refactor: remove dead code, update docs (#11)

liatrio · May 22, 2023 · 2f37a9a · 2f37a9a
1 parent 5e0a29b
commit 2f37a9a
Show file tree

Hide file tree

Showing 8 changed files with 53 additions and 78 deletions.
diff --git a/Makefile b/Makefile
@@ -6,14 +6,13 @@ default:
 .PHONY: github-pull-request
 github-pull-request:
 	go run cmd/attestation.go github-pull-request \
-		--artifact-digest "sha256:90dd2b640aac51d062f4f29bf1f59360e4ad2961939f32c2b93cdd96a2cd3615" \
+		--artifact-digest "sha256:6c3bf887638f7c0d86731e6208befa1b439e465cb435465d982c50609553b514" \
 		--artifact-uri "ghcr.io/liatrio/gh-trusted-builds-app"
 
 .PHONY: vsa
 vsa:
 	go run cmd/attestation.go vsa \
-		--artifact-digest "sha256:90dd2b640aac51d062f4f29bf1f59360e4ad2961939f32c2b93cdd96a2cd3615" \
-        --commit-sha "5b25a576d343d7877753b8c2861860f0599749aa" \
+		--artifact-digest "sha256:6c3bf887638f7c0d86731e6208befa1b439e465cb435465d982c50609553b514" \
         --artifact-uri "ghcr.io/liatrio/gh-trusted-builds-app" \
         --policy-version "v1.1.1" \
         --verifier-id "local-verifier"
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ This is an example of how to create custom attestations using `in-toto` and `cos
 
 Directly from source:
 ```shell
-$ go run cmd/attestor.go <attestation-type> [--flag]
+$ go run cmd/attestation.go <attestation-type> [--flag]
 ```
 
 Downloaded and extracted binary from [GitHub Releases](https://github.com/liatrio/gh-trusted-builds-attestations/releases):
@@ -18,11 +18,16 @@ $ ./attestation <attestation-type> [--flag]
 
 All attestation types may use or require these flags. 
 
-- `--kms-key-uri`: An cloud provider KMS URI, in [`cosign`'s expected format](https://docs.sigstore.dev/cosign/kms_support/).
-  Optional if a Fulcio URL is provided.
-- `--fulcio-url`: The Fulcio CA url for keyless signing.
+- `--fulcio-url`: The Fulcio CA url for keyless signing. Defaults to `https://fulcio.sigstore.dev`.
   Intended only for use with ambient providers like GitHub Actions, as there are no options for overriding the default OIDC settings.
-- `--rekor-url`: **required** The transparency log URL.
+- `--rekor-url`: The transparency log URL. Defaults to `https://rekor.sigstore.dev`.
+- `--oidc-issuer-url`: Defaults to `https://oauth2.sigstore.dev/auth`.
+- `--oidc-client-id`: Defaults to `sigstore`.
+- `--artifact-uri`: **required** URI of the OCI artifact i.e., the subject of the attestation.
+  ex: `ghcr.io/liatrio/gh-trusted-builds-app`
+- `--artifact-digest`: **required**  digest of the OCI artifact.
+  Used for retrieving related artifact attestations, and marking the attestation subject.
+  ex: `sha256:60bcfdd293baac977357527bbd7ec2b5a7584ce276d33de0a4980c8ace6afd67`
 
