cleanup

sigstore · Feb 29, 2024 · a761c16 · a761c16
1 parent d7d4a90
commit a761c16
Showing 1 changed file with 26 additions and 111 deletions.
diff --git a/pkg/cosign/git/github/github.go b/pkg/cosign/git/github/github.go
@@ -44,20 +44,6 @@ func New() *Gh {
 }
 
 func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) error {
-	split := strings.Split(ref, "/")
-
-	if len(split) == 2 {
-		owner, repo := split[0], split[1]
-		return g.putSecretRepo(ctx, pf, owner, repo)
-	} else if len(split) == 1 {
-		owner := split[0]
-		return g.putSecretOrg(ctx, pf, owner)
-	} else {
-		return errors.New("could not parse scheme, use github://<owner> or github://<owner>/<repo> format")
-	}
-}
-
-func (g *Gh) putSecretOrg(ctx context.Context, pf cosign.PassFunc, owner string) error {
 	var httpClient *http.Client
 	if token, ok := env.LookupEnv(env.VariableGitHubToken); ok {
 		ts := oauth2.StaticTokenSource(
@@ -84,13 +70,24 @@ func (g *Gh) putSecretOrg(ctx context.Context, pf cosign.PassFunc, owner string)
 		return fmt.Errorf("generating key pair: %w", err)
 	}
 
-	key, getRepoPubKeyResp, err := client.Actions.GetOrgPublicKey(ctx, owner)
+	var owner, repo string
+	split := strings.Split(ref, "/")
+
+	if len(split) == 2 {
+		owner, repo = split[0], split[1]
+	} else if len(split) == 1 {
+		owner = split[0]
+	} else {
+		return errors.New("could not parse scheme, use github://<owner> or github://<owner>/<repo> format")
+	}
+
+	key, getPubKeyResp, err := g.getPublicKey(client, ctx, owner, repo)
 	if err != nil {
 		return fmt.Errorf("could not get repository public key: %w", err)
 	}
 
-	if getRepoPubKeyResp.StatusCode < 200 && getRepoPubKeyResp.StatusCode >= 300 {
-		bodyBytes, _ := io.ReadAll(getRepoPubKeyResp.Body)
+	if getPubKeyResp.StatusCode < 200 && getPubKeyResp.StatusCode >= 300 {
+		bodyBytes, _ := io.ReadAll(getPubKeyResp.Body)
 		return fmt.Errorf("%s", bodyBytes)
 	}
 
@@ -99,7 +96,7 @@ func (g *Gh) putSecretOrg(ctx context.Context, pf cosign.PassFunc, owner string)
 		return fmt.Errorf("could not encrypt the secret: %w", err)
 	}
 
-	passwordSecretEnvResp, err := client.Actions.CreateOrUpdateOrgSecret(ctx, owner, encryptedCosignPasswd)
+	passwordSecretEnvResp, err := g.createOrUpdateOrgSecret(client, ctx, owner, repo, encryptedCosignPasswd)
 	if err != nil {
 		return fmt.Errorf("could not create \"COSIGN_PASSWORD\" github actions secret: %w", err)
 	}
@@ -116,7 +113,7 @@ func (g *Gh) putSecretOrg(ctx context.Context, pf cosign.PassFunc, owner string)
 		return fmt.Errorf("could not encrypt the secret: %w", err)
 	}
 
-	privateKeySecretEnvResp, err := client.Actions.CreateOrUpdateOrgSecret(ctx, owner, encryptedCosignPrivKey)
+	privateKeySecretEnvResp, err := g.createOrUpdateOrgSecret(client, ctx, owner, repo, encryptedCosignPrivKey)
 	if err != nil {
 		return fmt.Errorf("could not create \"COSIGN_PRIVATE_KEY\" github actions secret: %w", err)
 	}
@@ -133,7 +130,7 @@ func (g *Gh) putSecretOrg(ctx context.Context, pf cosign.PassFunc, owner string)
 		return fmt.Errorf("could not encrypt the secret: %w", err)
 	}
 
-	publicKeySecretEnvResp, err := client.Actions.CreateOrUpdateOrgSecret(ctx, owner, encryptedCosignPubKey)
+	publicKeySecretEnvResp, err := g.createOrUpdateOrgSecret(client, ctx, owner, repo, encryptedCosignPubKey)
 	if err != nil {
 		return fmt.Errorf("could not create \"COSIGN_PUBLIC_KEY\" github actions secret: %w", err)
 	}
@@ -153,100 +150,18 @@ func (g *Gh) putSecretOrg(ctx context.Context, pf cosign.PassFunc, owner string)
 	return nil
 }
 
