TUF Integration Proposal

.gitignore

@@ -0,0 +1,19 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# VS Code
+.vscode
+debug
+
+# Jetbrains
+.idea

cmd/nv2/common.go → cmd/nv2/common/flags.go

@@ -1,25 +1,36 @@
-package main
+package common
 
 import "github.com/urfave/cli/v2"
 
+// Common flags
 var (
-	usernameFlag = &cli.StringFlag{
+	UsernameFlag = &cli.StringFlag{
 		Name:    "username",
 		Aliases: []string{"u"},
 		Usage:   "username for generic remote access",
 	}
-	passwordFlag = &cli.StringFlag{
+	PasswordFlag = &cli.StringFlag{
 		Name:    "password",
 		Aliases: []string{"p"},
 		Usage:   "password for generic remote access",
 	}
-	insecureFlag = &cli.BoolFlag{
+	InsecureFlag = &cli.BoolFlag{
 		Name:  "insecure",
 		Usage: "enable insecure remote access",
 	}
-	mediaTypeFlag = &cli.StringFlag{
+	MediaTypeFlag = &cli.StringFlag{
 		Name:  "media-type",
 		Usage: "specify the media type of the manifest read from file or stdin",
 		Value: "application/vnd.docker.distribution.manifest.v2+json",
 	}
+	ExpiryFlag = &cli.DurationFlag{
+		Name:    "expiry",
+		Aliases: []string{"e"},
+		Usage:   "expire duration",
+	}
+	OutputFlag = &cli.StringFlag{
+		Name:    "output",
+		Aliases: []string{"o"},
+		Usage:   "write signature to a specific path",
+	}
 )

cmd/nv2/common/manifest.go

@@ -0,0 +1,74 @@
+package common
+
+import (
+	"fmt"
+	"io"
+	"math"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/notaryproject/nv2/pkg/reference"
+	"github.com/notaryproject/nv2/pkg/registry"
+	"github.com/opencontainers/go-digest"
+	"github.com/urfave/cli/v2"
+)
+
+// GetManifestFromContext reterives the manifest according to CLI context
+func GetManifestFromContext(ctx *cli.Context) (*reference.Manifest, error) {
+	if uri := ctx.Args().First(); uri != "" {
+		return getManfestsFromURI(ctx, uri)
+	}
+	return getManifestFromReader(os.Stdin, ctx.String(MediaTypeFlag.Name))
+}
+
+func getManifestFromReader(r io.Reader, mediaType string) (*reference.Manifest, error) {
+	lr := &io.LimitedReader{
+		R: r,
+		N: math.MaxInt64,
+	}
+	manifestDigest, err := digest.SHA256.FromReader(lr)
+	if err != nil {
+		return nil, err
+	}
+	return &reference.Manifest{
+		Descriptor: reference.Descriptor{
+			MediaType: mediaType,
+			Digests:   []digest.Digest{manifestDigest},
+			Size:      math.MaxInt64 - lr.N,
+		},
+		AccessedAt: time.Now().UTC(),
+	}, nil
+}
+
+func getManfestsFromURI(ctx *cli.Context, uri string) (*reference.Manifest, error) {
+	parsed, err := url.Parse(uri)
+	if err != nil {
+		return nil, err
+	}
+	var r io.Reader
+	switch strings.ToLower(parsed.Scheme) {
+	case "file":
+		path := parsed.Path
+		if parsed.Opaque != "" {
+			path = parsed.Opaque
+		}
+		file, err := os.Open(path)
+		if err != nil {
+			return nil, err
+		}
+		defer file.Close()
+		r = file
+	case "docker", "oci":
+		remote := registry.NewClient(nil, &registry.ClientOptions{
+			Username: ctx.String(UsernameFlag.Name),
+			Password: ctx.String(PasswordFlag.Name),
+			Insecure: ctx.Bool(InsecureFlag.Name),
+		})
+		return remote.GetManifestMetadata(parsed)
+	default:
+		return nil, fmt.Errorf("unsupported URI scheme: %s", parsed.Scheme)
+	}
+	return getManifestFromReader(r, ctx.String(MediaTypeFlag.Name))
+}

cmd/nv2/main.go

@@ -4,23 +4,26 @@ import (
 	"log"
 	"os"
 
