feat: blob verify command
#1137
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,162 @@ | ||
| // Copyright The Notary Project Authors. | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package blob | ||
|
|
||
| import ( | ||
| "errors" | ||
| "fmt" | ||
| "os" | ||
| "path/filepath" | ||
| "strings" | ||
|
|
||
| "github.com/notaryproject/notation-core-go/signature/cose" | ||
| "github.com/notaryproject/notation-core-go/signature/jws" | ||
| "github.com/notaryproject/notation-go" | ||
| "github.com/notaryproject/notation/internal/cmd" | ||
| "github.com/notaryproject/notation/internal/ioutil" | ||
| "github.com/spf13/cobra" | ||
| ) | ||
|
|
||
| type blobVerifyOpts struct { | ||
| cmd.LoggingFlagOpts | ||
| blobPath string | ||
| signaturePath string | ||
| pluginConfig []string | ||
| userMetadata []string | ||
| policyStatementName string | ||
| blobMediaType string | ||
| } | ||
|
|
||
| func verifyCommand(opts *blobVerifyOpts) *cobra.Command { | ||
| if opts == nil { | ||
| opts = &blobVerifyOpts{} | ||
| } | ||
| longMessage := `Verify a signature associated with a blob. | ||
|
|
||
| Prerequisite: added a certificate into trust store and created a trust policy. | ||
|
|
||
| Example - Verify a signature on a blob artifact: | ||
| notation blob verify --signature <signature_path> <blob_path> | ||
|
|
||
| Example - Verify the signature on a blob artifact with user metadata: | ||
| notation blob verify --user-metadata <metadata> --signature <signature_path> <blob_path> | ||
|
|
||
| Example - Verify the signature on a blob artifact with media type: | ||
| notation blob verify --media-type <media_type> --signature <signature_path> <blob_path> | ||
|
|
||
| Example - Verify the signature on a blob artifact using a policy statement name: | ||
| notation blob verify --policy-name <policy_name> --signature <signature_path> <blob_path> | ||
| ` | ||
| command := &cobra.Command{ | ||
| Use: "verify [flags] --signature <signature_path> <blob_path>", | ||
| Short: "Verify a signature associated with a blob", | ||
| Long: longMessage, | ||
| Args: func(cmd *cobra.Command, args []string) error { | ||
| if len(args) == 0 { | ||
| return errors.New("missing path to the blob artifact: use `notation blob verify --help` to see what parameters are required") | ||
| } | ||
| opts.blobPath = args[0] | ||
| return nil | ||
| }, | ||
| PreRunE: func(cmd *cobra.Command, args []string) error { | ||
| if opts.signaturePath == "" { | ||
| return errors.New("filepath of the signature cannot be empty") | ||
| } | ||
| if cmd.Flags().Changed("media-type") && opts.blobMediaType == "" { | ||
| return errors.New("--media-type is set but with empty value") | ||
| } | ||
| return nil | ||
| }, | ||
| RunE: func(cmd *cobra.Command, args []string) error { | ||
| return runVerify(cmd, opts) | ||
| }, | ||
| } | ||
| opts.LoggingFlagOpts.ApplyFlags(command.Flags()) | ||
| command.Flags().StringVar(&opts.signaturePath, "signature", "", "filepath of the signature to be verified") | ||
| command.Flags().StringArrayVar(&opts.pluginConfig, "plugin-config", nil, "{key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values") | ||
| command.Flags().StringVar(&opts.blobMediaType, "media-type", "", "media type of the blob to verify") | ||
| command.Flags().StringVar(&opts.policyStatementName, "policy-name", "", "policy name to verify against. If not provided, the global policy is used if exists") | ||
| cmd.SetPflagUserMetadata(command.Flags(), &opts.userMetadata, cmd.PflagUserMetadataVerifyUsage) | ||
| command.MarkFlagRequired("signature") | ||
| return command | ||
| } | ||
|
|
||
| func runVerify(command *cobra.Command, cmdOpts *blobVerifyOpts) error { | ||
| // set log level | ||
| ctx := cmdOpts.LoggingFlagOpts.InitializeLogger(command.Context()) | ||
|
|
||
| // initialize | ||
| blobFile, err := os.Open(cmdOpts.blobPath) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| defer blobFile.Close() | ||
|
|
||
