send User-Agent string w/ rekor, fulcio, and ggcr HTTP requests (#1131)

* send User-Agent string w/ rekor, fulcio, and ggcr HTTP requests

Signed-off-by: Jake Sanders <jsand@google.com>

* centralize rekor client construction

Signed-off-by: Jake Sanders <jsand@google.com>

* also migrate policy-init

Signed-off-by: Jake Sanders <jsand@google.com>

* add tests to `fulcio.NewClient`

Signed-off-by: Jake Sanders <jsand@google.com>

cmd/cosign/cli/attest/attest.go

@@ -29,6 +29,7 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/attestation"
@@ -39,7 +40,6 @@ import (
 	"github.com/sigstore/cosign/pkg/oci/static"
 	sigs "github.com/sigstore/cosign/pkg/signature"
 	"github.com/sigstore/cosign/pkg/types"
-	rekPkgClient "github.com/sigstore/rekor/pkg/client"
 	"github.com/sigstore/rekor/pkg/generated/client"
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/sigstore/pkg/signature/dsse"
@@ -77,7 +77,7 @@ func uploadToTlog(ctx context.Context, sv *sign.SignerVerifier, rekorURL string,
 		rekorBytes = pemBytes
 	}
 
-	rekorClient, err := rekPkgClient.GetRekorClient(rekorURL)
+	rekorClient, err := rekor.NewClient(rekorURL)
 	if err != nil {
 		return nil, err
 	}

cmd/cosign/cli/fulcio/fulcio.go

@@ -25,6 +25,7 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
+	"net/url"
 	"os"
 
 	"github.com/go-openapi/runtime"
@@ -34,7 +35,9 @@ import (
 	"golang.org/x/term"
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots"
+	clioptions "github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/pkg/cosign"
+	fulcPkgClient "github.com/sigstore/fulcio/pkg/client"
 	fulcioClient "github.com/sigstore/fulcio/pkg/generated/client"
 	"github.com/sigstore/fulcio/pkg/generated/client/operations"
 	"github.com/sigstore/fulcio/pkg/generated/models"
@@ -196,3 +199,12 @@ var _ signature.Signer = &Signer{}
 func GetRoots() *x509.CertPool {
 	return fulcioroots.Get()
 }
+
+func NewClient(fulcioURL string) (*fulcioClient.Fulcio, error) {
+	fulcioServer, err := url.Parse(fulcioURL)
+	if err != nil {
+		return nil, err
+	}
+	fClient := fulcPkgClient.New(fulcioServer, fulcPkgClient.WithUserAgent(clioptions.UserAgent()))
+	return fClient, nil
+}

cmd/cosign/cli/fulcio/fulcio_test.go

@@ -21,10 +21,13 @@ import (
 	"crypto/rand"
 	"encoding/pem"
 	"errors"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/go-openapi/runtime"
 
+	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/fulcio/pkg/generated/client/operations"
 	"github.com/sigstore/sigstore/pkg/oauthflow"
 )
@@ -138,3 +141,33 @@ func TestGetCertForOauthID(t *testing.T) {
 		})
 	}
 }
+
+func TestNewClient(t *testing.T) {
+	t.Parallel()
+	expectedUserAgent := options.UserAgent()
+	requestReceived := false
+	testServer := httptest.NewServer(http.HandlerFunc(
+		func(w http.ResponseWriter, r *http.Request) {
+			requestReceived = true
+			file := []byte{}
+
+			got := r.UserAgent()
+			if got != expectedUserAgent {
+				t.Errorf("wanted User-Agent %q, got %q", expectedUserAgent, got)
+			}
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write(file)
+		}))
+	defer testServer.Close()
+
+	client, err := NewClient(testServer.URL)
+	if err != nil {
+		t.Error(err)
+	}
+
+	_, _ = client.Operations.SigningCert(nil, nil)
+
+	if !requestReceived {
+		t.Fatal("no requests were received")
+	}
+}

cmd/cosign/cli/options/registry.go

@@ -25,8 +25,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 	"github.com/spf13/cobra"
-
-	"github.com/sigstore/cosign/pkg/version"
 )
 
