From 1e768d73398f704b66a45b84b2ebae67f30cb1e4 Mon Sep 17 00:00:00 2001 From: Jake Sanders Date: Thu, 7 Oct 2021 15:50:44 -0700 Subject: [PATCH] make `COSIGN_REPOSITORY` use explicit again Signed-off-by: Jake Sanders --- cmd/cosign/cli/attach/sig.go | 10 ++- cmd/cosign/cli/attest/attest.go | 10 ++- cmd/cosign/cli/download/sbom.go | 12 ++- cmd/cosign/cli/download/signature.go | 6 +- cmd/cosign/cli/generate/generate.go | 6 +- cmd/cosign/cli/options/registry.go | 13 ++- cmd/cosign/cli/sign/sign.go | 21 +++-- cmd/cosign/cli/triangulate/triangulate.go | 12 ++- cmd/cosign/cli/verify/verify.go | 9 +- cmd/cosign/cli/verify/verify_attestation.go | 7 +- pkg/oci/remote/digest.go | 5 +- pkg/oci/remote/image.go | 5 +- pkg/oci/remote/index.go | 5 +- pkg/oci/remote/options.go | 27 +++--- pkg/oci/remote/options_test.go | 93 +++++++++++++++------ pkg/oci/remote/remote.go | 20 +---- pkg/oci/remote/remote_test.go | 46 +++------- pkg/oci/remote/signatures.go | 5 +- pkg/oci/remote/write.go | 10 +-- 19 files changed, 181 insertions(+), 141 deletions(-) diff --git a/cmd/cosign/cli/attach/sig.go b/cmd/cosign/cli/attach/sig.go index 13791ab66561..64ca0330d779 100644 --- a/cmd/cosign/cli/attach/sig.go +++ b/cmd/cosign/cli/attach/sig.go @@ -43,7 +43,11 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, if err != nil { return err } - digest, err := ociremote.ResolveDigest(ref, regOpts.ClientOpts(ctx)...) + ociremoteOpts, err := regOpts.ClientOpts(ctx) + if err != nil { + return err + } + digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...) if err != nil { return err } @@ -67,7 +71,7 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, return err } - se, err := ociremote.SignedEntity(digest, regOpts.ClientOpts(ctx)...) + se, err := ociremote.SignedEntity(digest, ociremoteOpts...) if err != nil { return err } @@ -79,7 +83,7 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, } // Publish the signatures associated with this entity - return ociremote.WriteSignatures(digest.Repository, newSE, regOpts.ClientOpts(ctx)...) + return ociremote.WriteSignatures(digest.Repository, newSE, ociremoteOpts...) } type SignatureArgType uint8 diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go index e1daad18487d..a84a4fb22daf 100644 --- a/cmd/cosign/cli/attest/attest.go +++ b/cmd/cosign/cli/attest/attest.go @@ -86,7 +86,11 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt if err != nil { return errors.Wrap(err, "parsing reference") } - digest, err := ociremote.ResolveDigest(ref, regOpts.ClientOpts(ctx)...) + ociremoteOpts, err := regOpts.ClientOpts(ctx) + if err != nil { + return err + } + digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...) if err != nil { return err } @@ -151,7 +155,7 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt return err } - se, err := ociremote.SignedEntity(digest, regOpts.ClientOpts(ctx)...) + se, err := ociremote.SignedEntity(digest, ociremoteOpts...) if err != nil { return err } @@ -163,5 +167,5 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt } // Publish the attestations associated with this entity - return ociremote.WriteAttestations(digest.Repository, newSE, regOpts.ClientOpts(ctx)...) + return ociremote.WriteAttestations(digest.Repository, newSE, ociremoteOpts...) } diff --git a/cmd/cosign/cli/download/sbom.go b/cmd/cosign/cli/download/sbom.go index c813fcfe77d5..eb362a9624a1 100644 --- a/cmd/cosign/cli/download/sbom.go +++ b/cmd/cosign/cli/download/sbom.go @@ -23,7 +23,7 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/sigstore/cosign/cmd/cosign/cli/options" - "github.com/sigstore/cosign/pkg/oci/remote" + ociremote "github.com/sigstore/cosign/pkg/oci/remote" ) func SBOMCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef string, out io.Writer) ([]string, error) { @@ -32,12 +32,16 @@ func SBOMCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef stri return nil, err } - opts := append(regOpts.ClientOpts(ctx), + ociremoteOpts, err := regOpts.ClientOpts(ctx) + if err != nil { + return nil, err + } + ociremoteOpts = append(ociremoteOpts, // TODO(mattmoor): This isn't really "signatures", consider shifting to // an SBOMs accessor? - remote.WithSignatureSuffix(remote.SBOMTagSuffix)) + ociremote.WithSignatureSuffix(ociremote.SBOMTagSuffix)) - se, err := remote.SignedEntity(ref, opts...) + se, err := ociremote.SignedEntity(ref, ociremoteOpts...) if err != nil { return nil, err } diff --git a/cmd/cosign/cli/download/signature.go b/cmd/cosign/cli/download/signature.go index f04bfe2ab353..62b117cb26fb 100644 --- a/cmd/cosign/cli/download/signature.go +++ b/cmd/cosign/cli/download/signature.go @@ -30,7 +30,11 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef if err != nil { return err } - signatures, err := cosign.FetchSignaturesForReference(ctx, ref, regOpts.ClientOpts(ctx)...) + ociremoteOpts, err := regOpts.ClientOpts(ctx) + if err != nil { + return err + } + signatures, err := cosign.FetchSignaturesForReference(ctx, ref, ociremoteOpts...) if err != nil { return err } diff --git a/cmd/cosign/cli/generate/generate.go b/cmd/cosign/cli/generate/generate.go index a7897e00dc55..3ad6f29eefb9 100644 --- a/cmd/cosign/cli/generate/generate.go +++ b/cmd/cosign/cli/generate/generate.go @@ -32,7 +32,11 @@ func GenerateCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef if err != nil { return err } - digest, err := ociremote.ResolveDigest(ref, regOpts.ClientOpts(ctx)...) + ociremoteOpts, err := regOpts.ClientOpts(ctx) + if err != nil { + return err + } + digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...) if err != nil { return err } diff --git a/cmd/cosign/cli/options/registry.go b/cmd/cosign/cli/options/registry.go index 5e15c461a66e..afc523390ab8 100644 --- a/cmd/cosign/cli/options/registry.go +++ b/cmd/cosign/cli/options/registry.go @@ -1,4 +1,3 @@ -// // Copyright 2021 The Sigstore Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); @@ -20,6 +19,7 @@ import ( "crypto/tls" "net/http" + "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" ociremote "github.com/sigstore/cosign/pkg/oci/remote" "github.com/spf13/cobra" @@ -40,12 +40,19 @@ func (o *RegistryOptions) AddFlags(cmd *cobra.Command) { o.RefOpts.AddFlags(cmd) } -func (o *RegistryOptions) ClientOpts(ctx context.Context) []ociremote.Option { +func (o *RegistryOptions) ClientOpts(ctx context.Context) ([]ociremote.Option, error) { opts := []ociremote.Option{ociremote.WithRemoteOptions(o.GetRegistryClientOpts(ctx)...)} if o.RefOpts.TagPrefix != "" { opts = append(opts, ociremote.WithPrefix(o.RefOpts.TagPrefix)) } - return opts + targetRepoOverride, err := ociremote.GetEnvTargetRepository() + if err != nil { + return nil, err + } + if (targetRepoOverride != name.Repository{}) { + opts = append(opts, ociremote.WithTargetRepository(targetRepoOverride)) + } + return opts, nil } func (o *RegistryOptions) GetRegistryClientOpts(ctx context.Context) []remote.Option { diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index 15be622b3d0e..2be762b7bf45 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -110,12 +110,12 @@ func UploadToTlog(ctx context.Context, sv *CertSignVerifier, rekorURL string, up return Bundle(entry), nil } -func GetAttachedImageRef(ref name.Reference, attachment string, remoteOpts ...remote.Option) (name.Reference, error) { +func GetAttachedImageRef(ref name.Reference, attachment string, opts ...ociremote.Option) (name.Reference, error) { if attachment == "" { return ref, nil } if attachment == "sbom" { - return ociremote.SBOMTag(ref, ociremote.WithRemoteOptions(remoteOpts...)) + return ociremote.SBOMTag(ref, opts...) } return nil, fmt.Errorf("unknown attachment type %s", attachment) } @@ -133,8 +133,6 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, a } } - remoteOpts := regOpts.GetRegistryClientOpts(ctx) - sv, err := SignerFromKeyOpts(ctx, certPath, ko) if err != nil { return errors.Wrap(err, "getting signer") @@ -161,12 +159,16 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, a if err != nil { return errors.Wrap(err, "parsing reference") } - ref, err = GetAttachedImageRef(ref, attachment, remoteOpts...) + opts, err := regOpts.ClientOpts(ctx) + if err != nil { + return errors.Wrap(err, "constructing client options") + } + ref, err = GetAttachedImageRef(ref, attachment, opts...) if err != nil { return fmt.Errorf("unable to resolve attachment %s for image %s", attachment, inputImg) } - se, err := ociremote.SignedEntity(ref, regOpts.ClientOpts(ctx)...) + se, err := ociremote.SignedEntity(ref, opts...) if err != nil { return err } @@ -232,8 +234,13 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, a return err } + walkOpts, err := regOpts.ClientOpts(ctx) + if err != nil { + return errors.Wrap(err, "constructing client options") + } + // Publish the signatures associated with this entity - if err := ociremote.WriteSignatures(digest.Repository, newSE, regOpts.ClientOpts(ctx)...); err != nil { + if err := ociremote.WriteSignatures(digest.Repository, newSE, walkOpts...); err != nil { return err } return ErrDone diff --git a/cmd/cosign/cli/triangulate/triangulate.go b/cmd/cosign/cli/triangulate/triangulate.go index f0b88e37b8c5..b223d128518a 100644 --- a/cmd/cosign/cli/triangulate/triangulate.go +++ b/cmd/cosign/cli/triangulate/triangulate.go @@ -20,6 +20,7 @@ import ( "fmt" "github.com/google/go-containerregistry/pkg/name" + "github.com/pkg/errors" "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/pkg/cosign" ociremote "github.com/sigstore/cosign/pkg/oci/remote" @@ -31,14 +32,19 @@ func MungeCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef str return err } + ociremoteOpts, err := regOpts.ClientOpts(ctx) + if err != nil { + return errors.Wrap(err, "constructing client options") + } + var dstRef name.Tag switch attachmentType { case cosign.Signature: - dstRef, err = ociremote.SignatureTag(ref, regOpts.ClientOpts(ctx)...) + dstRef, err = ociremote.SignatureTag(ref, ociremoteOpts...) case cosign.SBOM: - dstRef, err = ociremote.SBOMTag(ref, regOpts.ClientOpts(ctx)...) + dstRef, err = ociremote.SBOMTag(ref, ociremoteOpts...) case cosign.Attestation: - dstRef, err = ociremote.AttestationTag(ref, regOpts.ClientOpts(ctx)...) + dstRef, err = ociremote.AttestationTag(ref, ociremoteOpts...) default: err = fmt.Errorf("unknown attachment type %s", attachmentType) } diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go index df2c90394e0e..23d1b5cdc01f 100644 --- a/cmd/cosign/cli/verify/verify.go +++ b/cmd/cosign/cli/verify/verify.go @@ -68,10 +68,13 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { if !options.OneOf(c.KeyRef, c.Sk) && !options.EnableExperimental() { return &options.KeyParseError{} } - + ociremoteOpts, err := c.ClientOpts(ctx) + if err != nil { + return errors.Wrap(err, "constructing client options") + } co := &cosign.CheckOpts{ Annotations: c.Annotations.Annotations, - RegistryClientOpts: c.RegistryOptions.ClientOpts(ctx), + RegistryClientOpts: ociremoteOpts, CertEmail: c.CertEmail, } if c.CheckClaims { @@ -108,7 +111,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { if err != nil { return errors.Wrap(err, "parsing reference") } - ref, err = sign.GetAttachedImageRef(ref, c.Attachment, c.RegistryOptions.GetRegistryClientOpts(ctx)...) + ref, err = sign.GetAttachedImageRef(ref, c.Attachment, ociremoteOpts...) if err != nil { return errors.Wrapf(err, "resolving attachment type %s for image %s", c.Attachment, img) } diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go index 008e5a59d1ea..e87a70c68ff0 100644 --- a/cmd/cosign/cli/verify/verify_attestation.go +++ b/cmd/cosign/cli/verify/verify_attestation.go @@ -66,8 +66,13 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e return &options.KeyParseError{} } + ociremoteOpts, err := c.ClientOpts(ctx) + if err != nil { + return errors.Wrap(err, "constructing client options") + } + co := &cosign.CheckOpts{ - RegistryClientOpts: c.ClientOpts(ctx), + RegistryClientOpts: ociremoteOpts, } if c.CheckClaims { co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier diff --git a/pkg/oci/remote/digest.go b/pkg/oci/remote/digest.go index 5b58b126c955..204f2ba675d0 100644 --- a/pkg/oci/remote/digest.go +++ b/pkg/oci/remote/digest.go @@ -23,10 +23,7 @@ import ( // If the reference is by digest already, it simply extracts the digest. // Otherwise, it looks up the digest from the registry. func ResolveDigest(ref name.Reference, opts ...Option) (name.Digest, error) { - o, err := makeOptions(ref.Context(), opts...) - if err != nil { - return name.Digest{}, err - } + o := makeOptions(ref.Context(), opts...) if d, ok := ref.(name.Digest); ok { return d, nil } diff --git a/pkg/oci/remote/image.go b/pkg/oci/remote/image.go index c925f8761e30..887ee97959eb 100644 --- a/pkg/oci/remote/image.go +++ b/pkg/oci/remote/image.go @@ -23,10 +23,7 @@ import ( // SignedImage provides access to a remote image reference, and its signatures. func SignedImage(ref name.Reference, options ...Option) (oci.SignedImage, error) { - o, err := makeOptions(ref.Context(), options...) - if err != nil { - return nil, err - } + o := makeOptions(ref.Context(), options...) ri, err := remoteImage(ref, o.ROpt...) if err != nil { return nil, err diff --git a/pkg/oci/remote/index.go b/pkg/oci/remote/index.go index 2032d2960ed0..245511561885 100644 --- a/pkg/oci/remote/index.go +++ b/pkg/oci/remote/index.go @@ -23,10 +23,7 @@ import ( // SignedImageIndex provides access to a remote index reference, and its signatures. func SignedImageIndex(ref name.Reference, options ...Option) (oci.SignedImageIndex, error) { - o, err := makeOptions(ref.Context(), options...) - if err != nil { - return nil, err - } + o := makeOptions(ref.Context(), options...) ri, err := remoteIndex(ref, o.ROpt...) if err != nil { return nil, err diff --git a/pkg/oci/remote/options.go b/pkg/oci/remote/options.go index e906e60024d0..f807eb432641 100644 --- a/pkg/oci/remote/options.go +++ b/pkg/oci/remote/options.go @@ -21,6 +21,7 @@ import ( "github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" + "github.com/pkg/errors" ) const ( @@ -29,7 +30,7 @@ const ( AttestationTagSuffix = "att" CustomTagPrefix = "" - RepoOverrideKey = "COSIGN_REPOSITORY" + RepoOverrideEnvKey = "COSIGN_REPOSITORY" ) // Option is a functional option for remote operations. @@ -51,7 +52,7 @@ var defaultOptions = []remote.Option{ // TODO(mattmoor): Incorporate user agent. } -func makeOptions(target name.Repository, opts ...Option) (*options, error) { +func makeOptions(target name.Repository, opts ...Option) *options { o := &options{ SignatureSuffix: SignatureTagSuffix, AttestationSuffix: AttestationTagSuffix, @@ -65,20 +66,11 @@ func makeOptions(target name.Repository, opts ...Option) (*options, error) { OriginalOptions: opts, } - // Before applying options, allow the environment to override things. - if ro := os.Getenv(RepoOverrideKey); ro != "" { - repo, err := name.NewRepository(ro) - if err != nil { - return nil, err - } - o.TargetRepository = repo - } - for _, option := range opts { option(o) } - return o, nil + return o } // WithPrefix is a functional option for overriding the default @@ -128,3 +120,14 @@ func WithTargetRepository(repo name.Repository) Option { o.TargetRepository = repo } } + +// GetEnvTargetRepository returns the Repository specified by +// `os.Getenv(RepoOverrideEnvKey)`, or the empty value if not set. +// Returns an error if the value is set but cannot be parsed. +func GetEnvTargetRepository() (name.Repository, error) { + if ro := os.Getenv(RepoOverrideEnvKey); ro != "" { + repo, err := name.NewRepository(ro) + return repo, errors.Wrap(err, "parsing $"+RepoOverrideEnvKey) + } + return name.Repository{}, nil +} diff --git a/pkg/oci/remote/options_test.go b/pkg/oci/remote/options_test.go index a9fcc5561df9..0d708f78ec29 100644 --- a/pkg/oci/remote/options_test.go +++ b/pkg/oci/remote/options_test.go @@ -23,13 +23,10 @@ import ( "github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" + "github.com/pkg/errors" ) func TestOptions(t *testing.T) { - ev := os.Getenv(RepoOverrideKey) - defer os.Setenv(RepoOverrideKey, ev) - os.Setenv(RepoOverrideKey, "gcr.io/distroless") - repo, err := name.NewRepository("gcr.io/projectsigstore") if err != nil { t.Errorf("NewRepository() = %v", err) @@ -40,11 +37,6 @@ func TestOptions(t *testing.T) { t.Errorf("NewRepository() = %v", err) } - otherRepo, err := name.NewRepository("ghcr.io/distroful") - if err != nil { - t.Errorf("NewRepository() = %v", err) - } - otherROpt := []remote.Option{ remote.WithAuthFromKeychain(authn.DefaultKeychain), // TODO(mattmoor): Incorporate user agent. @@ -60,47 +52,47 @@ func TestOptions(t *testing.T) { SignatureSuffix: SignatureTagSuffix, AttestationSuffix: AttestationTagSuffix, SBOMSuffix: SBOMTagSuffix, - TargetRepository: overrideRepo, + TargetRepository: repo, ROpt: defaultOptions, }, }, { name: "signature option", - opts: []Option{WithSignatureSuffix(".pig")}, + opts: []Option{WithSignatureSuffix("pig")}, want: &options{ - SignatureSuffix: ".pig", + SignatureSuffix: "pig", AttestationSuffix: AttestationTagSuffix, SBOMSuffix: SBOMTagSuffix, - TargetRepository: overrideRepo, + TargetRepository: repo, ROpt: defaultOptions, }, }, { name: "attestation option", - opts: []Option{WithAttestationSuffix(".pig")}, + opts: []Option{WithAttestationSuffix("pig")}, want: &options{ SignatureSuffix: SignatureTagSuffix, - AttestationSuffix: ".pig", + AttestationSuffix: "pig", SBOMSuffix: SBOMTagSuffix, - TargetRepository: overrideRepo, + TargetRepository: repo, ROpt: defaultOptions, }, }, { name: "sbom option", - opts: []Option{WithSBOMSuffix(".pig")}, + opts: []Option{WithSBOMSuffix("pig")}, want: &options{ SignatureSuffix: SignatureTagSuffix, AttestationSuffix: AttestationTagSuffix, - SBOMSuffix: ".pig", - TargetRepository: overrideRepo, + SBOMSuffix: "pig", + TargetRepository: repo, ROpt: defaultOptions, }, }, { name: "target repo option", - opts: []Option{WithTargetRepository(otherRepo)}, + opts: []Option{WithTargetRepository(overrideRepo)}, want: &options{ SignatureSuffix: SignatureTagSuffix, AttestationSuffix: AttestationTagSuffix, SBOMSuffix: SBOMTagSuffix, - TargetRepository: otherRepo, + TargetRepository: overrideRepo, ROpt: defaultOptions, }, }, { @@ -110,17 +102,14 @@ func TestOptions(t *testing.T) { SignatureSuffix: SignatureTagSuffix, AttestationSuffix: AttestationTagSuffix, SBOMSuffix: SBOMTagSuffix, - TargetRepository: overrideRepo, + TargetRepository: repo, ROpt: otherROpt, }, }} for _, test := range tests { t.Run(test.name, func(t *testing.T) { - got, err := makeOptions(repo, test.opts...) - if err != nil { - t.Fatalf("makeOptions() = %v", err) - } + got := makeOptions(repo, test.opts...) test.want.OriginalOptions = test.opts if !reflect.DeepEqual(got, test.want) { @@ -129,3 +118,55 @@ func TestOptions(t *testing.T) { }) } } + +func TestGetEnvTargetRepository(t *testing.T) { + tests := []struct { + desc string + + envVal string + + want name.Repository + wantErr error + }{ + { + desc: "good", + + envVal: "gcr.io/distroless", + + want: name.MustParseReference("gcr.io/distroless").Context(), + }, + { + desc: "bad", + + envVal: "bad$repo", + wantErr: errors.New("parsing $COSIGN_REPOSITORY: repository can only contain the runes `abcdefghijklmnopqrstuvwxyz0123456789_-./`: bad$repo"), + }, + { + desc: "empty", + + envVal: "", + want: name.Repository{}, + }, + } + + for _, tc := range tests { + t.Run(tc.desc, func(t *testing.T) { + ev := os.Getenv(RepoOverrideEnvKey) + defer os.Setenv(RepoOverrideEnvKey, ev) + os.Setenv(RepoOverrideEnvKey, tc.envVal) + + got, err := GetEnvTargetRepository() + + if !errors.Is(err, tc.wantErr) { + if tc.wantErr == nil || err == nil || tc.wantErr.Error() != err.Error() { + t.Fatalf("GetEnvTargetRepository() returned error %v, wanted %v", err, tc.wantErr) + } + return + } + + if tc.want != got { + t.Errorf("GetEnvTargetRepository() returned %#v, wanted %#v", got, tc.want) + } + }) + } +} diff --git a/pkg/oci/remote/remote.go b/pkg/oci/remote/remote.go index 2c007f95b7da..68b780eda718 100644 --- a/pkg/oci/remote/remote.go +++ b/pkg/oci/remote/remote.go @@ -43,10 +43,7 @@ var ( // SignedEntity provides access to a remote reference, and its signatures. // The SignedEntity will be one of SignedImage or SignedImageIndex. func SignedEntity(ref name.Reference, options ...Option) (oci.SignedEntity, error) { - o, err := makeOptions(ref.Context(), options...) - if err != nil { - return nil, err - } + o := makeOptions(ref.Context(), options...) got, err := remoteGet(ref, o.ROpt...) if err != nil { @@ -91,28 +88,19 @@ func normalize(h v1.Hash, prefix string, suffix string) string { // SignatureTag returns the name.Tag that associated signatures with a particular digest. func SignatureTag(ref name.Reference, opts ...Option) (name.Tag, error) { - o, err := makeOptions(ref.Context(), opts...) - if err != nil { - return name.Tag{}, err - } + o := makeOptions(ref.Context(), opts...) return suffixTag(ref, o.SignatureSuffix, o) } // AttestationTag returns the name.Tag that associated attestations with a particular digest. func AttestationTag(ref name.Reference, opts ...Option) (name.Tag, error) { - o, err := makeOptions(ref.Context(), opts...) - if err != nil { - return name.Tag{}, err - } + o := makeOptions(ref.Context(), opts...) return suffixTag(ref, o.AttestationSuffix, o) } // SBOMTag returns the name.Tag that associated SBOMs with a particular digest. func SBOMTag(ref name.Reference, opts ...Option) (name.Tag, error) { - o, err := makeOptions(ref.Context(), opts...) - if err != nil { - return name.Tag{}, err - } + o := makeOptions(ref.Context(), opts...) return suffixTag(ref, o.SBOMSuffix, o) } diff --git a/pkg/oci/remote/remote_test.go b/pkg/oci/remote/remote_test.go index 