
Feature: add search support for sha512 #1142

Merged
merged 4 commits into from Oct 23, 2022

Conversation

kommendorkapten
Member

Summary

This commit introduces the possibility to search via sha512 digests. An example of how this could be useful is the npm ecosystem. npm often relies on sha512 digests, and provenance attestations in intoto format may use sha512 digests as the subject. Subjects are extracted during uploads and added as index keys, which are then stored in Redis. This feature lets the cli accept sha512 digests, and the server accept them for use when searching in the Redis cache.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

Release Note

Rekor entries can now be searched by SHA512 digests (if they appear as subjects in an intoto attestation).

Documentation

Don't think so. The rekor cli help is updated for search.

This commit introduces the possibility to *search* via sha512 digests.
An example of how this could be useful is the npm ecosystem. npm often relies
on sha512 digests, and provenance attestations in intoto format may use
sha512 digests as the subject. Subjects are extracted during uploads and added
as index keys, which are then stored in Redis. This feature lets the cli
accept sha512 digests, and the server accept them for use when searching in
the Redis cache.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
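The indexing and lookup described in the summary, as an added illustration that is not rekor's own code: it derives "<alg>:<hex>" index keys from the subjects of an in-toto statement and normalises a CLI-style --sha query (sha256:, sha512:, or bare hex) so that a query and a stored key agree. The function names, the length-based algorithm inference and the sample digest are assumptions.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// NormalizeDigest (assumed helper, not rekor's own code) turns a user-supplied
// "sha256:<64 hex>", "sha512:<128 hex>" or bare hex digest into the "<alg>:<hex>" key form.
func NormalizeDigest(s string) (string, error) {
	s = strings.ToLower(strings.TrimSpace(s))
	i := strings.IndexByte(s, ':') // -1 when no "alg:" prefix was given
	alg, h := strings.TrimSuffix(s[:i+1], ":"), s[i+1:]
	if _, err := hex.DecodeString(h); err != nil {
		return "", fmt.Errorf("digest is not hex: %w", err)
	}
	switch { // with a bare digest the hex length alone identifies the algorithm
	case len(h) == 64 && (alg == "" || alg == "sha256"):
		return "sha256:" + h, nil
	case len(h) == 128 && (alg == "" || alg == "sha512"):
		return "sha512:" + h, nil
	}
	return "", fmt.Errorf("unsupported digest %q: want sha256 (64 hex) or sha512 (128 hex)", s)
}

// SubjectKeys extracts sha256/sha512 "<alg>:<hex>" index keys from an in-toto statement's subjects.
func SubjectKeys(stmtJSON []byte) ([]string, error) {
	var st struct {
		Subject []struct{ Digest map[string]string `json:"digest"` } `json:"subject"`
	}
	if err := json.Unmarshal(stmtJSON, &st); err != nil {
		return nil, err
	}
	var keys []string
	for _, sub := range st.Subject {
		for _, alg := range []string{"sha256", "sha512"} { // fixed order keeps output stable
			if k, err := NormalizeDigest(alg + ":" + sub.Digest[alg]); err == nil {
				keys = append(keys, k)
			}
		}
	}
	return keys, nil
}
func main() { // constructed sample: a sha512 subject, then the same digest queried as bare hex
	h := strings.Repeat("ab", 64)
	fmt.Println(SubjectKeys([]byte(`{"subject":[{"digest":{"sha512":"` + h + `"}}]}`)))
	fmt.Println(NormalizeDigest(h))
}
```

Digests of any other algorithm in a subject are skipped, and a query whose prefix disagrees with its hex length (for example sha256: in front of 128 hex characters) is rejected instead of being silently indexed under the wrong key.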
@kommendorkapten kommendorkapten requested a review from a team as a code owner October 21, 2022 11:32
@codecov-commenter

codecov-commenter commented Oct 21, 2022

Codecov Report

Merging #1142 (3487b3f) into main (e41b4cb) will increase coverage by 23.30%.
The diff coverage is 100.00%.

@@             Coverage Diff             @@
##             main    #1142       +/-   ##
===========================================
+ Coverage   40.82%   64.13%   +23.30%     
===========================================
  Files          74       82        +8     
  Lines        7174     7620      +446     
===========================================
+ Hits         2929     4887     +1958     
+ Misses       3935     2109     -1826     
- Partials      310      624      +314     
Flag        Coverage Δ
e2etests    48.89% <74.35%> (?)
unittests   41.56% <97.43%> (+0.73%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files                       Coverage Δ
cmd/rekor-cli/app/pflags.go          90.30% <100.00%> (+1.82%) ⬆️
cmd/rekor-cli/app/search.go          57.85% <100.00%> (+37.85%) ⬆️
pkg/api/index.go                     71.17% <100.00%> (+29.72%) ⬆️
pkg/util/sha.go                      100.00% <100.00%> (+100.00%) ⬆️
pkg/util/validate.go                 100.00% <100.00%> (+55.88%) ⬆️
pkg/client/rekor_client.go           86.36% <0.00%> (-0.60%) ⬇️
cmd/rekor-server/app/root.go         56.66% <0.00%> (ø)
pkg/storage/storage.go               45.71% <0.00%> (ø)
cmd/rekor-cli/app/format/wrap.go     59.09% <0.00%> (ø)
cmd/rekor-server/app/version.go      100.00% <0.00%> (ø)
... and 54 more


@kommendorkapten
Member Author

Hm, I don't get any updates to the generated files when I'm running things locally. I'm using a mac, not Linux, but that shouldn't matter? The differences in the files are mostly on how the comments are formatted.

$ ./hack/tools/bin/swagger generate client -f openapi.yaml -q -r COPYRIGHT.txt -t pkg/generated --additional-initialism=TUF
$ ./hack/tools/bin/swagger generate server -f openapi.yaml -q -r COPYRIGHT.txt -t pkg/generated --exclude-main -A rekor_server --flag-strategy=pflag --default-produces application/json --additional-initialism=TUF
$ git status
On branch feat_search_sha512
nothing to commit, working tree clean
$ touch openapi.yaml
$ make
/Users/kommendorkapten/git/rekor/hack/tools/bin/swagger validate openapi.yaml
2022/10/21 13:53:05
The swagger spec at "openapi.yaml" is valid against swagger specification 2.0
...
CGO_ENABLED=0 go build -trimpath -ldflags "-X sigs.k8s.io/release-utils/version.gitVersion=v0.12.0-67-g39562d2 -X sigs.k8s.io/release-utils/version.gitCommit=39562d2a3e3d0133e3aa3a042b2882d83432691a -X sigs.k8s.io/release-utils/version.gitTreeState="clean" -X sigs.k8s.io/release-utils/version.buildDate=2022-10-21T11:30:17Z" -o rekor-server ./cmd/rekor-server
$ git status
On branch feat_search_sha512
nothing to commit, working tree clean

@bobcallaway
Member


try make clean-gen followed by make?

@kommendorkapten
Member Author

No :(

Same:

$ make clean-gen && make
rm -rf dist
rm -rf hack/tools/bin
rm -rf rekor-cli rekor-server
rm -f *fuzz.zip
rm -rf pkg/generated/client/entries/create_log_entry_parameters.go pkg/generated/client/entries/create_log_entry_responses.go pkg/generated/client/entries/entries_client.go pkg/generated/client/entries/get_log_entry_by_index_parameters.go pkg/generated/client/entries/get_log_entry_by_index_responses.go pkg/generated/client/entries/get_
...
CGO_ENABLED=0 go build -trimpath -ldflags "-X sigs.k8s.io/release-utils/version.gitVersion=v0.12.0-67-g39562d2 -X sigs.k8s.io/release-utils/version.gitCommit=39562d2a3e3d0133e3aa3a042b2882d83432691a -X sigs.k8s.io/release-utils/version.gitTreeState="clean" -X sigs.k8s.io/release-utils/version.buildDate=2022-10-21T11:30:17Z" -o rekor-server ./cmd/rekor-server
$ git status
On branch feat_search_sha512
nothing to commit, working tree clean

@kommendorkapten
Member Author

Booted a linux container (ubuntu) and ran the commands:

$ uname -a
Linux 0f0cec2ab8f3 5.10.104-linuxkit #1 SMP PREEMPT Wed Mar 9 19:01:25 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
$ go version
go version go1.18.1 linux/arm64
$ make clean-gen && make
rm -rf dist
rm -rf hack/tools/bin
rm -rf rekor-cli rekor-server
rm -f *fuzz.zip
...
$ git status
On branch feat_search_sha512
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   hack/tools/go.sum

So no changes to the generated files, only the go.sum for the tool. Will dig deeper into what version(s) the runner is using.

asraa
asraa previously approved these changes Oct 21, 2022
Contributor

@asraa asraa left a comment


Changes otherwise lgtm besides the swagger issues :/

You should be able to add a CLI test, since intoto attestations index sha512's if present similar to

out = runCli(t, "search", "--sha", fmt.Sprintf("sha256:%s", hex.EncodeToString(sha[:])))

@bobcallaway
Member

The builder is using go 1.19.2 vs your ubuntu container using 1.18.1.

On my mac with go 1.19, when I do make clean && make I do get the changes shown in the CI test, so I think it's that.

@bobcallaway
Member

and +1 to @asraa 's comment about adding a cli test, otherwise code LGTM

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
@kommendorkapten
Member Author

Great find @bobcallaway, thanks.
Yes, I'll add a cli test too as @asraa proposed!

…ject.

The test then verifies that the entry can be found via the SHA512 digest.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
@dlorenc
Member

dlorenc commented Oct 22, 2022

Nice work!

@dlorenc dlorenc merged commit f8ae9ba into sigstore:main Oct 23, 2022
@github-actions github-actions bot added this to the v1.1.0 milestone Oct 23, 2022