Intoto v0.0.2

Makefile.swagger

@@ -1,2 +1,2 @@
 # This file is generated after swagger runs as part of the build; do not edit!
-SWAGGER_GEN=pkg/generated/client/entries/create_log_entry_parameters.go pkg/generated/client/entries/create_log_entry_responses.go pkg/generated/client/entries/entries_client.go pkg/generated/client/entries/get_log_entry_by_index_parameters.go pkg/generated/client/entries/get_log_entry_by_index_responses.go pkg/generated/client/entries/get_log_entry_by_uuid_parameters.go pkg/generated/client/entries/get_log_entry_by_uuid_responses.go pkg/generated/client/entries/search_log_query_parameters.go pkg/generated/client/entries/search_log_query_responses.go pkg/generated/client/index/index_client.go pkg/generated/client/index/search_index_parameters.go pkg/generated/client/index/search_index_responses.go pkg/generated/client/pubkey/get_public_key_parameters.go pkg/generated/client/pubkey/get_public_key_responses.go pkg/generated/client/pubkey/pubkey_client.go pkg/generated/client/rekor_client.go pkg/generated/client/server/get_rekor_version_parameters.go pkg/generated/client/server/get_rekor_version_responses.go pkg/generated/client/server/server_client.go pkg/generated/client/tlog/get_log_info_parameters.go pkg/generated/client/tlog/get_log_info_responses.go pkg/generated/client/tlog/get_log_proof_parameters.go pkg/generated/client/tlog/get_log_proof_responses.go pkg/generated/client/tlog/tlog_client.go pkg/generated/models/alpine.go pkg/generated/models/alpine_schema.go pkg/generated/models/alpine_v001_schema.go pkg/generated/models/consistency_proof.go pkg/generated/models/cose.go pkg/generated/models/cose_schema.go pkg/generated/models/cose_v001_schema.go pkg/generated/models/error.go pkg/generated/models/hashedrekord.go pkg/generated/models/hashedrekord_schema.go pkg/generated/models/hashedrekord_v001_schema.go pkg/generated/models/helm.go pkg/generated/models/helm_schema.go pkg/generated/models/helm_v001_schema.go pkg/generated/models/inactive_shard_log_info.go pkg/generated/models/inclusion_proof.go pkg/generated/models/intoto.go pkg/generated/models/intoto_schema.go pkg/generated/models/intoto_v001_schema.go pkg/generated/models/jar.go pkg/generated/models/jar_schema.go pkg/generated/models/jar_v001_schema.go pkg/generated/models/log_entry.go pkg/generated/models/log_info.go pkg/generated/models/proposed_entry.go pkg/generated/models/rekord.go pkg/generated/models/rekord_schema.go pkg/generated/models/rekord_v001_schema.go pkg/generated/models/rekor_version.go pkg/generated/models/rfc3161.go pkg/generated/models/rfc3161_schema.go pkg/generated/models/rfc3161_v001_schema.go pkg/generated/models/rpm.go pkg/generated/models/rpm_schema.go pkg/generated/models/rpm_v001_schema.go pkg/generated/models/search_index.go pkg/generated/models/search_log_query.go pkg/generated/models/tuf.go pkg/generated/models/tuf_schema.go pkg/generated/models/tuf_v001_schema.go pkg/generated/restapi/doc.go pkg/generated/restapi/embedded_spec.go pkg/generated/restapi/operations/entries/create_log_entry.go pkg/generated/restapi/operations/entries/create_log_entry_parameters.go pkg/generated/restapi/operations/entries/create_log_entry_responses.go pkg/generated/restapi/operations/entries/create_log_entry_urlbuilder.go pkg/generated/restapi/operations/entries/get_log_entry_by_index.go pkg/generated/restapi/operations/entries/get_log_entry_by_index_parameters.go pkg/generated/restapi/operations/entries/get_log_entry_by_index_responses.go pkg/generated/restapi/operations/entries/get_log_entry_by_index_urlbuilder.go pkg/generated/restapi/operations/entries/get_log_entry_by_uuid.go