Support images as well as indexes in ImageDetailResolvers (#183)

* build: Generate test data for unsigned and no provenance image indexes
* feat: Add function to build index without SBOM or provenance for linux/amd64 platform
* feat: add build_image function to build image without SBOM or provenance for linux/amd64
* feat: Rename NO_SBOM_NO_PROVENANCE_INDEX_DIR to UNSIGNED_IMAGE_DIR
* feat: support images in details resolvers

Author: kipz

attestation/attestation_test.go

@@ -12,7 +12,7 @@ import (
 const ExpectedStatements = 4
 
 func TestExtractAnnotatedStatements(t *testing.T) {
-	statements, err := attestation.ExtractAnnotatedStatements(test.UnsignedTestImage(".."), intoto.PayloadType)
+	statements, err := attestation.ExtractAnnotatedStatements(test.UnsignedTestIndex(".."), intoto.PayloadType)
 	assert.NoError(t, err)
 	assert.Equalf(t, len(statements), ExpectedStatements, "expected %d statement, got %d", ExpectedStatements, len(statements))
 }

attestation/example_attestation_manifest_test.go

@@ -31,7 +31,7 @@ func ExampleManifest() {
 
 	ref := "docker/image-signer-verifier:latest"
 
-	digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
+	digest, err := v1.NewHash("sha256:7ae6b41655929ad8e1848064874a98ac3f68884996c79907f6525e3045f75390")
 	if err != nil {
 		panic(err)
 	}

attestation/layout.go

@@ -14,6 +14,9 @@ import (
 )
 
 // implementation of Resolver that closes over attestations from an oci layout.
+
+var _ Resolver = (*LayoutResolver)(nil)
+
 type LayoutResolver struct {
 	*Manifest
 	*oci.ImageSpec
@@ -86,38 +89,49 @@ func (r *LayoutResolver) ImagePlatform(_ context.Context) (*v1.Platform, error)
 }
 
 func manifestFromOCILayout(path string, platform *v1.Platform) (*Manifest, error) {
-	idx, err := layout.ImageIndexFromPath(path)
+	layoutIndex, err := layout.ImageIndexFromPath(path)
 	if err != nil {
 		return nil, err
 	}
 
-	idxm, err := idx.IndexManifest()
+	layoutIndexManifest, err := layoutIndex.IndexManifest()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get digest: %w", err)
 	}
 
-	idxDescriptor := idxm.Manifests[0]
-	idxDigest := idxDescriptor.Digest
-	subjectName := idxDescriptor.Annotations[ocispec.AnnotationRefName]
+	layoutDescriptor := layoutIndexManifest.Manifests[0]
+	layoutDescriptorDigest := layoutDescriptor.Digest
+	subjectName := layoutDescriptor.Annotations[ocispec.AnnotationRefName]
 	if _, err := reference.ParseNamed(subjectName); err != nil {
 		// try the containerd annotation if the org.opencontainers.image.ref.name is not a full name
-		subjectName = idxDescriptor.Annotations[containerd.AnnotationImageName]
+		subjectName = layoutDescriptor.Annotations[containerd.AnnotationImageName]
 		if _, err := reference.ParseNamed(subjectName); err != nil {
 			return nil, fmt.Errorf("failed to find subject name in annotations")
 		}
 	}
 
