diff --git a/pkg/rekor/option.go b/pkg/rekor/option.go new file mode 100644 index 00000000..36d3b12d --- /dev/null +++ b/pkg/rekor/option.go @@ -0,0 +1,45 @@ +// +// Copyright 2023 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package rekor + +import ( + "context" + + "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/rekor/pkg/client" +) + +type Option func(*options) + +type options struct { + rekorPublicKeys CosignRekorKeyProvider + clientOpts []client.Option +} + +// CosignRekorKeyProvider is a function that returns the Rekor public keys in cosign's specialized format. +type CosignRekorKeyProvider func(ctx context.Context) (*cosign.TrustedTransparencyLogPubKeys, error) + +func WithCosignRekorKeyProvider(f CosignRekorKeyProvider) Option { + return func(o *options) { + o.rekorPublicKeys = f + } +} + +func WithClientOption(opts ...client.Option) Option { + return func(o *options) { + o.clientOpts = opts + } +} diff --git a/pkg/rekor/rekor.go b/pkg/rekor/rekor.go index 6d5a39e4..0429162f 100644 --- a/pkg/rekor/rekor.go +++ b/pkg/rekor/rekor.go @@ -43,7 +43,6 @@ import ( hashedrekord_v001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1" rekord_v001 "github.com/sigstore/rekor/pkg/types/rekord/v0.0.1" "github.com/sigstore/sigstore/pkg/cryptoutils" - "github.com/sigstore/sigstore/pkg/tuf" ) // Verifier represents a mechanism to get and verify Rekor entries for the given Git data. @@ -64,12 +63,26 @@ type Client struct { publicKeys *cosign.TrustedTransparencyLogPubKeys } +// Deprecated. Use NewWithOptions instead. func New(url string, opts ...rekor.Option) (*Client, error) { - c, err := rekor.GetRekorClient(url, opts...) + return NewWithOptions(context.TODO(), url, WithClientOption(opts...)) +} + +func NewWithOptions(ctx context.Context, url string, opts ...Option) (*Client, error) { + // Defaults + o := &options{ + rekorPublicKeys: cosign.GetRekorPubs, + } + for _, f := range opts { + f(o) + } + + c, err := rekor.GetRekorClient(url, o.clientOpts...) if err != nil { return nil, err } - pubs, err := rekorPubsFromClient(c) + + pubs, err := o.rekorPublicKeys(ctx) if err != nil { return nil, err } @@ -158,21 +171,6 @@ func (c *Client) findTLogEntriesByPayloadAndPK(ctx context.Context, payload, pub return searchIndex.GetPayload(), nil } -// rekorPubsFromClient returns a RekorPubKey keyed by the log ID from the Rekor client. -// NOTE: This **must not** be used in the verification path, but may be used in the -// sign path to validate return responses are consistent from Rekor. -func rekorPubsFromClient(rekorClient *client.Rekor) (*cosign.TrustedTransparencyLogPubKeys, error) { - publicKeys := cosign.NewTrustedTransparencyLogPubKeys() - pubOK, err := rekorClient.Pubkey.GetPublicKey(nil) - if err != nil { - return nil, fmt.Errorf("unable to fetch rekor public key from rekor: %w", err) - } - if err := publicKeys.AddTransparencyLogPubKey([]byte(pubOK.Payload), tuf.Active); err != nil { - return nil, fmt.Errorf("constructRekorPubKey: %w", err) - } - return &publicKeys, nil -} - // Verify verifies a commit using online verification. // // This is done by: