package main
import (
"context"
"crypto/ecdsa"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"os"
"time"
"github.com/go-logr/logr"
"github.com/go-logr/zapr"
"github.com/sigstore/cosign/pkg/cosign/kubernetes"
"github.com/sozercan/cosign-provider/pkg/provider"
"go.uber.org/zap"
)
// timeout bounds the per-request context that validate shares between the
// secret lookup and the signature check.
const timeout = 3 * time.Second

// log is the process-wide structured logger; main assigns it before the
// HTTP server starts accepting requests.
var log logr.Logger
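// main wires up a development-mode zap logger and serves the /validate
// endpoint on :8090 on all interfaces. The listener is plain HTTP with no
// authentication of its own, so it must only be reachable by the intended
// caller (confirm the Service / NetworkPolicy in the deployment enforces
// this). Any failure to start is fatal via panic, as before.
func main() {
	zapLog, err := zap.NewDevelopment()
	if err != nil {
		panic(fmt.Sprintf("unable to initialize logger: %v", err))
	}
	// WithName returns a new Logger; the original discarded the result, so
	// the "cosign-provider" name never reached any log line.
	log = zapr.NewLogger(zapLog).WithName("cosign-provider")
	log.Info("starting server...")

	// Dedicated mux rather than http.DefaultServeMux, so nothing registered
	// globally by an imported package (e.g. net/http/pprof) is exposed here.
	mux := http.NewServeMux()
	mux.HandleFunc("/validate", validate)

	// Explicit server timeouts: http.ListenAndServe uses a Server with none,
	// which lets a slow or stalled client hold a connection (and goroutine)
	// open indefinitely.
	srv := &http.Server{
		Addr:              ":8090",
		Handler:           mux,
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	if err = srv.ListenAndServe(); err != nil {
		panic(err)
	}
}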
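// validate is the HTTP handler behind /validate. It reads the request body
// verbatim as an image reference (it is not trimmed, so a trailing newline
// becomes part of the reference), loads the cosign public key(s) from the
// Kubernetes secret named by the SECRET_NAME environment variable, and
// answers with the JSON string "valid" or "invalid" at status 200 either way.
//
// Internal failures (body read, secret lookup) now answer with a non-200
// status and no body instead of an empty 200, so a caller cannot mistake a
// broken provider for a verdict. Error detail is logged, never sent to the
// client.
//
// NOTE(review): there is no method check and no authentication of the
// caller; any client that can reach the port can drive a secret GET against
// the API server per request. Confirm only the intended caller can reach it.
func validate(w http.ResponseWriter, req *http.Request) {
	w.Header().Set("Content-Type", "application/json")

	// Bound the read: the body is a single image reference, so anything near
	// this limit is not a legitimate request.
	const maxBodyBytes = 1 << 20
	body, err := ioutil.ReadAll(http.MaxBytesReader(w, req.Body, maxBodyBytes))
	if err != nil {
		log.Error(err, "unable to read request body")
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	secretKeyRef := os.Getenv("SECRET_NAME")

	// Derive from the request context so a client that goes away cancels the
	// secret lookup and signature fetch instead of letting them run to the
	// deadline.
	ctx, cancel := context.WithTimeout(req.Context(), timeout)
	defer cancel()

	// The secret is fetched on every request; there is no caching, so the
	// API server sees one GET per validation.
	cfg, err := kubernetes.GetKeyPairSecret(ctx, secretKeyRef)
	if err != nil {
		log.Error(err, "unable to get key pair secret", "secret", secretKeyRef)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
	keys := provider.Keys(cfg.Data)

	// valid is fail-closed: no keys, or no verifying signature, is "invalid".
	verdict := "invalid"
	if valid(ctx, string(body), keys) {
		verdict = "valid"
	}
	w.WriteHeader(http.StatusOK)
	if err = json.NewEncoder(w).Encode(verdict); err != nil {
		log.Error(err, "unable to encode output")
	}
}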
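// valid reports whether img carries at least one cosign signature that
// verifies under any of keys. It is fail-closed: an empty key list, a lookup
// error on every key, or no matching signature all yield false.
//
// A lookup error against one key no longer ends the loop (the original
// returned false at the first error), so an unusable entry in the secret
// cannot mask a signature that verifies under a later key. Each error is
// still logged with the image and the key's index in the list.
func valid(ctx context.Context, img string, keys []*ecdsa.PublicKey) bool {
	for i, key := range keys {
		sigs, err := provider.Signatures(ctx, img, key)
		if err != nil {
			// The original fmt.Printf had err and img swapped in its format
			// string; use the structured logger rather than stdout.
			log.Error(err, "error while checking signature on image", "image", img, "keyIndex", i)
			continue
		}
		if len(sigs) > 0 {
			// Log the key by position: formatting an *ecdsa.PublicKey with %s
			// only printed its struct fields.
			log.Info("valid signatures on image", "image", img, "keyIndex", i)
			return true
		}
	}
	return false
}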