gh-attestation cmd integration (#8698)

* add attestation cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * add codeowners Signed-off-by: Meredith Lancaster <malancas@github.com> * update args passed to the attestation cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * rename file Signed-off-by: Meredith Lancaster <malancas@github.com> * use gh-attestation branch for passing iostreams from the root Signed-off-by: Meredith Lancaster <malancas@github.com> * add package security team entry to codeowners Signed-off-by: Meredith Lancaster <malancas@github.com> * start moving over verify cmd and general verification code Signed-off-by: Meredith Lancaster <malancas@github.com> * clean up common and verify specific policy code Signed-off-by: Meredith Lancaster <malancas@github.com> * move artifact package over Signed-off-by: Meredith Lancaster <malancas@github.com> * start pulling in the github api client wrapper Signed-off-by: Meredith Lancaster <malancas@github.com> * fix imports Signed-off-by: Meredith Lancaster <malancas@github.com> * add logger and test packages Signed-off-by: Meredith Lancaster <malancas@github.com> * add additional packages to support verify command Signed-off-by: Meredith Lancaster <malancas@github.com> * fix mock api client Signed-off-by: Meredith Lancaster <malancas@github.com> * clean up mock api client Signed-off-by: Meredith Lancaster <malancas@github.com> * include missing fields Signed-off-by: Meredith Lancaster <malancas@github.com> * use correct owner Signed-off-by: Meredith Lancaster <malancas@github.com> * add more mock api client options Signed-off-by: Meredith Lancaster <malancas@github.com> * add download cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * add inspect cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * pass factory object to inspect cmd, add inspect sub cmd to attestation cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * add verify-tuf-root cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * pass iostream struct from command Signed-off-by: Meredith Lancaster <malancas@github.com> * rename logger pkg to logger Signed-off-by: Meredith Lancaster <malancas@github.com> * fix path in codeowners Signed-off-by: Meredith Lancaster <malancas@github.com> * formatter Signed-off-by: Meredith Lancaster <malancas@github.com> * go mod tidy Signed-off-by: Meredith Lancaster <malancas@github.com> * fix printf linter issue Signed-off-by: Meredith Lancaster <malancas@github.com> * fix printf linter issue Signed-off-by: Meredith Lancaster <malancas@github.com> * check user's GH host for compatibility Signed-off-by: Meredith Lancaster <malancas@github.com> * pass oci client to commands directly Signed-off-by: Meredith Lancaster <malancas@github.com> * rename command Signed-off-by: Meredith Lancaster <malancas@github.com> * mark tuf-root-verify cmd hidden Signed-off-by: Meredith Lancaster <malancas@github.com> * move client initialization back to subcommands Signed-off-by: Meredith Lancaster <malancas@github.com> * add more verbose options and logging Signed-off-by: Meredith Lancaster <malancas@github.com> * add missing logger Signed-off-by: Meredith Lancaster <malancas@github.com> * add testing around OCI and API client Signed-off-by: Meredith Lancaster <malancas@github.com> * add integration test Signed-off-by: Meredith Lancaster <malancas@github.com> * fix file path Signed-off-by: Meredith Lancaster <malancas@github.com> * fix command Signed-off-by: Meredith Lancaster <malancas@github.com> * build executable before integration test Signed-off-by: Meredith Lancaster <malancas@github.com> * split integration tests Signed-off-by: Meredith Lancaster <malancas@github.com> * remove integration test steps Signed-off-by: Meredith Lancaster <malancas@github.com> * fix flag value Signed-off-by: Meredith Lancaster <malancas@github.com> * run integration tests on ubuntu for now Signed-off-by: Meredith Lancaster <malancas@github.com> * pull over doc updates Signed-off-by: Meredith Lancaster <malancas@github.com> * delete unused test data Signed-off-by: Meredith Lancaster <malancas@github.com> * remove Go patch version Signed-off-by: Meredith Lancaster <malancas@github.com> * switch assert to require Signed-off-by: Meredith