Published: Dec 9, 2024 License: Apache-2.0 Imports: 40 Imported by: 0

Constants

const (
	// EnvelopeMagicBytes is the magic string identifying a sealed envelope.
	// Its first byte is the ASCII sum of "ECS" (69+67+83 = 219 = 0o333 = 0xDB),
	// followed by the literal "IPC". Presumably emitted by Envelope.WriteHeader and
	// checked by ParseEnvelope — confirm. A magic value only identifies the format;
	// it provides no integrity guarantee on its own.
	EnvelopeMagicBytes = "\xDBIPC"
	// TocFileName is the archive entry name of the table of contents, i.e. the
	// signature list (presumably the entry written by WriteArchive.AddToc — confirm).
	TocFileName        = ".sealpack.toc"
)
const (
	// Names of the supported payload compression algorithms. GetCompressionAlgoIndex
	// and GetCompressionAlgoName map between these names and the uint8 index stored in
	// Envelope.CompressionAlgo; gzip is index 0 and the silent fallback for unknown values.
	CompressionGzip  = "gzip"
	CompressionZlib  = "zlib"
	CompressionZip   = "zip"
	CompressionFlate = "flate"
)
const (
	// TmpFolderName is the name of the temporary folder holding downloaded container
	// images (removed again by CleanupImages). NOTE(review): the name is fixed and thus
	// predictable; confirm it is created under a private, per-process location with
	// restrictive permissions rather than a shared, world-writable directory.
	TmpFolderName          = "crane.dl"
	// ContainerDSocketFolder and ContainerDSocketFile locate the containerd socket
	// that GetContainerDSocket searches for.
	ContainerDSocketFolder = "/run"
	ContainerDSocketFile   = "containerd.sock"
	// LocalContainerRegistry is the target-registry value that presumably selects
	// import into local containerd storage instead of a remote registry — confirm
	// against ImportImage.
	LocalContainerRegistry = "local"
)
const (
	// ContainerImagePrefix is presumably the archive path prefix under which image
	// archives are stored — confirm against WriteArchive.AddContents.
	ContainerImagePrefix = ".images"
	// OCISuffix is the file extension used for saved OCI image archives
	// (see ContainerImage.ToFileName).
	OCISuffix            = ".oci"
)
const (
	// DefaultRegistry is the registry assumed when an image reference names none
	// (presumably applied by ParseContainerImage — confirm).
	DefaultRegistry = "docker.io"
)
// Delimiter separates a file name from its hash in the serialized signature list.
// NOTE(review): ':' can legitimately occur in file names, so the parser must split
// unambiguously (e.g. on the last delimiter) — confirm how FileSignatures is read back.
const Delimiter = ":"

Delimiter delimits the file name from its hash in the serialized signature list. Since ':' may appear in file names, the parser must split on it unambiguously.

Variables

var (
	// ContainerDSocket holds the resolved containerd socket path; it is empty until
	// discovery has run (presumably by GetContainerDSocket — confirm). Mutable
	// package-level state: not safe for concurrent writers.
	ContainerDSocket = ""
)

Functions

func AddKeys

func AddKeys(recipientPubKeyPaths []string, envelope *Envelope, plainKey []byte) error

AddKeys encrypts the symmetric key once for every recipient public key listed in recipientPubKeyPaths and attaches the encrypted copies to the envelope.

func BytesToTar

func BytesToTar(w *tar.Writer, filename *string, contents []byte) error

BytesToTar adds a file to a writer using a filename and a byte slice with contents to be written.

func CleanupFileWriter

func CleanupFileWriter(output string, f *os.File) error

CleanupFileWriter cleans up temporary files and performs post-finish operations

func CleanupImages

func CleanupImages() error

CleanupImages removes the temp folder where container images are stored.

func CreatePKISigner

func CreatePKISigner(pkeyPath string) (signature.Signer, error)

CreatePKISigner uses the private key to create a signature.Signer instance

func CreatePKIVerifier

func CreatePKIVerifier(skeyPath string) (signature.Verifier, error)

CreatePKIVerifier builds a signature.Verifier from the public key file at the given path (the parameter is named skeyPath, but a public key is expected here).

func CreateSigner

func CreateSigner(privateKeyPath string) (signature.Signer, error)

CreateSigner chooses the correct signature.Signer implementation depending on the private key string.

func Encrypt

func Encrypt(unencrypted []byte) ([]byte, []byte, error)

Encrypt encrypts the given bytes with a random symmetric key and returns the results as byte slices. Per the original description the asymmetrically encrypted encryption key is attached as the last KeySizeBit bytes; note that the signature takes a []byte (not an os.File) and returns two slices, so confirm which return value carries the key.