+	"github.com/notaryproject/nv2/cmd/nv2/signature"
+	"github.com/notaryproject/nv2/cmd/nv2/tuf"
 	"github.com/urfave/cli/v2"
 )
 
 func main() {
 	app := &cli.App{
 		Name:    "nv2",
 		Usage:   "Notary V2 - Prototype",
-		Version: "0.2.0",
+		Version: "0.3.2",
 		Authors: []*cli.Author{
 			{
 				Name:  "Shiwei Zhang",
 				Email: "shizh@microsoft.com",
 			},
 		},
 		Commands: []*cli.Command{
-			signCommand,
-			verifyCommand,
+			signature.SignCommand,
+			signature.VerifyCommand,
+			tuf.TUFCommand,
 		},
 	}
 	if err := app.Run(os.Args); err != nil {

cmd/nv2/sign.go → cmd/nv2/signature/sign.go

@@ -1,19 +1,21 @@
-package main
+package signature
 
 import (
 	"fmt"
 	"io/ioutil"
 	"strings"
 	"time"
 
+	"github.com/notaryproject/nv2/cmd/nv2/common"
 	"github.com/notaryproject/nv2/pkg/signature"
 	"github.com/notaryproject/nv2/pkg/signature/x509"
 	"github.com/urfave/cli/v2"
 )
 
 const signerID = "nv2"
 
-var signCommand = &cli.Command{
+// SignCommand defines sign command
+var SignCommand = &cli.Command{
 	Name:      "sign",
 	Usage:     "signs OCI Artifacts",
 	ArgsUsage: "[<scheme://reference>]",
@@ -36,25 +38,17 @@ var signCommand = &cli.Command{
 			Usage:     "signing cert [x509]",
 			TakesFile: true,
 		},
-		&cli.DurationFlag{
-			Name:    "expiry",
-			Aliases: []string{"e"},
-			Usage:   "expire duration",
-		},
 		&cli.StringSliceFlag{
 			Name:    "reference",
 			Aliases: []string{"r"},
 			Usage:   "original references",
 		},
-		&cli.StringFlag{
-			Name:    "output",
-			Aliases: []string{"o"},
-			Usage:   "write signature to a specific path",
-		},
-		usernameFlag,
-		passwordFlag,
-		insecureFlag,
-		mediaTypeFlag,
+		common.ExpiryFlag,
+		common.OutputFlag,
+		common.MediaTypeFlag,
+		common.UsernameFlag,
+		common.PasswordFlag,
+		common.InsecureFlag,
 	},
 	Action: runSign,
 }
@@ -77,7 +71,7 @@ func runSign(ctx *cli.Context) error {
 	}
 
 	// write out
-	path := ctx.String("output")
+	path := ctx.String(common.OutputFlag.Name)
 	if path == "" {
 		path = strings.Split(claims.Manifest.Digest, ":")[1] + ".nv2"
 	}
@@ -90,18 +84,20 @@ func runSign(ctx *cli.Context) error {
 }
 
 func prepareClaimsForSigning(ctx *cli.Context) (signature.Claims, error) {
-	manifest, err := getManifestFromContext(ctx)
+	manifest, err := common.GetManifestFromContext(ctx)
 	if err != nil {
 		return signature.Claims{}, err
 	}
-	manifest.References = ctx.StringSlice("reference")
 	now := time.Now()
 	nowUnix := now.Unix()
 	claims := signature.Claims{
-		Manifest: manifest,
+		Manifest: signature.Manifest{
+			Descriptor: signature.DescriptorFromReference(manifest.Descriptor),
+			References: ctx.StringSlice("reference"),
+		},
 		IssuedAt: nowUnix,
 	}
-	if expiry := ctx.Duration("expiry"); expiry != 0 {
+	if expiry := ctx.Duration(common.ExpiryFlag.Name); expiry != 0 {
 		claims.NotBefore = nowUnix
 		claims.Expiration = now.Add(expiry).Unix()
 	}