 ### Attestations
 
@@ -45,28 +50,31 @@ It can be used to verify that:
 _type: https://in-toto.io/Statement/v0.1
 predicateType: https://liatr.io/attestations/github-pull-request/v1
 subject:
-  - name: git+https://github.com/liatrio/custom-attestations-poc.git
+  - name: git+https://github.com/liatrio/gh-trusted-builds-app.git
     digest:
-      sha1: ccdb1357fc52fea7cf8204b5f3c8d6eb4e1b8846
+      sha1: e1f1d4396181766e12fca22f2ba856e8154b4304
+  - name: ghcr.io/liatrio/gh-trusted-builds-app
+    digest:
+      sha256: 6c3bf887638f7c0d86731e6208befa1b439e465cb435465d982c50609553b514
 predicate:
-  link: https://github.com/liatrio/custom-attestations-poc/pull/2
-  title: 'docs: save Microsoft a few bytes'
-  author: alexashley
-  mergedBy: alexashley
-  createdAt: '2023-04-24T19:07:47Z'
-  mergedAt: '2023-04-24T19:15:18Z'
+  link: https://github.com/liatrio/gh-trusted-builds-app/pull/1
+  title: 'docs: remove extra newline'
+  author: rcoy-v
+  mergedBy: rcoy-v
+  createdAt: '2023-05-22T15:27:05Z'
+  mergedAt: '2023-05-22T15:27:27Z'
   base: main
-  head: important-work
-  approved: true # true only when the number of approvals is equal to the number of reviewers (excluding comment-only reviews)
+  head: rcoy-v-patch-1
+  approved: true
   reviewers:
-    - name: rcoy-v
+    - name: alexashley
       approved: true
       reviewLink: >-
-        https://github.com/liatrio/custom-attestations-poc/pull/2#pullrequestreview-1398643433
-      timestamp: '2023-04-24T19:12:11Z'
+        https://github.com/liatrio/gh-trusted-builds-app/pull/1#pullrequestreview-1436887240
+      timestamp: '2023-05-22T15:27:18Z'
   contributors:
-    - name: alexashley
-  predicateCreatedAt: '2023-04-25T19:52:43.3419Z'
+    - name: rcoy-v
+  predicateCreatedAt: '2023-05-22T15:28:48.369418041Z'
 ```
 
 The attestor expects to run inside a Git repository, as it will use the `HEAD` sha to lookup pull requests.
@@ -101,17 +109,6 @@ The following process is used to create a VSA:
 
 ##### Command Flags
 
-`--artifact-digest`: Sha256 digest of the OCI artifact.
-Used for retrieving related artifact attestations, and marking the VSA subject.
-ex: `60bcfdd293baac977357527bbd7ec2b5a7584ce276d33de0a4980c8ace6afd67`
-
-`--artifact-uri`: URI of the OCI artifact i.e., the subject of the VSA.
-ex: `agplatformrnim.azurecr.io/liatrio/gh-trusted-builds-app`
-
-`--commit-sha`: Sha1 git commit that the artifact was built from.
-Used for retrieving source attestations related to the artifact.
-ex: `24d01c0c9f456f0d0fac8de7f18dc09d5d554ce9`
-
 `--policy-version`: GitHub release version of the governance policy to download from [gh-trusted-builds-policy](https://github.com/liatrio/gh-trusted-builds-policy).
 This is the OPA bundle that will be used at runtime to determine the VSA `verification_result`.
 ex: `v1.0.0`

diff --git a/internal/attestors/github_pull_request.go b/internal/attestors/github_pull_request.go
@@ -34,7 +34,7 @@ type GitHubPullRequestAttestor struct {
 }
 
 func NewGitHubPullRequestAttestor(ctx context.Context, opts *config.GitHubPullRequestCommandOptions) (*GitHubPullRequestAttestor, error) {
-	githubClient, err := gh.New(ctx, opts.GithubToken)
+	githubClient, err := gh.New(ctx, opts.GitHubToken)
 	if err != nil {
 		return nil, err
 	}

diff --git a/internal/attestors/vsa/vsa.go b/internal/attestors/vsa/vsa.go
@@ -164,7 +164,7 @@ func evaluatePolicy(ctx context.Context, opts *config.VsaCommandOptions, attesta
 
