Documentation ¶
Index ¶
- Variables
- type ErrHookExists
- type HookType
- type Repository
- func (r *Repository) AddDelegation(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ...) error
- func (r *Repository) AddGitHubPullRequestAttestationForCommit(ctx context.Context, signer sslibdsse.SignerVerifier, ...) error
- func (r *Repository) AddGitHubPullRequestAttestationForNumber(ctx context.Context, signer sslibdsse.SignerVerifier, owner, repository string, ...) error
- func (r *Repository) AddKeyToTargets(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ...) error
- func (r *Repository) AddReferenceAuthorization(ctx context.Context, signer sslibdsse.SignerVerifier, ...) error
- func (r *Repository) AddRootKey(ctx context.Context, signer sslibdsse.SignerVerifier, newRootKey *tuf.Key, ...) error
- func (r *Repository) AddTopLevelTargetsKey(ctx context.Context, signer sslibdsse.SignerVerifier, targetsKey *tuf.Key, ...) error
- func (r *Repository) ApplyPolicy(ctx context.Context, signRSLEntry bool) error
- func (r *Repository) CheckRemoteRSLForUpdates(ctx context.Context, remoteName string) (bool, bool, error)
- func (r *Repository) InitializeNamespaces() error
- func (r *Repository) InitializeRoot(ctx context.Context, signer sslibdsse.SignerVerifier, signCommit bool) error
- func (r *Repository) InitializeTargets(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ...) error
- func (r *Repository) ListRules(ctx context.Context, targetRef string) ([]*policy.DelegationWithDepth, error)
- func (r *Repository) PullPolicy(ctx context.Context, remoteName string) error
- func (r *Repository) PullRSL(ctx context.Context, remoteName string) error
- func (r *Repository) PushPolicy(ctx context.Context, remoteName string) error
- func (r *Repository) PushRSL(ctx context.Context, remoteName string) error
- func (r *Repository) RecordRSLAnnotation(rslEntryIDs []string, skip bool, message string, signCommit bool) error
- func (r *Repository) RecordRSLEntryForReference(refName string, signCommit bool) error
- func (r *Repository) RecordRSLEntryForReferenceAtTarget(refName string, targetID string, signingKeyBytes []byte) error
- func (r *Repository) RemoveDelegation(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ...) error
- func (r *Repository) RemoveReferenceAuthorization(ctx context.Context, signer sslibdsse.SignerVerifier, ...) error
- func (r *Repository) RemoveRootKey(ctx context.Context, signer sslibdsse.SignerVerifier, keyID string, ...) error
- func (r *Repository) RemoveTopLevelTargetsKey(ctx context.Context, signer sslibdsse.SignerVerifier, targetsKeyID string, ...) error
- func (r *Repository) SignRoot(ctx context.Context, signer sslibdsse.SignerVerifier, signCommit bool) error
- func (r *Repository) SignTargets(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ...) error
- func (r *Repository) UpdateDelegation(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ...) error
- func (r *Repository) UpdateHook(hookType HookType, content []byte, force bool) error
- func (r *Repository) UpdateRootThreshold(ctx context.Context, signer sslibdsse.SignerVerifier, threshold int, ...) error
- func (r *Repository) UpdateTopLevelTargetsThreshold(ctx context.Context, signer sslibdsse.SignerVerifier, threshold int, ...) error
- func (r *Repository) VerifyCommit(ctx context.Context, ids ...string) map[string]string
- func (r *Repository) VerifyRef(ctx context.Context, target string, latestOnly bool) error
- func (r *Repository) VerifyRefFromEntry(ctx context.Context, target, entryID string) error
- func (r *Repository) VerifyTag(ctx context.Context, ids []string) map[string]string
Variables ¶
// ErrPushingPolicy reports that the gittuf policy could not be pushed to a remote.
var ErrPushingPolicy = errors.New("unable to push policy")

// ErrPullingPolicy reports that the gittuf policy could not be pulled from a remote.
var ErrPullingPolicy = errors.New("unable to pull policy")
// ErrCannotReinitialize reports that the metadata being initialized already exists.