pkg/generated/restapi/operations/entries/get_log_entry_by_uuid_parameters.go pkg/generated/restapi/operations/entries/get_log_entry_by_uuid_responses.go pkg/generated/restapi/operations/entries/get_log_entry_by_uuid_urlbuilder.go pkg/generated/restapi/operations/entries/search_log_query.go pkg/generated/restapi/operations/entries/search_log_query_parameters.go pkg/generated/restapi/operations/entries/search_log_query_responses.go pkg/generated/restapi/operations/entries/search_log_query_urlbuilder.go pkg/generated/restapi/operations/index/search_index.go pkg/generated/restapi/operations/index/search_index_parameters.go pkg/generated/restapi/operations/index/search_index_responses.go pkg/generated/restapi/operations/index/search_index_urlbuilder.go pkg/generated/restapi/operations/pubkey/get_public_key.go pkg/generated/restapi/operations/pubkey/get_public_key_parameters.go pkg/generated/restapi/operations/pubkey/get_public_key_responses.go pkg/generated/restapi/operations/pubkey/get_public_key_urlbuilder.go pkg/generated/restapi/operations/rekor_server_api.go pkg/generated/restapi/operations/server/get_rekor_version.go pkg/generated/restapi/operations/server/get_rekor_version_parameters.go pkg/generated/restapi/operations/server/get_rekor_version_responses.go pkg/generated/restapi/operations/server/get_rekor_version_urlbuilder.go pkg/generated/restapi/operations/tlog/get_log_info.go pkg/generated/restapi/operations/tlog/get_log_info_parameters.go pkg/generated/restapi/operations/tlog/get_log_info_responses.go pkg/generated/restapi/operations/tlog/get_log_info_urlbuilder.go pkg/generated/restapi/operations/tlog/get_log_proof.go pkg/generated/restapi/operations/tlog/get_log_proof_parameters.go pkg/generated/restapi/operations/tlog/get_log_proof_responses.go pkg/generated/restapi/operations/tlog/get_log_proof_urlbuilder.go pkg/generated/restapi/server.go
+SWAGGER_GEN=pkg/generated/client/entries/create_log_entry_parameters.go pkg/generated/client/entries/create_log_entry_responses.go pkg/generated/client/entries/entries_client.go pkg/generated/client/entries/get_log_entry_by_index_parameters.go pkg/generated/client/entries/get_log_entry_by_index_responses.go pkg/generated/client/entries/get_log_entry_by_uuid_parameters.go pkg/generated/client/entries/get_log_entry_by_uuid_responses.go pkg/generated/client/entries/search_log_query_parameters.go pkg/generated/client/entries/search_log_query_responses.go pkg/generated/client/index/index_client.go pkg/generated/client/index/search_index_parameters.go pkg/generated/client/index/search_index_responses.go pkg/generated/client/pubkey/get_public_key_parameters.go pkg/generated/client/pubkey/get_public_key_responses.go pkg/generated/client/pubkey/pubkey_client.go pkg/generated/client/rekor_client.go pkg/generated/client/server/get_rekor_version_parameters.go pkg/generated/client/server/get_rekor_version_responses.go pkg/generated/client/server/server_client.go pkg/generated/client/tlog/get_log_info_parameters.go pkg/generated/client/tlog/get_log_info_responses.go pkg/generated/client/tlog/get_log_proof_parameters.go pkg/generated/client/tlog/get_log_proof_responses.go pkg/generated/client/tlog/tlog_client.go pkg/generated/models/alpine.go pkg/generated/models/alpine_schema.go pkg/generated/models/alpine_v001_schema.go pkg/generated/models/consistency_proof.go pkg/generated/models/cose.go pkg/generated/models/cose_schema.go pkg/generated/models/cose_v001_schema.go pkg/generated/models/error.go pkg/generated/models/hashedrekord.go pkg/generated/models/hashedrekord_schema.go pkg/generated/models/hashedrekord_v001_schema.go pkg/generated/models/helm.go pkg/generated/models/helm_schema.go pkg/generated/models/helm_v001_schema.go pkg/generated/models/inactive_shard_log_info.go pkg/generated/models/inclusion_proof.go pkg/generated/models/intoto.go pkg/generated/models/intoto_schema.go pkg/generated/models/intoto_v001_schema.go pkg/generated/models/intoto_v002_schema.go pkg/generated/models/jar.go pkg/generated/models/jar_schema.go pkg/generated/models/jar_v001_schema.go pkg/generated/models/log_entry.go pkg/generated/models/log_info.go pkg/generated/models/proposed_entry.go pkg/generated/models/rekord.go pkg/generated/models/rekord_schema.go pkg/generated/models/rekord_v001_schema.go pkg/generated/models/rekor_version.go pkg/generated/models/rfc3161.go pkg/generated/models/rfc3161_schema.go pkg/generated/models/rfc3161_v001_schema.go pkg/generated/models/rpm.go pkg/generated/models/rpm_schema.go pkg/generated/models/rpm_v001_schema.go pkg/generated/models/search_index.go pkg/generated/models/search_log_query.go pkg/generated/models/tuf.go pkg/generated/models/tuf_schema.go pkg/generated/models/tuf_v001_schema.go pkg/generated/restapi/doc.go pkg/generated/restapi/embedded_spec.go pkg/generated/restapi/operations/entries/create_log_entry.go pkg/generated/restapi/operations/entries/create_log_entry_parameters.go pkg/generated/restapi/operations/entries/create_log_entry_responses.go pkg/generated/restapi/operations/entries/create_log_entry_urlbuilder.go pkg/generated/restapi/operations/entries/get_log_entry_by_index.go pkg/generated/restapi/operations/entries/get_log_entry_by_index_parameters.go pkg/generated/restapi/operations/entries/get_log_entry_by_index_responses.go pkg/generated/restapi/operations/entries/get_log_entry_by_index_urlbuilder.go pkg/generated/restapi/operations/entries/get_log_entry_by_uuid.go pkg/generated/restapi/operations/entries/get_log_entry_by_uuid_parameters.go pkg/generated/restapi/operations/entries/get_log_entry_by_uuid_responses.go pkg/generated/restapi/operations/entries/get_log_entry_by_uuid_urlbuilder.go pkg/generated/restapi/operations/entries/search_log_query.go pkg/generated/restapi/operations/entries/search_log_query_parameters.go pkg/generated/restapi/operations/entries/search_log_query_responses.go pkg/generated/restapi/operations/entries/search_log_query_urlbuilder.go pkg/generated/restapi/operations/index/search_index.go pkg/generated/restapi/operations/index/search_index_parameters.go pkg/generated/restapi/operations/index/search_index_responses.go pkg/generated/restapi/operations/index/search_index_urlbuilder.go pkg/generated/restapi/operations/pubkey/get_public_key.go pkg/generated/restapi/operations/pubkey/get_public_key_parameters.go pkg/generated/restapi/operations/pubkey/get_public_key_responses.go pkg/generated/restapi/operations/pubkey/get_public_key_urlbuilder.go pkg/generated/restapi/operations/rekor_server_api.go pkg/generated/restapi/operations/server/get_rekor_version.go pkg/generated/restapi/operations/server/get_rekor_version_parameters.go pkg/generated/restapi/operations/server/get_rekor_version_responses.go pkg/generated/restapi/operations/server/get_rekor_version_urlbuilder.go pkg/generated/restapi/operations/tlog/get_log_info.go pkg/generated/restapi/operations/tlog/get_log_info_parameters.go pkg/generated/restapi/operations/tlog/get_log_info_responses.go pkg/generated/restapi/operations/tlog/get_log_info_urlbuilder.go pkg/generated/restapi/operations/tlog/get_log_proof.go pkg/generated/restapi/operations/tlog/get_log_proof_parameters.go pkg/generated/restapi/operations/tlog/get_log_proof_responses.go pkg/generated/restapi/operations/tlog/get_log_proof_urlbuilder.go pkg/generated/restapi/server.go

