Delegate to targets/releases per extended MVP

README.md

@@ -101,67 +101,13 @@ INFO[0000] The SHA sums are equal: 540cc4dc213548ebbdffb2ab0ef58729e089d1887edbc
 - Add in-toto metadata when signing a thin bundle:
 
 ```
-$ ./scripts/signy-sign.sh testdata/cnab/bundle.json localhost:5000/thin-intoto:v2 --in-toto --layout testdata/intoto/root.layout --links testdata/intoto --layout-key testdata/intoto/alice.pub
-INFO[0000] Adding In-Toto layout and links metadata to TUF
-INFO[0000] Pushed trust data for localhost:5000/thin-intoto:v2: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5
-INFO[0000] Starting to copy image cnab/helloworld:0.1.1
-INFO[0001] Completed image cnab/helloworld:0.1.1 copy
-INFO[0001] Generated relocation map: relocation.ImageRelocationMap{"cnab/helloworld:0.1.1":"localhost:5000/thin-intoto@sha256:a59a4e74d9cc89e4e75dfb2cc7ea5c108e4236ba6231b53081a9e2506d1197b6"}
-INFO[0001] Pushed successfully, with digest "sha256:b4936e42304c184bafc9b06dde9ea1f979129e09a021a8f40abc07f736de9268"
+$ ./scripts/signy-sign.sh testdata/intoto/minimal/bundle.json localhost:5000/minimal:latest --in-toto --layout testdata/intoto/minimal/root.layout --links testdata/intoto/minimal/d374df2f6946233546bb4ca97dcee3a01fe07aaef11be1fb09abd37ceb4ecfb7/ --layout-key testdata/intoto/minimal/root.layout.pub
 ```
 
 - verifying the signature of a thin bundle and running the in-toto verifications in a container:
 
 ```
-$ ./scripts/signy-verify.sh localhost:5000/thin-intoto:v2 --in-toto
-INFO[0000] Pulled trust data for localhost:5000/thin-intoto:v2, with role targets - SHA256: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5
-INFO[0000] Pulling bundle from registry: localhost:5000/thin-intoto:v2
-INFO[0000] Computed SHA: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5
-INFO[0000] The SHA sums are equal: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5
-INFO[0000] Writing In-Toto metadata files into /tmp/intoto-verification169227773
-INFO[0000] copying file /in-toto/layout.template in container for verification...
-INFO[0000] copying file /in-toto/key.pub in container for verification...
-INFO[0000] copying file in-toto/package.2f89b927.link in container for verification...
-INFO[0000] copying file in-toto/write-code.776a00e2.link in container for verification...
-INFO[0000] copying file in-toto/foo.tar.gz in container for verification...
-INFO[0000] Loading layout...
-INFO[0000] Loading layout key(s)...
-INFO[0000] Verifying layout signatures...
-INFO[0001] Verifying layout expiration...
-INFO[0001] Reading link metadata files...
-INFO[0001] Verifying link metadata signatures...
-INFO[0001] Verifying sublayouts...
-INFO[0001] Verifying alignment of reported commands...
-INFO[0001] Verifying command alignment for 'write-code.776a00e2.link'...
-INFO[0001] Verifying command alignment for 'package.2f89b927.link'...
-INFO[0001] Verifying threshold constraints...
-INFO[0001] Skipping threshold verification for step 'write-code' with threshold '1'...
-INFO[0001] Skipping threshold verification for step 'package' with threshold '1'...
-INFO[0001] Verifying Step rules...
-INFO[0001] Verifying material rules for 'write-code'...
-INFO[0001] Verifying product rules for 'write-code'...
-INFO[0001] Verifying 'ALLOW foo.py'...
-INFO[0001] Verifying material rules for 'package'...
-INFO[0001] Verifying 'MATCH foo.py WITH PRODUCTS FROM write-code'...
-INFO[0001] Verifying 'DISALLOW *'...
-INFO[0001] Verifying product rules for 'package'...
-INFO[0001] Verifying 'ALLOW foo.tar.gz'...
-INFO[0001] Verifying 'ALLOW foo.py'...
-INFO[0001] Executing Inspection commands...
-INFO[0001] Executing command for inspection 'untar'...
-INFO[0001] Running 'untar'...
-INFO[0001] Recording materials '.'...
-INFO[0001] Running command 'tar xfz foo.tar.gz'...
-INFO[0001] Recording products '.'...
-INFO[0001] Creating link metadata...
-INFO[0001] Verifying Inspection rules...
-INFO[0001] Verifying material rules for 'untar'...
-INFO[0001] Verifying 'MATCH foo.tar.gz WITH PRODUCTS FROM package'...
-INFO[0001] Verifying 'DISALLOW foo.tar.gz'...
-INFO[0001] Verifying product rules for 'untar'...
-INFO[0001] Verifying 'MATCH foo.py WITH PRODUCTS FROM write-code'...
-INFO[0001] Verifying 'DISALLOW foo.py'...
-INFO[0001] The software product passed all verification.
+$ ./scripts/signy-verify.sh localhost:5000/minimal:latest --in-toto
 ```
 
 - similarly for a thick bundle:

cmd/sign.go

@@ -1,14 +1,13 @@
 package main
 
 import (
-	"encoding/hex"
 	"fmt"
 
