package repository

Version: v0.4.0 (this package is not in the latest version of its module)
Published: May 7, 2024. License: Apache-2.0. Imports: 24. Imported by: 0


Constants

This section is empty.

Variables

var (
	ErrPushingPolicy = errors.New("unable to push policy")
	ErrPullingPolicy = errors.New("unable to pull policy")
)

var (
	ErrUnauthorizedKey    = errors.New("unauthorized key presented when updating gittuf metadata")
	ErrCannotReinitialize = errors.New("cannot reinitialize metadata, it exists already")
)

var (
	ErrCommitNotInRef = errors.New("specified commit is not in ref")
	ErrPushingRSL     = errors.New("unable to push RSL")
	ErrPullingRSL     = errors.New("unable to pull RSL")
)

var (
	ErrCloningRepository = errors.New("unable to clone repository")
	ErrDirExists         = errors.New("directory exists")
)
var ErrInvalidPolicyName = errors.New("invalid rule or policy file name, cannot be 'root'")

var ErrNotSigningKey = errors.New("expected signing key")

var ErrRefStateDoesNotMatchRSL = errors.New("Git reference's current state does not match latest RSL entry") //nolint:stylecheck

ErrRefStateDoesNotMatchRSL is returned when the tip of a Git reference being verified differs from the tip recorded in the latest RSL entry for that reference. This can happen for several reasons, ranging from the reference state having been modified away from what is recorded in the RSL to no RSL entry having been created for some new changes. Depending on the context, one resolution is to update the reference state to match the RSL entry; another is to create a new RSL entry for the current state.

var HookPrePush = HookType("pre-push")

Functions

This section is empty.

Types

type ErrHookExists added in v0.3.0

type ErrHookExists struct {
	HookType HookType
}

func (*ErrHookExists) Error added in v0.3.0

func (e *ErrHookExists) Error() string

type HookType added in v0.3.0

type HookType string

type Repository

type Repository struct {
	// contains filtered or unexported fields
}

func Clone

func Clone(ctx context.Context, remoteURL, dir, initialBranch string) (*Repository, error)

Clone wraps a typical git clone invocation, fetching gittuf refs in addition to the standard refs. It performs a verification of the RSL against the specified HEAD after cloning the repository. TODO: resolve how root keys are trusted / bootstrapped.

func LoadRepository

func LoadRepository() (*Repository, error)

func (*Repository) AddDelegation

func (r *Repository) AddDelegation(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ruleName string, authorizedKeys []*tuf.Key, rulePatterns []string, threshold int, signCommit bool) error

AddDelegation is the interface for the user to add a new rule to gittuf policy.

func (*Repository) AddGitHubPullRequestAttestationForCommit added in v0.4.0

func (r *Repository) AddGitHubPullRequestAttestationForCommit(ctx context.Context, signer sslibdsse.SignerVerifier, owner, repository, commitID, baseBranch string, signCommit bool) error

AddGitHubPullRequestAttestationForCommit identifies the pull request for a specified commit ID and triggers AddGitHubPullRequestAttestationForNumber for that pull request. Currently, the authentication token for the GitHub API is read from the GITHUB_TOKEN environment variable.

func (*Repository) AddGitHubPullRequestAttestationForNumber added in v0.4.0

func (r *Repository) AddGitHubPullRequestAttestationForNumber(ctx context.Context, signer sslibdsse.SignerVerifier, owner, repository string, pullRequestNumber int, signCommit bool) error

AddGitHubPullRequestAttestationForNumber wraps the API response for the specified pull request in an in-toto attestation. `pullRequestNumber` must be the number of the pull request. Currently, the authentication token for the GitHub API is read from the GITHUB_TOKEN environment variable.

func (*Repository) AddKeyToTargets

func (r *Repository) AddKeyToTargets(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, authorizedKeys []*tuf.Key, signCommit bool) error

AddKeyToTargets is the interface for a user to add a trusted key to the gittuf policy.

func (*Repository) AddReferenceAuthorization added in v0.3.0

func (r *Repository) AddReferenceAuthorization(ctx context.Context, signer sslibdsse.SignerVerifier, targetRef, featureRef string, signCommit bool) error

AddReferenceAuthorization adds a reference authorization attestation to the repository for the specified target ref. The from ID is identified using the last RSL entry for the target ref. The to ID is that of the expected Git tree created by merging the feature ref into the target ref. The commit used to calculate the merge tree ID is identified using the RSL for the feature ref. Currently, this is limited to developer mode.

func (*Repository) AddRootKey added in v0.3.0

func (r *Repository) AddRootKey(ctx context.Context, signer sslibdsse.SignerVerifier, newRootKey *tuf.Key, signCommit bool) error

AddRootKey is the interface for the user to add an authorized key for the Root role.

func (*Repository) AddTopLevelTargetsKey

func (r *Repository) AddTopLevelTargetsKey(ctx context.Context, signer sslibdsse.SignerVerifier, targetsKey *tuf.Key, signCommit bool) error

AddTopLevelTargetsKey is the interface for the user to add an authorized key for the top level Targets role / policy file.

func (*Repository) ApplyPolicy added in v0.4.0

func (r *Repository) ApplyPolicy(ctx context.Context, signRSLEntry bool) error

func (*Repository) CheckRemoteRSLForUpdates

func (r *Repository) CheckRemoteRSLForUpdates(ctx context.Context, remoteName string) (bool, bool, error)

CheckRemoteRSLForUpdates checks whether the RSL at the specified remote has been updated compared with the local repository's RSL. It does this by fetching the remote RSL into the local repository's remote RSL tracker. If the remote RSL has been updated, the method also checks whether the local and remote RSLs have diverged. The first return value indicates whether there is an update; the second indicates whether the two RSLs have diverged and need to be reconciled.
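As an added illustration (not gittuf's own code), a toy Go model of the two checks described above: the update/divergence test behind CheckRemoteRSLForUpdates and the tip comparison behind ErrRefStateDoesNotMatchRSL. The Entry and RSL types, the sample entries, and the rule that a local log ahead of the remote yields "no update" are assumptions of this model; the real package walks Git commit history rather than a slice.

```go
package main

import "errors"

// Mirrors the package error: ref tip differs from the latest RSL entry's target.
var ErrRefStateDoesNotMatchRSL = errors.New("Git reference's current state does not match latest RSL entry")

// Entry is a simplified RSL entry (constructed model): the ref it records and
// the commit that ref pointed to when the entry was made.
type Entry struct{ ID, RefName, Target string }

// RSL is the append-only log; the last element is the tip, like the RSL ref.
type RSL []Entry

// contains reports whether entryID is in the log, i.e. an ancestor of the tip.
func (l RSL) contains(entryID string) bool {
	for _, e := range l {
		if e.ID == entryID {
			return true
		}
	}
	return false
}

// CheckRemoteRSLForUpdates models the two booleans the package method returns:
// hasUpdates when the remote tip is not already in the local log, diverged when
// neither tip is an ancestor of the other (a fast-forward-only fetch would fail).
func CheckRemoteRSLForUpdates(local, remote RSL) (hasUpdates, diverged bool) {
	if len(remote) == 0 || local.contains(remote[len(remote)-1].ID) {
		return false, false // nothing to fetch: in sync, or local is ahead
	}
	if len(local) == 0 || remote.contains(local[len(local)-1].ID) {
		return true, false // remote is ahead: plain fast-forward
	}
	return true, true // histories diverged: reconcile before pulling
}

// VerifyRefState is the check behind ErrRefStateDoesNotMatchRSL: find the
// latest entry for refName and compare its target with the ref's current tip.
func VerifyRefState(log RSL, refName, currentTip string) error {
	for i := len(log) - 1; i >= 0; i-- {
		if log[i].RefName == refName {
			if log[i].Target == currentTip {
				return nil
			}
			return ErrRefStateDoesNotMatchRSL
		}
	}
	return errors.New("no RSL entry recorded for " + refName)
}
```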

func (*Repository) InitializeNamespaces

func (r *Repository) InitializeNamespaces() error

func (*Repository) InitializeRoot

func (r *Repository) InitializeRoot(ctx context.Context, signer sslibdsse.SignerVerifier, signCommit bool) error

InitializeRoot is the interface for the user to create the repository's root of trust.

func (*Repository) InitializeTargets

func (r *Repository) InitializeTargets(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, signCommit bool) error

InitializeTargets is the interface for the user to create the specified policy file.

func (*Repository) ListRules added in v0.3.0

func (r *Repository) ListRules(ctx context.Context, targetRef string) ([]*policy.DelegationWithDepth, error)

func (*Repository) PullPolicy

func (r *Repository) PullPolicy(ctx context.Context, remoteName string) error

PullPolicy fetches the gittuf policy from the specified remote. The fetch is marked fast-forward only so that divergence is detected. Note that this also fetches the RSL, as the policy must be updated in sync with the RSL.

func (*Repository) PullRSL

func (r *Repository) PullRSL(ctx context.Context, remoteName string) error

PullRSL pulls RSL contents from the specified remote into the local RSL. The fetch is marked fast-forward only so that RSL divergence is detected.

func (*Repository) PushPolicy

func (r *Repository) PushPolicy(ctx context.Context, remoteName string) error

PushPolicy pushes the local gittuf policy to the specified remote. As this push defaults to fast-forward only, divergent policy states are detected. Note that this also pushes the RSL as the policy cannot change without an update to the RSL.

func (*Repository) PushRSL

func (r *Repository) PushRSL(ctx context.Context, remoteName string) error

PushRSL pushes the local RSL to the specified remote. As this push defaults to fast-forward only, divergent RSL states are detected.

func (*Repository) RecordRSLAnnotation

func (r *Repository) RecordRSLAnnotation(rslEntryIDs []string, skip bool, message string, signCommit bool) error

RecordRSLAnnotation is the interface for the user to add an RSL annotation for one or more prior RSL entries.

func (*Repository) RecordRSLEntryForReference

func (r *Repository) RecordRSLEntryForReference(refName string, signCommit bool) error

RecordRSLEntryForReference is the interface for the user to add an RSL entry for the specified Git reference.

func (*Repository) RecordRSLEntryForReferenceAtTarget added in v0.3.0

func (r *Repository) RecordRSLEntryForReferenceAtTarget(refName string, targetID string, signingKeyBytes []byte) error

RecordRSLEntryForReferenceAtTarget is a special version of RecordRSLEntryForReference used for evaluation. It is only invoked when gittuf is explicitly set in developer mode.

func (*Repository) RemoveDelegation

func (r *Repository) RemoveDelegation(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ruleName string, signCommit bool) error

RemoveDelegation is the interface for a user to remove a rule from gittuf policy.

func (*Repository) RemoveReferenceAuthorization added in v0.3.0

func (r *Repository) RemoveReferenceAuthorization(ctx context.Context, signer sslibdsse.SignerVerifier, targetRef, fromID, toID string, signCommit bool) error

RemoveReferenceAuthorization removes a previously issued authorization for the specified parameters. The issuer of the authorization is identified using their key. Currently, this is limited to developer mode.

func (*Repository) RemoveRootKey added in v0.3.0

func (r *Repository) RemoveRootKey(ctx context.Context, signer sslibdsse.SignerVerifier, keyID string, signCommit bool) error

RemoveRootKey is the interface for the user to de-authorize a key trusted to sign the Root role.

func (*Repository) RemoveTopLevelTargetsKey

func (r *Repository) RemoveTopLevelTargetsKey(ctx context.Context, signer sslibdsse.SignerVerifier, targetsKeyID string, signCommit bool) error

RemoveTopLevelTargetsKey is the interface for the user to de-authorize a key trusted to sign the top level Targets role / policy file.

func (*Repository) SignRoot added in v0.4.0

func (r *Repository) SignRoot(ctx context.Context, signer sslibdsse.SignerVerifier, signCommit bool) error

SignRoot adds a signature to the Root envelope. Note that the metadata itself is not modified, so its version remains the same.

func (*Repository) SignTargets added in v0.3.0

func (r *Repository) SignTargets(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, signCommit bool) error

SignTargets adds a signature to specified Targets role's envelope. Note that the metadata itself is not modified, so its version remains the same.

func (*Repository) UpdateDelegation added in v0.4.0

func (r *Repository) UpdateDelegation(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ruleName string, authorizedKeys []*tuf.Key, rulePatterns []string, threshold int, signCommit bool) error

UpdateDelegation is the interface for the user to update an existing rule in gittuf policy.

func (*Repository) UpdateHook added in v0.3.0

func (r *Repository) UpdateHook(hookType HookType, content []byte, force bool) error

UpdateHook updates a git hook in the repository's .git/hooks folder. Existing hook files are not overwritten unless the force flag is set.

func (*Repository) UpdateRootThreshold added in v0.4.0

func (r *Repository) UpdateRootThreshold(ctx context.Context, signer sslibdsse.SignerVerifier, threshold int, signCommit bool) error

UpdateRootThreshold sets the threshold of valid signatures required for the Root role.

func (*Repository) UpdateTopLevelTargetsThreshold added in v0.4.0

func (r *Repository) UpdateTopLevelTargetsThreshold(ctx context.Context, signer sslibdsse.SignerVerifier, threshold int, signCommit bool) error

UpdateTopLevelTargetsThreshold sets the threshold of valid signatures required for the top level Targets role.

func (*Repository) VerifyCommit

func (r *Repository) VerifyCommit(ctx context.Context, ids ...string) map[string]string

func (*Repository) VerifyRef

func (r *Repository) VerifyRef(ctx context.Context, target string, latestOnly bool) error

func (*Repository) VerifyRefFromEntry added in v0.4.0

func (r *Repository) VerifyRefFromEntry(ctx context.Context, target, entryID string) error

func (*Repository) VerifyTag

func (r *Repository) VerifyTag(ctx context.Context, ids []string) map[string]string