cmd/rekor-cli/app/pflag_groups.go

@@ -69,7 +69,7 @@ func addArtifactPFlags(cmd *cobra.Command) error {
 			false,
 		},
 		"public-key": {
-			fileOrURLFlag,
+			multiFileOrURLFlag,
 			"path or URL to public key file",
 			false,
 		},
@@ -149,12 +149,18 @@ func CreatePropsFromPflags() *types.ArtifactProperties {
 	}
 
 	publicKeyString := viper.GetString("public-key")
-	if publicKeyString != "" {
-		if isURL(publicKeyString) {
-			props.PublicKeyPath, _ = url.Parse(publicKeyString)
-		} else {
-			props.PublicKeyPath = &url.URL{Path: publicKeyString}
+	splitPubKeyString := strings.Split(publicKeyString, ",")
+	if len(splitPubKeyString) > 0 {
+		collectedKeys := []*url.URL{}
+		for _, key := range splitPubKeyString {
+			if isURL(key) {
+				keyPath, _ := url.Parse(key)
+				collectedKeys = append(collectedKeys, keyPath)
+			} else {
+				collectedKeys = append(collectedKeys, &url.URL{Path: key})
+			}
 		}
+		props.PublicKeyPaths = collectedKeys
 	}
 
 	props.PKIFormat = viper.GetString("pki-format")

cmd/rekor-cli/app/pflags.go

@@ -35,20 +35,21 @@ import (
 type FlagType string
 
 const (
-	uuidFlag      FlagType = "uuid"
-	shaFlag       FlagType = "sha"
-	emailFlag     FlagType = "email"
-	operatorFlag  FlagType = "operator"
-	logIndexFlag  FlagType = "logIndex"
-	pkiFormatFlag FlagType = "pkiFormat"
-	typeFlag      FlagType = "type"
-	fileFlag      FlagType = "file"
-	urlFlag       FlagType = "url"
-	fileOrURLFlag FlagType = "fileOrURL"
-	oidFlag       FlagType = "oid"
-	formatFlag    FlagType = "format"
-	timeoutFlag   FlagType = "timeout"
-	base64Flag    FlagType = "base64"
+	uuidFlag           FlagType = "uuid"
+	shaFlag            FlagType = "sha"
+	emailFlag          FlagType = "email"
+	operatorFlag       FlagType = "operator"
+	logIndexFlag       FlagType = "logIndex"
+	pkiFormatFlag      FlagType = "pkiFormat"
+	typeFlag           FlagType = "type"
+	fileFlag           FlagType = "file"
+	urlFlag            FlagType = "url"
+	fileOrURLFlag      FlagType = "fileOrURL"
+	multiFileOrURLFlag FlagType = "multiFileOrURL"
+	oidFlag            FlagType = "oid"
+	formatFlag         FlagType = "format"
+	timeoutFlag        FlagType = "timeout"
+	base64Flag         FlagType = "base64"
 )
 
 type newPFlagValueFunc func() pflag.Value
@@ -100,6 +101,10 @@ func initializePFlagMap() {
 			// applies logic of fileFlag OR urlFlag validators from above
 			return valueFactory(fileOrURLFlag, validateFileOrURL, "")
 		},
+		multiFileOrURLFlag: func() pflag.Value {
+			// applies logic of fileFlag OR urlFlag validators from above for multi file and URL
+			return multiValueFactory(multiFileOrURLFlag, validateFileOrURL, []string{})
+		},
 		oidFlag: func() pflag.Value {
 			// this validates for an OID, which is a sequence of positive integers separated by periods
 			return valueFactory(oidFlag, validateOID, "")
@@ -142,6 +147,38 @@ func valueFactory(flagType FlagType, v validationFunc, defaultVal string) pflag.
 	}
 }
 
