feat: add implementation for notation inspect
#528
Conversation
byronchien
force-pushed
the
inspect-impl
branch
from
d1c1baa to
784408e
Compare
priteshbandi
requested review from
shizhMSFT,
patrickzheng200 and
priteshbandi
shizhMSFT
changed the title
notation inspect
byronchien
force-pushed
the
inspect-impl
branch
3 times, most recently
from
555dc3f to
5f4afdf
Compare
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## main #528 +/- ##
==========================================
- Coverage 36.34% 34.36% -1.98%
==========================================
Files 30 32 +2
Lines 1607 1848 +241
==========================================
+ Hits 584 635 +51
- Misses 1002 1192 +190
Partials 21 21
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
byronchien
force-pushed
the
inspect-impl
branch
3 times, most recently
from
15bb78b to
e675c75
Compare
cmd/notation/inspect.go
Outdated
| const ( | ||
| treeItemPrefix = "├──" | ||
| treeItemPrefixLast = "└──" | ||
| subTreePrefix = "│ " | ||
| subTreePrefixLast = " " | ||
| ) |
There was a problem hiding this comment.
Can we use some external library to create this tree structure? If not, can we create one?
There was a problem hiding this comment.
opened issue to track this #545
There was a problem hiding this comment.
+1 on having a new package for tree printing.
There was a problem hiding this comment.
It should be done in this PR instead of refactoring in a later PR for code quality considerations.
Otherwise, the notation inspect code is not maintainable, especially for new contributors.
There was a problem hiding this comment.
If you don't consider printing tree while loading signatures pages, you may consider https://github.com/need-being/go-tree as it is MIT.
There was a problem hiding this comment.
IMO adding not a well known library such as need-being/go-tree is risky and since the amount of code we are taking about is less than 100 lines I would prefer that we we write our own.
| @@ -74,7 +74,7 @@ var _ = Describe("notation quickstart E2E test", Ordered, func() { | |||
|
|
|||
| It("Verify the container image with jws format", func() { | |||
| notation.Exec("verify", artifact.ReferenceWithDigest()). | |||
| MatchContent(fmt.Sprintf("Successfully verified signature for %s\n", artifact.ReferenceWithDigest())) | |||
| MatchKeyWords(fmt.Sprintf("Successfully verified signature for %s\n", artifact.ReferenceWithDigest())) | |||
There was a problem hiding this comment.
Why are we changing this?
There was a problem hiding this comment.
when running the E2E tests, sometimes the tests with user-metadata would run before this one, causing the output to mismatch since the signature with user-metadata would be verified first and cause the output to not match exactly. Changing it so that the test just checks that the verification passes successfully regardless of whether tags are present or not.
| @@ -74,7 +74,7 @@ var _ = Describe("notation quickstart E2E test", Ordered, func() { | |||
|
|
|||
| It("Verify the container image with jws format", func() { | |||
| notation.Exec("verify", artifact.ReferenceWithDigest()). | |||
| MatchContent(fmt.Sprintf("Successfully verified signature for %s\n", artifact.ReferenceWithDigest())) | |||
| MatchKeyWords(fmt.Sprintf("Successfully verified signature for %s\n", artifact.ReferenceWithDigest())) | |||
cmd/notation/inspect.go
Outdated
| const ( | ||
| treeItemPrefix = "├──" | ||
| treeItemPrefixLast = "└──" | ||
| subTreePrefix = "│ " | ||
| subTreePrefixLast = " " | ||
| ) |
There was a problem hiding this comment.
+1 on having a new package for tree printing.
cmd/notation/inspect.go
Outdated
| const ( | ||
| treeItemPrefix = "├──" | ||
| treeItemPrefixLast = "└──" | ||
| subTreePrefix = "│ " | ||
| subTreePrefixLast = " " | ||
| ) |
There was a problem hiding this comment.
It should be done in this PR instead of refactoring in a later PR for code quality considerations.
