internal

package
v1.4.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 12, 2024 License: Apache-2.0 Imports: 40 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// EnvelopeMagicBytes is set to ASCII sum of "ECS" = 333(octal) or DB(hex)
	EnvelopeMagicBytes = "\xDBIPC"
	TocFileName        = ".sealpack.toc"
)
View Source 
const (
	CompressionGzip  = "gzip"
	CompressionZlib  = "zlib"
	CompressionZip   = "zip"
	CompressionFlate = "flate"
)
View Source 
const (
	TmpFolderName          = "crane.dl"
	ContainerDSocketFolder = "/run"
	ContainerDSocketFile   = "containerd.sock"
	LocalContainerRegistry = "local"
)
View Source 
const (
	ContainerImagePrefix = ".images"
	OCISuffix            = ".oci"
)
View Source 
const (
	DefaultRegistry = "docker.io"
)
View Source 
const Delimiter = ":"

Delimiter delimits the file name from its hash

Variables

View Source 
var (
	ContainerDSocket = ""
)

Functions

func AddKeys 

func AddKeys(recipientPubKeyPaths []string, envelope *Envelope, plainKey []byte) error

AddKeys encrypts the symmetric key for every receiver and attaches them to the envelope

func BytesToTar 

func BytesToTar(w *tar.Writer, filename *string, contents []byte) error

BytesToTar adds a file to a writer using a filename and a byte slice with contents to be written.

func CleanupFileWriter 

func CleanupFileWriter(output string, f *os.File) error

CleanupFileWriter cleans up temporary files and performs post-finish operations

func CleanupImages 

func CleanupImages() error

CleanupImages removes the temp folder where container images are stored.

func CreatePKISigner 

func CreatePKISigner(pkeyPath string) (signature.Signer, error)

CreatePKISigner uses the private key to create a signature.Signer instance

func CreatePKIVerifier 

func CreatePKIVerifier(skeyPath string) (signature.Verifier, error)

CreatePKIVerifier builds a verifier based on a public key

func CreateSigner 

func CreateSigner(privateKeyPath string) (signature.Signer, error)

CreateSigner cheese the correct signature.Signer depending on the private key string

func Encrypt 

func Encrypt(unencrypted []byte) ([]byte, []byte, error)

Encrypt the contents of an os.File with a random key and retrieve the results as []byte The asymmetrically encrypted encryption key is attached als the last [ KeySizeBit ] bytes

func EncryptWriter 

func EncryptWriter(w io.Writer) (string, io.WriteCloser)

func GetCompressionAlgoIndex 

func GetCompressionAlgoIndex(algo string) uint8

GetCompressionAlgoIndex gets the index of an algo name or defaults to 0 (gzip)

func GetCompressionAlgoName 

func GetCompressionAlgoName(idx uint8) string

GetCompressionAlgoName gets the name of an algo index or defaults to gzip (0)

func GetContainerDSocket 

func GetContainerDSocket() (string, error)

GetContainerDSocket searched for a containerD socket in the /run folder

func GetHashAlgorithm 

func GetHashAlgorithm(algo string) crypto.Hash

GetHashAlgorithm retrieves a crypto.Hash for a name. if no available name is provided, SHA512 is returned.

func ImportImage 

func ImportImage(namespace, targetRegistry string, tarReader io.ReadCloser, tag *name.Tag) (newImport bool, err error)

ImportImage imports one OCI image into a local containerd storage or a provided registry.

func LoadPrivateKey 

func LoadPrivateKey(path string) (interface{}, error)

LoadPrivateKey reads and parses a private key from a file

func LoadPublicKey 

func LoadPublicKey(path string) (crypto.PublicKey, error)

LoadPublicKey reads and parses a public key from a file

func NewOutputFile 

func NewOutputFile(output string) (*os.File, error)

NewOutputFile creates a new output file depending on the type of output target

func ReadConfiguration 

func ReadConfiguration(fileName string, files *[]string, images *[]*ContainerImage) error

ReadConfiguration searches for the latest configuration file and reads the contents. The contents are parsed as a slice of PackageContent from a JSON or YAML file.

func RemoveAll 

func RemoveAll(namespace, targetRegistry string, tags []*name.Tag) (err error)

RemoveAll multiple images from a registry or containerD instance defined by slice

func SaveImage 

func SaveImage(img *ContainerImage) (result *os.File, err error)

