package play
import (
"io/fs"
"path"
)
// Bundle represents a STIM bundle loaded from a filesystem.
type Bundle struct {
	// Path is the cleaned bundle path as returned by cleanBundlePath;
	// "." denotes the root of the filesystem handed to LoadBundle.
	Path string
	// Manifest is the parsed manifest.yaml read from the bundle directory.
	Manifest Manifest
	// files is the filesystem rooted at Path (fs.Sub of the caller's filesystem
	// unless Path is "."); bundleFileData treats a nil value as unreadable.
	files fs.FS
}
// LoadBundle loads a STIM bundle from the provided filesystem.
//
// bundlePath is normalised by cleanBundlePath; unless it resolves to "." the
// bundle is served from fs.Sub(filesystem, cleanPath), so every later file
// access is confined to that sub-tree. The manifest is read from
// manifest.yaml inside the bundle and parsed with LoadManifest. Errors from
// cleaning, fs.Sub, reading or parsing are returned as-is (unwrapped).
func LoadBundle(filesystem fs.FS, bundlePath string) (Bundle, error) {
	cleanPath, err := cleanBundlePath(bundlePath)
	if err != nil {
		return Bundle{}, err
	}

	root := filesystem
	if cleanPath != "." {
		sub, subErr := fs.Sub(filesystem, cleanPath)
		if subErr != nil {
			return Bundle{}, subErr
		}
		root = sub
	}

	raw, err := fs.ReadFile(root, "manifest.yaml")
	if err != nil {
		return Bundle{}, err
	}

	parsed, err := LoadManifest(raw)
	if err != nil {
		return Bundle{}, err
	}

	loaded := Bundle{
		Path:     cleanPath,
		Manifest: parsed,
		files:    root,
	}
	return loaded, nil
}
// Validate reports structural and manifest issues for a loaded bundle.
//
// The manifest's own issues (Manifest.Validate) come first. Then each file
// the manifest points at — runtime config, verification chain, SBOM and
// artefact — is checked for existence in the bundle filesystem with fs.Stat.
// Manifest-supplied paths are only handed to the filesystem after they pass
// validBundlePath; a path that fails that gate is skipped here, not reported
// (presumably Manifest.Validate already flags it — TODO confirm).
func (bundle Bundle) Validate() ValidationErrors {
	var issues ValidationErrors
	issues = append(issues, bundle.Manifest.Validate()...)

	// fileMissing is true only for a path that is allowed to touch the
	// filesystem and cannot be stat'ed there.
	fileMissing := func(target validationTarget) bool {
		if !validBundlePath(target.Path) {
			return false
		}
		_, statErr := fs.Stat(bundle.files, normaliseBundlePath(target.Path))
		return statErr != nil
	}

	targets := []validationTarget{
		{
			Field:   "runtime.config",
			Code:    "bundle/runtime-config-missing",
			Message: "runtime config file is required",
			Path:    bundle.Manifest.Runtime.Config,
		},
		{
			Field:   "verification.chain",
			Code:    "bundle/verification-chain-missing",
			Message: "verification chain file is required",
			Path:    bundle.Manifest.Verification.Chain,
		},
		{
			Field:   "verification.sbom",
			Code:    "bundle/sbom-missing",
			Message: "SBOM file is required",
			Path:    bundle.Manifest.Verification.SBOM,
		},
		{
			Field:   "artefact.path",
			Code:    "bundle/artefact-missing",
			Message: "artefact file is required",
			Path:    bundle.Manifest.Artefact.Path,
		},
	}

	for _, target := range targets {
		if !fileMissing(target) {
			continue
		}
		issues = append(issues, ValidationIssue{
			Code:    target.Code,
			Field:   target.Field,
			Message: target.Message,
		})
	}
	return issues
}
// validationTarget describes one manifest-referenced file that Validate
// checks for existence, together with the issue to report when it is absent.
type validationTarget struct {
	// Field is the manifest field (dotted) the path was taken from.
	Field string
	// Code is the ValidationIssue code emitted when the file is missing.
	Code string
	// Message is the human-readable issue text.
	Message string
	// Path is the manifest-supplied bundle-relative path to check.
	Path string
}
// cleanBundlePath normalises the caller-supplied bundle path.
//
// "", "." and "./" all denote the filesystem root and yield ".". One leading
// "./" is stripped, then canonicalBundlePath decides whether the remainder is
// acceptable; if not, a PathError with Kind "bundle/path-invalid" is returned
// carrying the (stripped) path.
func cleanBundlePath(bundlePath string) (string, error) {
	switch bundlePath {
	case "", ".", "./":
		return ".", nil
	}

	if len(bundlePath) > 2 && bundlePath[:2] == "./" {
		bundlePath = bundlePath[2:]
	}

	if canonical, ok := canonicalBundlePath(bundlePath); ok {
		return canonical, nil
	}
	return "", PathError{
		Kind:    "bundle/path-invalid",
		Path:    bundlePath,
		Message: "bundle path must stay within the provided filesystem",
	}
}
// normaliseBundlePath returns the lexically cleaned form of value
// (path.Clean): redundant separators and "." elements are removed and
// "" becomes ".". It does no validation; callers gate with validBundlePath.
func normaliseBundlePath(value string) string {
	cleaned := path.Clean(value)
	return cleaned
}
// bundleFileData returns the full contents of filePath inside the bundle.
//
// The boolean is false when the bundle has no filesystem, when filePath fails
// validBundlePath, or when fs.ReadFile fails; the underlying error is not
// surfaced. The path only reaches the filesystem after the validBundlePath
// gate. NOTE(review): the whole file is read into memory with no size bound.
func bundleFileData(bundle Bundle, filePath string) ([]byte, bool) {
	if bundle.files == nil {
		return nil, false
	}
	if !validBundlePath(filePath) {
		return nil, false
	}

	contents, readErr := fs.ReadFile(bundle.files, normaliseBundlePath(filePath))
	if readErr != nil {
		return nil, false
	}
	return contents, true
}
// PathError reports invalid bundle or manifest paths.
type PathError struct {
	// Kind is a machine-readable error code such as "bundle/path-invalid".
	Kind string
	// Path is the offending path as seen after any cleaning the caller applied.
	Path string
	// Message is the human-readable explanation.
	Message string
}
// Error formats the error as "<Kind>: <Path>: <Message>".
func (e PathError) Error() string {
	text := e.Kind
	text += ": " + e.Path
	text += ": " + e.Message
	return text
}