| signatureBytes, err := os.ReadFile(cmdOpts.signaturePath) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| blobVerifier, err := cmd.GetVerifier(ctx, true) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| // set up verification plugin config | ||
| pluginConfigs, err := cmd.ParseFlagMap(cmdOpts.pluginConfig, cmd.PflagPluginConfig.Name) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| // set up user metadata | ||
| userMetadata, err := cmd.ParseFlagMap(cmdOpts.userMetadata, cmd.PflagUserMetadata.Name) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| signatureMediaType, err := parseSignatureMediaType(cmdOpts.signaturePath) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| verifyBlobOpts := notation.VerifyBlobOptions{ | ||
| BlobVerifierVerifyOptions: notation.BlobVerifierVerifyOptions{ | ||
| SignatureMediaType: signatureMediaType, | ||
| PluginConfig: pluginConfigs, | ||
| UserMetadata: userMetadata, | ||
| TrustPolicyName: cmdOpts.policyStatementName, | ||
| }, | ||
| ContentMediaType: cmdOpts.blobMediaType, | ||
| } | ||
| _, outcome, err := notation.VerifyBlob(ctx, blobVerifier, blobFile, signatureBytes, verifyBlobOpts) | ||
| outcomes := []*notation.VerificationOutcome{outcome} | ||
| err = ioutil.PrintVerificationFailure(outcomes, cmdOpts.blobPath, err, true) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| ioutil.PrintVerificationSuccess(outcomes, cmdOpts.blobPath) | ||
| return nil | ||
| } | ||
|
|
||
| // parseSignatureMediaType returns the media type of the signature file. | ||
| // `application/jose+json` and `application/cose` are supported. | ||
| func parseSignatureMediaType(signaturePath string) (string, error) { | ||
| signatureFileName := filepath.Base(signaturePath) | ||
| format := strings.Split(signatureFileName, ".")[1] | ||
| switch format { | ||
| case "cose": | ||
| return cose.MediaTypeEnvelope, nil | ||
| case "jws": | ||
| return jws.MediaTypeEnvelope, nil | ||
| } | ||
| return "", fmt.Errorf("unsupported signature format %s", format) | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| // Copyright The Notary Project Authors. | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package blob | ||
|
|
||
| import ( | ||
| "reflect" | ||
| "testing" | ||
| ) | ||
|
|
||
| func TestVerifyCommand_BasicArgs(t *testing.T) { | ||
| opts := &blobVerifyOpts{} | ||
| command := verifyCommand(opts) | ||
| expected := &blobVerifyOpts{ | ||
| blobPath: "blob_path", | ||
| signaturePath: "sig_path", | ||
| } | ||
| if err := command.ParseFlags([]string{ | ||
| expected.blobPath, | ||
| "--signature", expected.signaturePath}); err != nil { | ||
| t.Fatalf("Parse Flag failed: %v", err) | ||
| } | ||
| if err := command.Args(command, command.Flags().Args()); err != nil { | ||
| t.Fatalf("Parse args failed: %v", err) | ||
| } | ||
| if !reflect.DeepEqual(*expected, *opts) { | ||
| t.Fatalf("Expect blob verify opts: %v, got: %v", expected, opts) | ||
| } | ||
| } | ||
|
|
||
| func TestVerifyCommand_MoreArgs(t *testing.T) { | ||
| opts := &blobVerifyOpts{} | ||
| command := verifyCommand(opts) | ||
| expected := &blobVerifyOpts{ | ||
| blobPath: "blob_path", | ||
| signaturePath: "sig_path", | ||
| pluginConfig: []string{"key1=val1", "key2=val2"}, | ||
| } | ||
| if err := command.ParseFlags([]string{ | ||
| expected.blobPath, | ||
| "--signature", expected.signaturePath, | ||
| "--plugin-config", "key1=val1", | ||
| "--plugin-config", "key2=val2", | ||
| }); err != nil { | ||
| t.Fatalf("Parse Flag failed: %v", err) | ||
| } | ||
| if err := command.Args(command, command.Flags().Args()); err != nil { | ||
| t.Fatalf("Parse args failed: %v", err) | ||
| } | ||
| if !reflect.DeepEqual(*expected, *opts) { | ||
| t.Fatalf("Expect verify opts: %v, got: %v", expected, opts) | ||
| } | ||
| } | ||
|
|
||
| func TestVerifyCommand_MissingArgs(t *testing.T) { | ||
| cmd := verifyCommand(nil) | ||
| if err := cmd.ParseFlags(nil); err != nil { | ||
| t.Fatalf("Parse Flag failed: %v", err) | ||
| } | ||
| if err := cmd.Args(cmd, cmd.Flags().Args()); err == nil { | ||
| t.Fatal("Parse Args expected error, but ok") | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This line may panic.