feat(notation): add notation back to ocirepository_controller

During the merge from main the ocirepository_controller.go was moved and git determined the file was delete. I took the changes from main and I have added back the logic for checking against notation.

I have also add the ability to use insecure registries and registries running on localhost:port.

Signed-off-by: Jason <jagoodse@microsoft.com>

Author: JasonTheDeveloper

internal/controller/ocirepository_controller.go

@@ -19,6 +19,7 @@ package controller
 import (
 	"context"
 	cryptotls "crypto/tls"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -35,6 +36,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	gcrv1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -689,6 +691,73 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 		}
 
 		return fmt.Errorf("no matching signatures were found for '%s'", ref)
+
+	case "notation":
+		// get the public keys from the given secret
+		if secretRef := obj.Spec.Verify.SecretRef; secretRef != nil {
+			certSecretName := types.NamespacedName{
+				Namespace: obj.Namespace,
+				Name:      secretRef.Name,
+			}
+
+			var pubSecret corev1.Secret
+			if err := r.Get(ctxTimeout, certSecretName, &pubSecret); err != nil {
+				return err
+			}
+
+			var doc trustpolicy.Document
+
+			signatureVerified := false
+			for k, data := range pubSecret.Data {
+				if strings.HasSuffix(k, ".json") {
+					if err := json.Unmarshal(data, &doc); err != nil {
+						return err
+					}
+				}
+			}
+
+			defaultNotaryOciOpts := []soci.NotationOptions{
+				soci.WithTrustStore(&doc),
+				soci.WithNotaryRemoteOptions(opt...),
+			}
+
+			keychain, err := r.keychain(ctx, obj)
+			if err != nil {
+				e := serror.NewGeneric(
+					fmt.Errorf("failed to get credential: %w", err),
+					sourcev1.AuthenticationFailedReason,
+				)
+				conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+				return e
+			}
+
+			for k, data := range pubSecret.Data {
+				// search for public keys in the secret
+				if strings.HasSuffix(k, ".crt") || strings.HasSuffix(k, ".pem") {
+
+					verifier, err := soci.NewNotaryVerifier(append(defaultNotaryOciOpts, soci.WithNotaryPublicKey(data), soci.WithNotaryKeychain(keychain), soci.WithInsecureRegistry(obj.Spec.Insecure))...)
+					if err != nil {
+						return err
+					}
+
+					signatures, err := verifier.Verify(ctxTimeout, ref)
+					if err != nil {
+						continue
+					}
+
+					if signatures {
+						signatureVerified = true
+						break
+					}
+				}
+			}
+
+			if !signatureVerified {
+				return fmt.Errorf("no matching signatures were found for '%s'", ref)
+			}
+			return nil
+		}
+		return nil
 	}
 
 	return nil

internal/oci/notation.go

@@ -3,7 +3,6 @@ package oci
 import (
 	"context"
 	"fmt"
-	"log"
 	"net/http"
 	"os"
 	"strings"
@@ -30,11 +29,19 @@ type notationOptions struct {
 	TrustStore *trustpolicy.Document
 	Keychain   authn.Keychain
 	ROpt       []remote.Option
+	Insecure   bool
 }
 
 // NotationOptions is a function that configures the options applied to a notation verifier
 type NotationOptions func(opts *notationOptions)
 
+// WithInsecureRegistry sets notation to verify against insecure registry.
+func WithInsecureRegistry(insecure bool) NotationOptions {
+	return func(opts *notationOptions) {
+		opts.Insecure = insecure
+	}
+}
+
 // WithTrustStore sets the trust store configuration.
 func WithTrustStore(trustStore *trustpolicy.Document) NotationOptions {
 	return func(opts *notationOptions) {
@@ -70,6 +77,7 @@ type NotaryVerifier struct {
 	auth     authn.Keychain
 	verifier *notation.Verifier
 	opts     []remote.Option
+	insecure bool
 }
 
 // NewNotaryVerifier initializes a new NotaryVerifier
@@ -99,6 +107,7 @@ func NewNotaryVerifier(opts ...NotationOptions) (*NotaryVerifier, error) {
 		auth:     o.Keychain,
 		verifier: &verifier,
 		opts:     o.ROpt,
+		insecure: o.Insecure,
 	}, nil
 }
 
@@ -111,6 +120,8 @@ func (v *NotaryVerifier) Verify(ctx context.Context, ref name.Reference) (bool,
 	if err != nil {
 		return false, err
 	}
+	remoteRepo.PlainHTTP = v.insecure
+
 	repo := registry.NewRepository(remoteRepo)
 
 	ss := stringResource{url}
@@ -141,13 +152,15 @@ func (v *NotaryVerifier) Verify(ctx context.Context, ref name.Reference) (bool,
 
 	i, err := remote.Image(ref, v.opts...)
 
-	log.Println(i.ConfigFile())
 	d, err := i.Digest()
 
 	repoUrl := ""
 
-	if s := strings.Split(url, ":"); len(s) == 2 && !strings.Contains(url, "@") {
-		repoUrl = fmt.Sprintf("%s@%s", s[0], d)
+	lastIndex := strings.LastIndex(url, ":")
+	firstPart := url[:lastIndex]
+
+	if s := strings.Split(url, ":"); len(s) >= 2 && !strings.Contains(url, "@") {
+		repoUrl = fmt.Sprintf("%s@%s", firstPart, d)
 	}
 
 	verififyOptions := notation.VerifyOptions{