config: sign Azure versions on upload & verify on fetch (#1836)

* add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2025-05-04 15:25:00 -04:00 · 2023-06-01 13:55:46 +02:00 · 2023-06-01 13:55:46 +02:00 · b51cc52945
commit b51cc52945
parent e0285c122e
55 changed files with 752 additions and 308 deletions
--- a/internal/api/fetcher/fetcher.go
+++ b/internal/api/fetcher/fetcher.go
@ -17,7 +17,9 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
+	"net/url"
 )

 // fetcher fetches versions API resources without authentication.
@ -46,6 +48,24 @@ type apiObject interface {
 	URL() (string, error)
 }

+// getFromURL fetches the content from the given URL and returns the content as a byte slice.
+func getFromURL(ctx context.Context, client HTTPClient, sourceURL *url.URL) ([]byte, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, sourceURL.String(), http.NoBody)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("http status code: %d", resp.StatusCode)
+	}
+	return io.ReadAll(resp.Body)
+}
+
 func fetch[T apiObject](ctx context.Context, c HTTPClient, obj T) (T, error) {
 	if err := obj.ValidateRequest(); err != nil {
 		return *new(T), fmt.Errorf("validating request for %T: %w", obj, err)