opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-07-04 01:48:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

Split descriptionsOfPolicyRequirements out of getPolicyShowOutput

Browse Source 
This will evetually allow us to use it for the default scope
as well, which currently uses a simplified version.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This commit is contained in:
Miloslav Trmač
2022-08-24 20:07:18 +02:00
parent d4c5217280
commit 51064acc49
2 changed files with 124 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
pkg/trust/trust.go
View File

@ -72,14 +72,23 @@ func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirP
sort.Strings(scopes) sort.Strings(scopes)
for _, repo := range scopes { for _, repo := range scopes {
repoval := transval[repo] repoval := transval[repo]
tempTrustShowOutput := Policy{ template := Policy{
Transport: transport,
Name: repo, Name: repo,
RepoName: repo, RepoName: repo,
Transport: transport,
Type: trustTypeDescription(repoval[0].Type),
} }
output = append(output, descriptionsOfPolicyRequirements(repoval, template, registryConfigs, repo, idReader)...)
}
}
return output, nil
}
// descriptionsOfPolicyRequirements turns reqs into user-readable policy entries, with Transport/Name/Reponame coming from template, potentially looking up scope in registryConfigs.
func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, registryConfigs *registryConfiguration, scope string, idReader gpgIDReader) []*Policy {
tempTrustShowOutput := template
tempTrustShowOutput.Type = trustTypeDescription(reqs[0].Type)
uids := []string{} uids := []string{}
for _, repoele := range repoval { for _, repoele := range reqs {
if len(repoele.KeyPath) > 0 { if len(repoele.KeyPath) > 0 {
uids = append(uids, idReader(repoele.KeyPath)...) uids = append(uids, idReader(repoele.KeyPath)...)
} }
@ -89,7 +98,7 @@ func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirP
} }
tempTrustShowOutput.GPGId = strings.Join(uids, ", ") tempTrustShowOutput.GPGId = strings.Join(uids, ", ")
registryNamespace := haveMatchRegistry(repo, registryConfigs) registryNamespace := haveMatchRegistry(scope, registryConfigs)
if registryNamespace != nil { if registryNamespace != nil {
if registryNamespace.Lookaside != "" { if registryNamespace.Lookaside != "" {
tempTrustShowOutput.SignatureStore = registryNamespace.Lookaside tempTrustShowOutput.SignatureStore = registryNamespace.Lookaside
@ -97,8 +106,5 @@ func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirP
tempTrustShowOutput.SignatureStore = registryNamespace.SigStore tempTrustShowOutput.SignatureStore = registryNamespace.SigStore
} }
} }
output = append(output, &tempTrustShowOutput) return []*Policy{&tempTrustShowOutput}
}
}
return output, nil
} }

95
pkg/trust/trust_test.go
View File

@ -90,3 +90,98 @@ func TestPolicyDescription(t *testing.T) {
assert.Equal(t, c.expected, res) assert.Equal(t, c.expected, res)
} }
} }
func TestDescriptionsOfPolicyRequirements(t *testing.T) {
// Override getGPGIdFromKeyPath because we don't want to bother with (and spend the unit-test time on) generating valid GPG keys, and running the real GPG binary.
// Instead of reading the files at all, just expect file names like /id1,id2,...,idN.pub
idReader := func(keyPath string) []string {
require.True(t, strings.HasPrefix(keyPath, "/"))
require.True(t, strings.HasSuffix(keyPath, ".pub"))
return strings.Split(keyPath[1:len(keyPath)-4], ",")
}
template := Policy{
Transport: "transport",
Name: "name",
RepoName: "repoName",
}
registryConfigs, err := loadAndMergeConfig("./testdata")
require.NoError(t, err)
for _, c := range []struct {
scope string
reqs signature.PolicyRequirements
expected []*Policy
}{
{
"",
signature.PolicyRequirements{
signature.NewPRReject(),
},
[]*Policy{
{
Transport: "transport",
Name: "name",
RepoName: "repoName",
Type: "reject",
},
},
},
{
"quay.io/accepted",
signature.PolicyRequirements{
signature.NewPRInsecureAcceptAnything(),
},
[]*Policy{
{
Transport: "transport",
Name: "name",
RepoName: "repoName",
Type: "accept",
},
},
},
{
"registry.redhat.io",
signature.PolicyRequirements{
xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
},
[]*Policy{
{
Transport: "transport",
Name: "name",
RepoName: "repoName",
Type: "signed",
SignatureStore: "https://registry.redhat.io/containers/sigstore",
GPGId: "redhat",
},
},
},
{
"quay.io/multi-signed",
signature.PolicyRequirements{
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
},
[]*Policy{
{
Transport: "transport",
Name: "name",
RepoName: "repoName",
Type: "signed",
SignatureStore: "https://quay.example.com/sigstore",
GPGId: "1, 2, 3",
},
},
},
} {
reqsJSON, err := json.Marshal(c.reqs)
require.NoError(t, err)
var parsedRegs []repoContent
err = json.Unmarshal(reqsJSON, &parsedRegs)
require.NoError(t, err)
res := descriptionsOfPolicyRequirements(parsedRegs, template, registryConfigs, c.scope, idReader)
assert.Equal(t, c.expected, res)
}
}