1
0
Fork 0
mirror of https://github.com/imjasonh/terraform-playground synced 2026-07-16 12:42:57 +00:00

fit and finish

Signed-off-by: Jason Hall <jason@chainguard.dev>
This commit is contained in:
Jason Hall 2023-08-24 10:16:43 -04:00
parent 144f1f8388
commit b025e5ec4d
Failed to extract signature

View file

@ -30,31 +30,37 @@ import (
"github.com/kelseyhightower/envconfig"
)
type envConfig struct {
var amazonKeychain authn.Keychain = authn.NewKeychainFromHelper(ecrcreds.NewECRHelper(ecrcreds.WithLogger(log.Writer())))
var env = struct {
Issuer string `envconfig:"ISSUER_URL" required:"true"`
Group string `envconfig:"GROUP" required:"true"`
Identity string `envconfig:"IDENTITY" required:"true"`
Region string `envconfig:"REGION" required:"true"`
DstRepo string `envconfig:"DST_REPO" required:"true"`
FullDstRepo string `envconfig:"FULL_DST_REPO" required:"true"`
}
}{}
var amazonKeychain authn.Keychain = authn.NewKeychainFromHelper(ecrcreds.NewECRHelper(ecrcreds.WithLogger(log.Writer())))
func main() {
lambda.Start(handler)
func init() {
if err := envconfig.Process("", &env); err != nil {
log.Fatalf("failed to process env var: %s", err)
}
}
func main() { lambda.Start(handler) }
func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp string, err error) {
defer func() {
if err != nil {
log.Println("=== GOT ERROR:", err)
log.Printf("=== GOT ERROR: %v", err)
log.Printf("body: %+v", levent.Body)
log.Printf("env: %+v", env)
}
}()
var env envConfig
if err := envconfig.Process("", &env); err != nil {
return "", fmt.Errorf("failed to process env var: %s", err)
// We expect Chainguard webhooks to pass an Authorization header.
auth := strings.TrimPrefix(levent.Headers["authorization"], "Bearer ")
if auth == "" {
return "", fmt.Errorf("auth header missing")
}
// Construct a verifier that ensures tokens are issued by the Chainguard
@ -63,17 +69,7 @@ func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp
if err != nil {
return "", fmt.Errorf("failed to create provider: %v", err)
}
verifier := provider.Verifier(&oidc.Config{
ClientID: "customer",
})
// We expect Chainguard webhooks to pass an Authorization header.
auth := strings.TrimPrefix(levent.Headers["authorization"], "Bearer ")
if auth == "" {
return "", fmt.Errorf("auth header missing")
}
// Verify that the token is well-formed, and in fact intended for us!
verifier := provider.Verifier(&oidc.Config{ClientID: "customer"})
if tok, err := verifier.Verify(ctx, auth); err != nil {
return "", fmt.Errorf("unable to verify token: %w", err)
} else if !strings.HasPrefix(tok.Subject, "webhook:") {
@ -82,8 +78,8 @@ func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp
return "", fmt.Errorf("this token is intended for %s, wanted one for %s", group, env.Group)
}
// We are handling a specific event type, so filter the rest.
if levent.Headers["ce-type"] != PushEventType {
// This doesn't represent a push, so there's nothing to do.
log.Printf("event type is %q, skipping", levent.Headers["ce-type"])
return "", nil
}
@ -93,8 +89,6 @@ func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp
return "", fmt.Errorf("unable to unmarshal event: %w", err)
}
log.Printf("got event: %+v", data)
if data.Body.Error != nil {
// This represents a push error, so there's nothing to do.
log.Printf("event body has error, skipping: %+v", data.Body.Error)
@ -129,7 +123,8 @@ func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp
log.Printf("Created ECR repo %s", repo)
}
src := "cgr.dev/" + data.Body.Repository
// Sync src:tag to dst:tag.
src := "cgr.dev/" + data.Body.Repository + ":" + data.Body.Tag
dst := filepath.Join(env.FullDstRepo, filepath.Base(data.Body.Repository)) + ":" + data.Body.Tag
log.Printf("Copying %s to %s...", src, dst)
if err := crane.Copy(src, dst,