var ErrCannotReinitialize = errors.New("cannot reinitialize metadata, it exists already")
// ErrCommitNotInRef reports that a specified commit is not reachable from the ref.
var ErrCommitNotInRef = errors.New("specified commit is not in ref")

// ErrPushingRSL reports that the RSL could not be pushed to a remote.
var ErrPushingRSL = errors.New("unable to push RSL")

// ErrPullingRSL reports that the RSL could not be pulled from a remote.
var ErrPullingRSL = errors.New("unable to pull RSL")
// ErrCloningRepository reports that the remote repository could not be cloned.
var ErrCloningRepository = errors.New("unable to clone repository")

// ErrDirExists reports that the clone target directory already exists.
var ErrDirExists = errors.New("directory exists")
var (
	// ErrInvalidPolicyName reports that a rule or policy file name is reserved;
	// the name "root" is not permitted.
	ErrInvalidPolicyName = errors.New("invalid rule or policy file name, cannot be 'root'")
)
var (
	// ErrNotSigningKey reports that the key supplied is not a signing key.
	ErrNotSigningKey = errors.New("expected signing key")
)
var ErrRefStateDoesNotMatchRSL = errors.New("Git reference's current state does not match latest RSL entry") //nolint:stylecheck
ErrRefStateDoesNotMatchRSL is returned when a Git reference being verified does not have the same tip as identified in the latest RSL entry for the reference. This can happen for a number of reasons, ranging from incorrectly modifying the reference state away from what is recorded in the RSL to not creating an RSL entry for some new changes. Depending on the context, one resolution is to update the reference state to match the RSL entry, while another is to create a new RSL entry for the current state.
// HookPrePush identifies the git "pre-push" hook; it is the HookType accepted by UpdateHook.
var HookPrePush HookType = "pre-push"
Types ¶
type ErrHookExists ¶ added in v0.3.0
// ErrHookExists is the error returned when a hook file of the given HookType
// already exists and may not be overwritten (UpdateHook only replaces an
// existing hook when its force flag is set).
type ErrHookExists struct {
// HookType is the type of the hook that already existed.
HookType HookType
}
func (*ErrHookExists) Error ¶ added in v0.3.0
func (e *ErrHookExists) Error() string
type Repository ¶
// Repository is the handle through which gittuf operations (policy, RSL and
// verification) are performed on a Git repository. Obtain one with Clone or
// LoadRepository; its fields are not exported.
type Repository struct {
// contains filtered or unexported fields
}
func Clone ¶
func Clone(ctx context.Context, remoteURL, dir, initialBranch string) (*Repository, error)
Clone wraps a typical git clone invocation, fetching gittuf refs in addition to the standard refs. It performs a verification of the RSL against the specified HEAD after cloning the repository. TODO: resolve how root keys are trusted / bootstrapped.
func LoadRepository ¶
func LoadRepository() (*Repository, error)
func (*Repository) AddDelegation ¶
func (r *Repository) AddDelegation(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ruleName string, authorizedKeys []*tuf.Key, rulePatterns []string, threshold int, signCommit bool) error
AddDelegation is the interface for the user to add a new rule to gittuf policy.
func (*Repository) AddGitHubPullRequestAttestationForCommit ¶ added in v0.4.0
func (r *Repository) AddGitHubPullRequestAttestationForCommit(ctx context.Context, signer sslibdsse.SignerVerifier, owner, repository, commitID, baseBranch string, signCommit bool) error
AddGitHubPullRequestAttestationForCommit identifies the pull request for a specified commit ID and triggers AddGitHubPullRequestAttestationForNumber for that pull request. Currently, the authentication token for the GitHub API is read from the GITHUB_TOKEN environment variable.
func (*Repository) AddGitHubPullRequestAttestationForNumber ¶ added in v0.4.0
func (r *Repository) AddGitHubPullRequestAttestationForNumber(ctx context.Context, signer sslibdsse.SignerVerifier, owner, repository string, pullRequestNumber int, signCommit bool) error
AddGitHubPullRequestAttestationForNumber wraps the API response for the specified pull request in an in-toto attestation. `pullRequestNumber` must be the number of the pull request. Currently, the authentication token for the GitHub API is read from the GITHUB_TOKEN environment variable.
