kyverno/pkg/imageverifiers/notary/repo.go

package notary

import (
	"context"
	"fmt"

	"github.com/kyverno/kyverno/pkg/imagedataloader"
	notationregistry "github.com/notaryproject/notation-go/registry"
	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)

type repositoryClient struct {
	image *imagedataloader.ImageData
}

func NewRepository(image *imagedataloader.ImageData) notationregistry.Repository {
	return &repositoryClient{
		image: image,
	}
}

func (c *repositoryClient) Resolve(_ context.Context, img string) (ocispec.Descriptor, error) {
	fmt.Println(img)
	return c.image.FetchReference(img)
}

func (c *repositoryClient) ListSignatures(ctx context.Context, desc ocispec.Descriptor, fn func(signatureManifests []ocispec.Descriptor) error) error {
	gcrDesc, err := c.image.FetchRefererrsForDigest(desc.Digest.String(), notationregistry.ArtifactTypeNotation)
	if err != nil {
		return err
	}

	descriptorList := make([]ocispec.Descriptor, 0, len(gcrDesc))
	for _, d := range gcrDesc {
		descriptorList = append(descriptorList, imagedataloader.GCRtoOCISpecDesc(d))
	}

	return fn(descriptorList)
}

func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.Descriptor) ([]byte, ocispec.Descriptor, error) {
	gcrDesc, err := imagedataloader.OCISpectoGCRDesc(desc)
	if err != nil {
		return nil, ocispec.Descriptor{}, err
	}

	data, layerDesc, err := c.image.FetchReferrerData(*gcrDesc)
	if err != nil {
		return nil, ocispec.Descriptor{}, err
	}

	return data, imagedataloader.GCRtoOCISpecDesc(*layerDesc), nil
}

func (c *repositoryClient) PushSignature(ctx context.Context, mediaType string, blob []byte, subject ocispec.Descriptor, annotations map[string]string) (blobDesc, manifestDesc ocispec.Descriptor, err error) {
	return ocispec.Descriptor{}, ocispec.Descriptor{}, fmt.Errorf("push signature is not implemented")
}
feat: add notary verifier with tsa support (#12160) * feat: add notary repository Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add notary verifier Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: more tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: more tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: update types Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2025-02-18 12:53:39 +05:30			`package notary`

			`import (`
			`"context"`
			`"fmt"`

			`"github.com/kyverno/kyverno/pkg/imagedataloader"`
			`notationregistry "github.com/notaryproject/notation-go/registry"`
			`ocispec "github.com/opencontainers/image-spec/specs-go/v1"`
			`)`

			`type repositoryClient struct {`
			`image *imagedataloader.ImageData`
			`}`

			`func NewRepository(image *imagedataloader.ImageData) notationregistry.Repository {`
			`return &repositoryClient{`
			`image: image,`
			`}`
			`}`

			`func (c *repositoryClient) Resolve(_ context.Context, img string) (ocispec.Descriptor, error) {`
			`fmt.Println(img)`
			`return c.image.FetchReference(img)`
			`}`

			`func (c *repositoryClient) ListSignatures(ctx context.Context, desc ocispec.Descriptor, fn func(signatureManifests []ocispec.Descriptor) error) error {`
			`gcrDesc, err := c.image.FetchRefererrsForDigest(desc.Digest.String(), notationregistry.ArtifactTypeNotation)`
			`if err != nil {`
			`return err`
			`}`

			`descriptorList := make([]ocispec.Descriptor, 0, len(gcrDesc))`
			`for _, d := range gcrDesc {`
			`descriptorList = append(descriptorList, imagedataloader.GCRtoOCISpecDesc(d))`
			`}`

			`return fn(descriptorList)`
			`}`

			`func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.Descriptor) ([]byte, ocispec.Descriptor, error) {`
			`gcrDesc, err := imagedataloader.OCISpectoGCRDesc(desc)`
			`if err != nil {`
			`return nil, ocispec.Descriptor{}, err`
			`}`

			`data, layerDesc, err := c.image.FetchReferrerData(*gcrDesc)`
			`if err != nil {`
			`return nil, ocispec.Descriptor{}, err`
			`}`

			`return data, imagedataloader.GCRtoOCISpecDesc(*layerDesc), nil`
			`}`

			`func (c *repositoryClient) PushSignature(ctx context.Context, mediaType string, blob []byte, subject ocispec.Descriptor, annotations map[string]string) (blobDesc, manifestDesc ocispec.Descriptor, err error) {`
			`return ocispec.Descriptor{}, ocispec.Descriptor{}, fmt.Errorf("push signature is not implemented")`
			`}`