func EncryptWriter

func EncryptWriter(w io.Writer) (string, io.WriteCloser)

func GetCompressionAlgoIndex

func GetCompressionAlgoIndex(algo string) uint8

GetCompressionAlgoIndex gets the index of an algorithm name. Unknown names silently map to 0 (gzip) rather than producing an error.

func GetCompressionAlgoName

func GetCompressionAlgoName(idx uint8) string

GetCompressionAlgoName gets the name of an algorithm index. Unknown indices silently map to gzip (0) rather than producing an error.

func GetContainerDSocket

func GetContainerDSocket() (string, error)

GetContainerDSocket searches for a containerd socket in the /run folder.

func GetHashAlgorithm

func GetHashAlgorithm(algo string) crypto.Hash

GetHashAlgorithm retrieves the crypto.Hash for an algorithm name. If the name is not recognised, SHA512 is returned rather than an error, so a misspelled or unsupported name is silently replaced by the default.

func ImportImage

func ImportImage(namespace, targetRegistry string, tarReader io.ReadCloser, tag *name.Tag) (newImport bool, err error)

ImportImage imports one OCI image into a local containerd storage or a provided registry.

func LoadPrivateKey

func LoadPrivateKey(path string) (interface{}, error)

LoadPrivateKey reads and parses a private key from a file

func LoadPublicKey

func LoadPublicKey(path string) (crypto.PublicKey, error)

LoadPublicKey reads and parses a public key from a file

func NewOutputFile

func NewOutputFile(output string) (*os.File, error)

NewOutputFile creates a new output file depending on the type of output target

func ReadConfiguration

func ReadConfiguration(fileName string, files *[]string, images *[]*ContainerImage) error

ReadConfiguration searches for the latest configuration file and reads the contents. The contents are parsed as a slice of PackageContent from a JSON or YAML file.

func RemoveAll

func RemoveAll(namespace, targetRegistry string, tags []*name.Tag) (err error)

RemoveAll removes multiple images, given as a slice of tags, from a registry or containerd instance.

func SaveImage

func SaveImage(img *ContainerImage) (result *os.File, err error)

SaveImage saves an image from a registry to a local OCI file.

func TryUnsealKey

func TryUnsealKey(encrypted []byte, rsaKey *rsa.PrivateKey) (symmecrypt.Key, error)

TryUnsealKey loads a key from JSON without configstore; given the signature it presumably decrypts the encrypted symmetric key with the supplied RSA private key and returns it as a symmecrypt.Key.

func WriteFileBytes

func WriteFileBytes(output string, contents []byte) error

WriteFileBytes allows for writing a byte slice to a regular file, S3 bucket or stdout

Types

type ArchiveContents

type ArchiveContents struct {
	// Files lists the static files to include in the archive.
	Files  []string `json:"files"`
	// Images lists the container image references to include in the archive.
	Images []string `json:"images"`
}

ArchiveContents describes all contents for an archive to provide them as a single file.

type ContainerImage

type ContainerImage struct {
	// Registry is the registry host the image is pulled from.
	Registry string `json:"registry"`
	// Name is the repository name of the image.
	Name     string `json:"name"`
	// Tag is the image tag. NOTE(review): a tag is mutable; if immutability matters,
	// confirm whether a digest is pinned elsewhere (e.g. via the signed TOC).
	Tag      string `json:"tag"`
}

ContainerImage describes a container image uniquely

func ParseContainerImage

func ParseContainerImage(name string) *ContainerImage

ParseContainerImage takes a string describing an image and parses the registry, name and tag out of it.

func (*ContainerImage) String

func (i *ContainerImage) String() string

String creates the image URI from the parts.

func (*ContainerImage) ToFileName

func (i *ContainerImage) ToFileName() string

ToFileName creates a file name to store the image archive in.

type Descriptor

type Descriptor struct {
	// MediaType is the OCI media type of the referenced blob.
	MediaType string
	// Digest is the content digest of the referenced blob.
	Digest    string
	// Size is the blob size in bytes. NOTE(review): the OCI spec defines size as
	// int64; a Go int is 32 bits on some platforms and could truncate large blobs
	// there — confirm the target platforms.
	Size      int
}

Descriptor is a standard OCI descriptor. For easier handling, this implementation only contains the necessary properties. @url https://github.com/opencontainers/image-spec/blob/main/descriptor.md

type Envelope

type Envelope struct {
	// PayloadLen is the length of the payload in bytes. NOTE(review): when parsing an
	// untrusted envelope this value should be bounds-checked before being used to size
	// reads or allocations — confirm ParseEnvelope does so.
	PayloadLen      int64
	// PayloadReader reads the (still encrypted) payload when an envelope is parsed.
	PayloadReader   io.ReadSeeker
	// PayloadWriter is the file the payload is written to when an envelope is created.
	PayloadWriter   *os.File
	// HashAlgorithm is the hash used for the file signature list (see GetHashAlgorithm).
	HashAlgorithm   crypto.Hash
	// CompressionAlgo is the compression index (see GetCompressionAlgoIndex).
	CompressionAlgo uint8
	// ReceiverKeys holds one asymmetrically encrypted copy of the symmetric payload key
	// per recipient, as attached by AddKeys.
	ReceiverKeys    [][]byte
}