Lancaster <malancas@github.com> * rename file Signed-off-by: Meredith Lancaster <malancas@github.com> * move integration tests to prexisting test workflow Signed-off-by: Meredith Lancaster <malancas@github.com> * use platform matrix for integration tests Signed-off-by: Meredith Lancaster <malancas@github.com> * simplify build step Signed-off-by: Meredith Lancaster <malancas@github.com> * use StringEnumFlag handling Signed-off-by: Meredith Lancaster <malancas@github.com> * typo Signed-off-by: Meredith Lancaster <malancas@github.com> * use the iostreams.Test helper func Signed-off-by: Meredith Lancaster <malancas@github.com> * create interface for oci client Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for oci client Signed-off-by: Meredith Lancaster <malancas@github.com> * rename files Signed-off-by: Meredith Lancaster <malancas@github.com> * format file Signed-off-by: Meredith Lancaster <malancas@github.com> * fix shellcheck issues Signed-off-by: Meredith Lancaster <malancas@github.com> * use testing TempDir method Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup unused tempdir handling Signed-off-by: Meredith Lancaster <malancas@github.com> * use table driven tests Signed-off-by: Meredith Lancaster <malancas@github.com> * check correct cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * support repo option in download sub cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * switch over to using RunE Signed-off-by: Meredith Lancaster <malancas@github.com> * unexport top level subcommand funcs Signed-off-by: Meredith Lancaster <malancas@github.com> * add comment around keychain option Signed-off-by: Meredith Lancaster <malancas@github.com> * update comments Signed-off-by: Meredith Lancaster <malancas@github.com> * fix inconsistent naming Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for CLI commands Signed-off-by: Meredith Lancaster <malancas@github.com> * check for noattestationsfound err Signed-off-by: Meredith Lancaster <malancas@github.com> * try out metadata abstraction instead Signed-off-by: Meredith Lancaster <malancas@github.com> * switch to using MetadataStore abstraction Signed-off-by: Meredith Lancaster <malancas@github.com> * include test case with failing metadata store Signed-off-by: Meredith Lancaster <malancas@github.com> * look for err specific to file write Signed-off-by: Meredith Lancaster <malancas@github.com> * unexport fields Signed-off-by: Meredith Lancaster <malancas@github.com> * return err when an unsupported hash alg is provided Signed-off-by: Meredith Lancaster <malancas@github.com> * PrintTableToStdOut returns err when rendering fails Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding sigstore verifier unit tests Signed-off-by: Meredith Lancaster <malancas@github.com> * add more sigstore verifier specific tests Signed-off-by: Meredith Lancaster <malancas@github.com> * use cli table printer Signed-off-by: Meredith Lancaster <malancas@github.com> * return JSON results in slice instead of table Signed-off-by: Meredith Lancaster <malancas@github.com> * move mock client to test file Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unneeded table printer method Signed-off-by: Meredith Lancaster <malancas@github.com> * add initial tests for tufrootverify cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * formatting Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup method Signed-off-by: Meredith Lancaster <malancas@github.com> * close file in error handling branch Signed-off-by: Meredith Lancaster <malancas@github.com> * normalize artifact path Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unneeded embedded file system Signed-off-by: Meredith Lancaster <malancas@github.com> * include image name reference err Signed-off-by: Meredith Lancaster <malancas@github.com> * use GH_DEBUG value for io handling Signed-off-by: Meredith Lancaster <malancas@github.com> * remove quiet and verbose flags Signed-off-by: Meredith Lancaster <malancas@github.com> * add more tufrootveriify tests Signed-off-by: Meredith Lancaster <malancas@github.com> * GitHubTUFOptions no longer needs to return error Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unneeded slice Signed-off-by: Meredith Lancaster <malancas@github.com> * normalize all relative paths Signed-off-by: Meredith Lancaster <malancas@github.com> * clean up nil client checks Signed-off-by: Meredith Lancaster <malancas@github.com> * set api server based on host Signed-off-by: Meredith Lancaster <malancas@github.com> * add comment about http client Signed-off-by: Meredith Lancaster <malancas@github.com> * use format flag to handle json output in verify cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * use format flag to handle json output Signed-off-by: Meredith Lancaster <malancas@github.com> * use normalized path for cli test arg Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for json output Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup error wrapping Signed-off-by: Meredith Lancaster <malancas@github.com> * use test fixtures correctly by normalizing path Signed-off-by: Meredith Lancaster <malancas@github.com> * dont clean Signed-off-by: Meredith Lancaster <malancas@github.com> * escape backwards slash for windows files with replace Signed-off-by: Meredith Lancaster <malancas@github.com> * use strings.Split func Signed-off-by: Meredith Lancaster <malancas@github.com> * use strings.Replace for all command tests Signed-off-by: Meredith Lancaster <malancas@github.com> * use CLI cache dir to store tuf metadata Signed-off-by: Meredith Lancaster <malancas@github.com> * Tweaked docstrings for gh attestation download * Tweaked docstrings for gh attestation verify * Fix for bug in gh attestation where the wrong hostname was being passed to the API client. * lets hide tuf-root-verify eh? * Forgot verify's short str. * add remote verification test Signed-off-by: Meredith Lancaster <malancas@github.com> * Revert "add remote verification test" This reverts commit c0ceb99. * update json result handling Signed-off-by: Meredith Lancaster <malancas@github.com> * add json tags to struct returned by command Signed-off-by: Meredith Lancaster <malancas@github.com> * fix how json results are handled Signed-off-by: Meredith Lancaster <malancas@github.com> * add test to ensure JSON output is valid Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Co-authored-by: Phill MV <phillmv@github.com>
cli · Apr 1, 2024 · 90b7bf9 · 90b7bf9
1 parent ec812a1
commit 90b7bf9
Show file tree

Hide file tree

Showing 58 changed files with 4,893 additions and 53 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -2,3 +2,6 @@
 
 pkg/cmd/codespace/ @cli/codespaces
 internal/codespaces/ @cli/codespaces
+
+# Limit Package Security team ownership to the attestation command package
+pkg/cmd/attestation/ @cli/package-security
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -1,4 +1,4 @@
-name: Tests
+name: Unit and Integration Tests
 on: [push, pull_request]
 
 permissions:
@@ -37,3 +37,27 @@ jobs:
 
       - name: Build
         run: go build -v ./cmd/gh
+
+  integration-tests:
+    env:
+      GH_TOKEN: ${{ github.token }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Set up Go 1.21
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.21
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Build executable
+        run: make
+
+      - name: Run attestation command integration Tests
+        run: ./test/integration/attestation-cmd/download-and-verify-package-attestation.sh
diff --git a/go.mod b/go.mod
@@ -14,33 +14,38 @@ require (
 	github.com/cli/safeexec v1.0.1
 	github.com/cpuguy83/go-md2man/v2 v2.0.4
 	github.com/creack/pty v1.1.21
+	github.com/distribution/reference v0.5.0
 	github.com/gabriel-vasile/mimetype v1.4.3
 	github.com/gdamore/tcell/v2 v2.5.4
-	github.com/google/go-cmp v0.5.9
+	github.com/google/go-cmp v0.6.0
+	github.com/google/go-containerregistry v0.19.0
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
-	github.com/gorilla/websocket v1.4.2
+	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-version v1.3.0
 	github.com/henvic/httpretty v0.1.3
+	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/joho/godotenv v1.5.1
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/mattn/go-colorable v0.1.13
 	github.com/mattn/go-isatty v0.0.20
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
 	github.com/microsoft/dev-tunnels v0.0.25
 	github.com/muhammadmuzzammil1998/jsonc v0.0.0-20201229145248-615b0916ca38
