-
Notifications
You must be signed in to change notification settings - Fork 19
/
Copy pathmain.go
134 lines (121 loc) · 3.29 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
/*
Copyright 2023 Chainguard, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package main
import (
"context"
"encoding/json"
"flag"
"fmt"
"log"
"time"
"chainguard.dev/sdk/auth/token"
common "chainguard.dev/sdk/proto/platform/common/v1"
iam "chainguard.dev/sdk/proto/platform/iam/v1"
registry "chainguard.dev/sdk/proto/platform/registry/v1"
"chainguard.dev/sdk/sts"
"github.com/google/go-containerregistry/pkg/name"
)
func main() {
ctx := context.Background()
var group string
flag.StringVar(&group, "group", "chainguard", "group to query")
flag.Parse()
if len(flag.Args()) != 3 {
log.Fatalf("requires 3 arguments: repo name, and previous and current image to diff")
}
if _, err := name.NewDigest("example.com/foo@" + flag.Arg(1)); err != nil {
log.Fatalf("invalid digest: %v", err)
}
if _, err := name.NewDigest("example.com/foo@" + flag.Arg(2)); err != nil {
log.Fatalf("invalid digest: %v", err)
}
repo, left, right := flag.Arg(0), flag.Arg(1), flag.Arg(2)
// Get the Chainguard auth token.
var tok string
audience := "https://console-api.enforce.dev"
{
if token.RemainingLife(audience, time.Minute) < 0 {
// TODO: do a browser flow here.
log.Fatalf("token has expired, please run `chainctl auth login`")
}
tokb, err := token.Load(audience)
if err != nil {
log.Fatalf("loading token: %v", err)
}
tok = string(tokb)
if group == "chainguard" {
// This group is special, since anybody can access it by assuming a
// broadly-assumable identity with permission to view/pull.
issuer := "https://issuer.enforce.dev"
tok, err = sts.New(issuer, audience,
sts.WithIdentity("720909c9f5279097d847ad02a2f24ba8f59de36a/a033a6fabe0bfa0d")).
Exchange(ctx, tok)
if err != nil {
log.Fatalf("exchanging token: %v", err)
}
}
}
// Set up clients.
iamc, err := iam.NewClients(ctx, audience, tok)
if err != nil {
log.Fatalf("creating IAM clients: %v", err)
}
regc, err := registry.NewClients(ctx, audience, tok)
if err != nil {
log.Fatalf("creating Registry clients: %v", err)
}
// Get the group UIDP.
var groupUIDP string
{
if group == "chainguard" {
// This group is special, we'll just hard-code the UIDP.
groupUIDP = "720909c9f5279097d847ad02a2f24ba8f59de36a"
} else {
resp, err := iamc.Groups().List(ctx, &iam.GroupFilter{
Name: group,
})
if err != nil {
log.Fatalf("listing groups: %v", err)
}
if len(resp.Items) != 1 {
log.Fatalf("expected 1 group, got %d", len(resp.Items))
}
groupUIDP = resp.Items[0].Id
}
}
log.Println("group UIDP", groupUIDP)
// Get the repo UIDP.
var repoUIDP string
{
resp, err := regc.Registry().ListRepos(ctx, ®istry.RepoFilter{
Uidp: &common.UIDPFilter{
ChildrenOf: groupUIDP,
},
Name: repo,
})
if err != nil {
log.Fatalf("listing repos: %v", err)
}
if len(resp.Items) != 1 {
log.Fatalf("expected 1 repo, got %d", len(resp.Items))
}
repoUIDP = resp.Items[0].Id
}
log.Println("repo UIDP", repoUIDP)
// Get diff for the digests.
resp, err := regc.Registry().DiffImage(ctx, ®istry.DiffImageRequest{
RepoId: repoUIDP,
FromDigest: left,
ToDigest: right,
})
if err != nil {
log.Fatalf("diff: %v", err)
}
b, err := json.MarshalIndent(resp, "", " ")
if err != nil {
log.Fatalf("marshaling response: %v", err)
}
fmt.Println(string(b))
}