+func multiValueFactory(flagType FlagType, v validationFunc, defaultVal []string) pflag.Value {
+	return &multiBaseValue{
+		flagType:       flagType,
+		validationFunc: v,
+		value:          defaultVal,
+	}
+}
+
+// multiBaseValue implements pflag.Value
+type multiBaseValue struct {
+	flagType       FlagType
+	value          []string
+	validationFunc validationFunc
+}
+
+func (b *multiBaseValue) String() string {
+	return strings.Join(b.value, ",")
+}
+
+// Type returns the type of this Value
+func (b multiBaseValue) Type() string {
+	return string(b.flagType)
+}
+
+func (b *multiBaseValue) Set(value string) error {
+	if err := b.validationFunc(value); err != nil {
+		return err
+	}
+	b.value = append(b.value, value)
+	return nil
+}
+
 // baseValue implements pflag.Value
 type baseValue struct {
 	flagType       FlagType

cmd/rekor-cli/app/pflags_test.go

@@ -37,6 +37,7 @@ func TestArtifactPFlags(t *testing.T) {
 		artifact              string
 		signature             string
 		publicKey             string
+		multiPublicKey        []string
 		uuid                  string
 		aad                   string
 		uuidRequired          bool
@@ -373,6 +374,22 @@ func TestArtifactPFlags(t *testing.T) {
 			expectParseSuccess:    true,
 			expectValidateSuccess: false,
 		},
+		{
+			caseDesc:              "valid intoto - one keys",
+			typeStr:               "intoto",
+			artifact:              "../../../tests/intoto_dsse.json",
+			publicKey:             "../../../tests/intoto_dsse.pem",
+			expectParseSuccess:    true,
+			expectValidateSuccess: true,
+		},
+		{
+			caseDesc:              "valid intoto - multi keys",
+			typeStr:               "intoto",
+			artifact:              "../../../tests/intoto_multi_dsse.json",
+			multiPublicKey:        []string{"../../../tests/intoto_dsse.pem", "../../../tests/intoto_multi_pub2.pem"},
+			expectParseSuccess:    true,
+			expectValidateSuccess: true,
+		},
 	}
 
 	for _, tc := range tests {
@@ -405,6 +422,11 @@ func TestArtifactPFlags(t *testing.T) {
 		if tc.publicKey != "" {
 			args = append(args, "--public-key", tc.publicKey)
 		}
+		if len(tc.multiPublicKey) > 0 {
+			for _, key := range tc.multiPublicKey {
+				args = append(args, "--public-key", key)
+			}
+		}
 		if tc.uuid != "" {
 			args = append(args, "--uuid", tc.uuid)
 		}
@@ -740,6 +762,11 @@ func TestParseTypeFlag(t *testing.T) {
 		{
 			caseDesc:      "explicit intoto v0.0.1",
 			typeStr:       "intoto:0.0.1",
+			expectSuccess: false,
+		},
+		{
+			caseDesc:      "explicit intoto v0.0.2",
+			typeStr:       "intoto:0.0.2",
 			expectSuccess: true,
 		},
 		{

cmd/rekor-cli/app/root.go

@@ -32,6 +32,7 @@ import (
 	_ "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
 	_ "github.com/sigstore/rekor/pkg/types/helm/v0.0.1"
 	_ "github.com/sigstore/rekor/pkg/types/intoto/v0.0.1"
+	_ "github.com/sigstore/rekor/pkg/types/intoto/v0.0.2"
 	_ "github.com/sigstore/rekor/pkg/types/jar/v0.0.1"
 	_ "github.com/sigstore/rekor/pkg/types/rekord/v0.0.1"
 	_ "github.com/sigstore/rekor/pkg/types/rfc3161/v0.0.1"

