8
"golang.org/x/exp/maps"
11
// Policy describes a basic trust policy configuration
13
Transport string `json:"transport"`
14
Name string `json:"name,omitempty"`
15
RepoName string `json:"repo_name,omitempty"`
16
Keys []string `json:"keys,omitempty"`
17
SignatureStore string `json:"sigstore,omitempty"`
18
Type string `json:"type"`
19
GPGId string `json:"gpg_id,omitempty"`
22
// PolicyDescription returns an user-focused description of the policy in policyPath and registries.d data from registriesDirPath.
23
func PolicyDescription(policyPath, registriesDirPath string) ([]*Policy, error) {
24
return policyDescriptionWithGPGIDReader(policyPath, registriesDirPath, getGPGIdFromKeyPath)
27
// policyDescriptionWithGPGIDReader is PolicyDescription with a gpgIDReader parameter. It exists only to make testing easier.
28
func policyDescriptionWithGPGIDReader(policyPath, registriesDirPath string, idReader gpgIDReader) ([]*Policy, error) {
29
policyContentStruct, err := getPolicy(policyPath)
31
return nil, fmt.Errorf("could not read trust policies: %w", err)
33
res, err := getPolicyShowOutput(policyContentStruct, registriesDirPath, idReader)
35
return nil, fmt.Errorf("could not show trust policies: %w", err)
40
func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirPath string, idReader gpgIDReader) ([]*Policy, error) {
43
registryConfigs, err := loadAndMergeConfig(systemRegistriesDirPath)
48
if len(policyContentStruct.Default) > 0 {
54
output = append(output, descriptionsOfPolicyRequirements(policyContentStruct.Default, template, registryConfigs, "", idReader)...)
56
transports := maps.Keys(policyContentStruct.Transports)
57
sort.Strings(transports)
58
for _, transport := range transports {
59
transval := policyContentStruct.Transports[transport]
60
if transport == "docker" {
61
transport = "repository"
64
scopes := maps.Keys(transval)
66
for _, repo := range scopes {
67
repoval := transval[repo]
73
output = append(output, descriptionsOfPolicyRequirements(repoval, template, registryConfigs, repo, idReader)...)
79
// descriptionsOfPolicyRequirements turns reqs into user-readable policy entries, with Transport/Name/Reponame coming from template, potentially looking up scope (which may be "") in registryConfigs.
80
func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, registryConfigs *registryConfiguration, scope string, idReader gpgIDReader) []*Policy {
83
var lookasidePath string
84
registryNamespace := registriesDConfigurationForScope(registryConfigs, scope)
85
if registryNamespace != nil {
86
if registryNamespace.Lookaside != "" {
87
lookasidePath = registryNamespace.Lookaside
88
} else { // incl. registryNamespace.SigStore == ""
89
lookasidePath = registryNamespace.SigStore
93
for _, repoele := range reqs {
95
entry.Type = trustTypeDescription(repoele.Type)
97
var gpgIDString string
101
if len(repoele.KeyPath) > 0 {
102
uids = append(uids, idReader(repoele.KeyPath)...)
104
for _, path := range repoele.KeyPaths {
105
uids = append(uids, idReader(path)...)
107
if len(repoele.KeyData) > 0 {
108
uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
110
gpgIDString = strings.Join(uids, ", ")
112
case "sigstoreSigned":
113
gpgIDString = "N/A" // We could potentially return key fingerprints here, but they would not be _GPG_ fingerprints.
115
entry.GPGId = gpgIDString
116
entry.SignatureStore = lookasidePath // We do this even for sigstoreSigned and things like type: reject, to show that the sigstore is being read.
117
res = append(res, &entry)