add -allow-insecure-registry flag to permit unsecured container reg…

…istries (#669) Signed-off-by: Jake Sanders <jsand@google.com>
sigstore · Sep 16, 2021 · cd781b5 · cd781b5
1 parent 5851fdd
commit cd781b5
Show file tree

Hide file tree

Showing 21 changed files with 158 additions and 98 deletions.
diff --git a/cmd/cosign/cli/attach/sbom.go b/cmd/cosign/cli/attach/sbom.go
@@ -44,7 +44,9 @@ func SBOM() *ffcli.Command {
 		flagset  = flag.NewFlagSet("cosign attach sbom", flag.ExitOnError)
 		sbom     = flagset.String("sbom", "", "path to the sbom, or {-} for stdin")
 		sbomType = flagset.String("type", "spdx", "type of sbom (spdx|cyclonedx), default spdx")
+		regOpts  cli.RegistryOpts
 	)
+	cli.ApplyRegistryFlags(&regOpts, flagset)
 	return &ffcli.Command{
 		Name:       "sbom",
 		ShortUsage: "cosign attach sbom <image uri>",
@@ -60,12 +62,12 @@ func SBOM() *ffcli.Command {
 				return flag.ErrHelp
 			}
 
-			return SBOMCmd(ctx, *sbom, mt, args[0])
+			return SBOMCmd(ctx, regOpts, *sbom, mt, args[0])
 		},
 	}
 }
 
-func SBOMCmd(ctx context.Context, sbomRef, sbomType, imageRef string) error {
+func SBOMCmd(ctx context.Context, regOpts cli.RegistryOpts, sbomRef, sbomType, imageRef string) error {
 	ref, err := name.ParseReference(imageRef)
 	if err != nil {
 		return err
@@ -76,13 +78,15 @@ func SBOMCmd(ctx context.Context, sbomRef, sbomType, imageRef string) error {
 		return err
 	}
 
-	dstRef, err := cli.AttachedImageTag(ctx, ref, cosign.SBOMTagSuffix)
+	remoteOpts := regOpts.GetRegistryClientOpts(ctx)
+
+	dstRef, err := cli.AttachedImageTag(ref, cosign.SBOMTagSuffix, remoteOpts...)
 	if err != nil {
 		return err
 	}
 
 	fmt.Fprintf(os.Stderr, "Uploading SBOM file for [%s] to [%s] with mediaType [%s].\n", ref.Name(), dstRef.Name(), sbomType)
-	if _, err := cremote.UploadFile(b, dstRef, types.MediaType(sbomType), types.OCIConfigJSON, cli.DefaultRegistryClientOpts(ctx)...); err != nil {
+	if _, err := cremote.UploadFile(b, dstRef, types.MediaType(sbomType), types.OCIConfigJSON, remoteOpts...); err != nil {
 		return err
 	}
 

diff --git a/cmd/cosign/cli/attach/sig.go b/cmd/cosign/cli/attach/sig.go
@@ -38,7 +38,9 @@ func Signature() *ffcli.Command {
 		flagset   = flag.NewFlagSet("cosign attach signature", flag.ExitOnError)
 		signature = flagset.String("signature", "", "the signature, path to the signature, or {-} for stdin")
 		payload   = flagset.String("payload", "", "path to the payload covered by the signature (if using another format)")
+		regOpts   cli.RegistryOpts
 	)
+	cli.ApplyRegistryFlags(&regOpts, flagset)
 	return &ffcli.Command{
 		Name:       "signature",
 		ShortUsage: "cosign attach signature <image uri>",
@@ -49,12 +51,12 @@ func Signature() *ffcli.Command {
 				return flag.ErrHelp
 			}
 
-			return SignatureCmd(ctx, *signature, *payload, args[0])
+			return SignatureCmd(ctx, regOpts, *signature, *payload, args[0])
 		},
 	}
 }
 
-func SignatureCmd(ctx context.Context, sigRef, payloadRef, imageRef string) error {
+func SignatureCmd(ctx context.Context, regOpts cli.RegistryOpts, sigRef, payloadRef, imageRef string) error {
 	b64SigBytes, err := signatureBytes(sigRef)
 	if err != nil {
 		return err
@@ -67,12 +69,14 @@ func SignatureCmd(ctx context.Context, sigRef, payloadRef, imageRef string) erro
 		return err
 	}
 
-	h, err := cli.Digest(ctx, ref)
+	remoteOpts := regOpts.GetRegistryClientOpts(ctx)
+
+	h, err := cli.Digest(ref, remoteOpts...)
 	if err != nil {
 		return err
 	}
 