-	mfs, err := idx.ImageIndex(idxDigest)
+	// check if digest refers to an image or an index
+	_, err = layoutIndex.Image(layoutDescriptorDigest)
+	if err == nil {
+		return &Manifest{
+			OriginalLayers:     nil,
+			OriginalDescriptor: nil,
+			SubjectName:        subjectName,
+			SubjectDescriptor:  &layoutDescriptor,
+		}, nil
+	}
+
+	subjectIndex, err := layoutIndex.ImageIndex(layoutDescriptorDigest)
 	if err != nil {
-		return nil, fmt.Errorf("failed to extract ImageIndex for digest %s: %w", idxDigest.String(), err)
+		return nil, fmt.Errorf("failed to extract ImageIndex for digest %s: %w", layoutDescriptorDigest.String(), err)
 	}
-	mfs2, err := mfs.IndexManifest()
+	subjectIndexManifest, err := subjectIndex.IndexManifest()
 	if err != nil {
 		return nil, fmt.Errorf("failed to extract IndexManifest from ImageIndex: %w", err)
 	}
 	var subjectDescriptor *v1.Descriptor
-	for i := range mfs2.Manifests {
-		manifest := &mfs2.Manifests[i]
+	for i := range subjectIndexManifest.Manifests {
+		manifest := &subjectIndexManifest.Manifests[i]
 		if manifest.Platform != nil {
 			if manifest.Platform.Equals(*platform) {
 				subjectDescriptor = manifest
@@ -128,8 +142,8 @@ func manifestFromOCILayout(path string, platform *v1.Platform) (*Manifest, error
 	if subjectDescriptor == nil {
 		return nil, fmt.Errorf("platform not found in index")
 	}
-	for i := range mfs2.Manifests {
-		mf := &mfs2.Manifests[i]
+	for i := range subjectIndexManifest.Manifests {
+		mf := &subjectIndexManifest.Manifests[i]
 		if mf.Annotations[DockerReferenceType] != AttestationManifestType {
 			continue
 		}
@@ -138,7 +152,7 @@ func manifestFromOCILayout(path string, platform *v1.Platform) (*Manifest, error
 			continue
 		}
 
-		attestationImage, err := mfs.Image(mf.Digest)
+		attestationImage, err := subjectIndex.Image(mf.Digest)
 		if err != nil {
 			return nil, fmt.Errorf("failed to extract attestation image with digest %s: %w", mf.Digest.String(), err)
 		}

attestation/layout_test.go

@@ -1,6 +1,7 @@
 package attestation_test
 
 import (
+	"context"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -25,7 +26,7 @@ func TestAttestationFromOCILayout(t *testing.T) {
 	}
 
 	opts := &attestation.SigningOptions{}
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 	require.NoError(t, err)
 	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
 	require.NoError(t, err)
@@ -74,7 +75,7 @@ func TestSubjectNameAnnotations(t *testing.T) {
 		ociLayoutPath string
 		errorStr      string
 	}{
-		{name: "oci annotation", ociLayoutPath: test.UnsignedTestImage("..")},
+		{name: "oci annotation", ociLayoutPath: test.UnsignedTestIndex("..")},
 		{name: "containerd annotation", ociLayoutPath: filepath.Join("..", "test", "testdata", "containerd-subject-layout")},
 		{name: "missing subject name", ociLayoutPath: filepath.Join("..", "test", "testdata", "missing-subject-layout"), errorStr: "failed to find subject name in annotations"},
 	}
@@ -93,3 +94,14 @@ func TestSubjectNameAnnotations(t *testing.T) {
 		})
 	}
 }
+
+func TestImageDetailsFromImageLayout(t *testing.T) {
+	spec, err := oci.ParseImageSpec(oci.LocalPrefix+test.UnsignedTestImage(".."), oci.WithPlatform("linux/arm64"))
+	require.NoError(t, err)
+	resolver, err := policy.CreateImageDetailsResolver(spec)
+	require.NoError(t, err)
+	desc, err := resolver.ImageDescriptor(context.Background())
+	require.NoError(t, err)
+	digest := desc.Digest.String()
+	assert.Equal(t, "sha256:7ae6b41655929ad8e1848064874a98ac3f68884996c79907f6525e3045f75390", digest)
+}

attestation/mock.go

@@ -3,6 +3,7 @@ package attestation
 import (
 	"context"
 
