feat: by default do not show signagures inside of inspect output

By default do not show the Sigstore signatures of a policy when the `inspect` command is used. Introduce a new cli flag `--show-signatures` that causes `inspect` to show them. The signatures were causing a lot of noise and are not providing that much value. Signed-off-by: Flavio Castelli <fcastelli@suse.com>
kubewarden · Jan 17, 2024 · 9d47470 · 9d47470
1 parent 2d1ded4
commit 9d47470
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 21 deletions.
diff --git a/src/cli.rs b/src/cli.rs
@@ -384,6 +384,10 @@ fn subcommand_inspect() -> Command {
             .long("docker-config-json-path")
             .value_name("PATH")
             .help("Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details"),
+        Arg::new("show-signatures")
+            .long("show-signatures")
+            .num_args(0)
+            .help("Show sigstore signatures"),
     ];
     args.sort_by(|a, b| a.get_id().cmp(b.get_id()));
     args.push(

diff --git a/src/inspect.rs b/src/inspect.rs
@@ -1,32 +1,36 @@
 use crate::{Registry, Sources};
 use anyhow::{anyhow, Result};
-use policy_evaluator::policy_fetcher::oci_distribution::secrets::RegistryAuth;
-use policy_evaluator::policy_fetcher::{
-    oci_distribution::manifest::{OciImageManifest, OciManifest},
-    sigstore::{
-        cosign::{ClientBuilder, CosignCapabilities},
-        registry::{Auth, ClientConfig},
-    },
-};
 use policy_evaluator::{
-    constants::*, policy_evaluator::PolicyExecutionMode,
-    policy_fetcher::sigstore::registry::oci_reference::OciReference, policy_metadata::Metadata,
+    constants::*,
+    policy_evaluator::PolicyExecutionMode,
+    policy_fetcher::{
+        oci_distribution::{
+            manifest::{OciImageManifest, OciManifest},
+            secrets::RegistryAuth,
+        },
+        sigstore::{
+            cosign::{ClientBuilder, CosignCapabilities},
+            registry::{oci_reference::OciReference, Auth, ClientConfig},
+        },
+    },
+    policy_metadata::Metadata,
 };
 use prettytable::{format::FormatBuilder, Table};
 use pulldown_cmark::{Options, Parser};
-use pulldown_cmark_mdcat::TerminalCapabilities;
 use pulldown_cmark_mdcat::{
     resources::NoopResourceHandler,
     terminal::{TerminalProgram, TerminalSize},
+    TerminalCapabilities,
 };
-use std::{convert::TryFrom, str::FromStr};
+use std::{collections::HashMap, convert::TryFrom, str::FromStr};
 use syntect::parsing::SyntaxSet;
 
 pub(crate) async fn inspect(
     uri_or_sha_prefix: &str,
     output: OutputType,
     sources: Option<Sources>,
     no_color: bool,
+    no_signatures: bool,
 ) -> Result<()> {
     let uri = crate::utils::map_path_to_uri(uri_or_sha_prefix)?;
     let wasm_path = crate::utils::wasm_path(&uri)?;
@@ -35,8 +39,6 @@ pub(crate) async fn inspect(
     let metadata = Metadata::from_path(&wasm_path)
         .map_err(|e| anyhow!("Error parsing policy metadata: {}", e))?;
 
-    let signatures = fetch_signatures_manifest(&uri, sources).await;
-
     match metadata {
         Some(metadata) => metadata_printer.print(&metadata, no_color)?,
         None => return Err(anyhow!(
@@ -45,6 +47,11 @@ pub(crate) async fn inspect(
         )),
     };
 
+    if no_signatures {
+        return Ok(());
+    }
+
+    let signatures = fetch_signatures_manifest(&uri, sources).await;
     match signatures {
         Ok(signatures) => {
             if let Some(signatures) = signatures {
@@ -105,7 +112,7 @@ impl MetadataPrinter {
         match self {
             MetadataPrinter::Yaml => {
                 let metadata_yaml = serde_yaml::to_string(metadata)?;
-                println!("{metadata_yaml}");
+                print!("{metadata_yaml}");
                 Ok(())
             }
             MetadataPrinter::Pretty => {
@@ -300,9 +307,12 @@ impl SignaturesPrinter {
     fn print(&self, signatures: &OciImageManifest) {
         match self {
             SignaturesPrinter::Yaml => {
-                let signatures_yaml = serde_yaml::to_string(signatures);
+                let mut doc_entry: HashMap<String, &OciImageManifest> = HashMap::new();
+                doc_entry.insert("signatures".to_string(), signatures);
+
+                let signatures_yaml = serde_yaml::to_string(&doc_entry);
                 if let Ok(signatures_yaml) = signatures_yaml {
-                    println!("{signatures_yaml}")
+                    print!("{signatures_yaml}")
                 }
             }
             SignaturesPrinter::Pretty => {

diff --git a/src/main.rs b/src/main.rs
@@ -319,8 +319,12 @@ async fn main() -> Result<()> {
                     matches.get_one::<String>("output").map(|s| s.as_str()),
                 )?;
                 let sources = remote_server_options(matches)?;
-
-                inspect::inspect(uri_or_sha_prefix, output, sources, no_color).await?;
+                let no_signatures = !matches
+                    .get_one::<bool>("show-signatures")
+                    .unwrap_or(&false)
+                    .to_owned();
+                inspect::inspect(uri_or_sha_prefix, output, sources, no_color, no_signatures)
+                    .await?;
             };
             Ok(())
         }

diff --git a/tests/e2e.rs b/tests/e2e.rs
@@ -340,7 +340,7 @@ fn test_push() {
 
     let sources_yaml = format!(
         r#"
-        insecure_sources: 
+        insecure_sources:
             - "localhost:{}"
         "#,
         port
@@ -402,7 +402,7 @@ fn test_scaffold_manifest() {
 #[rstest]
 #[case::correct("rego-annotate/metadata-correct.yml", true, is_empty())]
 #[case::wrong(
-    "rego-annotate/metadata-wrong.yml", 
+    "rego-annotate/metadata-wrong.yml",
     false,
     contains("Error: Wrong value inside of policy's metatada for 'executionMode'. This policy has been created using Rego")
 )]
@@ -429,3 +429,30 @@ fn test_annotate_rego(
         cmd.assert().stderr(predicate);
     }
 }
+
+#[rstest]
+#[case::show_signatures(true)]
+#[case::hide_signatures(false)]
+fn test_inspect_policy_yml_output(#[case] show_signatures: bool) {
+    let uri = "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5";
+
+    let tempdir = tempdir().unwrap();
+
+    let mut cmd = setup_command(tempdir.path());
+    cmd.arg("pull").arg(uri);
+
+    cmd.assert().success();
+
+    let mut cmd = setup_command(tempdir.path());
+    cmd.arg("inspect").arg("-o").arg("yaml");
+
+    if show_signatures {
+        cmd.arg("--show-signatures");
+    }
+    cmd.arg(uri);
+
+    cmd.assert().success();
+    let report: serde_yaml::Mapping = serde_yaml::from_slice(&cmd.assert().get_output().stdout)
+        .expect("a valid yaml document was expected");
+    assert_eq!(show_signatures, report.contains_key("signatures"))
+}