 func downloadOPABundle(ctx context.Context, opts *config.VsaCommandOptions) error {
 	ts := oauth2.StaticTokenSource(
-		&oauth2.Token{AccessToken: opts.GithubToken},
+		&oauth2.Token{AccessToken: opts.GitHubToken},
 	)
 	tc := oauth2.NewClient(ctx, ts)
 

diff --git a/internal/config/github_pull_request.go b/internal/config/github_pull_request.go
@@ -7,7 +7,7 @@ import (
 type GitHubPullRequestCommandOptions struct {
 	GlobalOptions
 	fs          *flag.FlagSet
-	GithubToken string
+	GitHubToken string
 }
 
 func NewGitHubPullRequestCommandOptions() *GitHubPullRequestCommandOptions {
@@ -26,7 +26,7 @@ func (c *GitHubPullRequestCommandOptions) Parse(args []string) error {
 	if err != nil {
 		return err
 	}
-	c.GithubToken = githubToken
+	c.GitHubToken = githubToken
 	err = c.fs.Parse(args)
 	if err != nil {
 		return err

diff --git a/internal/config/global.go b/internal/config/global.go
@@ -18,24 +18,6 @@ type GlobalOptions struct {
 	ArtifactDigest *Digest
 }
 
-func (g *GlobalOptions) Parse() error {
-	return g.ArtifactDigest.Parse()
-}
-
-func (g *GlobalOptions) FullArtifactId() string {
-	return fmt.Sprintf("%s@%s", g.ArtifactUri, g.ArtifactDigest.Value)
-}
-
-func (g *GlobalOptions) KeyOpts() options.KeyOpts {
-	return options.KeyOpts{
-		OIDCIssuer:       g.OidcIssuerUrl,
-		OIDCClientID:     g.OidcClientId,
-		FulcioURL:        g.FulcioUrl,
-		RekorURL:         g.RekorUrl,
-		SkipConfirmation: true,
-	}
-}
-
 func NewGlobalOptions() GlobalOptions {
 	return GlobalOptions{
 		FulcioUrl:      "https://fulcio.sigstore.dev",
@@ -45,6 +27,14 @@ func NewGlobalOptions() GlobalOptions {
 	}
 }
 
+func (g *GlobalOptions) Parse() error {
+	return g.ArtifactDigest.Parse()
+}
+
+func (g *GlobalOptions) FullArtifactId() string {
+	return fmt.Sprintf("%s@%s", g.ArtifactUri, g.ArtifactDigest.Value)
+}
+
 func (g *GlobalOptions) AddFlags(fs *flag.FlagSet) {
 	fs.Func("rekor-url", "Rekor server URL", func(s string) error {
 		u, err := url.ParseRequestURI(s)
@@ -78,6 +68,15 @@ func (g *GlobalOptions) AddFlags(fs *flag.FlagSet) {
 	fs.StringVar(&g.ArtifactUri, "artifact-uri", "", "URI of the OCI artifact")
 }
 
+func (g *GlobalOptions) KeyOpts() options.KeyOpts {
+	return options.KeyOpts{
+		OIDCIssuer:   g.OidcIssuerUrl,
+		OIDCClientID: g.OidcClientId,
+		FulcioURL:    g.FulcioUrl,
+		RekorURL:     g.RekorUrl,
+	}
+}
+
 func GetGitHubEnvToken() (string, error) {
 	githubToken, githubTokenExists := os.LookupEnv("GITHUB_TOKEN")
 

diff --git a/internal/config/vsa.go b/internal/config/vsa.go
@@ -25,10 +25,9 @@ func (d *Digest) Parse() error {
 type VsaCommandOptions struct {
 	GlobalOptions
 	fs *flag.FlagSet
-	CommitSha,
 	PolicyVersion,
 	VerifierId,
-	GithubToken string
+	GitHubToken string
 }
 
 func NewVsaCommandOptions() *VsaCommandOptions {
@@ -37,7 +36,6 @@ func NewVsaCommandOptions() *VsaCommandOptions {
 	}
 
 	c.fs = flag.NewFlagSet("vsa", flag.ContinueOnError)
-	c.fs.StringVar(&c.CommitSha, "commit-sha", "", "Git commit associated with the artifact")
 	c.fs.StringVar(&c.PolicyVersion, "policy-version", "", "GitHub release version of OPA bundle")
 	c.fs.StringVar(&c.VerifierId, "verifier-id", "", "ID of entity verifying policy for the VSA")
 	c.AddFlags(c.fs)
@@ -50,7 +48,7 @@ func (c *VsaCommandOptions) Parse(args []string) error {
 	if err != nil {
 		return err
 	}
-	c.GithubToken = githubToken
+	c.GitHubToken = githubToken
 	if err = c.fs.Parse(args); err != nil {
 		return err
 	}

diff --git a/internal/util/list.go b/internal/util/list.go