger
+
 	// Verbose can be used to enable a higher log verbosity
 	Verbose bool
 
@@ -58,6 +62,7 @@ type Options struct {
 // Default returns a default Options instance.
 func Default() *Options {
 	return &Options{
+		Logger:               logrus.StandardLogger(),
 		Timeout:              3 * time.Minute,
 		PassFunc:             generate.GetPass,
 		EnableTokenProviders: true,
@@ -75,11 +80,14 @@ func (o *Options) verifySignOptions() error {
 	}
 
 	// Ensure that the private key file exists
-	i := defaultImpl{
-		log: logrus.New(),
-	}
+	i := defaultImpl{}
 	if o.PrivateKeyPath != "" && !i.FileExists(o.PrivateKeyPath) {
 		return errors.New("specified private key file not found")
 	}
 	return nil
 }
+
+// context creates a new context with the timeout set within the options.
+func (o *Options) context() (context.Context, context.CancelFunc) {
+	return context.WithTimeout(context.Background(), o.Timeout)
+}
diff --git a/sign/sign.go b/sign/sign.go
@@ -31,24 +31,22 @@ import (
 type Signer struct {
 	impl    impl
 	options *Options
-	log     *logrus.Logger
 }
 
 // New returns a new Signer instance.
 func New(options *Options) *Signer {
-	logger := logrus.New()
+	if options.Logger == nil {
+		options.Logger = logrus.New()
+	}
 
 	if options.Verbose {
 		logs.Debug.SetOutput(os.Stderr)
-		logger.SetLevel(logrus.DebugLevel)
+		options.Logger.SetLevel(logrus.DebugLevel)
 	}
 
 	return &Signer{
-		impl: &defaultImpl{
-			log: logger,
-		},
+		impl:    &defaultImpl{},
 		options: options,
-		log:     logger,
 	}
 }
 
@@ -58,8 +56,13 @@ func (s *Signer) SetImpl(impl impl) {
 	s.impl = impl
 }
 
+// log returns the internally set logger.
+func (s *Signer) log() *logrus.Logger {
+	return s.options.Logger
+}
+
 func (s *Signer) UploadBlob(path string) error {
-	s.log.Infof("Uploading blob: %s", path)
+	s.log().Infof("Uploading blob: %s", path)
 
 	// TODO: unimplemented
 
@@ -69,7 +72,7 @@ func (s *Signer) UploadBlob(path string) error {
 // SignImage can be used to sign any provided container image reference by
 // using keyless signing.
 func (s *Signer) SignImage(reference string) (*SignedObject, error) {
-	s.log.Infof("Signing reference: %s", reference)
+	s.log().Infof("Signing reference: %s", reference)
 
 	// Ensure options to sign are correct
 	if err := s.options.verifySignOptions(); err != nil {
@@ -82,12 +85,15 @@ func (s *Signer) SignImage(reference string) (*SignedObject, error) {
 	}
 	defer resetFn()
 
+	ctx, cancel := s.options.context()
+	defer cancel()
+
 	// If we don't have a key path, we must ensure we can get an OIDC
 	// token or there is no way to sign. Depending on the options set,
 	// we may get the ID token from the cosign providers
 	identityToken := ""
 	if s.options.PrivateKeyPath == "" {
-		tok, err := s.identityToken()
+		tok, err := s.identityToken(ctx)
 		if err != nil {
 			return nil, errors.Wrap(err, "getting identity token for keyless signing")
 		}
@@ -126,9 +132,6 @@ func (s *Signer) SignImage(reference string) (*SignedObject, error) {
 		outputCertificate = s.options.OutputCertificatePath
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), s.options.Timeout)
-	defer cancel()
-
 	if err := s.impl.SignImageInternal(ctx, ko, regOpts,
 		s.options.Annotations, images, "", true, outputSignature,
 		outputCertificate, "", true, false, "",
@@ -147,7 +150,7 @@ func (s *Signer) SignImage(reference string) (*SignedObject, error) {
 // SignFile can be used to sign any provided file path by using keyless
 // signing.
 func (s *Signer) SignFile(path string) (*SignedObject, error) {
-	s.log.Infof("Signing file path: %s", path)
+	s.log().Infof("Signing file path: %s", path)
 
 	// TODO: unimplemented
 
@@ -161,16 +164,17 @@ func (s *Signer) SignFile(path string) (*SignedObject, error) {
 // VerifyImage can be used to validate any provided container image reference by
 // using keyless signing.
 func (s *Signer) VerifyImage(reference string) (*SignedObject, error) {
-	s.log.Infof("Verifying reference: %s", reference)
+	s.log().Infof("Verifying reference: %s", reference)
 
 	resetFn, err := s.enableExperimental()
 	if err != nil {
 		return nil, err
 	}
 	defer resetFn()
 
-	ctx, cancel := context.WithTimeout(context.Background(), s.options.Timeout)
+	ctx, cancel := s.options.context()
 	defer cancel()
+
 	images := []string{reference}
 	object, err := s.impl.VerifyImageInternal(ctx, s.options.PublicKeyPath, images)
 	if err != nil {
@@ -181,7 +185,7 @@ func (s *Signer) VerifyImage(reference string) (*SignedObject, error) {
 
 // VerifyFile can be used to validate any provided file path.
 func (s *Signer) VerifyFile(path string) (*SignedObject, error) {
-	s.log.Infof("Verifying file path: %s", path)
+	s.log().Infof("Verifying file path: %s", path)
 
 	// TODO: unimplemented
 
@@ -198,7 +202,7 @@ func (s *Signer) enableExperimental() (resetFn func(), err error) {
 	}
 	return func() {
 		if err := s.impl.Setenv(key, previousValue); err != nil {
-			s.log.Errorf("Unable to reset cosign experimental mode: %v", err)
+			s.log().Errorf("Unable to reset cosign experimental mode: %v", err)
 		}
 	}, nil
 }
@@ -207,7 +211,7 @@ func (s *Signer) enableExperimental() (resetFn func(), err error) {
 // signatures available for it. It makes no signature verification, only
 // checks to see if more than one signature is available.
 func (s *Signer) IsImageSigned(imageRef string) (bool, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), s.options.Timeout)
+	ctx, cancel := s.options.context()
 	defer cancel()
 
 	return s.impl.IsImageSignedInternal(ctx, imageRef)
@@ -217,17 +221,17 @@ func (s *Signer) IsImageSigned(imageRef string) (bool, error) {
 // If there is one set in the options we will use that one. If not,
 // signer will try to get one from the cosign OIDC identity providers
 // if options.EnableTokenProviders is set
-func (s *Signer) identityToken() (string, error) {
+func (s *Signer) identityToken(ctx context.Context) (string, error) {
 	tok := s.options.IdentityToken
 	if s.options.PrivateKeyPath == "" && s.options.IdentityToken == "" {
 		// We only attempt to pull from the providers if the option is set
 		if !s.options.EnableTokenProviders {
-			logrus.Warn("No token set in options and OIDC providers are disabled")
+			s.log().Warn("No token set in options and OIDC providers are disabled")
 			return "", nil
 		}
 
-		logrus.Info("No identity token was provided. Attempting to get one from supported providers.")
-		token, err := s.impl.TokenFromProviders(context.Background())
+		s.log().Info("No identity token was provided. Attempting to get one from supported providers.")
+		token, err := s.impl.TokenFromProviders(ctx, s.log())
 		if err != nil {
 			return "", errors.Wrap(err, "getting identity token from providers")
 		}

diff --git a/sign/signfakes/fake_impl.go b/sign/signfakes/fake_impl.go