SaveImage with from a registry to a local OCI file.

func TryUnsealKey 

func TryUnsealKey(encrypted []byte, rsaKey *rsa.PrivateKey) (symmecrypt.Key, error)

TryUnsealKey loads a key from JSON without configstore

func WriteFileBytes 

func WriteFileBytes(output string, contents []byte) error

WriteFileBytes allows for writing a byte slice to a regular file, S3 bucket or stdout

Types

type ArchiveContents 

type ArchiveContents struct {
	Files  []string `json:"files"`
	Images []string `json:"images"`
}

ArchiveContents describes all contents for an archive to provide them as a single file.

type ContainerImage 

type ContainerImage struct {
	Registry string `json:"registry"`
	Name     string `json:"name"`
	Tag      string `json:"tag"`
}

ContainerImage describes a container image uniquely

func ParseContainerImage 

func ParseContainerImage(name string) *ContainerImage

ParseContainerImage takes a string describing an image and parses the registry, name and tag out of it.

func (*ContainerImage) String 

func (i *ContainerImage) String() string

String creates the image URI form the parts.

func (*ContainerImage) ToFileName 

func (i *ContainerImage) ToFileName() string

ToFileName creates a file name to store the image archive in.

type Descriptor 

type Descriptor struct {
	MediaType string
	Digest    string
	Size      int
}

Descriptor is a standard OCI descriptor. For easier handling, this implementation only contains the necessary properties. @url https://github.com/opencontainers/image-spec/blob/main/descriptor.md

type Envelope 

type Envelope struct {
	PayloadLen      int64
	PayloadReader   io.ReadSeeker
	PayloadWriter   *os.File
	HashAlgorithm   crypto.Hash
	CompressionAlgo uint8
	ReceiverKeys    [][]byte
}

Envelope is the package with headers and so on

func ParseEnvelope 

func ParseEnvelope(input io.ReadSeeker) (*Envelope, error)

ParseEnvelope tries to extract the information for an Envelope from a byte slice

func (*Envelope) GetPayload 

func (e *Envelope) GetPayload(privateKeyPath string) (payload io.Reader, err error)

GetPayload provides the Payload from the envelope

func (*Envelope) String 

func (e *Envelope) String() string

String prints a string representation of an Envelope with basic information

func (*Envelope) ToBytes 

func (e *Envelope) ToBytes() []byte

ToBytes provides an Envelope as Bytes. Caution: using this method may massively increase memory usage!

func (*Envelope) WriteHeader 

func (e *Envelope) WriteHeader(w io.Writer) error

WriteHeader writes the envelope headers to an io.Writer.

func (*Envelope) WriteKeys 

func (e *Envelope) WriteKeys(w io.Writer) error

WriteKeys writes encrypted keys to an io.Writer.

func (*Envelope) WriteOutput 

func (e *Envelope) WriteOutput(f *os.File, arc *WriteArchive) error

WriteOutput creates an encrypted output file from encrypted payload

type FileSignatures 

type FileSignatures map[string]string

A FileSignatures is represented by its path and the hash of the file

func NewSignatureList 

func NewSignatureList(algo string) *FileSignatures

NewSignatureList creates a new signature list

func (*FileSignatures) AddFile 

func (f *FileSignatures) AddFile(name string, contents []byte) error

AddFile hashes a file and its contents and adds it to the list

func (*FileSignatures) AddFileFromReader 

func (f *FileSignatures) AddFileFromReader(name string, contents io.Reader) (err error)

AddFileFromReader hashes a file and its contents and adds it to the list

func (*FileSignatures) Bytes 

func (f *FileSignatures) Bytes() []byte

Bytes gets the list formatted as []byte

func (*FileSignatures) Equals 

func (f *FileSignatures) Equals(other *FileSignatures) bool

Equals compares 2 FileSignatures for equality

func (*FileSignatures) Save 

func (f *FileSignatures) Save(name string) error

Save the signatures list to a file

type ImageContent 

type ImageContent struct {
	Name     string `json:"name"`
	Tag      string `json:"tag"`
	Registry string `json:"registry"`
	IsImage  bool   `json:"is_image"`
}

ImageContent represents one component to be included in the upgrade package. If IsImage is set true, the component will be pulled by Name and Tag from the ECR registry. If only name is provided, a static file is expected.

type Manifest 

type Manifest struct {
	SchemaVersion int
	Config        Descriptor
	Layers        []Descriptor
	Annotations   map[string]string
}

