From 87a0f55d91bce176a8cc346894ccffe939292886 Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Thu, 16 Sep 2021 10:57:19 -0700
Subject: [PATCH] Define interfaces for reasoning about signed images.
This starts to layout our augmented interfaces for reasoning about signed images and indices. The next step will be to try and shoe-horn some of the implementation of these that we currently use into a new `internal/oci/remote` package. A couple (seemingly) superficial things about how this is set up: 1. The layout of this reflects the layout of GGCR. The interfaces there are in `pkg/v1`, and implementations of them in `pkg/v1/`. 2. By embedding `v1.Image` instead of *just* surfacing the higher-level things, we enable folks to `remote.Write` and `tarball.Write` the signatures, which feels useful. None of this stuff is carved in stone, so we'll see how far off we are as we start to use this first-stab for realz.
Related: https://github.com/sigstore/cosign/issues/666
Signed-off-by: Matt Moore
---
internal/oci/attestations.go | 28 ++++++++++++++++++
internal/oci/image.go | 32 +++++++++++++++++++++
internal/oci/index.go | 40 ++++++++++++++++++++++++++
internal/oci/{oci.go => mediatypes.go} | 0
internal/oci/signatures.go | 28 ++++++++++++++++++
5 files changed, 128 insertions(+)
create mode 100644 internal/oci/attestations.go
create mode 100644 internal/oci/image.go
create mode 100644 internal/oci/index.go
rename internal/oci/{oci.go => mediatypes.go} (100%)
create mode 100644 internal/oci/signatures.go
diff --git a/internal/oci/attestations.go b/internal/oci/attestations.go
new file mode 100644
index 00000000000..1552e60d970
--- /dev/null
+++ b/internal/oci/attestations.go
@@ -0,0 +1,28 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oci
+
+import v1 "github.com/google/go-containerregistry/pkg/v1"
+
+// Attestations represents a set of attestations that are associated with a particular
+// v1.Image.
+type Attestations interface {
+ v1.Image // The low-level representation of the attestations
+
+ // TODO(mattmoor): Accessors that build on `v1.Image` to provide
+ // higher-level accessors for the attestation data that is embedded in the
+ // wrapped `v1.Image`
+}
diff --git a/internal/oci/image.go b/internal/oci/image.go
new file mode 100644
index 00000000000..1010df0325b
--- /dev/null
+++ b/internal/oci/image.go
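Review bot: The embedded `v1.Image` in `Attestations` is documented only as "the low-level representation of the attestations", while the type comment says the set is "associated with a particular v1.Image", so a reader cannot tell whether the embedded image is the subject image or a separate image whose layers carry the attestation payloads. The commit message motivates the embedding by letting callers `remote.Write` and `tarball.Write` this value, which suggests the latter, but the interface should state it rather than leave it to the PR text. I would make the field comment explicit, e.g. `v1.Image // The image whose layers carry the attestations, distinct from the subject image it is associated with` (please confirm that matches the intended layout). It would also help to say that nothing about this type implies the attestations have been verified; that is left to callers. The same two points apply verbatim to the `Signatures` interface in signatures.go.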
@@ -0,0 +1,32 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oci
+
+import v1 "github.com/google/go-containerregistry/pkg/v1"
+
+// SignedImage represents an OCI Image, complemented with accessors
+// for retrieving signed metadata associated with that image.
+type SignedImage interface {
+ v1.Image
+
+ // Signatures returns the set of signatures currently associated with this
+ // image, or the empty equivalent if none are found.
+ Signatures() (Signatures, error)
+
+ // Attestations returns the set of attestations currently associated with this
+ // image, or the empty equivalent if none are found.
+ Attestations() (Attestations, error)
+}
diff --git a/internal/oci/index.go b/internal/oci/index.go
new file mode 100644
index 00000000000..f94eed5772c
--- /dev/null
+++ b/internal/oci/index.go
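Review bot: The `Signatures()` and `Attestations()` comments on `SignedImage` describe what is "currently associated" with the image but say nothing about whether those values have been checked, and with the type named SignedImage a caller can easily read "signed" as "verified". Since these accessors only hand back whatever artifacts are attached, the contract should say so and should also make the "none found" case unambiguous, because "the empty equivalent" could be read as either an empty collection or a nil interface. I would phrase the first one as `// Signatures returns the signatures currently attached to this image, as stored and without any verification;` followed by `// an empty (non-nil) Signatures, not an error, is returned when none are attached.` and mirror that on `Attestations()`. The `SignedImageIndex` interface in index.go repeats the same comments and should get the same wording.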
@@ -0,0 +1,40 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oci
+
+import v1 "github.com/google/go-containerregistry/pkg/v1"
+
+// SignedIndex represents an OCI ImageIndex, complemented with accessors
+// for retrieving signed metadata associated with that ImageIndex.
+type SignedImageIndex interface {
+ v1.ImageIndex
+
+ // SignedImage is the same as Image, but provides accessors for the nested
+ // image's signed metadata.
+ SignedImage(v1.Hash) (SignedImage, error)
+
+ // SignedImageIndex is the same as ImageIndex, but provides accessors for
+ // the nested image index's signed metadata.
+ SignedImageIndex(v1.Hash) (SignedImageIndex, error)
+
+ // Signatures returns the set of signatures currently associated with this
+ // image, or the empty equivalent if none are found.
+ Signatures() (Signatures, error)
+
+ // Attestations returns the set of attestations currently associated with this
+ // image, or the empty equivalent if none are found.
+ Attestations() (Attestations, error)
+}
diff --git a/internal/oci/oci.go b/internal/oci/mediatypes.go
similarity index 100%
rename from internal/oci/oci.go
rename to internal/oci/mediatypes.go
diff --git a/internal/oci/signatures.go b/internal/oci/signatures.go
new file mode 100644
index 00000000000..d3c1972a951
--- /dev/null
+++ b/internal/oci/signatures.go
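Review bot: The doc comment on `type SignedImageIndex` begins with `SignedIndex`, which does not match the declared name and breaks the convention that an exported identifier's comment starts with that identifier, so tooling that keys on it will flag the type. The `Signatures` and `Attestations` comments in the same interface also say "associated with this image" although the receiver is an index. Change the first comment line to `// SignedImageIndex represents an OCI ImageIndex, complemented with accessors` and the two "image, or the empty equivalent if none are found." lines to `// index, or the empty equivalent if none are found.`. It would additionally be worth stating on `SignedImage(v1.Hash)` and `SignedImageIndex(v1.Hash)` what is returned when the hash is not a child of this index, since the wrapped `v1.ImageIndex` methods' behaviour is not restated here.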
@@ -0,0 +1,28 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package oci
+
+import v1 "github.com/google/go-containerregistry/pkg/v1"
+
+// Signatures represents a set of signatures that are associated with a particular
+// v1.Image.
+type Signatures interface {
+ v1.Image // The low-level representation of the signatures
+
+ // TODO(mattmoor): Accessors that build on `v1.Image` to provide
+ // higher-level accessors for the signature data that is embedded
+ // in the wrapped `v1.Image`
+}