func (*Repository) AddKeyToTargets ¶
func (r *Repository) AddKeyToTargets(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, authorizedKeys []*tuf.Key, signCommit bool) error
AddKeyToTargets is the interface for a user to add a trusted key to the gittuf policy.
func (*Repository) AddReferenceAuthorization ¶ added in v0.3.0
func (r *Repository) AddReferenceAuthorization(ctx context.Context, signer sslibdsse.SignerVerifier, targetRef, featureRef string, signCommit bool) error
AddReferenceAuthorization adds a reference authorization attestation to the repository for the specified target ref. The "from" ID is identified using the last RSL entry for the target ref. The "to" ID is that of the Git tree expected to result from merging the feature ref into the target ref. The commit used to calculate the merge tree ID is identified using the RSL for the feature ref. Currently, this is limited to developer mode.
func (*Repository) AddRootKey ¶ added in v0.3.0
func (r *Repository) AddRootKey(ctx context.Context, signer sslibdsse.SignerVerifier, newRootKey *tuf.Key, signCommit bool) error
AddRootKey is the interface for the user to add an authorized key for the Root role.
func (*Repository) AddTopLevelTargetsKey ¶
func (r *Repository) AddTopLevelTargetsKey(ctx context.Context, signer sslibdsse.SignerVerifier, targetsKey *tuf.Key, signCommit bool) error
AddTopLevelTargetsKey is the interface for the user to add an authorized key for the top level Targets role / policy file.
func (*Repository) ApplyPolicy ¶ added in v0.4.0
func (r *Repository) ApplyPolicy(ctx context.Context, signRSLEntry bool) error
func (*Repository) CheckRemoteRSLForUpdates ¶
func (r *Repository) CheckRemoteRSLForUpdates(ctx context.Context, remoteName string) (bool, bool, error)
CheckRemoteRSLForUpdates checks if the RSL at the specified remote repository has updated in comparison with the local repository's RSL. This is done by fetching the remote RSL to the local repository's remote RSL tracker. If the remote RSL has been updated, this method also checks if the local and remote RSLs have diverged. In summary, the first return value indicates if there is an update and the second return value indicates if the two RSLs have diverged and need to be reconciled.
func (*Repository) InitializeNamespaces ¶
func (r *Repository) InitializeNamespaces() error
func (*Repository) InitializeRoot ¶
func (r *Repository) InitializeRoot(ctx context.Context, signer sslibdsse.SignerVerifier, signCommit bool) error
InitializeRoot is the interface for the user to create the repository's root of trust.
func (*Repository) InitializeTargets ¶
func (r *Repository) InitializeTargets(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, signCommit bool) error
InitializeTargets is the interface for the user to create the specified policy file.
func (*Repository) ListRules ¶ added in v0.3.0
func (r *Repository) ListRules(ctx context.Context, targetRef string) ([]*policy.DelegationWithDepth, error)
func (*Repository) PullPolicy ¶
func (r *Repository) PullPolicy(ctx context.Context, remoteName string) error
PullPolicy fetches gittuf policy from the specified remote. The fetch is marked as fast-forward only to detect divergence. Note that this also fetches the RSL, as the policy must be updated in sync with the RSL.
func (*Repository) PullRSL ¶
func (r *Repository) PullRSL(ctx context.Context, remoteName string) error
PullRSL pulls RSL contents from the specified remote to the local RSL. The fetch is marked as fast-forward only to detect RSL divergence.
func (*Repository) PushPolicy ¶
func (r *Repository) PushPolicy(ctx context.Context, remoteName string) error
PushPolicy pushes the local gittuf policy to the specified remote. As this push defaults to fast-forward only, divergent policy states are detected. Note that this also pushes the RSL as the policy cannot change without an update to the RSL.
func (*Repository) PushRSL ¶
func (r *Repository) PushRSL(ctx context.Context, remoteName string) error
PushRSL pushes the local RSL to the specified remote. As this push defaults to fast-forward only, divergent RSL states are detected.