434d46af2600..b070d8c518bd 100644 --- a/pkg/oci/remote/remote_test.go +++ b/pkg/oci/remote/remote_test.go @@ -17,7 +17,6 @@ package remote import ( "encoding/base64" - "os" "testing" "github.com/google/go-containerregistry/pkg/name" @@ -139,42 +138,21 @@ func TestTagMethodErrors(t *testing.T) { } tests := []struct { - name string - setenv bool - fn func(name.Reference, ...Option) (name.Tag, error) - ref name.Reference - want error - }{{ - name: "signature passed a tag", - fn: SignatureTag, - ref: name.MustParseReference("gcr.io/distroless/static:nonroot"), - want: errRemoteGet, - }, { - name: "signature with bad target env var", - fn: SignatureTag, - setenv: true, - ref: name.MustParseReference("gcr.io/distroless/static:nonroot"), - want: errors.New("repository can only contain the runes `abcdefghijklmnopqrstuvwxyz0123456789_-./`: bad$repo"), - }, { - name: "attestation with bad target env var", - fn: AttestationTag, - setenv: true, - ref: name.MustParseReference("gcr.io/distroless/static:nonroot"), - want: errors.New("repository can only contain the runes `abcdefghijklmnopqrstuvwxyz0123456789_-./`: bad$repo"), - }, { - name: "sbom with bad target env var", - fn: SBOMTag, - setenv: true, - ref: name.MustParseReference("gcr.io/distroless/static:nonroot"), - want: errors.New("repository can only contain the runes `abcdefghijklmnopqrstuvwxyz0123456789_-./`: bad$repo"), - }} + name string + fn func(name.Reference, ...Option) (name.Tag, error) + ref name.Reference + want error + }{ + { + name: "signature passed a tag", + fn: SignatureTag, + ref: name.MustParseReference("gcr.io/distroless/static:nonroot"), + want: errRemoteGet, + }, + } for _, test := range tests { t.Run(test.name, func(t *testing.T) { - if test.setenv { - os.Setenv(RepoOverrideKey, "bad$repo") - defer os.Unsetenv(RepoOverrideKey) - } tag, got := test.fn(test.ref) if got == nil { t.Fatalf("fn() = %v, wanted %v", tag, test.want) diff --git a/pkg/oci/remote/signatures.go b/pkg/oci/remote/signatures.go index 81b0b595bdac..e2b7000f46c9 100644 --- a/pkg/oci/remote/signatures.go +++ b/pkg/oci/remote/signatures.go @@ -29,10 +29,7 @@ import ( // Signatures fetches the signatures image represented by the named reference. // If the tag is not found, this returns an empty oci.Signatures. func Signatures(ref name.Reference, opts ...Option) (oci.Signatures, error) { - o, err := makeOptions(ref.Context(), opts...) - if err != nil { - return nil, err - } + o := makeOptions(ref.Context(), opts...) img, err := remoteImage(ref, o.ROpt...) var te *transport.Error if errors.As(err, &te) { diff --git a/pkg/oci/remote/write.go b/pkg/oci/remote/write.go index 4861902acb7c..3d6719077f97 100644 --- a/pkg/oci/remote/write.go +++ b/pkg/oci/remote/write.go @@ -23,10 +23,7 @@ import ( // WriteSignature publishes the signatures attached to the given entity // into the provided repository. func WriteSignatures(repo name.Repository, se oci.SignedEntity, opts ...Option) error { - o, err := makeOptions(repo, opts...) - if err != nil { - return err - } + o := makeOptions(repo, opts...) // Access the signature list to publish sigs, err := se.Signatures() @@ -48,10 +45,7 @@ func WriteSignatures(repo name.Repository, se oci.SignedEntity, opts ...Option) // WriteAttestations publishes the attestations attached to the given entity // into the provided repository. func WriteAttestations(repo name.Repository, se oci.SignedEntity, opts ...Option) error { - o, err := makeOptions(repo, opts...) - if err != nil { - return err - } + o := makeOptions(repo, opts...) // Access the signature list to publish atts, err := se.Attestations()