-	canonicaljson "github.com/docker/go/canonical/json"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"github.com/cnabio/signy/pkg/cnab"
+	"github.com/cnabio/signy/pkg/docker"
 	"github.com/cnabio/signy/pkg/intoto"
 	"github.com/cnabio/signy/pkg/tuf"
 )
@@ -89,40 +88,59 @@ INFO[0001] Pushed successfully, with digest "sha256:b4936e42304c184bafc9b06dde9e
 }
 
 func (s *signCmd) run() error {
-	var cm *canonicaljson.RawMessage
+	var publicKeys intoto.PublicKeys
+	var rootLayout intoto.RootLayout
+	var links intoto.Links
+	var bundleCustom intoto.Custom
+
+	gun, err := docker.GetGUN(s.ref)
+	if err != nil {
+		return fmt.Errorf("cannot initialize GUN from %s: %v", s.ref, err)
+	}
+
 	if s.intoto {
 		if s.layout == "" || s.layoutKey == "" || s.linkDir == "" {
 			return fmt.Errorf("required in-toto metadata not found")
 		}
 		log.Infof("Adding In-Toto layout and links metadata to TUF")
+
 		err := intoto.ValidateFromPath(s.layout)
 		if err != nil {
 			return fmt.Errorf("validation for in-toto metadata failed: %v", err)
 		}
-		custom, err := intoto.GetMetadataRawMessage(s.layout, s.linkDir, s.layoutKey)
+
+		publicKeys, err = intoto.GetPublicKeys(gun, s.layoutKey)
+		if err != nil {
+			return fmt.Errorf("cannot read public keys: %v", err)
+		}
+
+		rootLayout, err = intoto.GetRootLayout(gun, s.layout, publicKeys)
 		if err != nil {
-			return fmt.Errorf("cannot get metadata message: %v", err)
+			return fmt.Errorf("cannot read root layout: %v", err)
 		}
-		// TODO: Radu M
-		// Refactor GetMatedataRawMessage to return a pointer to a raw message
-		cm = &custom
+
+		links, err = intoto.GetLinks(gun, s.linkDir)
+		if err != nil {
+			return fmt.Errorf("cannot read links: %v", err)
+		}
+
+		bundleCustom = intoto.GetBundleCustom(rootLayout, links)
 	}
 
 	// NOTE: We first push to the Registry, and then Notary. This is so that if we modify the bundle locally,
 	// we will not invalidate its signature by first pushing to Notary, and then the Registry.
-
 	// We push only thin bundles to the Registry.
 	if !s.thick {
 		if err := cnab.Push(s.file, s.ref); err != nil {
 			return err
 		}
 	}
 
-	target, err := tuf.SignAndPublish(trustDir, trustServer, s.ref, s.file, tlscacert, s.rootKey, timeout, cm)
+	bundleDigest, err := tuf.SignAndPublish(trustDir, trustServer, s.ref, s.file, tlscacert, s.rootKey, timeout, rootLayout, publicKeys, links, bundleCustom)
 	if err != nil {
 		return fmt.Errorf("cannot sign and publish trust data: %v", err)
 	}
 
-	log.Infof("Pushed trust data for %v: %v\n", s.ref, hex.EncodeToString(target.Hashes["sha256"]))
+	log.Infof("Pushed trust data for %v: %v\n", s.ref, bundleDigest)
 	return nil
 }

pkg/docker/docker.go

@@ -32,6 +32,19 @@ const (
 	workingDir = "/in-toto" // Where we expect to copy in-toto artifacts to
 )
 
+// GetGUN returns the Globally Unique Name for a reference image name
+func GetGUN(name string) (string, error) {
+	r, err := reference.ParseNormalizedNamed(name)
+	if err != nil {
+		return "", err
+	}
+	repo, err := registry.ParseRepositoryInfo(r)
+	if err != nil {
+		return "", err
+	}
+	return repo.Name.Name(), nil
+}
+
 // Run will start a container, copy all In-Toto metadata in /in-toto
 // then run in-toto-verification
 func Run(verificationImage, verificationDir, logLevel string) error {

pkg/docker/docker_test.go

@@ -7,11 +7,42 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-var testDir = "../../testdata/intoto"
+var testDir = "../../testdata/intoto/minimal"
 
 func TestRun(t *testing.T) {
 	// NOTE: Tag will be empty since we cannot inject build-time variables during testing.
 	// Therefore, we shall use the "latest" tag.
 	err := Run(VerificationImage+"latest", testDir, log.InfoLevel.String())
 	assert.NoError(t, err)
 }
+
+func TestParseReference(t *testing.T) {
+	tests := []struct {
+		input string
+		gun   string
+	}{
+		{
+			input: "localhost:5000/local-test-simple:v1",
+			gun:   "localhost:5000/local-test-simple",
+		},
+		{
+			input: "localhost:5000/multi-path/some/bundle:v1",
+			gun:   "localhost:5000/multi-path/some/bundle",
+		},
+		{
+			input: "dockerhubusername/bundle:v3",
+			gun:   "docker.io/dockerhubusername/bundle",
+		},
+		{
+			input: "mycnabregistry.azurecr.io/org/sub-org/bundle:latest",
+			gun:   "mycnabregistry.azurecr.io/org/sub-org/bundle",
+		},
+	}
+
+	is := assert.New(t)
+	for _, test := range tests {
+		gun, err := GetGUN(test.input)
+		is.NoError(err)
+		is.Equal(test.gun, gun)
+	}
+}