
refactor: cosign package logger (#3773)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
Charles-Edouard Brétéché 2022-05-02 22:03:44 +02:00 committed by GitHub
parent 3e2c9b25c9
commit a592dad2aa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 19 additions and 23 deletions


@ -9,7 +9,6 @@ import (
"fmt"
"strings"
"github.com/go-logr/logr"
"github.com/google/go-containerregistry/pkg/name"
gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/in-toto/in-toto-golang/in_toto"
@ -45,12 +44,10 @@ type Options struct {
Annotations map[string]string
Repository string
RekorURL string
Log logr.Logger
}
// VerifySignature verifies that the image has the expected signatures
func VerifySignature(opts Options) (digest string, err error) {
log := opts.Log
ctx := context.Background()
var remoteOpts []remote.Option
ro := options.RegistryOptions{}
@ -122,7 +119,7 @@ func VerifySignature(opts Options) (digest string, err error) {
signatures, bundleVerified, err := client.VerifyImageSignatures(ctx, ref, cosignOpts)
if err != nil {
msg := err.Error()
log.Info("image verification failed", "error", msg)
logger.Info("image verification failed", "error", msg)
if strings.Contains(msg, "failed to verify signature") {
return "", fmt.Errorf("signature mismatch")
} else if strings.Contains(msg, "no matching signatures") {
@ -132,7 +129,7 @@ func VerifySignature(opts Options) (digest string, err error) {
return "", err
}
log.V(3).Info("verified image", "count", len(signatures), "bundleVerified", bundleVerified)
logger.V(3).Info("verified image", "count", len(signatures), "bundleVerified", bundleVerified)
pld, err := extractPayload(signatures)
if err != nil {
return "", errors.Wrap(err, "failed to get pld")
@ -142,7 +139,7 @@ func VerifySignature(opts Options) (digest string, err error) {
return "", err
}
if err := matchExtensions(signatures, opts.AdditionalExtensions, log); err != nil {
if err := matchExtensions(signatures, opts.AdditionalExtensions); err != nil {
return "", errors.Wrap(err, "extensions mismatch")
}
@ -151,7 +148,7 @@ func VerifySignature(opts Options) (digest string, err error) {
return "", errors.Wrap(err, "annotation mismatch")
}
digest, err = extractDigest(opts.ImageRef, pld, log)
digest, err = extractDigest(opts.ImageRef, pld)
if err != nil {
return "", errors.Wrap(err, "failed to get digest")
}
@ -178,7 +175,7 @@ func loadCertPool(roots []byte) (*x509.CertPool, error) {
// FetchAttestations retrieves signed attestations and decodes them into in-toto statements
// https://github.com/in-toto/attestation/blob/main/spec/README.md#statement
func FetchAttestations(imageRef string, imageVerify v1.ImageVerification, log logr.Logger) ([]map[string]interface{}, error) {
func FetchAttestations(imageRef string, imageVerify v1.ImageVerification) ([]map[string]interface{}, error) {
ctx := context.Background()
var err error
@ -228,7 +225,7 @@ func FetchAttestations(imageRef string, imageVerify v1.ImageVerification, log lo
signatures, bundleVerified, err := client.VerifyImageAttestations(context.Background(), ref, cosignOpts)
if err != nil {
msg := err.Error()
log.Info("failed to fetch attestations", "error", msg)
logger.Info("failed to fetch attestations", "error", msg)
if strings.Contains(msg, "MANIFEST_UNKNOWN: manifest unknown") {
return nil, fmt.Errorf("not found")
}
@ -236,7 +233,7 @@ func FetchAttestations(imageRef string, imageVerify v1.ImageVerification, log lo
return nil, err
}
log.V(3).Info("verified images", "count", len(signatures), "bundleVerified", bundleVerified)
logger.V(3).Info("verified images", "count", len(signatures), "bundleVerified", bundleVerified)
inTotoStatements, err := decodeStatements(signatures)
if err != nil {
return nil, err
@ -367,12 +364,12 @@ func extractPayload(verified []oci.Signature) ([]payload.SimpleContainerImage, e
return sigPayloads, nil
}
func extractDigest(imgRef string, payload []payload.SimpleContainerImage, log logr.Logger) (string, error) {
func extractDigest(imgRef string, payload []payload.SimpleContainerImage) (string, error) {
for _, p := range payload {
if digest := p.Critical.Image.DockerManifestDigest; digest != "" {
return digest, nil
} else {
log.Info("failed to extract image digest from verification response", "image", imgRef, "payload", p)
logger.Info("failed to extract image digest from verification response", "image", imgRef, "payload", p)
return "", fmt.Errorf("unknown image response for " + imgRef)
}
}
@ -408,7 +405,7 @@ func matchSubjectAndIssuer(signatures []oci.Signature, subject, issuer string) e
return fmt.Errorf("subject mismatch: expected %s, got %s", s, subject)
}
func matchExtensions(signatures []oci.Signature, requiredExtensions map[string]string, log logr.Logger) error {
func matchExtensions(signatures []oci.Signature, requiredExtensions map[string]string) error {
if len(requiredExtensions) == 0 {
return nil
}
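Review bot: `return "", fmt.Errorf("unknown image response for " + imgRef)` in extractDigest (the @ -367 hunk) builds the format string from the image reference, so a `%` in imgRef is read as a formatting verb and `go vet`'s printf check flags it; change it to `return "", fmt.Errorf("unknown image response for %s", imgRef)`. While touching that branch, the `else` after the terminating `if ... { return digest, nil }` can be dropped so the failure path reads as a plain guard. The rest of extractDigest, and the bodies of VerifySignature, FetchAttestations and matchExtensions, continue outside their hunks.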


@ -3,10 +3,8 @@ package cosign
import (
"testing"
"github.com/sigstore/cosign/pkg/oci"
"github.com/go-logr/logr"
"github.com/sigstore/cosign/pkg/cosign"
"github.com/sigstore/cosign/pkg/oci"
"gotest.tools/assert"
)
@ -43,7 +41,6 @@ const tektonPayload = `{
}`
func TestCosignPayload(t *testing.T) {
var log logr.Logger = logr.Discard()
image := "registry-v2.nirmata.io/pause"
signedPayloads := cosign.SignedPayload{Payload: []byte(cosignPayload)}
p, err := extractPayload([]oci.Signature{&sig{cosignPayload: signedPayloads}})
@ -51,7 +48,7 @@ func TestCosignPayload(t *testing.T) {
a := map[string]string{"foo": "bar"}
err = checkAnnotations(p, a)
assert.NilError(t, err)
d, err := extractDigest(image, p, log)
d, err := extractDigest(image, p)
assert.NilError(t, err)
assert.Equal(t, d, "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108")
@ -61,18 +58,16 @@ func TestCosignPayload(t *testing.T) {
p2, err := extractPayload(signatures2)
assert.NilError(t, err)
d2, err := extractDigest(image2, p2, log)
d2, err := extractDigest(image2, p2)
assert.NilError(t, err)
assert.Equal(t, d2, "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816")
}
func TestCosignKeyless(t *testing.T) {
var log logr.Logger = logr.Discard()
opts := Options{
ImageRef: "ghcr.io/jimbugwadia/pause2",
Issuer: "https://github.com/",
Subject: "jim",
Log: log,
}
_, err := VerifySignature(opts)

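--- a/pkg/cosign/log.go
+++ b/pkg/cosign/log.go
@@ -0,0 +1,5 @@
+package cosign
+import "sigs.k8s.io/controller-runtime/pkg/log"
+var logger = log.Log.WithName("cosign")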
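Review bot: `logger` has no doc comment and the file does not say who installs its sink; controller-runtime's `log.Log` is a delegating logger, so (from the library's behaviour, not visible in this diff) records emitted before `log.SetLogger` is called may be buffered or dropped rather than written. Every verification failure in this package now goes through this variable, so a silently unset sink would remove the audit trail for rejected images. Add a comment pinning the expectation, e.g. `// logger is the package-wide cosign logger. It delegates to the sink installed with log.SetLogger, which must run during process startup before any image verification.` and confirm the kyverno entry point does call it.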


@ -437,7 +437,6 @@ func (iv *imageVerifier) buildOptionsAndPath(attestor v1.Attestor, imageVerify v
ImageRef: image,
Repository: imageVerify.Repository,
Annotations: imageVerify.Annotations,
Log: iv.logger,
}
if imageVerify.Roots != "" {
@ -492,7 +491,7 @@ func (iv *imageVerifier) verifyAttestations(imageVerify v1.ImageVerification, im
image := imageInfo.String()
start := time.Now()
statements, err := cosign.FetchAttestations(image, imageVerify, iv.logger)
statements, err := cosign.FetchAttestations(image, imageVerify)
if err != nil {
iv.logger.Info("failed to fetch attestations", "image", image, "error", err, "duration", time.Since(start).Seconds())
return ruleError(iv.rule, response.ImageVerify, fmt.Sprintf("failed to fetch attestations for %s", image), err)