pkg/customsignaturestore: Implement signatureStores customization

wking · wking · commit d41d6983191a · 2023-12-04T08:33:35.000-08:00
The verifier Interface's AddStore has always been [1]: // AddStore adds additional stores for signature verification. func (v *releaseVerifier) AddStore(additionalStore store.Store) { v.store = &serial.Store{Stores: []store.Store{additionalStore, v.store}} } since it landed in 2020. We discussed then [2] whether we were comfortable with "always insert the new addition serially in front of the existing stores", and decided that it was good enough then (although we neglected to commit to that implementation in the Interface's Go docs). That history sets up my approach in this commit where I add support for ClusterVersion's new spec.signatureStores. The logic is: 1. Try and find the signature in the local ConfigMaps. * If we error, e.g. by failing to list ConfigMaps, fail out of the ConfigMap store [3], which will fail out of the serial store [4], which will fail verification [5] without further signature traversal. * If we find a valid signature, hooray, we're done [6]. * If we run out of ConfigMap entries to check without finding a valid signature, fall back to... 2. ClusterVersion's spec.signatureStores. * If this property is set to an empty array, fail out. Admins can configure this if they only want to support ConfigMap lookup. * If this property is set to a non-empty array, build a parallel store out of its current contents, and search the new store: * If we error, check in with the call-back function about whether the error should be fatal, e.g. [7]. But the verifier callback is very generous about allowing failures [5], so we'll keep going looking at any later signatures in that sigstore and at the other parallel sigstores. * If we find a valid signature, hooray, we're done [8,9]. * If we run out of sigstore entries to check without finding a valid signature, return an error, without wrapping with the callback, because we want to fail out [4,5] without further signature traversal. Admins who want to check default signature stores as well can configure them explicitly in signatureStores. * If this property is unset, fall back to... 3. The default signature stores [10]. * Same handling as the parallel store in spec.signatureStores, but with the default signature stores. We only fall through to the default stores when ConfigMap lookup is exhausted without finding a valid signature and signatureStores is unset, to support admins who would rather not have the cluster-version operator reach out to one or more of the default stores, whether or not they have local stores they would rather use. This allows admins to construct the set of stores they would like to use, while keeping the API surface down at a single property. Without the AddStore history, it would have been possible to construct simplified stores, like a ConfigMaps store alone in the case where signatureStores is an empty array. We could still pivot to that kind of approach with library-go changes, but for the initial implementation, I'm doing the above dance to work with AddStore as it stands. [1]: https://github.com/openshift/library-go/blame/08d73a9c798b5698d88efd52232127e443bef9b6/pkg/verify/verify.go#L247-L250 [2]: openshift/library-go#910 (comment) [3]: https://github.com/openshift/library-go/blob/08d73a9c798b5698d88efd52232127e443bef9b6/pkg/verify/store/configmap/configmap.go#L100 It's possible we want to wrap these failures in the callback, because the verifier callback is currently very generous about allowing failures and proceeding with subsequent retrieval attempts [5]. For example, it's possible that local ConfigMap listing fails while subsequent sigstore retrieval would succeed, and today the lack of callback-wrapping on that error means we are not making the subsequent sigstore requests. But in practice, I expect local ConfigMap listing fails so rarely that folks are not bothered by the current behavior. [4]: https://github.com/openshift/library-go/blob/08d73a9c798b5698d88efd52232127e443bef9b6/pkg/verify/store/serial/serial.go#L32-L38 [5]: https://github.com/openshift/library-go/blob/08d73a9c798b5698d88efd52232127e443bef9b6/pkg/verify/verify.go#L189-L215 [6]: https://github.com/openshift/library-go/blob/08d73a9c798b5698d88efd52232127e443bef9b6/pkg/verify/store/serial/serial.go#L24-L34 [7]: https://github.com/openshift/library-go/blob/08d73a9c798b5698d88efd52232127e443bef9b6/pkg/verify/store/sigstore/sigstore.go#L119-L121 [8]: https://github.com/openshift/library-go/blob/08d73a9c798b5698d88efd52232127e443bef9b6/pkg/verify/store/sigstore/sigstore.go#L134-L136 [9]: https://github.com/openshift/library-go/blob/08d73a9c798b5698d88efd52232127e443bef9b6/pkg/verify/store/parallel/parallel.go#L61-L66 [10]: https://github.com/openshift/cluster-update-keys/blob/804dfeceb7caa41a6212fb405bbcd3f3139b8a6f/manifests.rhel/0000_90_cluster-update-keys_configmap.yaml#L4-L5
diff --git a/pkg/customsignaturestore/customsignaturestore.go b/pkg/customsignaturestore/customsignaturestore.go
@@ -0,0 +1,117 @@
+// Package customsignaturestore implements a signature store as configured by ClusterVersion.
+package customsignaturestore
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/url"
+	"strings"
+	"sync"
+
+	configv1listers "github.com/openshift/client-go/config/listers/config/v1"
+	"github.com/openshift/library-go/pkg/verify/store"
+	"github.com/openshift/library-go/pkg/verify/store/parallel"
+	"github.com/openshift/library-go/pkg/verify/store/sigstore"
+)
+
+type Store struct {
+	// Name is the name of the ClusterVersion object that configures this store.
+	Name string
+
+	// Lister allows the store to fetch the current ClusterVersion configuration.
+	Lister configv1listers.ClusterVersionLister
+
+	// HTTPClient is called once for each Signatures call to ensure
+	// requests are made with the currently-recommended parameters.
+	HTTPClient sigstore.HTTPClient
+
+	// lock allows the store to be locked while mutating or accessing internal state.
+	lock sync.Mutex
+
+	// customURIs tracks the most-recently retrieved ClusterVersion configuration.
+	customURIs []*url.URL
+}
+
+// Signatures fetches signatures for the provided digest.
+func (s *Store) Signatures(ctx context.Context, name string, digest string, fn store.Callback) error {
+	uris, err := s.refreshConfiguration(ctx)
+	if err != nil {
+		return err
+	}
+
+	if uris == nil {
+		return nil
+	}
+
+	if len(uris) == 0 {
+		return errors.New("ClusterVersion spec.signatureStores is an empty array.  Unset signatureStores entirely if you want to to enable the default signature stores.")
+	}
+
+	allDone := false
+
+	wrapper := func(ctx context.Context, signature []byte, errIn error) (done bool, err error) {
+		done, err = fn(ctx, signature, errIn)
+		if done {
+			allDone = true
+		}
+		return done, err
+	}
+
+	stores := make([]store.Store, 0, len(uris))
+	for i := range uris {
+		uri := *uris[i]
+		stores = append(stores, &sigstore.Store{
+			URI:        &uri,
+			HTTPClient: s.HTTPClient,
+		})
+	}
+	store := &parallel.Store{Stores: stores}
+	if err := store.Signatures(ctx, name, digest, wrapper); err != nil || allDone {
+		return err
+	}
+	return errors.New("ClusterVersion spec.signatureStores exhausted without finding a valid signature.")
+}
+
+func (s *Store) refreshConfiguration(ctx context.Context) ([]*url.URL, error) {
+	var uris []*url.URL
+	config, err := s.Lister.Get(s.Name)
+	if err != nil {
+		return uris, err
+	}
+
+	if config.Spec.SignatureStores != nil {
+		uris = make([]*url.URL, 0, len(config.Spec.SignatureStores))
+		for _, store := range config.Spec.SignatureStores {
+			uri, err := url.Parse(store.URL)
+			if err != nil {
+				return uris, err
+			}
+
+			uris = append(uris, uri)
+		}
+	}
+
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	s.customURIs = uris
+	return uris, err
+}
+
+// String returns a description of where this store finds
+// signatures.
+func (s *Store) String() string {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+
+	if s.customURIs == nil {
+		return "ClusterVersion signatureStores unset, falling back to default stores"
+	} else if len(s.customURIs) == 0 {
+		return "0 ClusterVersion signatureStores"
+	}
+	uris := make([]string, 0, len(s.customURIs))
+	for _, uri := range s.customURIs {
+		uris = append(uris, uri.String())
+	}
+	return fmt.Sprintf("ClusterVersion signatureStores: %s", strings.Join(uris, ", "))
+}
diff --git a/pkg/cvo/cvo.go b/pkg/cvo/cvo.go
@@ -33,6 +33,7 @@ import (
 	configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
 	"github.com/openshift/library-go/pkg/manifest"
 	"github.com/openshift/library-go/pkg/verify"
+	"github.com/openshift/library-go/pkg/verify/store"
 	"github.com/openshift/library-go/pkg/verify/store/configmap"
 	"github.com/openshift/library-go/pkg/verify/store/sigstore"
 
