1
0
Fork 0
mirror of https://github.com/imjasonh/terraform-playground synced 2026-07-08 07:44:57 +00:00

more comments

Signed-off-by: Jason Hall <jason@chainguard.dev>
This commit is contained in:
Jason Hall 2023-08-24 10:55:29 -04:00
parent 745c4ad1c9
commit 20ff65e9d0
Failed to extract signature

View file

@ -57,14 +57,12 @@ func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp
} }
}() }()
// We expect Chainguard webhooks to pass an Authorization header. // Construct a verifier that ensures tokens are issued by the Chainguard
// issuer we expect and are intended for us.
auth := strings.TrimPrefix(levent.Headers["authorization"], "Bearer ") auth := strings.TrimPrefix(levent.Headers["authorization"], "Bearer ")
if auth == "" { if auth == "" {
return "", fmt.Errorf("auth header missing") return "", fmt.Errorf("auth header missing")
} }
// Construct a verifier that ensures tokens are issued by the Chainguard
// issuer we expect and are intended for a customer webhook.
provider, err := oidc.NewProvider(ctx, env.Issuer) provider, err := oidc.NewProvider(ctx, env.Issuer)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to create provider: %v", err) return "", fmt.Errorf("failed to create provider: %v", err)
@ -78,24 +76,23 @@ func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp
return "", fmt.Errorf("this token is intended for %s, wanted one for %s", group, env.Group) return "", fmt.Errorf("this token is intended for %s, wanted one for %s", group, env.Group)
} }
// Check that the event is one we care about:
// - It's a registry push event.
// - It's not a push error.
// - It's a tag push.
if levent.Headers["ce-type"] != PushEventType { if levent.Headers["ce-type"] != PushEventType {
// This doesn't represent a push, so there's nothing to do.
log.Printf("event type is %q, skipping", levent.Headers["ce-type"]) log.Printf("event type is %q, skipping", levent.Headers["ce-type"])
return "", nil return "", nil
} }
data := Occurrence{} data := Occurrence{}
if err := json.Unmarshal([]byte(levent.Body), &data); err != nil { if err := json.Unmarshal([]byte(levent.Body), &data); err != nil {
return "", fmt.Errorf("unable to unmarshal event: %w", err) return "", fmt.Errorf("unable to unmarshal event: %w", err)
} }
if data.Body.Error != nil { if data.Body.Error != nil {
// This represents a push error, so there's nothing to do.
log.Printf("event body has error, skipping: %+v", data.Body.Error) log.Printf("event body has error, skipping: %+v", data.Body.Error)
return "", nil return "", nil
} }
if data.Body.Tag == "" || data.Body.Type != "manifest" { if data.Body.Tag == "" || data.Body.Type != "manifest" {
// This doesn't represent a tag push, so there's nothing to sync.
log.Printf("event body is not a tag push, skipping: %q %q", data.Body.Tag, data.Body.Type) log.Printf("event body is not a tag push, skipping: %q %q", data.Body.Tag, data.Body.Type)
return "", nil return "", nil
} }
@ -138,6 +135,10 @@ func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp
return "", nil return "", nil
} }
// cgKeychain is an authn.Keychain that provides a Chainguard token capable of pulling from cgr.dev.
//
// It does this by first generating an AWS token, then exchanging it for a Chainguard token for the
// specified Chainguard identity, which has been set up to be assumed by the AWS identity.
type cgKeychain struct { type cgKeychain struct {
issuer, region, identity string issuer, region, identity string
} }