-	dstRef, err := cli.AttachedImageTag(ctx, ref, cosign.SignatureTagSuffix)
+	dstRef, err := cli.AttachedImageTag(ref, cosign.SignatureTagSuffix, remoteOpts...)
 	if err != nil {
 		return err
 	}
@@ -93,8 +97,7 @@ func SignatureCmd(ctx context.Context, sigRef, payloadRef, imageRef string) erro
 	if err != nil {
 		return err
 	}
-	regClientOpts := cli.DefaultRegistryClientOpts(ctx)
-	if _, err := cremote.UploadSignature(sigBytes, payload, dstRef, cremote.UploadOpts{RemoteOpts: regClientOpts}); err != nil {
+	if _, err := cremote.UploadSignature(sigBytes, payload, dstRef, cremote.UploadOpts{RemoteOpts: remoteOpts}); err != nil {
 		return err
 	}
 	return nil

diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go
@@ -51,7 +51,9 @@ func Attest() *ffcli.Command {
 		force         = flagset.Bool("f", false, "skip warnings and confirmations")
 		idToken       = flagset.String("identity-token", "", "[EXPERIMENTAL] identity token to use for certificate from fulcio")
 		predicateType = flagset.String("type", "custom", "specify predicate type (default: custom) (slsaprovenance|link|spdx)")
+		regOpts       RegistryOpts
 	)
+	ApplyRegistryFlags(&regOpts, flagset)
 	return &ffcli.Command{
 		Name:       "attest",
 		ShortUsage: "cosign attest -key <key path>|<kms uri> [-predicate <path>] [-a key=value] [-upload=true|false] [-f] [-r] <image uri>",
@@ -94,7 +96,7 @@ EXAMPLES
 				IDToken:  *idToken,
 			}
 			for _, img := range args {
-				if err := AttestCmd(ctx, ko, img, *cert, *upload, *predicatePath, *force, *predicateType); err != nil {
+				if err := AttestCmd(ctx, ko, regOpts, img, *cert, *upload, *predicatePath, *force, *predicateType); err != nil {
 					return errors.Wrapf(err, "signing %s", img)
 				}
 			}
@@ -117,7 +119,7 @@ var predicateTypeMap = map[string]string{
 	predicateLink:   in_toto.PredicateLinkV1,
 }
 
-func AttestCmd(ctx context.Context, ko KeyOpts, imageRef string, certPath string,
+func AttestCmd(ctx context.Context, ko KeyOpts, regOpts RegistryOpts, imageRef string, certPath string,
 	upload bool, predicatePath string, force bool, predicateType string) error {
 	// A key file or token is required unless we're in experimental mode!
 	if EnableExperimental() {
@@ -135,13 +137,13 @@ func AttestCmd(ctx context.Context, ko KeyOpts, imageRef string, certPath string
 		return fmt.Errorf("invalid predicate type: %s", predicateType)
 	}
 
-	remoteOpts := DefaultRegistryClientOpts(ctx)
+	remoteOpts := regOpts.GetRegistryClientOpts(ctx)
 
 	ref, err := name.ParseReference(imageRef)
 	if err != nil {
 		return errors.Wrap(err, "parsing reference")
 	}
-	h, err := Digest(ctx, ref)
+	h, err := Digest(ref, remoteOpts...)
 	if err != nil {
 		return err
 	}
@@ -178,7 +180,7 @@ func AttestCmd(ctx context.Context, ko KeyOpts, imageRef string, certPath string
 		return nil
 	}
 
-	attRef, err := AttachedImageTag(ctx, ref, cosign.AttestationTagSuffix)
+	attRef, err := AttachedImageTag(ref, cosign.AttestationTagSuffix, remoteOpts...)
 	if err != nil {
 		return err
 	}

diff --git a/cmd/cosign/cli/clean.go b/cmd/cosign/cli/clean.go
@@ -31,8 +31,9 @@ import (
 func Clean() *ffcli.Command {
 	var (
 		flagset = flag.NewFlagSet("cosign clean", flag.ExitOnError)
+		regOpts RegistryOpts
 	)
-
+	ApplyRegistryFlags(&regOpts, flagset)
 	return &ffcli.Command{
 		Name:       "clean",
 		ShortUsage: "cosign clean <image uri>",
@@ -43,26 +44,27 @@ func Clean() *ffcli.Command {
 				return flag.ErrHelp
 			}
 
-			return CleanCmd(ctx, args[0])
+			return CleanCmd(ctx, regOpts, args[0])
 		},
 	}
 }
 