 // RegistryOptions is the wrapper for the registry options.
@@ -67,7 +65,7 @@ func (o *RegistryOptions) ClientOpts(ctx context.Context) ([]ociremote.Option, e
 func (o *RegistryOptions) GetRegistryClientOpts(ctx context.Context) []remote.Option {
 	opts := []remote.Option{
 		remote.WithContext(ctx),
-		remote.WithUserAgent("cosign/" + version.GetVersionInfo().GitVersion),
+		remote.WithUserAgent(UserAgent()),
 	}
 
 	if o.KubernetesKeychain {

cmd/cosign/cli/options/useragent.go

@@ -0,0 +1,33 @@
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package options
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/sigstore/cosign/pkg/version"
+)
+
+var (
+	// uaString is meant to resemble the User-Agent sent by browsers with requests.
+	// See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent
+	uaString = fmt.Sprintf("cosign/%s (%s; %s)", version.GitVersion, runtime.GOOS, runtime.GOARCH)
+)
+
+// UserAgent returns the User-Agent string which `cosign` should send with HTTP requests.ß
+func UserAgent() string {
+	return uaString
+}

cmd/cosign/cli/policy_init.go

@@ -33,9 +33,9 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
 	"github.com/sigstore/cosign/cmd/cosign/cli/upload"
-	rekorClient "github.com/sigstore/rekor/pkg/client"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 
 	"github.com/sigstore/cosign/pkg/cosign"
@@ -252,7 +252,7 @@ func signPolicy() *cobra.Command {
 			if options.EnableExperimental() {
 				// TODO: Refactor with sign.go
 				rekorBytes := sv.Cert
-				rekorClient, err := rekorClient.GetRekorClient(o.Rekor.URL)
+				rekorClient, err := rekor.NewClient(o.Rekor.URL)
 				if err != nil {
 					return err
 				}

cmd/cosign/cli/rekor/rekor.go

@@ -0,0 +1,30 @@
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rekor
+
+import (
+	rekor "github.com/sigstore/rekor/pkg/client"
+	"github.com/sigstore/rekor/pkg/generated/client"
+
+	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+)
+
+func NewClient(rekorURL string) (*client.Rekor, error) {
+	rekorClient, err := rekor.GetRekorClient(rekorURL, rekor.WithUserAgent(options.UserAgent()))
+	if err != nil {
+		return nil, err
+	}
+	return rekorClient, nil
+}

cmd/cosign/cli/rekor/rekor_test.go

@@ -0,0 +1,52 @@
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rekor
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+)
+
+func TestNewClient(t *testing.T) {
+	t.Parallel()
+	expectedUserAgent := options.UserAgent()
+	requestReceived := false
+	testServer := httptest.NewServer(http.HandlerFunc(
+		func(w http.ResponseWriter, r *http.Request) {
+			requestReceived = true
+			file := []byte{}
+
+			got := r.UserAgent()
+			if got != expectedUserAgent {
+				t.Errorf("wanted User-Agent %q, got %q", expectedUserAgent, got)
+			}
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write(file)
+		}))
+	defer testServer.Close()
+
+	client, err := NewClient(testServer.URL)
+	if err != nil {
+		t.Error(err)
+	}
+	_, _ = client.Tlog.GetLogInfo(nil)
+
+	if !requestReceived {
+		t.Fatal("no requests were received")
+	}
+}