Otherwise, the notation inspect code is not maintainable, especially for new contributors.
cmd/notation/inspect.go
Outdated
| const ( | ||
| treeItemPrefix = "├──" | ||
| treeItemPrefixLast = "└──" | ||
| subTreePrefix = "│ " | ||
| subTreePrefixLast = " " | ||
| ) |
There was a problem hiding this comment.
If you don't consider printing tree while loading signatures pages, you may consider https://github.com/need-being/go-tree as it is MIT.
byronchien
force-pushed
the
inspect-impl
branch
from
4ab2a4d to
a8e2dc0
Compare
cmd/notation/inspect.go
Outdated
| const ( | ||
| NotarySignatureMediaType = "application/vnd.cncf.notary.signature" | ||
| ) |
There was a problem hiding this comment.
You can directly reference registry.ArtifactTypeNotation from notation-go.
go.mod
Outdated
| @@ -4,6 +4,7 @@ go 1.20 | |||
|
|
|||
| require ( | |||
| github.com/docker/docker-credential-helpers v0.7.0 | |||
| github.com/need-being/go-tree v0.1.0 | |||
There was a problem hiding this comment.
Adding not a well known library such as need-being/go-tree is risky and since the amount of code we are taking about is less than 100 lines I would prefer that we we write our own.
There was a problem hiding this comment.
Since it is MIT, we can borrow their code.
go.mod
Outdated
| @@ -4,6 +4,7 @@ go 1.20 | |||
|
|
|||
| require ( | |||
| github.com/docker/docker-credential-helpers v0.7.0 | |||
| github.com/need-being/go-tree v0.1.0 | |||
There was a problem hiding this comment.
Since it is MIT, we can borrow their code.
byronchien
dismissed stale reviews from priteshbandi and shizhMSFT
via
5025773
byronchien
dismissed stale reviews from shizhMSFT, patrickzheng200, and priteshbandi
via
84b6753
byronchien
force-pushed
the
inspect-impl
branch
from
84b6753 to
d30f9bf
Compare
Signed-off-by: Byron Chien <byronc@ucla.edu>
byronchien
dismissed stale reviews from patrickzheng200, shizhMSFT, and priteshbandi
via
00896e4
byronchien
force-pushed
the
inspect-impl
branch
from
d30f9bf to
00896e4
Compare
Adds support for `notation inspect` ([spechere](https://github.com/notaryproject/notation/blob/main/specs/commandline/inspect.md)) Example output: ``` chienb@a07817b52895 notation % ./bin/notation inspect $IMAGE localhost:5000/net-monitor@sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b └── application/vnd.cncf.notary.signature └── sha256:34e5843a1a8b1607d2ba7da9b61c6a5b3953f5680751c160fb944df87b01b2b2 ├── signature algorithm : RSASSA-PSS-SHA-256 ├── signed attributes │ ├── expiry : 0001-01-01 00:00:00 +0000 UTC │ ├── signingScheme : notary.x509 │ └── signingTime : 2023-01-27 17:02:22 -0800 PST ├── user defined attributes │ └── io.wabbit-networks.buildId : 123 ├── unsigned attributes │ └── signingAgent : Notation/1.0.0 ├── certificates │ └── SHA1 fingerprint e1ef7b0f984d1f8222d6bf297e1ad10047997b54 │ ├── issued to : CN=byron.test,O=Notary,L=Seattle,ST=WA,C=US │ ├── issued by : CN=byron.test,O=Notary,L=Seattle,ST=WA,C=US │ └── expiry : 2023-01-29 01:02:13 +0000 UTC └── signed artifact ├── media type : application/vnd.docker.distribution.manifest.v2+json ├── digest : sha256:5a07385af4e6b6af81b0ebfd435aedccdfa3507f0609c658209e1aba57159b2b └── size : 942 ``` Signed-off-by: Byron Chien <chienb@amazon.com> Signed-off-by: Josh Duffney <jduffney@microsoft.com>
Adds support for
notation inspect(spec here)Example output:
NOTE: this PR is on top of the changes for user-metadata verifictation and json output from there PRs:
notation verify#527suggested order for review: notation-go #261 => notation-core-go #111 => notation #527 =>notation #528 (this one)
Signed-off-by: Byron Chien chienb@amazon.com