-func CleanCmd(ctx context.Context, imageRef string) error {
+func CleanCmd(ctx context.Context, regOpts RegistryOpts, imageRef string) error {
 	ref, err := name.ParseReference(imageRef)
 	if err != nil {
 		return err
 	}
 
-	sigRef, err := AttachedImageTag(ctx, ref, cosign.SignatureTagSuffix)
+	remoteOpts := regOpts.GetRegistryClientOpts(ctx)
+	sigRef, err := AttachedImageTag(ref, cosign.SignatureTagSuffix, remoteOpts...)
 	if err != nil {
 		return err
 	}
 	fmt.Println(sigRef)
 
 	fmt.Fprintln(os.Stderr, "Deleting signature metadata...")
 
-	err = remote.Delete(sigRef, DefaultRegistryClientOpts(ctx)...)
+	err = remote.Delete(sigRef, remoteOpts...)
 	if err != nil {
 		return err
 	}

diff --git a/cmd/cosign/cli/copy.go b/cmd/cosign/cli/copy.go
@@ -32,7 +32,9 @@ func Copy() *ffcli.Command {
 		flagset     = flag.NewFlagSet("cosign copy", flag.ExitOnError)
 		sigOnlyFlag = flagset.Bool("sig-only", false, "only copy the image signature")
 		forceFlag   = flagset.Bool("f", false, "overwrite destination image(s), if necessary")
+		regOpts     RegistryOpts
 	)
+	ApplyRegistryFlags(&regOpts, flagset)
 	return &ffcli.Command{
 		Name:       "copy",
 		ShortUsage: "cosign copy <source image> <destination image>",
@@ -54,12 +56,12 @@ EXAMPLES
 			if len(args) != 2 {
 				return flag.ErrHelp
 			}
-			return CopyCmd(ctx, args[0], args[1], *sigOnlyFlag, *forceFlag)
+			return CopyCmd(ctx, regOpts, args[0], args[1], *sigOnlyFlag, *forceFlag)
 		},
 	}
 }
 
-func CopyCmd(ctx context.Context, srcImg, dstImg string, sigOnly, force bool) error {
+func CopyCmd(ctx context.Context, regOpts RegistryOpts, srcImg, dstImg string, sigOnly, force bool) error {
 	srcRef, err := name.ParseReference(srcImg)
 	if err != nil {
 		return err
@@ -69,21 +71,20 @@ func CopyCmd(ctx context.Context, srcImg, dstImg string, sigOnly, force bool) er
 		return err
 	}
 
-	sigSrcRef, err := AttachedImageTag(ctx, srcRef, cosign.SignatureTagSuffix)
+	remoteOpts := regOpts.GetRegistryClientOpts(ctx)
+	sigSrcRef, err := AttachedImageTag(srcRef, cosign.SignatureTagSuffix, remoteOpts...)
 	if err != nil {
 		return err
 	}
 
 	dstRepoRef := dstRef.Context()
 	sigDstRef := dstRepoRef.Tag(sigSrcRef.Identifier())
-
-	regClientOpts := DefaultRegistryClientOpts(ctx)
-	if err := copyImage(sigSrcRef, sigDstRef, force, regClientOpts...); err != nil {
+	if err := copyImage(sigSrcRef, sigDstRef, force, remoteOpts...); err != nil {
 		return err
 	}
 
 	if !sigOnly {
-		if err := copyImage(srcRef, dstRef, force, regClientOpts...); err != nil {
+		if err := copyImage(srcRef, dstRef, force, remoteOpts...); err != nil {
 			return err
 		}
 	}

diff --git a/cmd/cosign/cli/digest.go b/cmd/cosign/cli/digest.go
@@ -15,8 +15,6 @@
 package cli
 
 import (
-	"context"
-
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
@@ -26,11 +24,11 @@ import (
 //
 // If the reference is by digest already, it simply extracts the digest.
 // Otherwise, it looks up the digest from the registry.
-func Digest(ctx context.Context, ref name.Reference) (v1.Hash, error) {
+func Digest(ref name.Reference, remoteOpts ...remote.Option) (v1.Hash, error) {
 	if d, ok := ref.(name.Digest); ok {
 		return v1.NewHash(d.DigestStr())
 	}
-	desc, err := remote.Get(ref, DefaultRegistryClientOpts(ctx)...)
+	desc, err := remote.Get(ref, remoteOpts...)
 	if err != nil {
 		return v1.Hash{}, err
 	}