cmd/cosign/cli/sign/sign.go

@@ -23,7 +23,6 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
-	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -36,6 +35,7 @@ import (
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
 	icos "github.com/sigstore/cosign/internal/pkg/cosign"
 	ifulcio "github.com/sigstore/cosign/internal/pkg/cosign/fulcio"
 	ipayload "github.com/sigstore/cosign/internal/pkg/cosign/payload"
@@ -51,8 +51,6 @@ import (
 	"github.com/sigstore/cosign/pkg/oci/walk"
 	providers "github.com/sigstore/cosign/pkg/providers/all"
 	sigs "github.com/sigstore/cosign/pkg/signature"
-	fulcPkgClient "github.com/sigstore/fulcio/pkg/client"
-	rekorClient "github.com/sigstore/rekor/pkg/client"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
@@ -209,7 +207,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko KeyO
 	s = ipayload.NewSigner(sv, nil, nil)
 	s = ifulcio.NewSigner(s, sv.Cert, sv.Chain)
 	if ShouldUploadToTlog(ctx, digest, force, ko.RekorURL) {
-		rClient, err := rekorClient.GetRekorClient(ko.RekorURL)
+		rClient, err := rekor.NewClient(ko.RekorURL)
 		if err != nil {
 			return err
 		}
@@ -387,11 +385,10 @@ func signerFromKeyRef(ctx context.Context, certPath, keyRef string, passFunc cos
 }
 
 func keylessSigner(ctx context.Context, ko KeyOpts) (*SignerVerifier, error) {
-	fulcioServer, err := url.Parse(ko.FulcioURL)
+	fClient, err := fulcio.NewClient(ko.FulcioURL)
 	if err != nil {
-		return nil, errors.Wrap(err, "parsing Fulcio URL")
+		return nil, errors.Wrap(err, "creating Fulcio client")
 	}
-	fClient := fulcPkgClient.New(fulcioServer)
 	tok := ko.IDToken
 	if providers.Enabled(ctx) {
 		tok, err = providers.Provide(ctx, "sigstore")

cmd/cosign/cli/sign/sign_blob.go

@@ -28,8 +28,8 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/pkg/cosign"
-	rekorClient "github.com/sigstore/rekor/pkg/client"
 	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
 )
 
@@ -87,7 +87,7 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
 		if err != nil {
 			return nil, err
 		}
-		rekorClient, err := rekorClient.GetRekorClient(ko.RekorURL)
+		rekorClient, err := rekor.NewClient(ko.RekorURL)
 		if err != nil {
 			return nil, err
 		}

cmd/cosign/cli/verify/verify.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/pivkey"
@@ -94,7 +95,13 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		co.ClaimVerifier = cosign.SimpleClaimVerifier
 	}
 	if options.EnableExperimental() {
-		co.RekorURL = c.RekorURL
+		if c.RekorURL != "" {
+			rekorClient, err := rekor.NewClient(c.RekorURL)
+			if err != nil {
+				return errors.Wrap(err, "creating Rekor client")
+			}
+			co.RekorClient = rekorClient
+		}
 		co.RootCerts = fulcio.GetRoots()
 	}
 	keyRef := c.KeyRef
@@ -163,7 +170,7 @@ func PrintVerificationHeader(imgRef string, co *cosign.CheckOpts, bundleVerified
 	}
 	if bundleVerified {
 		fmt.Fprintln(os.Stderr, "  - Existence of the claims in the transparency log was verified offline")
-	} else if co.RekorURL != "" {
+	} else if co.RekorClient != nil {
 		fmt.Fprintln(os.Stderr, "  - The claims were present in the transparency log")
 		fmt.Fprintln(os.Stderr, "  - The signatures were integrated into the transparency log when the certificate was valid")
 	}

cmd/cosign/cli/verify/verify_attestation.go

@@ -32,6 +32,7 @@ import (
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/cue"
 	"github.com/sigstore/cosign/pkg/cosign/pivkey"
@@ -74,7 +75,13 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 		co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
 	}
 	if options.EnableExperimental() {
-		co.RekorURL = c.RekorURL
+		if c.RekorURL != "" {
+			rekorClient, err := rekor.NewClient(c.RekorURL)
+			if err != nil {
+				return errors.Wrap(err, "creating Rekor client")
+			}
+			co.RekorClient = rekorClient
+		}
 		co.RootCerts = fulcio.GetRoots()
 	}
 	keyRef := c.KeyRef