From 182949aa5c709f43c349e4a7ac2c33586a1d8951 Mon Sep 17 00:00:00 2001 From: maxgio92 Date: Wed, 21 Jun 2023 12:36:45 +0200 Subject: [PATCH 1/6] disable release.yml trigger Signed-off-by: maxgio92 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1cca462c..34ea1bb0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,7 +4,7 @@ on: push: tags: # All tags - - '**' + - 'wrong-prefix**' # Checks if any concurrent jobs is running for release CI and eventually cancel it. concurrency: From 4133b59d7b111372835a7fa6df86e80ccb924d95 Mon Sep 17 00:00:00 2001 From: Massimiliano Giovagnoli Date: Tue, 18 Jul 2023 19:32:56 +0200 Subject: [PATCH 2/6] feat(pkg/registry): add index entry signature to registry model Signed-off-by: Massimiliano Giovagnoli --- .github/workflows/release.yml | 2 +- build/registry/pkg/registry/types.go | 17 +++++++++++------ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 34ea1bb0..1cca462c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,7 +4,7 @@ on: push: tags: # All tags - - 'wrong-prefix**' + - '**' # Checks if any concurrent jobs is running for release CI and eventually cancel it. concurrency: diff --git a/build/registry/pkg/registry/types.go b/build/registry/pkg/registry/types.go index 34e5156d..cac1a0c4 100644 --- a/build/registry/pkg/registry/types.go +++ b/build/registry/pkg/registry/types.go @@ -16,6 +16,10 @@ limitations under the License. package registry +import ( + "github.com/falcosecurity/falcoctl/pkg/index" +) + type SourcingCapability struct { Supported bool `yaml:"supported"` ID uint `yaml:"id"` 
@@ -41,12 +45,13 @@ type Plugin struct { Email string `yaml:"email"` Name string `yaml:"name"` } `yaml:"maintainers"` - Keywords []string `yaml:"keywords"` - URL string `yaml:"url"` - RulesURL string `yaml:"rules_url"` - License string `yaml:"license"` - Reserved bool `yaml:"reserved"` - Capabilities Capabilities `yaml:"capabilities"` + Keywords []string `yaml:"keywords"` + URL string `yaml:"url"` + RulesURL string `yaml:"rules_url"` + License string `yaml:"license"` + Reserved bool `yaml:"reserved"` + Capabilities Capabilities `yaml:"capabilities"` + Signature *index.Signature `yaml:"signature,omitempty"` } type Registry struct { From 428bdc7cd9d1232d2a9b1fd07ef4874a1ba65a69 Mon Sep 17 00:00:00 2001 From: Massimiliano Giovagnoli Date: Wed, 19 Jul 2023 14:59:51 +0200 Subject: [PATCH 3/6] feat(pkg/distribution): generate index with signature from registry model Signed-off-by: Massimiliano Giovagnoli --- build/registry/pkg/distribution/index.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build/registry/pkg/distribution/index.go b/build/registry/pkg/distribution/index.go index 5a6290c0..b0f91bc9 100644 --- a/build/registry/pkg/distribution/index.go +++ b/build/registry/pkg/distribution/index.go @@ -46,6 +46,7 @@ func pluginToIndexEntry(p registry.Plugin, registry, repo string) *index.Entry { Name: p.Name, Type: string(falcoctloci.Plugin), Registry: registry, + Signature: p.Signature, Repository: repo, Description: p.Description, Home: p.URL, @@ -61,6 +62,7 @@ func pluginRulesToIndexEntry(p registry.Plugin, registry, repo string) *index.En Name: p.Name + common.RulesArtifactSuffix, Type: string(falcoctloci.Rulesfile), Registry: registry, + Signature: p.Signature, Repository: repo, Description: p.Description, Home: p.URL, From 6202398978a7902bc8b80e16de206ff1005f6b2e Mon Sep 17 00:00:00 2001 From: Massimiliano Giovagnoli Date: Wed, 19 Jul 2023 19:45:27 +0200 Subject: [PATCH 4/6] test(pkg/distribution): add initial index-update black box unit tests 
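Review bot: The new `Signature *index.Signature` field on Plugin carries a trust policy (the cosign issuer and identity settings seen in the testdata later in this series) into a model that is otherwise descriptive metadata, and the hunk adds no doc comment saying what it is for or who consumes it. A one-line comment would help anyone editing registry.yaml: `// Signature is the optional cosign verification policy for this plugin's artifacts; it is copied verbatim into the index entries generated by pkg/distribution.` If the registry package has a validation step for registry.yaml (not visible in this series), it should cover the new field as well, since whatever is written here is published to every consumer of the index. The same file's import hunk in the previous commit line is part of this change.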
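Review bot: `Signature: p.Signature` copies the pointer, not the value, so after this change the registry Plugin, its plugin index entry and (second hunk of index.go) its rulesfile index entry all alias one `index.Signature`; an in-place edit of one entry's signature later in the pipeline would silently change the others. If sharing by reference is intended, say so in both literals: `Signature: p.Signature, // shared by reference with the registry model`. The two hunks also apply a single per-plugin policy to two separately published artifacts; whether the plugin and its rulesfile are expected to be signed under the same identity is not stated anywhere in this series and belongs in the registry documentation. pluginToIndexEntry and pluginRulesToIndexEntry both continue outside their hunks.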
Signed-off-by: Massimiliano Giovagnoli
---
 .../distribution/distribution_suite_test.go | 29 ++
 build/registry/pkg/distribution/index_test.go | 83 ++++++
 .../pkg/distribution/testdata/index.yaml | 233 +++++++++++++++
 .../pkg/distribution/testdata/registry.yaml | 270 ++++++++++++++++++
 4 files changed, 615 insertions(+)
 create mode 100644 build/registry/pkg/distribution/distribution_suite_test.go
 create mode 100644 build/registry/pkg/distribution/index_test.go
 create mode 100644 build/registry/pkg/distribution/testdata/index.yaml
 create mode 100644 build/registry/pkg/distribution/testdata/registry.yaml
diff --git a/build/registry/pkg/distribution/distribution_suite_test.go b/build/registry/pkg/distribution/distribution_suite_test.go
new file mode 100644
index 00000000..b2e563d3
--- /dev/null
+++ b/build/registry/pkg/distribution/distribution_suite_test.go
@@ -0,0 +1,29 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package distribution_test
+
+import (
+ "testing"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+)
+
+func TestDistribution(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Distribution Suite")
+}
diff --git a/build/registry/pkg/distribution/index_test.go b/build/registry/pkg/distribution/index_test.go
new file mode 100644
index 00000000..3d4d855c
--- /dev/null
+++ b/build/registry/pkg/distribution/index_test.go
@@ -0,0 +1,83 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package distribution_test
+
+import (
+ "github.com/falcosecurity/plugins/build/registry/pkg/distribution"
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ "os"
+)
+
+const (
+ indexFile = "testdata/index.yaml"
+ wrongIndexFile = "testdata/wrong-index.yaml"
+ registryFile = "testdata/registry.yaml"
+ wrongRegistryFile = "testdata/wrong-registry.yaml"
+ registryUser = "falcosecurity"
+ registry = "ghcr.io"
+)
+
+var _ = Describe("Update index", func() {
+ var (
+ err error
+ )
+ Context("with registry file", func() {
+ BeforeEach(func() {
+ os.Setenv("REGISTRY_USER", registryUser)
+ os.Setenv("REGISTRY", registry)
+ })
+ Context("with index file", func() {
+ BeforeEach(func() {
+ err = distribution.DoUpdateIndex(registryFile, indexFile)
+ })
+ It("Should not fail", func() {
+ Expect(err).To(BeNil())
+ })
+ })
+ Context("without index file", func() {
+ BeforeEach(func() {
+ err = distribution.DoUpdateIndex(registryFile, wrongIndexFile)
+ })
+ It("Should fail", func() {
+ Expect(err).ToNot(BeNil())
+ })
+ })
+ })
+ Context("without registry file", func() {
+ BeforeEach(func() {
+ os.Setenv("REGISTRY_USER", registryUser)
+ os.Setenv("REGISTRY", registry)
+ })
+ Context("with index file", func() {
+ BeforeEach(func() {
+ err = distribution.DoUpdateIndex(wrongRegistryFile, indexFile)
+ })
+ It("Should fail", func() {
+ Expect(err).ToNot(BeNil())
+ })
+ })
+ Context("without index file", func() {
+ BeforeEach(func() {
+ err = distribution.DoUpdateIndex(wrongRegistryFile, wrongIndexFile)
+ })
+ It("Should fail", func() {
+ Expect(err).ToNot(BeNil())
+ })
+ })
+ })
+})
diff --git a/build/registry/pkg/distribution/testdata/index.yaml b/build/registry/pkg/distribution/testdata/index.yaml
new file mode 100644
index 00000000..00fdea43
--- /dev/null
+++ b/build/registry/pkg/distribution/testdata/index.yaml
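Review bot: The "with index file" spec calls `distribution.DoUpdateIndex(registryFile, indexFile)` on the checked-in fixture `testdata/index.yaml`; if DoUpdateIndex writes the updated index back to that path (upsertIndex takes an indexPath, per the later hunk in index.go), a passing run rewrites the fixture in the working tree. Copy the fixture into a directory from `os.MkdirTemp` in BeforeEach and pass that copy instead. The `os.Setenv` calls in both BeforeEach blocks ignore their error and are never undone, so REGISTRY_USER and REGISTRY leak into every other spec in the process; register `DeferCleanup(os.Unsetenv, "REGISTRY")` next to each call (or use `GinkgoT().Setenv`, which restores the previous value). Whether DoUpdateIndex also contacts the OCI registry named by REGISTRY is not visible here; if it does, the happy-path spec depends on the network and should be skipped or pointed at a local registry.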
@@ -0,0 +1,233 @@ +- name: application-rules + type: rulesfile + registry: ghcr.io + repository: falcosecurity/rules/application-rules + description: Application rules + home: https://github.com/falcosecurity/rules/blob/main/rules/application_rules.yaml + keywords: + - application-rules + license: apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/rules/blob/main/rules/application_rules.yaml +- name: cloudtrail + type: plugin + registry: ghcr.io + repository: falcosecurity/plugins/plugin/cloudtrail + description: Reads Cloudtrail JSON logs from files/S3 and injects as events + home: https://github.com/falcosecurity/plugins/tree/master/plugins/cloudtrail + keywords: + - audit + - user-activity + - api-usage + - aws + - cloudtrail + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/plugins/tree/master/plugins/cloudtrail +- name: cloudtrail-rules + type: rulesfile + registry: ghcr.io + repository: falcosecurity/plugins/ruleset/cloudtrail + description: Reads Cloudtrail JSON logs from files/S3 and injects as events + home: https://github.com/falcosecurity/plugins/tree/master/plugins/cloudtrail + keywords: + - audit + - user-activity + - api-usage + - aws + - cloudtrail-rules + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/plugins/tree/master/plugins/cloudtrail/rules +- name: dummy + type: plugin + registry: ghcr.io + repository: falcosecurity/plugins/plugin/dummy + description: Reference plugin used to document interface + home: https://github.com/falcosecurity/plugins/tree/master/plugins/dummy + keywords: + - dummy + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - 
https://github.com/falcosecurity/plugins/tree/master/plugins/dummy +- name: dummy_c + type: plugin + registry: ghcr.io + repository: falcosecurity/plugins/plugin/dummy_c + description: Like dummy, but written in C++ + home: https://github.com/falcosecurity/plugins/tree/master/plugins/dummy_c + keywords: + - dummy_c + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/plugins/tree/master/plugins/dummy_c +- name: falco-rules + type: rulesfile + registry: ghcr.io + repository: falcosecurity/rules/falco-rules + description: Falco rules that are loaded by default + home: https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml + keywords: + - falco-rules + license: apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml +- name: github + type: plugin + registry: ghcr.io + repository: falcosecurity/plugins/plugin/github + description: Github Webhook Events + home: https://github.com/falcosecurity/plugins/tree/master/plugins/github + keywords: + - audit + - log-events + - webhook + - github-activity + - github + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/plugins/tree/master/plugins/github +- name: github-rules + type: rulesfile + registry: ghcr.io + repository: falcosecurity/plugins/ruleset/github + description: Github Webhook Events + home: https://github.com/falcosecurity/plugins/tree/master/plugins/github + keywords: + - audit + - log-events + - webhook + - github-activity + - github + - github-rules + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/plugins/tree/master/plugins/github/rules +- name: json + type: plugin + registry: 
ghcr.io + repository: falcosecurity/plugins/plugin/json + description: Extract values from any JSON payload + home: https://github.com/falcosecurity/plugins/tree/master/plugins/json + keywords: + - json-events + - json-payload + - extractor + - json + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/plugins/tree/master/plugins/json +- name: k8saudit + type: plugin + registry: ghcr.io + repository: falcosecurity/plugins/plugin/k8saudit + description: Read Kubernetes Audit Events and monitor Kubernetes Clusters + home: https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit + keywords: + - audit + - audit-log + - audit-events + - kubernetes + - k8saudit + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit +- name: k8saudit-eks + type: plugin + registry: ghcr.io + repository: falcosecurity/plugins/plugin/k8saudit-eks + description: Read Kubernetes Audit Events from AWS EKS Clusters + home: https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit-eks + keywords: + - audit + - audit-log + - audit-events + - kubernetes + - eks + - aws + - k8saudit-eks + license: Apache-2.0 + maintainers: [] + sources: + - https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit-eks +- name: k8saudit-rules + type: rulesfile + registry: ghcr.io + repository: falcosecurity/plugins/ruleset/k8saudit + description: Read Kubernetes Audit Events and monitor Kubernetes Clusters + home: https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit + keywords: + - audit + - audit-log + - audit-events + - kubernetes + - k8saudit-rules + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - 
https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit/rules +- name: okta + type: plugin + registry: ghcr.io + repository: falcosecurity/plugins/plugin/okta + description: Okta Log Events + home: https://github.com/falcosecurity/plugins/tree/master/plugins/okta + keywords: + - audit + - log-events + - okta + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/plugins/tree/master/plugins/okta +- name: okta-rules + type: rulesfile + registry: ghcr.io + repository: falcosecurity/plugins/ruleset/okta + description: Okta Log Events + home: https://github.com/falcosecurity/plugins/tree/master/plugins/okta + keywords: + - audit + - log-events + - okta + - okta-rules + license: Apache-2.0 + maintainers: + - email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors + sources: + - https://github.com/falcosecurity/plugins/tree/master/plugins/okta/rules diff --git a/build/registry/pkg/distribution/testdata/registry.yaml b/build/registry/pkg/distribution/testdata/registry.yaml new file mode 100644 index 00000000..ebca737a --- /dev/null +++ b/build/registry/pkg/distribution/testdata/registry.yaml 
@@ -0,0 +1,270 @@ +# +# Copyright (C) 2022 The Falco Authors. +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# The list of the data sources not allowed in plugins, since they are already +# used in Falco. +reserved_sources: ["syscall", "internal", "plugins"] + +# The list of plugins officially recognized by the Falcosecurity organization. +# Registering your plugin here is required to reserve a given name, source, or id. +# +# License IDs refer to the SPDX License List at https://spdx.org/licenses +plugins: + - name: k8saudit + description: Read Kubernetes Audit Events and monitor Kubernetes Clusters + authors: The Falco Authors + contact: https://falco.org/community + maintainers: + - name: The Falco Authors + email: cncf-falco-dev@lists.cncf.io + keywords: + - audit + - audit-log + - audit-events + - kubernetes + url: https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit + rules_url: https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit/rules + license: Apache-2.0 + capabilities: + sourcing: + supported: true + id: 1 + source: k8s_audit + extraction: + supported: true + - name: cloudtrail + description: Reads Cloudtrail JSON logs from files/S3 and injects as events + authors: The Falco Authors + contact: https://falco.org/community + maintainers: + - name: The Falco Authors + email: cncf-falco-dev@lists.cncf.io + keywords: + - audit + - user-activity + - api-usage + - aws + url: 
https://github.com/falcosecurity/plugins/tree/master/plugins/cloudtrail + rules_url: https://github.com/falcosecurity/plugins/tree/master/plugins/cloudtrail/rules + license: Apache-2.0 + capabilities: + sourcing: + supported: true + id: 2 + source: aws_cloudtrail + extraction: + supported: true + - name: json + description: Extract values from any JSON payload + authors: The Falco Authors + contact: https://falco.org/community + maintainers: + - name: The Falco Authors + email: cncf-falco-dev@lists.cncf.io + keywords: + - json-events + - json-payload + - extractor + url: https://github.com/falcosecurity/plugins/tree/master/plugins/json + license: Apache-2.0 + capabilities: + extraction: + supported: true + - name: dummy + description: Reference plugin used to document interface + authors: The Falco Authors + contact: https://falco.org/community + maintainers: + - name: The Falco Authors + email: cncf-falco-dev@lists.cncf.io + url: https://github.com/falcosecurity/plugins/tree/master/plugins/dummy + license: Apache-2.0 + capabilities: + sourcing: + supported: true + id: 3 + source: dummy + extraction: + supported: true + - name: dummy_c + description: Like dummy, but written in C++ + authors: The Falco Authors + contact: https://falco.org/community + maintainers: + - name: The Falco Authors + email: cncf-falco-dev@lists.cncf.io + url: https://github.com/falcosecurity/plugins/tree/master/plugins/dummy_c + license: Apache-2.0 + capabilities: + sourcing: + supported: true + id: 4 + source: dummy_c + extraction: + supported: true + - name: docker + description: Docker Events + authors: Thomas Labarussias + contact: https://github.com/Issif + maintainers: + - name: Thomas Labarussias + email: issif_github@gadz.org + keywords: + - docker-events + url: https://github.com/Issif/docker-plugin + rules_url: https://github.com/Issif/docker-plugin/tree/main/rules + license: Apache-2.0 + capabilities: + sourcing: + supported: true + id: 5 + source: docker + extraction: + 
supported: true + - name: seccompagent + description: Seccomp Agent Events + authors: Alban Crequy + contact: https://github.com/kinvolk/seccompagent + url: https://github.com/kinvolk/seccompagent + keywords: + - seccomp + - kinvolk + license: Apache-2.0 + capabilities: + sourcing: + supported: true + id: 6 + source: seccompagent + extraction: + supported: true + - name: okta + description: Okta Log Events + authors: The Falco Authors + contact: https://falco.org/community + maintainers: + - name: The Falco Authors + email: cncf-falco-dev@lists.cncf.io + keywords: + - audit + - log-events + - okta + url: https://github.com/falcosecurity/plugins/tree/master/plugins/okta + rules_url: https://github.com/falcosecurity/plugins/tree/master/plugins/okta/rules + license: Apache-2.0 + capabilities: + sourcing: + supported: true + id: 7 + source: okta + extraction: + supported: true + signature: + cosign: + certificate-oidc-issuer: https://token.actions.githubusercontent.com + certificate-identity-regexp: https://github.com/LucaGuerra/cool-falco-ruleset/ + - name: github + description: Github Webhook Events + authors: The Falco Authors + contact: https://falco.org/community + maintainers: + - name: The Falco Authors + email: cncf-falco-dev@lists.cncf.io + keywords: + - audit + - log-events + - webhook + - github-activity + - github + url: https://github.com/falcosecurity/plugins/tree/master/plugins/github + rules_url: https://github.com/falcosecurity/plugins/tree/master/plugins/github/rules + license: Apache-2.0 + capabilities: + sourcing: + supported: true + id: 8 + source: github + extraction: + supported: true + - name: k8saudit-eks + description: Read Kubernetes Audit Events from AWS EKS Clusters + authors: The Falco Authors + contact: https://falco.org/community + url: https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit-eks + rules_url: https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit/rules + license: Apache-2.0 + keywords: + - 
audit + - audit-log + - audit-events + - kubernetes + - eks + - aws + capabilities: + sourcing: + supported: true + id: 9 + source: k8s_audit + extraction: + supported: true + - name: nomad + description: Read Hashicorp Nomad Events Stream + authors: Alberto Llamas + contact: https://github.com/albertollamaso/nomad-plugin/issues + maintainers: + - name: Alberto Llamas + keywords: + - audit + - audit-events + - nomad + url: https://github.com/albertollamaso/nomad-plugin/tree/main + rules_url: https://github.com/albertollamaso/nomad-plugin/tree/main/rules + license: Apache-2.0 + capabilities: + sourcing: + supported: true + id: 10 + source: nomad + extraction: + supported: true + - name: dnscollector + description: DNS Collector Events + authors: Daniel Moloney + contact: https://github.com/SysdigDan/dnscollector-falco-plugin/issues + maintainers: + - name: Daniel Moloney + keywords: + - audit + - log-events + - dns + url: https://github.com/SysdigDan/dnscollector-falco-plugin + rules_url: https://github.com/SysdigDan/dnscollector-falco-plugin/tree/master/rules + license: Apache-2.0 + capabilities: + sourcing: + supported: true + id: 11 + source: dnscollector + extraction: + supported: true + - name: test + description: This ID is reserved for source plugin development. Any plugin author can use this ID, but authors can expect events from other developers with this ID. After development is complete, the author should request an actual ID + reserved: true + capabilities: + sourcing: + supported: true + id: 999 + source: test From 5ab0463550e9e72b7466454ad57e3a4814f5c555 Mon Sep 17 00:00:00 2001 From: Massimiliano Giovagnoli Date: Wed, 19 Jul 2023 20:57:26 +0200 Subject: [PATCH 5/6] test(pkg/distribution): add initial index entry signature unit test 
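Review bot: The okta entry's `certificate-identity-regexp: https://github.com/LucaGuerra/cool-falco-ruleset/` is unanchored and leaves the dots unescaped, so if it is evaluated with Go regexp semantics (a substring match unless the pattern anchors itself) it also accepts any identity string that merely contains that text. Since this fixture is what contributors will copy when they add a signature block to the real registry, the sample should be strict: `certificate-identity-regexp: ^https://github\.com/LucaGuerra/cool-falco-ruleset/`, with a line in the header comment saying that identity patterns must be anchored. The same value is repeated in the two testdata/index.yaml hunks of the final commit and would need the corresponding update. How falcoctl applies this field is not visible in this series, so confirm its matching semantics before relying on anchoring alone.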
Signed-off-by: Massimiliano Giovagnoli --- build/registry/pkg/distribution/index.go | 8 +-- .../pkg/distribution/index_internal_test.go | 61 +++++++++++++++++++ build/registry/pkg/distribution/index_test.go | 12 ++-- 3 files changed, 72 insertions(+), 9 deletions(-) create mode 100644 build/registry/pkg/distribution/index_internal_test.go diff --git a/build/registry/pkg/distribution/index.go b/build/registry/pkg/distribution/index.go index b0f91bc9..e2d06cb4 100644 --- a/build/registry/pkg/distribution/index.go +++ b/build/registry/pkg/distribution/index.go @@ -41,7 +41,7 @@ const ( GHOrg = "falcosecurity" ) -func pluginToIndexEntry(p registry.Plugin, registry, repo string) *index.Entry { +func PluginToIndexEntry(p registry.Plugin, registry, repo string) *index.Entry { return &index.Entry{ Name: p.Name, Type: string(falcoctloci.Plugin), @@ -57,7 +57,7 @@ func pluginToIndexEntry(p registry.Plugin, registry, repo string) *index.Entry { } } -func pluginRulesToIndexEntry(p registry.Plugin, registry, repo string) *index.Entry { +func PluginRulesToIndexEntry(p registry.Plugin, registry, repo string) *index.Entry { return &index.Entry{ Name: p.Name + common.RulesArtifactSuffix, Type: string(falcoctloci.Rulesfile), @@ -91,13 +91,13 @@ func upsertIndex(r *registry.Registry, ociArtifacts map[string]string, indexPath tokens := strings.Split(refPlugin, "/") ociRegistry := tokens[0] ociRepo := filepath.Join(tokens[1:]...) - i.Upsert(pluginToIndexEntry(p, ociRegistry, ociRepo)) + i.Upsert(PluginToIndexEntry(p, ociRegistry, ociRepo)) } if refRulesfile, ok := ociArtifacts[p.Name+common.RulesArtifactSuffix]; ok { tokens := strings.Split(refRulesfile, "/") ociRegistry := tokens[0] ociRepo := filepath.Join(tokens[1:]...) - i.Upsert(pluginRulesToIndexEntry(p, ociRegistry, ociRepo)) + i.Upsert(PluginRulesToIndexEntry(p, ociRegistry, ociRepo)) } } 
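Review bot: `PluginToIndexEntry` and `PluginRulesToIndexEntry` become exported only so that the new test can call them, yet that test (index_internal_test.go, next file in this commit) declares `package distribution_test`, the external test package, which is exactly what forces the export. Naming the file as an internal test but compiling it externally defeats the purpose; declaring it `package distribution` lets both helpers stay unexported and leaves the third hunk's call sites untouched. If the export is kept deliberately, both functions now need doc comments, e.g. `// PluginToIndexEntry builds the index entry for the plugin artifact of p published at registry/repo.` and the equivalent for the rulesfile variant. upsertIndex, in the third hunk, continues outside the hunk.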
diff --git a/build/registry/pkg/distribution/index_internal_test.go b/build/registry/pkg/distribution/index_internal_test.go
new file mode 100644
index 00000000..4e5ba7f1
--- /dev/null
+++ b/build/registry/pkg/distribution/index_internal_test.go
@@ -0,0 +1,61 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package distribution_test
+
+import (
+ "reflect"
+ "testing"
+
+ "github.com/falcosecurity/falcoctl/pkg/index"
+
+ "github.com/falcosecurity/plugins/build/registry/pkg/distribution"
+ "github.com/falcosecurity/plugins/build/registry/pkg/registry"
+)
+
+func TestPluginToIndexEntrySignature(t *testing.T) {
+ t.Parallel()
+
+ signature := &index.Signature{
+ Cosign: &index.CosignSignature{},
+ }
+
+ expected := signature
+
+ p := registry.Plugin{Signature: signature}
+
+ entry := distribution.PluginToIndexEntry(p, "", "")
+ if !reflect.DeepEqual(entry.Signature, expected) {
+ t.Fatalf("Index entry signature: expected %#v, got %v", expected, entry.Signature)
+ }
+}
+
+func TestPluginRulesToIndexEntrySignature(t *testing.T) {
+ t.Parallel()
+
+ signature := &index.Signature{
+ Cosign: &index.CosignSignature{},
+ }
+
+ expected := signature
+
+ p := registry.Plugin{Signature: signature}
+
+ entry := distribution.PluginRulesToIndexEntry(p, "", "")
+ if !reflect.DeepEqual(entry.Signature, expected) {
+ t.Fatalf("Index entry signature: expected %#v, got %v", expected, entry.Signature)
+ }
+}
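Review bot: Both tests set `expected := signature` and then compare `entry.Signature` with `reflect.DeepEqual`, so they only establish that the pointer placed on the registry Plugin reaches the entry; the nil case that the model's `omitempty` tag exists for is not covered. Add a second case per helper that builds `registry.Plugin{}` and asserts `entry.Signature == nil`, so a later change that synthesizes a default signature is caught. The Fatalf calls also format the two values with different verbs (`%#v` for expected, `%v` for got), which makes a failure hard to read side by side; use `%#v` for both.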
diff --git a/build/registry/pkg/distribution/index_test.go b/build/registry/pkg/distribution/index_test.go index 3d4d855c..da06d4f7 100644 --- a/build/registry/pkg/distribution/index_test.go +++ b/build/registry/pkg/distribution/index_test.go @@ -17,10 +17,12 @@ limitations under the License. package distribution_test import ( - "github.com/falcosecurity/plugins/build/registry/pkg/distribution" + "os" + . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" - "os" + + "github.com/falcosecurity/plugins/build/registry/pkg/distribution" ) const ( @@ -29,7 +31,7 @@ const ( registryFile = "testdata/registry.yaml" wrongRegistryFile = "testdata/wrong-registry.yaml" registryUser = "falcosecurity" - registry = "ghcr.io" + registryName = "ghcr.io" ) var _ = Describe("Update index", func() { @@ -39,7 +41,7 @@ var _ = Describe("Update index", func() { Context("with registry file", func() { BeforeEach(func() { os.Setenv("REGISTRY_USER", registryUser) - os.Setenv("REGISTRY", registry) + os.Setenv("REGISTRY", registryName) }) Context("with index file", func() { BeforeEach(func() { @@ -61,7 +63,7 @@ var _ = Describe("Update index", func() { Context("without registry file", func() { BeforeEach(func() { os.Setenv("REGISTRY_USER", registryUser) - os.Setenv("REGISTRY", registry) + os.Setenv("REGISTRY", registryName) }) Context("with index file", func() { BeforeEach(func() { From a3d915077583ac1574fa8f3c8b347c7a21b770a5 Mon Sep 17 00:00:00 2001 From: Massimiliano Giovagnoli Date: Mon, 18 Sep 2023 20:00:19 +0200 Subject: [PATCH 6/6] deps: bump falcoctl to v0.6.1 Signed-off-by: Massimiliano Giovagnoli --- build/registry/go.mod | 2 +- build/registry/go.sum | 4 ++-- .../pkg/distribution/index_internal_test.go | 2 +- .../registry/pkg/distribution/testdata/index.yaml | 14 ++++++++++++++ build/registry/pkg/registry/types.go | 2 +- 5 files changed, 19 insertions(+), 5 deletions(-) diff --git a/build/registry/go.mod b/build/registry/go.mod index 33c6eab3..44024b2b 100644 
--- a/build/registry/go.mod
+++ b/build/registry/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.81
 github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5
 github.com/blang/semver v3.5.1+incompatible
- github.com/falcosecurity/falcoctl v0.6.0
+ github.com/falcosecurity/falcoctl v0.6.1
 github.com/falcosecurity/plugin-sdk-go v0.7.3
 github.com/onsi/ginkgo/v2 v2.10.0
 github.com/onsi/gomega v1.27.8
diff --git a/build/registry/go.sum b/build/registry/go.sum
index 2bff1ec4..2c3afa30 100644
--- a/build/registry/go.sum
+++ b/build/registry/go.sum
@@ -148,8 +148,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/falcosecurity/falcoctl v0.6.0 h1:+VW6/HJ9mWU2p8apiTQuKRHFsBngfG1s35ao4X2BEfc=
-github.com/falcosecurity/falcoctl v0.6.0/go.mod h1:4Hx4h3KtcaQzPKxvYn5S9x4IHxwd6QRK9Gu04HHNbhE=
+github.com/falcosecurity/falcoctl v0.6.1 h1:Klg3jHi/PL1Inw9DO9kGpzL6ka+TjI4oDl6kvm1I+VY=
+github.com/falcosecurity/falcoctl v0.6.1/go.mod h1:4Hx4h3KtcaQzPKxvYn5S9x4IHxwd6QRK9Gu04HHNbhE=
 github.com/falcosecurity/plugin-sdk-go v0.7.3 h1:nmlBUmeAgEhcEHhSDWeEYgD9WdiHR9uMWyog5Iv7GIA=
 github.com/falcosecurity/plugin-sdk-go v0.7.3/go.mod h1:NP+y22DYOS+G3GDXIXNmzf0CBL3nfPPMoQuHvAzfitQ=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
diff --git a/build/registry/pkg/distribution/index_internal_test.go b/build/registry/pkg/distribution/index_internal_test.go
index 4e5ba7f1..b8856c2c 100644
--- a/build/registry/pkg/distribution/index_internal_test.go
+++ b/build/registry/pkg/distribution/index_internal_test.go
@@ -20,7 +20,7 @@ import ( "reflect" "testing" - "github.com/falcosecurity/falcoctl/pkg/index" + "github.com/falcosecurity/falcoctl/pkg/index/index" "github.com/falcosecurity/plugins/build/registry/pkg/distribution" "github.com/falcosecurity/plugins/build/registry/pkg/registry" diff --git a/build/registry/pkg/distribution/testdata/index.yaml b/build/registry/pkg/distribution/testdata/index.yaml index 00fdea43..8ad5b1f6 100644 --- a/build/registry/pkg/distribution/testdata/index.yaml +++ b/build/registry/pkg/distribution/testdata/index.yaml @@ -202,6 +202,13 @@ type: plugin registry: ghcr.io repository: falcosecurity/plugins/plugin/okta + signature: + cosign: + certificate-oidc-issuer: https://token.actions.githubusercontent.com + certificate-oidc-issuer-regexp: "" + certificate-identity: "" + certificate-identity-regexp: https://github.com/LucaGuerra/cool-falco-ruleset/ + certificate-github-workflow: "" description: Okta Log Events home: https://github.com/falcosecurity/plugins/tree/master/plugins/okta keywords: @@ -218,6 +225,13 @@ type: rulesfile registry: ghcr.io repository: falcosecurity/plugins/ruleset/okta + signature: + cosign: + certificate-oidc-issuer: https://token.actions.githubusercontent.com + certificate-oidc-issuer-regexp: "" + certificate-identity: "" + certificate-identity-regexp: https://github.com/LucaGuerra/cool-falco-ruleset/ + certificate-github-workflow: "" description: Okta Log Events home: https://github.com/falcosecurity/plugins/tree/master/plugins/okta keywords: diff --git a/build/registry/pkg/registry/types.go b/build/registry/pkg/registry/types.go index cac1a0c4..35e708d8 100644 --- a/build/registry/pkg/registry/types.go +++ b/build/registry/pkg/registry/types.go @@ -17,7 +17,7 @@ limitations under the License. package registry import ( - "github.com/falcosecurity/falcoctl/pkg/index" + "github.com/falcosecurity/falcoctl/pkg/index/index" ) type SourcingCapability struct {