+	"github.com/docker/attest/internal/test"
 	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 )
@@ -36,7 +37,7 @@ func (r MockResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error)
 	if r.DescriptorFn != nil {
 		return r.DescriptorFn()
 	}
-	digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
+	digest, err := v1.NewHash(test.UnsignedLinuxAMD64ImageDigest)
 	if err != nil {
 		return nil, err
 	}

attestation/referrers_test.go

@@ -89,7 +89,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
 			require.NoError(t, err)
 
 			opts := &attestation.SigningOptions{}
-			attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
+			attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 			require.NoError(t, err)
 
 			indexName := fmt.Sprintf("%s/repo:root", u.Host)
@@ -209,7 +209,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 		require.NoError(t, err)
 
 		opts := &attestation.SigningOptions{}
-		attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
+		attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 		require.NoError(t, err)
 
 		indexName := fmt.Sprintf("%s/%s:latest", serverURL.Host, repoName)
@@ -233,7 +233,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 			require.NoError(t, err)
 
 			opts := &attestation.SigningOptions{}
-			attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
+			attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 			require.NoError(t, err)
 
 			indexName := fmt.Sprintf("%s/%s:latest", serverURL.Host, repoName)
@@ -286,7 +286,7 @@ func TestCorrectArtifactTypeInTagFallback(t *testing.T) {
 	repoName := "repo"
 
 	opts := &attestation.SigningOptions{}
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 	require.NoError(t, err)
 
 	indexName := fmt.Sprintf("%s/%s:latest", serverURL.Host, repoName)

attestation/registry_test.go

@@ -24,7 +24,7 @@ func TestRegistry(t *testing.T) {
 	require.NoError(t, err)
 
 	opts := &attestation.SigningOptions{}
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 	require.NoError(t, err)
 	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
 	require.NoError(t, err)
@@ -46,4 +46,14 @@ func TestRegistry(t *testing.T) {
 	require.NoError(t, err)
 	digest := desc.Digest.String()
 	assert.True(t, strings.Contains(digest, "sha256:"))
+
+	// resolver also works with platform specific digest
+	spec, err = oci.ParseImageSpec(fmt.Sprintf("%s@%s", indexName, digest))
+	require.NoError(t, err)
+
+	resolver, err = policy.CreateImageDetailsResolver(spec)
+	require.NoError(t, err)
+	desc, err = resolver.ImageDescriptor(ctx)
+	require.NoError(t, err)
+	assert.Equal(t, desc.Digest.String(), digest)
 }

attestation/sign_test.go

@@ -249,7 +249,7 @@ func TestSimpleStatementSigning(t *testing.T) {
 					PredicateType: attestation.VSAPredicateType,
 				},
 			}
-			digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
+			digest, err := v1.NewHash(test.UnsignedLinuxAMD64ImageDigest)
 			require.NoError(t, err)
 			subject := &v1.Descriptor{
 				MediaType: "application/vnd.oci.image.manifest.v1+json",

internal/test/test.go

@@ -23,14 +23,20 @@ import (
 )
 
 const (
-	UseMockKMS = true
-
-	AWSRegion    = "us-east-1"
-	AWSKMSKeyARN = "arn:aws:kms:us-east-1:175142243308:alias/doi-signing" // sandbox
+	UseMockKMS                    = true
+	AWSRegion                     = "us-east-1"
+	AWSKMSKeyARN                  = "arn:aws:kms:us-east-1:175142243308:alias/doi-signing" // sandbox
+	UnsignedLinuxAMD64ImageDigest = "sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620"
+	UnsignedLinuxArm64ImageDigest = "sha256:7a76cec943853f9f7105b1976afa1bf7cd5bb6afc4e9d5852dd8da7cf81ae86e"
 )
 
+func UnsignedTestIndex(rel ...string) string {
+	rel = append(rel, "test", "testdata", "unsigned-index")
+	return filepath.Join(rel...)
+}
+
 func UnsignedTestImage(rel ...string) string {
-	rel = append(rel, "test", "testdata", "unsigned-test-image")
+	rel = append(rel, "test", "testdata", "unsigned-image")
 	return filepath.Join(rel...)
 }
 

oci/authn_test.go

@@ -12,7 +12,7 @@ import (
 )
 
 func TestRegistryAuth(t *testing.T) {
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 	require.NoError(t, err)
 	// test cases for ecr, gcr and dockerhub
 	testCases := []struct {