cmd/rekor-cli/app/search.go

@@ -164,15 +164,20 @@ var searchCmd = &cobra.Command{
 			default:
 				return nil, fmt.Errorf("unknown pki-format %v", pkiFormat)
 			}
-			publicKeyStr := viper.GetString("public-key")
-			if isURL(publicKeyStr) {
-				params.Query.PublicKey.URL = strfmt.URI(publicKeyStr)
-			} else {
-				keyBytes, err := ioutil.ReadFile(filepath.Clean(publicKeyStr))
-				if err != nil {
-					return nil, fmt.Errorf("error reading public key file: %w", err)
+
+			splitPubKeyString := strings.Split(publicKeyStr, ",")
+			if len(splitPubKeyString) == 1 {
+				if isURL(splitPubKeyString[0]) {
+					params.Query.PublicKey.URL = strfmt.URI(splitPubKeyString[0])
+				} else {
+					keyBytes, err := ioutil.ReadFile(filepath.Clean(splitPubKeyString[0]))
+					if err != nil {
+						return nil, fmt.Errorf("error reading public key file: %w", err)
+					}
+					params.Query.PublicKey.Content = strfmt.Base64(keyBytes)
 				}
-				params.Query.PublicKey.Content = strfmt.Base64(keyBytes)
+			} else {
+				return nil, errors.New("only one public key must be provided")
 			}
 		}
 

cmd/rekor-server/app/serve.go

@@ -39,6 +39,7 @@ import (
 	helm_v001 "github.com/sigstore/rekor/pkg/types/helm/v0.0.1"
 	"github.com/sigstore/rekor/pkg/types/intoto"
 	intoto_v001 "github.com/sigstore/rekor/pkg/types/intoto/v0.0.1"
+	intoto_v002 "github.com/sigstore/rekor/pkg/types/intoto/v0.0.2"
 	"github.com/sigstore/rekor/pkg/types/jar"
 	jar_v001 "github.com/sigstore/rekor/pkg/types/jar/v0.0.1"
 	"github.com/sigstore/rekor/pkg/types/rekord"
@@ -84,17 +85,17 @@ var serveCmd = &cobra.Command{
 		//TODO: add command line option to print versions supported in binary
 
 		// these trigger loading of package and therefore init() methods to run
-		pluggableTypeMap := map[string]string{
-			rekord.KIND:       rekord_v001.APIVERSION,
-			rpm.KIND:          rpm_v001.APIVERSION,
-			jar.KIND:          jar_v001.APIVERSION,
-			intoto.KIND:       intoto_v001.APIVERSION,
-			cose.KIND:         cose_v001.APIVERSION,
-			rfc3161.KIND:      rfc3161_v001.APIVERSION,
-			alpine.KIND:       alpine_v001.APIVERSION,
-			helm.KIND:         helm_v001.APIVERSION,
-			tuf.KIND:          tuf_v001.APIVERSION,
-			hashedrekord.KIND: hashedrekord_v001.APIVERSION,
+		pluggableTypeMap := map[string][]string{
+			rekord.KIND:       {rekord_v001.APIVERSION},
+			rpm.KIND:          {rpm_v001.APIVERSION},
+			jar.KIND:          {jar_v001.APIVERSION},
+			intoto.KIND:       {intoto_v001.APIVERSION, intoto_v002.APIVERSION},
+			cose.KIND:         {cose_v001.APIVERSION},
+			rfc3161.KIND:      {rfc3161_v001.APIVERSION},
+			alpine.KIND:       {alpine_v001.APIVERSION},
+			helm.KIND:         {helm_v001.APIVERSION},
+			tuf.KIND:          {tuf_v001.APIVERSION},
+			hashedrekord.KIND: {hashedrekord_v001.APIVERSION},
 		}
 
 		for k, v := range pluggableTypeMap {