Manifest represents an OCI image manifest, typically provided as json. For easier handling, this implementation only contains the necessary properties. @url https://github.com/opencontainers/image-spec/blob/main/manifest.md

type OutManifest 

type OutManifest struct {
	Config   string   `json:"Config"`
	RepoTags []string `json:"RepoTags"`
	Layers   []string `json:"Layers"`
}

OutManifest is the manifest in docker (moby) image format. For easier handling, this implementation only contains the necessary properties. @url https://github.com/moby/moby/blob/master/image/tarexport/tarexport.go#L18-L24

type PackageContent 

type PackageContent interface {
	PackagePath() string
}

type ReadArchive 

type ReadArchive struct {
	TarReader *tar.Reader
	// contains filtered or unexported fields
}

func OpenArchive 

func OpenArchive(data []byte, compressionAlgo uint8) (arc *ReadArchive, err error)

OpenArchive opens a compressed tar archive for reading

func OpenArchiveReader 

func OpenArchiveReader(r io.Reader, compressionAlgo uint8) (arc *ReadArchive, err error)

OpenArchiveReader opens a compressed tar archive for reading from a reader

func (*ReadArchive) InitializeCompression 

func (arc *ReadArchive) InitializeCompression(r io.Reader, compressionAlgo uint8) (err error)

InitializeCompression creates a compression writer based on selected algorithm

func (*ReadArchive) Unpack 

func (arc *ReadArchive) Unpack(signingKeyPath, hashingAlgorithm, outputPath, namespace, targetRegistry string) (err error)

type Signer 

type Signer struct {
	Signer *signature.SignerVerifier
}

type Verifier 

type Verifier struct {
	Signatures *FileSignatures
	// contains filtered or unexported fields
}

Verifier contains all data necessary to verify the archive's integrity

func NewVerifier 

func NewVerifier(signingKeyPath, hashingAlgorithm string) (*Verifier, error)

NewVerifier Creates a new sealpack integrity verifier structure

func (*Verifier) AddTocComponent 

func (v *Verifier) AddTocComponent(h *tar.Header, r io.Reader) (err error)

AddTocComponent adds a TOC or TOC-Signature from a tar reader

func (*Verifier) AddUnsafeTag 

func (v *Verifier) AddUnsafeTag(t *name.Tag)

AddUnsafeTag adds an unsafe tag to the list

func (*Verifier) Verify 

func (v *Verifier) Verify(outputPath, namespace, targetRegistry string) (err error)

Verify checks the final integrity of the sealed archive. Rolls back files or tags if integrity was not verified

type WriteArchive 

type WriteArchive struct {
	EncryptionKey string
	// contains filtered or unexported fields
}

func CreateArchiveWriter 

func CreateArchiveWriter(public bool, compressionAlgo uint8) *WriteArchive

CreateArchiveWriter opens a stream of writers (tar to gzip to buffer) and funnel to a csutom writer.

func (*WriteArchive) AddContents 

func (arc *WriteArchive) AddContents(files []string, images []*ContainerImage, signatures *FileSignatures) (err error)

AddContents adds first files, secondly images to the WriteArchive providing FileSignatures for verification

func (*WriteArchive) AddToArchive 

func (arc *WriteArchive) AddToArchive(imgName string, contents []byte) error

AddToArchive adds a new file identified by its name to the tar.gz archive. The contents are added as byte slices.

func (*WriteArchive) AddToc 

func (arc *WriteArchive) AddToc(privateKeyPath string, signatures *FileSignatures) (err error)

AddToc adds signatures to the archive

func (*WriteArchive) Cleanup 

func (arc *WriteArchive) Cleanup() error

Cleanup closes streams and removes temporary files

func (*WriteArchive) Finalize 

func (arc *WriteArchive) Finalize() (int64, error)

Finalize closes the tar and gzip writers and retrieves the archive. Additionally, it returns the size of the payload.

func (*WriteArchive) InitializeCompression 

func (arc *WriteArchive) InitializeCompression(w io.WriteCloser, compressionAlgo uint8)

InitializeCompression creates a compression writer based on selected algorithm

func (*WriteArchive) WriteToArchive 

func (arc *WriteArchive) WriteToArchive(fileName string, contents *os.File) error

WriteToArchive adds a new file identified by its name to the tar.gz archive. The contents are added as reader resource.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.