-	github.com/opentracing/opentracing-go v1.1.0
+	github.com/opentracing/opentracing-go v1.2.0
 	github.com/rivo/tview v0.0.0-20221029100920-c4a7e501810d
 	github.com/shurcooL/githubv4 v0.0.0-20230704064427-599ae7bbf278
-	github.com/spf13/cobra v1.6.1
+	github.com/sigstore/protobuf-specs v0.3.0
+	github.com/sigstore/sigstore-go v0.2.1-0.20240222221148-8bd2a8139edc
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
 	github.com/zalando/go-keyring v0.2.4
-	golang.org/x/crypto v0.17.0
-	golang.org/x/sync v0.1.0
-	golang.org/x/term v0.15.0
+	golang.org/x/crypto v0.19.0
+	golang.org/x/sync v0.6.0
+	golang.org/x/term v0.17.0
 	golang.org/x/text v0.14.0
-	google.golang.org/grpc v1.56.3
+	google.golang.org/grpc v1.61.0
 	google.golang.org/protobuf v1.33.0
 	gopkg.in/h2non/gock.v1 v1.1.2
 	gopkg.in/yaml.v3 v3.0.1
@@ -49,41 +54,113 @@ require (
 require (
 	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/alessio/shellescape v1.4.2 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aymanbagabas/go-osc52 v1.0.3 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cli/browser v1.3.0 // indirect
 	github.com/cli/shurcooL-graphql v0.0.4 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
 	github.com/danieljoos/wincred v1.2.1 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/fatih/color v1.7.0 // indirect
+	github.com/docker/cli v24.0.0+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/docker v24.0.7+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/fatih/color v1.14.1 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gdamore/encoding v1.0.0 // indirect
+	github.com/go-chi/chi v4.1.2+incompatible // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/analysis v0.22.0 // indirect
+	github.com/go-openapi/errors v0.21.0 // indirect
+	github.com/go-openapi/jsonpointer v0.20.2 // indirect
+	github.com/go-openapi/jsonreference v0.20.4 // indirect
+	github.com/go-openapi/loads v0.21.5 // indirect
+	github.com/go-openapi/runtime v0.27.1 // indirect
+	github.com/go-openapi/spec v0.20.14 // indirect
+	github.com/go-openapi/strfmt v0.22.0 // indirect
+	github.com/go-openapi/swag v0.22.9 // indirect
+	github.com/go-openapi/validate v0.22.6 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/certificate-transparency-go v1.1.7 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/css v1.0.0 // indirect
 	github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/itchyny/gojq v0.12.13 // indirect
 	github.com/itchyny/timefmt-go v0.1.5 // indirect
-	github.com/kr/text v0.2.0 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/klauspost/compress v1.17.0 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.26 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/muesli/reflow v0.3.0 // indirect
 	github.com/muesli/termenv v0.13.0 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rodaine/table v1.0.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sassoftware/relic v7.2.1+incompatible // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 // indirect
+	github.com/sigstore/rekor v1.3.5 // indirect
+	github.com/sigstore/sigstore v1.8.1 // indirect
+	github.com/sigstore/timestamp-authority v1.2.2 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/viper v1.18.2 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.0-20240222081530-454b12158917 // indirect
 	github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/transparency-dev/merkle v0.0.2 // indirect
+	github.com/vbatts/tar-split v0.11.3 // indirect
 	github.com/yuin/goldmark v1.5.2 // indirect
 	github.com/yuin/goldmark-emoji v1.0.1 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	go.mongodb.org/mongo-driver v1.13.1 // indirect
+	go.opentelemetry.io/otel v1.22.0 // indirect
+	go.opentelemetry.io/otel/metric v1.22.0 // indirect
+	go.opentelemetry.io/otel/trace v1.22.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.26.0 // indirect
+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
+	golang.org/x/mod v0.15.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
-	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+	google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac // indirect
+	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	k8s.io/klog/v2 v2.120.0 // indirect
 )