Envelope is the sealed package: its header fields (payload length, hash algorithm, compression algorithm), the payload reader/writer, and the per-receiver encrypted keys.

func ParseEnvelope

func ParseEnvelope(input io.ReadSeeker) (*Envelope, error)

ParseEnvelope tries to extract the information for an Envelope from an io.ReadSeeker.

func (*Envelope) GetPayload

func (e *Envelope) GetPayload(privateKeyPath string) (payload io.Reader, err error)

GetPayload provides a reader over the envelope's payload, using the private key at privateKeyPath.

func (*Envelope) String

func (e *Envelope) String() string

String prints a string representation of an Envelope with basic information

func (*Envelope) ToBytes

func (e *Envelope) ToBytes() []byte

ToBytes provides an Envelope as Bytes. Caution: using this method may massively increase memory usage!

func (*Envelope) WriteHeader

func (e *Envelope) WriteHeader(w io.Writer) error

WriteHeader writes the envelope headers to an io.Writer.

func (*Envelope) WriteKeys

func (e *Envelope) WriteKeys(w io.Writer) error

WriteKeys writes encrypted keys to an io.Writer.

func (*Envelope) WriteOutput

func (e *Envelope) WriteOutput(f *os.File, arc *WriteArchive) error

WriteOutput creates an encrypted output file from encrypted payload

type FileSignatures

// FileSignatures maps a file path to the hash of that file's contents.
type FileSignatures map[string]string

A FileSignatures entry is represented by the file's path and the hash of the file's contents.

func NewSignatureList

func NewSignatureList(algo string) *FileSignatures

NewSignatureList creates a new signature list

func (*FileSignatures) AddFile

func (f *FileSignatures) AddFile(name string, contents []byte) error

AddFile hashes a file and its contents and adds it to the list

func (*FileSignatures) AddFileFromReader

func (f *FileSignatures) AddFileFromReader(name string, contents io.Reader) (err error)

AddFileFromReader hashes a file and its contents and adds it to the list

func (*FileSignatures) Bytes

func (f *FileSignatures) Bytes() []byte

Bytes gets the list formatted as []byte

func (*FileSignatures) Equals

func (f *FileSignatures) Equals(other *FileSignatures) bool

Equals compares 2 FileSignatures for equality

func (*FileSignatures) Save

func (f *FileSignatures) Save(name string) error

Save the signatures list to a file

type ImageContent

type ImageContent struct {
	// Name is the image name, or the path of a static file when IsImage is false.
	Name     string `json:"name"`
	// Tag is the image tag; unused for static files.
	Tag      string `json:"tag"`
	// Registry is the registry the image is pulled from.
	Registry string `json:"registry"`
	// IsImage selects whether this component is a container image (true) or a static file (false).
	IsImage  bool   `json:"is_image"`
}

ImageContent represents one component to be included in the upgrade package. If IsImage is set to true, the component is pulled by Name and Tag from the registry; if only Name is provided, a static file is expected.

type Manifest

type Manifest struct {
	// SchemaVersion is the OCI manifest schema version.
	SchemaVersion int
	// Config describes the image configuration blob.
	Config        Descriptor
	// Layers describes the image layer blobs in order.
	Layers        []Descriptor
	// Annotations holds arbitrary manifest annotations.
	Annotations   map[string]string
}

Manifest represents an OCI image manifest, typically provided as json. For easier handling, this implementation only contains the necessary properties. @url https://github.com/opencontainers/image-spec/blob/main/manifest.md

type OutManifest

type OutManifest struct {
	// Config is the path of the image config file inside the tar.
	Config   string   `json:"Config"`
	// RepoTags lists the repository tags of the image.
	RepoTags []string `json:"RepoTags"`
	// Layers lists the layer tar paths inside the archive.
	Layers   []string `json:"Layers"`
}

