= dZddlZddlZddlZddlZddlZddlmZmZm Z ddl m Z ddl m Z ddl mZddl mZddl mZdd l mZdd lmZdd lmZdd lmZdd lmZddlZd ZdZdZdZdZdZ ddZ!GddejDZ#y)zLTool and utils for creating Sigstore attestations stored as a Docker images.N)ListOptionalText) docker_creds) docker_name) docker_digest) docker_http) docker_image)docker_session)metadata)util)Errorz%application/vnd.dsse.envelope.v1+jsonzChttps://binaryauthorization.googleapis.com/policy_verification/v0.1cD|j|r|t|dS|SN) startswithlen)textprefixs Clib/googlecloudsdk/command_lib/container/binauthz/sigstore_image.py _RemovePrefixr+s$ __V F  +c,|ddt| dzzS)Nz===)rencodeds rAddMissingBase64Paddingr1s 5,CL=1,- --rc tj|S#tj$r!tjt |cYSwxYwr)base64 b64decodebinasciirurlsafe_b64decoderrs rStandardOrUrlsafeBase64Decoder"5sEF   G $$ F  # #$;G$D EEFs1A  A ctjt|}tjt|d}dj|ddd|ddddS)aExtract the image url from a DSSE of predicate type https://binaryauthorization.googleapis.com/policy_verification/*. This is a helper function for mapping attestations back to their respective images. Do not use this for signature verification. Args: attestation: The attestation in base64 encoded string form. Returns: The image url referenced in the attestation. payloadz {}@sha256:{}subjectrnamedigestsha256)jsonloadsr"format) attestation deser_att deser_payloads rAttestationToImageUrlr/=sqjj6{CD)**#Ii$89-   Iq!&)Iq!(+H5 rc tj}tjt j |d}tj dj|j|jt|jd}d}|rQtj}|r|j||jtj |j}|t#|tj$rt'j(}t+j,|||t.j05} | j3r=t5|g| } t7j8|||j;|  dddy dddt5|g} t7j8|||j;| y#1swY(>?  # # %E     99  *K=*Ei/5(;BB9M   ' }5)ouh7>>yIs 9AGG ceZdZdZ ddeedeejfdZ deddfdZ de fd Z de fd Z d e defd Zd ZdZy)rGzCreates a new image or appends a layers on top of an existing image. Adheres to the Sigstore Attestation spec: https://github.com/sigstore/cosign/blob/main/specs/ATTESTATION_SPEC.md. Nadditional_blobsbasectjd|D|_|l||_t j |jj |_t j |jj|_ yd|_tjddtjddgd|_t|_ y)zCreates a new Sigstore style image or extends a base image. Args: additional_blobs: additional attestations to be appended to the image. base: optional base DockerImage. c3JK|]}tj||fywr)rSHA256).0blobs r z4SigstoreAttestationImage.__init__..s%57Gt  d #T*7Gs!#Nr1r)r' mediaTypesize)r_ schemaVersionconfiglayers) collections OrderedDict_additional_blobs_baser)r*manifest_base_manifest config_file_base_config_filer OCI_MANIFEST_MIMECONFIG_JSON_MIMEdict)selfrVrWs r__init__z!SigstoreAttestationImage.__init__s)4457G5D dj JJtzz':':'<=d#zz$***@*@*BCddj"44&77  d $vdrr\returncH||jtj|<yr)rfrrZ)ror\s r add_layerz"SigstoreAttestationImage.add_layers9=D=//56rcr|j}tj}|jtj }|j jDcgc]}t|d}}|j|}tj||dd}tj|dScc}w) Override.) created_byr3)rcr1)options architectureoperating_systemT sort_keys) rkr OverridesOverrider USER_AGENTrfkeysrr)dumps)rorj overridesblob_sumrcs rrjz$SigstoreAttestationImage.config_files((K""$I""k.D.D"EI..3355H h *5  ""#I ## K ::kT 22#sB4c tj|j}|jj D]2\}}|dj |t t|dtdd4|j}|jd}tj||dd<t||dd<tj|d S) rurcr1)z"dev.cosignproject.cosign/signature predicateType)r'r_r` annotationsutf8rbr'r`Trz)copydeepcopyrirfitemsappendDSSE_PAYLOAD_TYPErBINAUTHZ_CUSTOM_PREDICATErjencoderrZr)r)rorhrr\rjutf8_encoded_configs rrhz!SigstoreAttestationImage.manifests}}T001H00668$x(d)468 ! 9""$K%,,V4#0#7#78K#LHXx !$%8!9HXv ::h$ //rr'c||jvr|j|S|jr|jj|Stdj |)z$Override. Returns uncompressed blob.zDigest not found: {})rfrgr\rr+)ror's rr\zSigstoreAttestationImage.blobsR '''  # #F ++ zz ZZ__V $$ &--f5 66rc|S)ru)ros r __enter__z"SigstoreAttestationImage.__enter__s Krcy)ruNr)ro unused_type unused_valueunused_tracebacks r__exit__z!SigstoreAttestationImage.__exit__s rr)__name__ __module__ __qualname____doc__rbytesrr DockerImagerprsrrjrhr\rrrrrrGrGs{26&U & \-- .&@>E>d>343200(77%7 rrG)NN)$rrr rdrr)typingrrrcontainerregistry.clientrrcontainerregistry.client.v2_2rr r r containerregistry.transform.v2_2r 'googlecloudsdk.api_lib.container.imagesr -googlecloudsdk.command_lib.container.binauthzr8googlecloudsdk.core.exceptionsrr5rrrrr"r/rTrrGrrrrsS  ''10756858O0<I  .F2FJ6Jrf |77f r