authorMiloslav Trmač <mitr@redhat.com>2022-08-24 20:45:57 +0200
committerMiloslav Trmač <mitr@redhat.com>2022-08-29 17:55:39 +0200
commit551850df8a2baaa0c789a34b62785fe379083e84 (patch)
treef69488f3e9bb7222655b83f7adc854ae7eeb47ac /pkg
parent62499f4a2555031fccc0cc82feda15293759d058 (diff)
BREAKING CHANGE: Change how (podman image trust show) represents multiple requirements
Currently: the output uses the first entry's type, even if the requirements are of different types (notably signedBy + sigstoreSigned); and all public key IDs are collected into a single line, even if some of them are interchangeable and some are required (e.g. two signedBy requirements could require an image to be signed by (redhatProd OR redhatBeta) AND (vendor1 OR vendor2)). So, stop collapsing the requirements, and return a separate entry for each one. Multiple GPG IDs on a single line used to mean AND or OR; now they always mean AND. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/trust/trust.go14
-rw-r--r--pkg/trust/trust_test.go80
2 files changed, 84 insertions, 10 deletions
diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index 7b1b798ca..5f292083f 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -96,21 +96,21 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
}
}
- entry := template
- entry.Type = trustTypeDescription(reqs[0].Type)
- uids := []string{}
for _, repoele := range reqs {
+ entry := template
+ entry.Type = trustTypeDescription(repoele.Type)
+
+ uids := []string{}
if len(repoele.KeyPath) > 0 {
uids = append(uids, idReader(repoele.KeyPath)...)
}
if len(repoele.KeyData) > 0 {
uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
}
+ entry.GPGId = strings.Join(uids, ", ")
+ entry.SignatureStore = lookasidePath
+ res = append(res, &entry)
}
- entry.GPGId = strings.Join(uids, ", ")
- entry.SignatureStore = lookasidePath
-
- res = append(res, &entry)
return res
}
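Review bot: The meaning of a comma-separated GPGId within one output entry, built at `entry.GPGId = strings.Join(uids, ", ")`, is not documented on the function, and the commit message is internally inconsistent about it: its own example ((redhatProd OR redhatBeta) AND (vendor1 OR vendor2)) treats the keys inside a single requirement as alternatives, while its last sentence says IDs on one line "always mean AND". Since the output of `podman image trust show` is what an operator reads to judge a policy, the contract should be stated next to the code, e.g. above the loop: `// One output entry per requirement. GPGId lists every key identity found in that requirement's keyring, joined by ", "; whether one or all of those keys must have signed the image is decided by the policy evaluator, not here.` As a style point, `uids := []string{}` can be `var uids []string`, since strings.Join yields "" for a nil slice just as for an empty one. The enclosing descriptionsOfPolicyRequirements begins before this hunk.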
diff --git a/pkg/trust/trust_test.go b/pkg/trust/trust_test.go
index d04e9f211..edafeb5c1 100644
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@@ -67,7 +67,15 @@ func TestPolicyDescription(t *testing.T) {
RepoName: "quay.io/multi-signed",
Type: "signed",
SignatureStore: "https://quay.example.com/sigstore",
- GPGId: "1, 2, 3",
+ GPGId: "1",
+ },
+ {
+ Transport: "repository",
+ Name: "quay.io/multi-signed",
+ RepoName: "quay.io/multi-signed",
+ Type: "signed",
+ SignatureStore: "https://quay.example.com/sigstore",
+ GPGId: "2, 3",
},
{
Transport: "repository",
@@ -93,7 +101,15 @@ func TestPolicyDescription(t *testing.T) {
RepoName: "default",
Type: "signed",
SignatureStore: "",
- GPGId: "1, 2, 3",
+ GPGId: "1",
+ },
+ {
+ Transport: "all",
+ Name: "* (default)",
+ RepoName: "default",
+ Type: "signed",
+ SignatureStore: "",
+ GPGId: "2, 3",
},
},
},
@@ -188,7 +204,65 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
RepoName: "repoName",
Type: "signed",
SignatureStore: "https://quay.example.com/sigstore",
- GPGId: "1, 2, 3",
+ GPGId: "1",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://quay.example.com/sigstore",
+ GPGId: "2, 3",
+ },
+ },
+ },
+ { // Multiple kinds of requirements are represented individually.
+ "registry.redhat.io",
+ signature.PolicyRequirements{
+ signature.NewPRReject(),
+ signature.NewPRInsecureAcceptAnything(),
+ xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ },
+ []*Policy{
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ Type: "reject",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ Type: "accept",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "redhat",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "1",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "2, 3",
},
},
},
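Review bot: The new "Multiple kinds of requirements" case exercises reject, insecureAcceptAnything and signedBy, but not the combination the commit message names as the motivating defect (signedBy next to sigstoreSigned), so the type-per-entry behaviour for that mix remains untested; adding a sigstoreSigned requirement to this PolicyRequirements list, if trustTypeDescription supports it, would pin it. As a style point, the reject and accept entries place `SignatureStore` before `Type` while the signed entries place `Type` first; keeping one field order across all expected `Policy` literals makes the table easier to scan. The enclosing TestDescriptionsOfPolicyRequirements table begins before this hunk.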