From b36a1d1b79d7579738430adfd0696c324c3dacc0 Mon Sep 17 00:00:00 2001
From: Miloslav Trmač <mitr@redhat.com>
Date: Wed, 24 Aug 2022 20:45:57 +0200
Subject: BREAKING CHANGE: Change how (podman image trust show) represents
 multiple requirements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently
- the output uses the first entry's type, even if the requirements are different
  (notably signedBy + sigstoreSIgned)
- all public keys IDs are collected to a single line, even if some of them
  are interchangeable, and some are required (e.g. two signedBy requirements
  could require an image to be signed by (redhatProd OR redhatBeta) AND (vendor1 OR vendor2)

So, stop collapsing the requirements, and return a separate entry for each one. Multiple
GPG IDs on a single line used to mean AND or OR, now they always mean AND.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
---
 pkg/trust/trust.go      | 14 ++++-----
 pkg/trust/trust_test.go | 80 +++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 84 insertions(+), 10 deletions(-)

(limited to 'pkg/trust')

diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index 7b1b798ca..5f292083f 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -96,21 +96,21 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
 		}
 	}
 
-	entry := template
-	entry.Type = trustTypeDescription(reqs[0].Type)
-	uids := []string{}
 	for _, repoele := range reqs {
+		entry := template
+		entry.Type = trustTypeDescription(repoele.Type)
+
+		uids := []string{}
 		if len(repoele.KeyPath) > 0 {
 			uids = append(uids, idReader(repoele.KeyPath)...)
 		}
 		if len(repoele.KeyData) > 0 {
 			uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
 		}
+		entry.GPGId = strings.Join(uids, ", ")
+		entry.SignatureStore = lookasidePath
+		res = append(res, &entry)
 	}
-	entry.GPGId = strings.Join(uids, ", ")
-	entry.SignatureStore = lookasidePath
-
-	res = append(res, &entry)
 
 	return res
 }
diff --git a/pkg/trust/trust_test.go b/pkg/trust/trust_test.go
index d04e9f211..edafeb5c1 100644
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@@ -67,7 +67,15 @@ func TestPolicyDescription(t *testing.T) {
 					RepoName:       "quay.io/multi-signed",
 					Type:           "signed",
 					SignatureStore: "https://quay.example.com/sigstore",
-					GPGId:          "1, 2, 3",
+					GPGId:          "1",
+				},
+				{
+					Transport:      "repository",
+					Name:           "quay.io/multi-signed",
+					RepoName:       "quay.io/multi-signed",
+					Type:           "signed",
+					SignatureStore: "https://quay.example.com/sigstore",
+					GPGId:          "2, 3",
 				},
 				{
 					Transport:      "repository",
@@ -93,7 +101,15 @@ func TestPolicyDescription(t *testing.T) {
 					RepoName:       "default",
 					Type:           "signed",
 					SignatureStore: "",
-					GPGId:          "1, 2, 3",
+					GPGId:          "1",
+				},
+				{
+					Transport:      "all",
+					Name:           "* (default)",
+					RepoName:       "default",
+					Type:           "signed",
+					SignatureStore: "",
+					GPGId:          "2, 3",
 				},
 			},
 		},
@@ -188,7 +204,65 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 					RepoName:       "repoName",
 					Type:           "signed",
 					SignatureStore: "https://quay.example.com/sigstore",
-					GPGId:          "1, 2, 3",
+					GPGId:          "1",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://quay.example.com/sigstore",
+					GPGId:          "2, 3",
+				},
+			},
+		},
+		{ // Multiple kinds of requirements are represented individually.
+			"registry.redhat.io",
+			signature.PolicyRequirements{
+				signature.NewPRReject(),
+				signature.NewPRInsecureAcceptAnything(),
+				xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
+			},
+			[]*Policy{
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					Type:           "reject",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					Type:           "accept",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "redhat",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "1",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "2, 3",
 				},
 			},
 		},
-- 
cgit v1.2.3-54-g00ecf