OutManifest is the manifest in docker (moby) image format. For easier handling, this implementation only contains the necessary properties. @url https://github.com/moby/moby/blob/master/image/tarexport/tarexport.go#L18-L24

type PackageContent

// PackageContent is implemented by anything that can be placed in a package
// and reports the path it should occupy inside it.
type PackageContent interface {
	PackagePath() string
}

type ReadArchive

// ReadArchive reads a compressed tar archive (see OpenArchive / OpenArchiveReader).
type ReadArchive struct {
	// TarReader yields the archive entries after decompression.
	TarReader *tar.Reader
	// contains filtered or unexported fields
}

func OpenArchive

func OpenArchive(data []byte, compressionAlgo uint8) (arc *ReadArchive, err error)

OpenArchive opens a compressed tar archive for reading

func OpenArchiveReader

func OpenArchiveReader(r io.Reader, compressionAlgo uint8) (arc *ReadArchive, err error)

OpenArchiveReader opens a compressed tar archive for reading from a reader

func (*ReadArchive) InitializeCompression

func (arc *ReadArchive) InitializeCompression(r io.Reader, compressionAlgo uint8) (err error)

InitializeCompression sets up decompression for the selected algorithm; as the reader-side counterpart of WriteArchive.InitializeCompression it wraps r in a decompressing reader rather than creating a writer.

func (*ReadArchive) Unpack

func (arc *ReadArchive) Unpack(signingKeyPath, hashingAlgorithm, outputPath, namespace, targetRegistry string) (err error)

type Signer

// Signer wraps a sigstore signature.SignerVerifier.
type Signer struct {
	// Signer is the underlying signer/verifier implementation.
	Signer *signature.SignerVerifier
}

type Verifier

type Verifier struct {
	// Signatures is the expected file-hash list (the TOC) that Verify checks against.
	Signatures *FileSignatures
	// contains filtered or unexported fields
}

Verifier contains all data necessary to verify the archive's integrity

func NewVerifier

func NewVerifier(signingKeyPath, hashingAlgorithm string) (*Verifier, error)

NewVerifier Creates a new sealpack integrity verifier structure

func (*Verifier) AddTocComponent

func (v *Verifier) AddTocComponent(h *tar.Header, r io.Reader) (err error)

AddTocComponent adds a TOC or TOC-Signature from a tar reader

func (*Verifier) AddUnsafeTag

func (v *Verifier) AddUnsafeTag(t *name.Tag)

AddUnsafeTag adds a tag to the verifier's list of unsafe tags — presumably tags already imported before verification completed, so that Verify can roll them back (confirm).

func (*Verifier) Verify

func (v *Verifier) Verify(outputPath, namespace, targetRegistry string) (err error)

Verify checks the final integrity of the sealed archive and rolls back the written files or imported tags if integrity could not be verified. This implies contents are written to outputPath or imported into targetRegistry before the check completes, so callers must treat the output as untrusted until Verify returns nil.

type WriteArchive

type WriteArchive struct {
	// EncryptionKey is the symmetric key used to encrypt the archive when created with
	// public == false (see CreateArchiveWriter / EncryptWriter). NOTE(review): key
	// material is held in an exported, immutable string and cannot be zeroed after use;
	// confirm its lifetime and avoid logging or printing the struct.
	EncryptionKey string
	// contains filtered or unexported fields
}

func CreateArchiveWriter

func CreateArchiveWriter(public bool, compressionAlgo uint8) *WriteArchive

CreateArchiveWriter opens a chain of writers (tar into the selected compression into a buffer) and funnels it into a custom writer.

func (*WriteArchive) AddContents

func (arc *WriteArchive) AddContents(files []string, images []*ContainerImage, signatures *FileSignatures) (err error)

AddContents adds first files, secondly images to the WriteArchive providing FileSignatures for verification

func (*WriteArchive) AddToArchive

func (arc *WriteArchive) AddToArchive(imgName string, contents []byte) error

AddToArchive adds a new file identified by its name to the tar.gz archive. The contents are added as byte slices.

func (*WriteArchive) AddToc

func (arc *WriteArchive) AddToc(privateKeyPath string, signatures *FileSignatures) (err error)

AddToc adds the signature list (TOC) to the archive, presumably together with a signature created with the private key at privateKeyPath (confirm).

func (*WriteArchive) Cleanup

func (arc *WriteArchive) Cleanup() error

Cleanup closes streams and removes temporary files

func (*WriteArchive) Finalize

func (arc *WriteArchive) Finalize() (int64, error)

Finalize closes the tar and gzip writers and retrieves the archive. Additionally, it returns the size of the payload.

func (*WriteArchive) InitializeCompression

func (arc *WriteArchive) InitializeCompression(w io.WriteCloser, compressionAlgo uint8)

InitializeCompression creates a compression writer based on selected algorithm

func (*WriteArchive) WriteToArchive

func (arc *WriteArchive) WriteToArchive(fileName string, contents *os.File) error

WriteToArchive adds a new file identified by its name to the tar.gz archive. The contents are added as reader resource.
