From a592dad2aa08ee617dd51f14a73daaee6bb44bf7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Mon, 2 May 2022 22:03:44 +0200 Subject: [PATCH] refactor: cosign package logger (#3773) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- pkg/cosign/cosign.go | 23 ++++++++++------------- pkg/cosign/cosign_test.go | 11 +++-------- pkg/cosign/log.go | 5 +++++ pkg/engine/imageVerify.go | 3 +-- 4 files changed, 19 insertions(+), 23 deletions(-) create mode 100644 pkg/cosign/log.go diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go index 325afd9a7c..e5e5b89543 100644 --- a/pkg/cosign/cosign.go +++ b/pkg/cosign/cosign.go @@ -9,7 +9,6 @@ import ( "fmt" "strings" - "github.com/go-logr/logr" "github.com/google/go-containerregistry/pkg/name" gcrremote "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/in-toto/in-toto-golang/in_toto" @@ -45,12 +44,10 @@ type Options struct { Annotations map[string]string Repository string RekorURL string - Log logr.Logger } // VerifySignature verifies that the image has the expected signatures func VerifySignature(opts Options) (digest string, err error) { - log := opts.Log ctx := context.Background() var remoteOpts []remote.Option ro := options.RegistryOptions{} @@ -122,7 +119,7 @@ func VerifySignature(opts Options) (digest string, err error) { signatures, bundleVerified, err := client.VerifyImageSignatures(ctx, ref, cosignOpts) if err != nil { msg := err.Error() - log.Info("image verification failed", "error", msg) + logger.Info("image verification failed", "error", msg) if strings.Contains(msg, "failed to verify signature") { return "", fmt.Errorf("signature mismatch") } else if strings.Contains(msg, "no matching signatures") { 
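Review bot: The new `logger.Info("image verification failed", "error", msg)` line no longer says which image failed: the package-global logger replaces the caller-supplied one, which (judging by the dropped `Log: iv.logger` in the engine hunk of this patch) presumably carried request context such as the image or rule. This is the only place the raw cosign error is recorded before it is collapsed into "signature mismatch" / "no matching signatures", so an operator reconstructing a blocked admission needs the image in the same record: `logger.Info("image verification failed", "image", opts.ImageRef, "error", msg)`. The same applies to the `logger.V(3).Info("verified image", ...)` line in the next hunk. VerifySignature starts in the hunk above this one and its body continues outside this hunk.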
@@ -132,7 +129,7 @@ func VerifySignature(opts Options) (digest string, err error) { return "", err } - log.V(3).Info("verified image", "count", len(signatures), "bundleVerified", bundleVerified) + logger.V(3).Info("verified image", "count", len(signatures), "bundleVerified", bundleVerified) pld, err := extractPayload(signatures) if err != nil { return "", errors.Wrap(err, "failed to get pld") @@ -142,7 +139,7 @@ func VerifySignature(opts Options) (digest string, err error) { return "", err } - if err := matchExtensions(signatures, opts.AdditionalExtensions, log); err != nil { + if err := matchExtensions(signatures, opts.AdditionalExtensions); err != nil { return "", errors.Wrap(err, "extensions mismatch") } @@ -151,7 +148,7 @@ func VerifySignature(opts Options) (digest string, err error) { return "", errors.Wrap(err, "annotation mismatch") } - digest, err = extractDigest(opts.ImageRef, pld, log) + digest, err = extractDigest(opts.ImageRef, pld) if err != nil { return "", errors.Wrap(err, "failed to get digest") } @@ -178,7 +175,7 @@ func loadCertPool(roots []byte) (*x509.CertPool, error) { // FetchAttestations retrieves signed attestations and decodes them into in-toto statements // https://github.com/in-toto/attestation/blob/main/spec/README.md#statement -func FetchAttestations(imageRef string, imageVerify v1.ImageVerification, log logr.Logger) ([]map[string]interface{}, error) { +func FetchAttestations(imageRef string, imageVerify v1.ImageVerification) ([]map[string]interface{}, error) { ctx := context.Background() var err error 
@@ -228,7 +225,7 @@ func FetchAttestations(imageRef string, imageVerify v1.ImageVerification, log lo signatures, bundleVerified, err := client.VerifyImageAttestations(context.Background(), ref, cosignOpts) if err != nil { msg := err.Error() - log.Info("failed to fetch attestations", "error", msg) + logger.Info("failed to fetch attestations", "error", msg) if strings.Contains(msg, "MANIFEST_UNKNOWN: manifest unknown") { return nil, fmt.Errorf("not found") } @@ -236,7 +233,7 @@ func FetchAttestations(imageRef string, imageVerify v1.ImageVerification, log lo return nil, err } - log.V(3).Info("verified images", "count", len(signatures), "bundleVerified", bundleVerified) + logger.V(3).Info("verified images", "count", len(signatures), "bundleVerified", bundleVerified) inTotoStatements, err := decodeStatements(signatures) if err != nil { return nil, err @@ -367,12 +364,12 @@ func extractPayload(verified []oci.Signature) ([]payload.SimpleContainerImage, e return sigPayloads, nil } -func extractDigest(imgRef string, payload []payload.SimpleContainerImage, log logr.Logger) (string, error) { +func extractDigest(imgRef string, payload []payload.SimpleContainerImage) (string, error) { for _, p := range payload { if digest := p.Critical.Image.DockerManifestDigest; digest != "" { return digest, nil } else { - log.Info("failed to extract image digest from verification response", "image", imgRef, "payload", p) + logger.Info("failed to extract image digest from verification response", "image", imgRef, "payload", p) return "", fmt.Errorf("unknown image response for " + imgRef) } } 
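Review bot: `logger.Info("failed to fetch attestations", "error", msg)` records the failure without the image even though `imageRef` is a parameter of FetchAttestations, and the caller in pkg/engine (last hunk of this patch) logs the same message again with the image and duration, so the package-level record becomes the less informative of two duplicates. Either drop this line and let the engine log once, or make it self-contained: `logger.Info("failed to fetch attestations", "image", imageRef, "error", msg)`. Since the package logger is now global, it cannot inherit that context from the caller the way the injected logger could have. FetchAttestations starts in an earlier hunk and its body continues outside this one.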
@@ -408,7 +405,7 @@ func matchSubjectAndIssuer(signatures []oci.Signature, subject, issuer string) e return fmt.Errorf("subject mismatch: expected %s, got %s", s, subject) } -func matchExtensions(signatures []oci.Signature, requiredExtensions map[string]string, log logr.Logger) error { +func matchExtensions(signatures []oci.Signature, requiredExtensions map[string]string) error { if len(requiredExtensions) == 0 { return nil } diff --git a/pkg/cosign/cosign_test.go b/pkg/cosign/cosign_test.go index 24e45e16af..21b4b1cf6e 100644 --- a/pkg/cosign/cosign_test.go +++ b/pkg/cosign/cosign_test.go @@ -3,10 +3,8 @@ package cosign import ( "testing" - "github.com/sigstore/cosign/pkg/oci" - - "github.com/go-logr/logr" "github.com/sigstore/cosign/pkg/cosign" + "github.com/sigstore/cosign/pkg/oci" "gotest.tools/assert" ) @@ -43,7 +41,6 @@ const tektonPayload = `{ }` func TestCosignPayload(t *testing.T) { - var log logr.Logger = logr.Discard() image := "registry-v2.nirmata.io/pause" signedPayloads := cosign.SignedPayload{Payload: []byte(cosignPayload)} p, err := extractPayload([]oci.Signature{&sig{cosignPayload: signedPayloads}}) @@ -51,7 +48,7 @@ func TestCosignPayload(t *testing.T) { a := map[string]string{"foo": "bar"} err = checkAnnotations(p, a) assert.NilError(t, err) - d, err := extractDigest(image, p, log) + d, err := extractDigest(image, p) assert.NilError(t, err) assert.Equal(t, d, "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108") 
@@ -61,18 +58,16 @@ func TestCosignPayload(t *testing.T) { p2, err := extractPayload(signatures2) assert.NilError(t, err) - d2, err := extractDigest(image2, p2, log) + d2, err := extractDigest(image2, p2) assert.NilError(t, err) assert.Equal(t, d2, "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816") } func TestCosignKeyless(t *testing.T) { - var log logr.Logger = logr.Discard() opts := Options{ ImageRef: "ghcr.io/jimbugwadia/pause2", Issuer: "https://github.com/", Subject: "jim", - Log: log, } _, err := VerifySignature(opts) diff --git a/pkg/cosign/log.go b/pkg/cosign/log.go new file mode 100644 index 0000000000..5fd5a6ac4a --- /dev/null +++ b/pkg/cosign/log.go @@ -0,0 +1,5 @@ +package cosign + +import "sigs.k8s.io/controller-runtime/pkg/log" + +var logger = log.Log.WithName("cosign") diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go index 8c19ac4d50..6ffbd77f57 100644 --- a/pkg/engine/imageVerify.go +++ b/pkg/engine/imageVerify.go @@ -437,7 +437,6 @@ func (iv *imageVerifier) buildOptionsAndPath(attestor v1.Attestor, imageVerify v ImageRef: image, Repository: imageVerify.Repository, Annotations: imageVerify.Annotations, - Log: iv.logger, } if imageVerify.Roots != "" { @@ -492,7 +491,7 @@ func (iv *imageVerifier) verifyAttestations(imageVerify v1.ImageVerification, im image := imageInfo.String() start := time.Now() - statements, err := cosign.FetchAttestations(image, imageVerify, iv.logger) + statements, err := cosign.FetchAttestations(image, imageVerify) if err != nil { iv.logger.Info("failed to fetch attestations", "image", image, "error", err, "duration", time.Since(start).Seconds()) return ruleError(iv.rule, response.ImageVerify, fmt.Sprintf("failed to fetch attestations for %s", image), err)
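Review bot: `var logger = log.Log.WithName("cosign")` binds this package to controller-runtime's root delegating logger, which only emits once the binary calls `log.SetLogger`; in an entry point or test that never does so (cosign_test.go in this patch now sets nothing, having dropped `logr.Discard()`), the "image verification failed" records are discarded rather than surfaced, and the exact pre-SetLogger behaviour differs between controller-runtime versions. The new file also has no package comment and the variable is undocumented. Proposed doc comment: `// logger is the package-level logger for cosign verification. It delegates to` / `// controller-runtime's root logger, so the binary must call log.SetLogger before` / `// verification runs or these messages are dropped.` If callers still need to inject a configured logger, a small setter such as `func SetLogger(l logr.Logger) { logger = l.WithName("cosign") }` avoids re-adding the Options field while keeping the global explicit.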