@@ -41,6 +42,7 @@ import (
 	"github.com/openshift/cluster-version-operator/lib/validation"
 	"github.com/openshift/cluster-version-operator/pkg/clusterconditions"
 	"github.com/openshift/cluster-version-operator/pkg/clusterconditions/standard"
+	"github.com/openshift/cluster-version-operator/pkg/customsignaturestore"
 	cvointernal "github.com/openshift/cluster-version-operator/pkg/cvo/internal"
 	"github.com/openshift/cluster-version-operator/pkg/cvo/internal/dynamicclient"
 	"github.com/openshift/cluster-version-operator/pkg/internal"
@@ -292,8 +294,14 @@ func (optr *Operator) InitializeFromPayload(ctx context.Context, restConfig *res
 		return fmt.Errorf("unable to create a configuration client: %v", err)
 	}
 
+	customSignatureStore := &customsignaturestore.Store{
+		Lister:     optr.cvLister,
+		Name:       optr.name,
+		HTTPClient: httpClientConstructor.HTTPClient,
+	}
+
 	// attempt to load a verifier as defined in the payload
-	verifier, signatureStore, err := loadConfigMapVerifierDataFromUpdate(update, httpClientConstructor.HTTPClient, configClient)
+	verifier, signatureStore, err := loadConfigMapVerifierDataFromUpdate(update, httpClientConstructor.HTTPClient, configClient, customSignatureStore)
 	if err != nil {
 		return err
 	}
@@ -360,7 +368,7 @@ func (optr *Operator) ownerReferenceModifier(object metav1.Object) {
 // It returns an error if the data is not valid, or no verifier if no config map is found. See the verify
 // package for more details on the algorithm for verification. If the annotation is set, a verifier or error
 // is always returned.
-func loadConfigMapVerifierDataFromUpdate(update *payload.Update, clientBuilder sigstore.HTTPClient, configMapClient coreclientsetv1.ConfigMapsGetter) (verify.Interface, *verify.StorePersister, error) {
+func loadConfigMapVerifierDataFromUpdate(update *payload.Update, clientBuilder sigstore.HTTPClient, configMapClient coreclientsetv1.ConfigMapsGetter, customSignatureStore store.Store) (verify.Interface, *verify.StorePersister, error) {
 	verifier, err := verify.NewFromManifests(update.Manifests, clientBuilder)
 	if err != nil {
 		return nil, nil, err
@@ -369,6 +377,8 @@ func loadConfigMapVerifierDataFromUpdate(update *payload.Update, clientBuilder s
 		return nil, nil, nil
 	}
 
+	verifier.AddStore(customSignatureStore)
+
 	// allow the verifier to consult the cluster for signature data, and also configure
 	// a process that writes signatures back to that store
 	signatureStore := configmap.NewStore(configMapClient, nil)
diff --git a/pkg/cvo/cvo_test.go b/pkg/cvo/cvo_test.go
@@ -42,6 +42,7 @@ import (
 
 	"github.com/openshift/cluster-version-operator/pkg/payload"
 	"github.com/openshift/library-go/pkg/manifest"
+	"github.com/openshift/library-go/pkg/verify/store/serial"
 	"github.com/openshift/library-go/pkg/verify/store/sigstore"
 )
 
@@ -4203,7 +4204,7 @@ func Test_loadReleaseVerifierFromConfigMap(t *testing.T) {
 		}
 		t.Run(tt.name, func(t *testing.T) {
 			f := kfake.NewSimpleClientset()
-			got, store, err := loadConfigMapVerifierDataFromUpdate(tt.update, sigstore.DefaultClient, f.CoreV1())
+			got, store, err := loadConfigMapVerifierDataFromUpdate(tt.update, sigstore.DefaultClient, f.CoreV1(), &serial.Store{})
 			if err == nil {
 				if tt.expectedError != "" {
 					t.Fatalf("loadConfigMapVerifierDataFromUpdate succeeded when we expected error \"%s\"", tt.expectedError)

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ import (`
`42`	`42`
`43`	`43`	`"github.com/openshift/cluster-version-operator/pkg/payload"`
`44`	`44`	`"github.com/openshift/library-go/pkg/manifest"`
	`45`	`+ "github.com/openshift/library-go/pkg/verify/store/serial"`
`45`	`46`	`"github.com/openshift/library-go/pkg/verify/store/sigstore"`
`46`	`47`	`)`
`47`	`48`
`@@ -4203,7 +4204,7 @@ func Test_loadReleaseVerifierFromConfigMap(t *testing.T) {`
`4203`	`4204`	`}`
`4204`	`4205`	`t.Run(tt.name, func(t *testing.T) {`
`4205`	`4206`	`f := kfake.NewSimpleClientset()`
`4206`		`- got, store, err := loadConfigMapVerifierDataFromUpdate(tt.update, sigstore.DefaultClient, f.CoreV1())`
	`4207`	`+ got, store, err := loadConfigMapVerifierDataFromUpdate(tt.update, sigstore.DefaultClient, f.CoreV1(), &serial.Store{})`
`4207`	`4208`	`if err == nil {`
`4208`	`4209`	`if tt.expectedError != "" {`
`4209`	`4210`	`t.Fatalf("loadConfigMapVerifierDataFromUpdate succeeded when we expected error \"%s\"", tt.expectedError)`