diff --git a/cmd/cosign/cli/download/sbom.go b/cmd/cosign/cli/download/sbom.go
@@ -34,7 +34,9 @@ import (
 func SBOM() *ffcli.Command {
 	var (
 		flagset = flag.NewFlagSet("cosign download sbom", flag.ExitOnError)
+		regOpts cli.RegistryOpts
 	)
+	cli.ApplyRegistryFlags(&regOpts, flagset)
 	return &ffcli.Command{
 		Name:       "sbom",
 		ShortUsage: "cosign download sbom <image uri>",
@@ -44,23 +46,25 @@ func SBOM() *ffcli.Command {
 			if len(args) != 1 {
 				return flag.ErrHelp
 			}
-			_, err := SBOMCmd(ctx, args[0], os.Stdout)
+			_, err := SBOMCmd(ctx, regOpts, args[0], os.Stdout)
 			return err
 		},
 	}
 }
 
-func SBOMCmd(ctx context.Context, imageRef string, out io.Writer) ([]string, error) {
+func SBOMCmd(ctx context.Context, regOpts cli.RegistryOpts, imageRef string, out io.Writer) ([]string, error) {
 	ref, err := name.ParseReference(imageRef)
 	if err != nil {
 		return nil, err
 	}
 
-	dstRef, err := cli.AttachedImageTag(ctx, ref, cosign.SBOMTagSuffix)
+	remoteOpts := regOpts.GetRegistryClientOpts(ctx)
+
+	dstRef, err := cli.AttachedImageTag(ref, cosign.SBOMTagSuffix, remoteOpts...)
 	if err != nil {
 		return nil, err
 	}
-	img, err := remote.Image(dstRef, cli.DefaultRegistryClientOpts(ctx)...)
+	img, err := remote.Image(dstRef, remoteOpts...)
 	if err != nil {
 		return nil, err
 	}

diff --git a/cmd/cosign/cli/download/signature.go b/cmd/cosign/cli/download/signature.go
@@ -31,7 +31,9 @@ import (
 func Signature() *ffcli.Command {
 	var (
 		flagset = flag.NewFlagSet("cosign download signature", flag.ExitOnError)
+		regOpts cli.RegistryOpts
 	)
+	cli.ApplyRegistryFlags(&regOpts, flagset)
 	return &ffcli.Command{
 		Name:       "signature",
 		ShortUsage: "cosign download signature <image uri>",
@@ -41,12 +43,12 @@ func Signature() *ffcli.Command {
 			if len(args) != 1 {
 				return flag.ErrHelp
 			}
-			return SignatureCmd(ctx, args[0])
+			return SignatureCmd(ctx, regOpts, args[0])
 		},
 	}
 }
 
-func SignatureCmd(ctx context.Context, imageRef string) error {
+func SignatureCmd(ctx context.Context, regOpts cli.RegistryOpts, imageRef string) error {
 	ref, err := name.ParseReference(imageRef)
 	if err != nil {
 		return err
@@ -55,7 +57,7 @@ func SignatureCmd(ctx context.Context, imageRef string) error {
 	if err != nil {
 		return err
 	}
-	regClientOpts := cli.DefaultRegistryClientOpts(ctx)
+	regClientOpts := regOpts.GetRegistryClientOpts(ctx)
 	signatures, err := cosign.FetchSignaturesForImage(ctx, ref, sigRepo, cosign.SignatureTagSuffix, regClientOpts...)
 	if err != nil {
 		return err

diff --git a/cmd/cosign/cli/flags.go b/cmd/cosign/cli/flags.go
@@ -15,7 +15,15 @@
 
 package cli
 
-import "reflect"
+import (
+	"context"
+	"crypto/tls"
+	"flag"
+	"net/http"
+	"reflect"
+
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
 
 // oneOf ensures that only one of the supplied interfaces is set to a non-zero value.
 func oneOf(args ...interface{}) bool {
@@ -32,3 +40,19 @@ func nOf(args ...interface{}) int {
 	}
 	return n
 }
+
+type RegistryOpts struct {
+	AllowInsecure bool
+}
+
+func (co *RegistryOpts) GetRegistryClientOpts(ctx context.Context) []remote.Option {
+	opts := defaultRegistryClientOpts(ctx)
+	if co != nil && co.AllowInsecure {
+		opts = append(opts, remote.WithTransport(&http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}})) // #nosec G402
+	}
+	return opts
+}
+
+func ApplyRegistryFlags(regOpts *RegistryOpts, fs *flag.FlagSet) {
+	fs.BoolVar(&regOpts.AllowInsecure, "allow-insecure-registry", false, "whether to allow insecure connections to registries. Don't use this for anything but testing")
+}