Replace docker client with crane

Signed-off-by: Marco Franssen <marco.franssen@philips.com>
philips-labs · Jan 25, 2022 · 1d1afcf · 1d1afcf
1 parent 6d36724
commit 1d1afcf
Show file tree

Hide file tree

Showing 7 changed files with 82 additions and 130 deletions.
diff --git a/cmd/slsa-provenance/cli/container.go b/cmd/slsa-provenance/cli/container.go
@@ -3,7 +3,6 @@ package cli
 import (
 	"fmt"
 
-	"github.com/docker/docker/client"
 	"github.com/spf13/cobra"
 
 	"github.com/philips-labs/slsa-provenance-action/cmd/slsa-provenance/cli/options"
@@ -54,11 +53,7 @@ func OCI() *cobra.Command {
 				return err
 			}
 
-			cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
-			if err != nil {
-				return err
-			}
-			subjecter := oci.NewContainerSubjecter(cli, repo, digest, tags...)
+			subjecter := oci.NewContainerSubjecter(repo, digest, tags...)
 
 			env := &github.Environment{
 				Context: gh,

diff --git a/go.mod b/go.mod
@@ -4,16 +4,27 @@ go 1.17
 
 require (
 	github.com/docker/docker v20.10.12+incompatible
+	github.com/google/go-containerregistry v0.8.0
 	github.com/google/go-github/v41 v41.0.0
 	github.com/spf13/cobra v1.3.0
 	github.com/stretchr/testify v1.7.0
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 )
 
 require (
-	github.com/Microsoft/go-winio v0.4.17 // indirect
-	github.com/containerd/containerd v1.5.7 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+)
+
+require (
+	github.com/Microsoft/go-winio v0.5.1 // indirect
+	github.com/containerd/containerd v1.5.8 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/cli v20.10.12+incompatible // indirect
 	github.com/docker/distribution v2.7.1+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
@@ -22,20 +33,18 @@ require (
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.1 // indirect
+	github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa // indirect
-	golang.org/x/net v0.0.0-20211108170745-6635138e15ea // indirect
-	golang.org/x/sys v0.0.0-20211205182925-97ca703d548d // indirect
+	golang.org/x/net v0.0.0-20211216030914-fe4d6282115f // indirect
+	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
-	google.golang.org/grpc v1.42.0 // indirect
+	google.golang.org/grpc v1.43.0 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 )
diff --git a/go.sum b/go.sum
diff --git a/lib/oci/registry.go b/lib/oci/registry.go
diff --git a/lib/oci/registry_test.go b/lib/oci/registry_test.go
diff --git a/lib/oci/subjects.go b/lib/oci/subjects.go
@@ -1,21 +1,19 @@
 package oci
 
 import (
-	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
 	"strings"
 
-	"github.com/docker/docker/client"
+	"github.com/google/go-containerregistry/pkg/crane"
 
 	"github.com/philips-labs/slsa-provenance-action/lib/intoto"
 )
 
 // ContainerSubjecter implements Subjector to retrieve Subject from given container
 // if digest is given, it will also compare matches with the given digest
 type ContainerSubjecter struct {
-	cli    *client.Client
 	repo   string
 	digest string
 	tags   []string
@@ -24,23 +22,27 @@ type ContainerSubjecter struct {
 // NewContainerSubjecter walks the docker tags to retrieve the digests.
 // If digest is non empty string it will be used to compare the rerieved digest
 // to match the given digest
-func NewContainerSubjecter(cli *client.Client, repo, digest string, tags ...string) *ContainerSubjecter {
-	return &ContainerSubjecter{cli, repo, digest, tags}
+func NewContainerSubjecter(repo, digest string, tags ...string) *ContainerSubjecter {
+	return &ContainerSubjecter{repo, digest, tags}
 }
 
 // Subjects walks the file or directory at "root" and hashes all files.
 func (c *ContainerSubjecter) Subjects() ([]intoto.Subject, error) {
-	digest, err := c.pullRepoTags(context.TODO(), c.repo, c.tags...)
-	if err != nil {
-		return nil, err
-	}
-	if c.digest != "" && c.digest != digest {
-		return nil, fmt.Errorf("did not get expected digest, got %s, expected %s", digest, c.digest)
-	}
-	digestParts := strings.Split(digest, ":")
 	subjects := make([]intoto.Subject, len(c.tags))
 
+	if c.tags == nil || len(c.tags) == 0 {
+		c.tags = []string{"latest"}
+	}
+
 	for i, t := range c.tags {
+		digest, err := crane.Digest(fmt.Sprintf("%s:%s", c.repo, t))
+		if err != nil {
+			return nil, err
+		}
+		if c.digest != "" && c.digest != digest {
+			return nil, fmt.Errorf("did not get expected digest, got %s, expected %s", digest, c.digest)
+		}
+		digestParts := strings.Split(digest, ":")
 		subjects[i] = intoto.Subject{
 			Name:   fmt.Sprintf("%s:%s", c.repo, t),
 			Digest: intoto.DigestSet{digestParts[0]: digestParts[1]},

diff --git a/lib/oci/subjects_test.go b/lib/oci/subjects_test.go
@@ -5,7 +5,6 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/docker/docker/client"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/philips-labs/slsa-provenance-action/lib/intoto"
@@ -14,11 +13,6 @@ import (
 func TestSubjects(t *testing.T) {
 	assert := assert.New(t)
 
-	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
-	if !assert.NoError(err) {
-		return
-	}
-
 	repo := "ghcr.io/philips-labs/slsa-provenance"
 
 	errorCases := []struct {
@@ -33,14 +27,14 @@ func TestSubjects(t *testing.T) {
 			repo:   "",
 			tags:   nil,
 			digest: "",
-			err:    "invalid reference format",
+			err:    "parsing reference \":latest\": could not parse reference: :latest",
 		},
 		{
 			name:   "with non existing tag",
 			repo:   repo,
 			tags:   []string{"non-existing"},
 			digest: "",
-			err:    "Error response from daemon: manifest unknown",
+			err:    "GET https://ghcr.io/v2/philips-labs/slsa-provenance/manifests/non-existing: MANIFEST_UNKNOWN: manifest unknown",
 		},
 		{
 			name:   "invalid digest",
@@ -77,7 +71,7 @@ func TestSubjects(t *testing.T) {
 
 	for _, tc := range happyCases {
 		t.Run(tc.name, func(tt *testing.T) {
-			subjecter := NewContainerSubjecter(cli, repo, tc.digest, tc.tags...)
+			subjecter := NewContainerSubjecter(repo, tc.digest, tc.tags...)
 			s, err := subjecter.Subjects()
 			assert.NoError(err)
 			assert.NotNil(s)
@@ -91,7 +85,7 @@ func TestSubjects(t *testing.T) {
 
 	for _, tc := range errorCases {
 		t.Run(tc.name, func(tt *testing.T) {
-			subjecter := NewContainerSubjecter(cli, tc.repo, tc.digest, tc.tags...)
+			subjecter := NewContainerSubjecter(tc.repo, tc.digest, tc.tags...)
 			s, err := subjecter.Subjects()
 			assert.EqualError(err, tc.err)
 			assert.Nil(s)