func (*Repository) RecordRSLAnnotation ¶
func (r *Repository) RecordRSLAnnotation(rslEntryIDs []string, skip bool, message string, signCommit bool) error
RecordRSLAnnotation is the interface for the user to add an RSL annotation for one or more prior RSL entries.
func (*Repository) RecordRSLEntryForReference ¶
func (r *Repository) RecordRSLEntryForReference(refName string, signCommit bool) error
RecordRSLEntryForReference is the interface for the user to add an RSL entry for the specified Git reference.
func (*Repository) RecordRSLEntryForReferenceAtTarget ¶ added in v0.3.0
func (r *Repository) RecordRSLEntryForReferenceAtTarget(refName string, targetID string, signingKeyBytes []byte) error
RecordRSLEntryForReferenceAtTarget is a special version of RecordRSLEntryForReference used for evaluation. It is only invoked when gittuf is explicitly set in developer mode.
func (*Repository) RemoveDelegation ¶
func (r *Repository) RemoveDelegation(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ruleName string, signCommit bool) error
RemoveDelegation is the interface for a user to remove a rule from gittuf policy.
func (*Repository) RemoveReferenceAuthorization ¶ added in v0.3.0
func (r *Repository) RemoveReferenceAuthorization(ctx context.Context, signer sslibdsse.SignerVerifier, targetRef, fromID, toID string, signCommit bool) error
RemoveReferenceAuthorization removes a previously issued authorization for the specified parameters. The issuer of the authorization is identified using their key. Currently, this is limited to developer mode.
func (*Repository) RemoveRootKey ¶ added in v0.3.0
func (r *Repository) RemoveRootKey(ctx context.Context, signer sslibdsse.SignerVerifier, keyID string, signCommit bool) error
RemoveRootKey is the interface for the user to de-authorize a key trusted to sign the Root role.
func (*Repository) RemoveTopLevelTargetsKey ¶
func (r *Repository) RemoveTopLevelTargetsKey(ctx context.Context, signer sslibdsse.SignerVerifier, targetsKeyID string, signCommit bool) error
RemoveTopLevelTargetsKey is the interface for the user to de-authorize a key trusted to sign the top level Targets role / policy file.
func (*Repository) SignRoot ¶ added in v0.4.0
func (r *Repository) SignRoot(ctx context.Context, signer sslibdsse.SignerVerifier, signCommit bool) error
SignRoot adds a signature to the Root envelope. Note that the metadata itself is not modified, so its version remains the same.
func (*Repository) SignTargets ¶ added in v0.3.0
func (r *Repository) SignTargets(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, signCommit bool) error
SignTargets adds a signature to the specified Targets role's envelope. Note that the metadata itself is not modified, so its version remains the same.
func (*Repository) UpdateDelegation ¶ added in v0.4.0
func (r *Repository) UpdateDelegation(ctx context.Context, signer sslibdsse.SignerVerifier, targetsRoleName string, ruleName string, authorizedKeys []*tuf.Key, rulePatterns []string, threshold int, signCommit bool) error
UpdateDelegation is the interface for the user to update an existing rule in gittuf policy.
func (*Repository) UpdateHook ¶ added in v0.3.0
func (r *Repository) UpdateHook(hookType HookType, content []byte, force bool) error
UpdateHook updates a git hook in the repository's .git/hooks folder. Existing hook files are not overwritten unless the force flag is set.
func (*Repository) UpdateRootThreshold ¶ added in v0.4.0
func (r *Repository) UpdateRootThreshold(ctx context.Context, signer sslibdsse.SignerVerifier, threshold int, signCommit bool) error
UpdateRootThreshold sets the threshold of valid signatures required for the Root role.
func (*Repository) UpdateTopLevelTargetsThreshold ¶ added in v0.4.0
func (r *Repository) UpdateTopLevelTargetsThreshold(ctx context.Context, signer sslibdsse.SignerVerifier, threshold int, signCommit bool) error
UpdateTopLevelTargetsThreshold sets the threshold of valid signatures required for the top level Targets role.
func (*Repository) VerifyCommit ¶
func (*Repository) VerifyRefFromEntry ¶ added in v0.4.0
func (r *Repository) VerifyRefFromEntry(ctx context.Context, target, entryID string) error