-func (g *Gh) putSecretRepo(ctx context.Context, pf cosign.PassFunc, owner string, repo string) error {
-	var httpClient *http.Client
-	if token, ok := env.LookupEnv(env.VariableGitHubToken); ok {
-		ts := oauth2.StaticTokenSource(
-			&oauth2.Token{AccessToken: token},
-		)
-		httpClient = oauth2.NewClient(ctx, ts)
-	} else {
-		return fmt.Errorf("could not find %q environment variable", env.VariableGitHubToken.String())
-	}
-
-	var client *github.Client
-	if host, ok := env.LookupEnv(env.VariableGitHubHost); ok {
-		var err error
-		client, err = github.NewClient(httpClient).WithEnterpriseURLs(host, host)
-		if err != nil {
-			return fmt.Errorf("could not create github enterprise client: %w", err)
-		}
-	} else {
-		client = github.NewClient(httpClient)
-	}
-
-	keys, err := cosign.GenerateKeyPair(pf)
-	if err != nil {
-		return fmt.Errorf("generating key pair: %w", err)
-	}
-
-	key, getRepoPubKeyResp, err := client.Actions.GetRepoPublicKey(ctx, owner, repo)
-	if err != nil {
-		return fmt.Errorf("could not get repository public key: %w", err)
-	}
-
-	if getRepoPubKeyResp.StatusCode < 200 && getRepoPubKeyResp.StatusCode >= 300 {
-		bodyBytes, _ := io.ReadAll(getRepoPubKeyResp.Body)
-		return fmt.Errorf("%s", bodyBytes)
-	}
-
-	encryptedCosignPasswd, err := encryptSecretWithPublicKey(key, "COSIGN_PASSWORD", keys.Password())
-	if err != nil {
-		return fmt.Errorf("could not encrypt the secret: %w", err)
-	}
-
-	passwordSecretEnvResp, err := client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPasswd)
-	if err != nil {
-		return fmt.Errorf("could not create \"COSIGN_PASSWORD\" github actions secret: %w", err)
-	}
-
-	if passwordSecretEnvResp.StatusCode < 200 && passwordSecretEnvResp.StatusCode >= 300 {
-		bodyBytes, _ := io.ReadAll(passwordSecretEnvResp.Body)
-		return fmt.Errorf("%s", bodyBytes)
-	}
-
-	fmt.Fprintln(os.Stderr, "Password written to COSIGN_PASSWORD github actions secret")
-
-	encryptedCosignPrivKey, err := encryptSecretWithPublicKey(key, "COSIGN_PRIVATE_KEY", keys.PrivateBytes)
-	if err != nil {
-		return fmt.Errorf("could not encrypt the secret: %w", err)
+func (g *Gh) getPublicKey(client *github.Client, ctx context.Context, owner string, repo string) (*github.PublicKey, *github.Response, error) {
+	if len(repo) > 0 {
+		return client.Actions.GetRepoPublicKey(ctx, owner, repo)
 	}
+	return client.Actions.GetOrgPublicKey(ctx, owner)
+}
 
-	privateKeySecretEnvResp, err := client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPrivKey)
-	if err != nil {
-		return fmt.Errorf("could not create \"COSIGN_PRIVATE_KEY\" github actions secret: %w", err)
-	}
-
-	if privateKeySecretEnvResp.StatusCode < 200 && privateKeySecretEnvResp.StatusCode >= 300 {
-		bodyBytes, _ := io.ReadAll(privateKeySecretEnvResp.Body)
-		return fmt.Errorf("%s", bodyBytes)
-	}
-
-	fmt.Fprintln(os.Stderr, "Private key written to COSIGN_PRIVATE_KEY github actions secret")
-
-	encryptedCosignPubKey, err := encryptSecretWithPublicKey(key, "COSIGN_PUBLIC_KEY", keys.PublicBytes)
-	if err != nil {
-		return fmt.Errorf("could not encrypt the secret: %w", err)
-	}
-
-	publicKeySecretEnvResp, err := client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPubKey)
-	if err != nil {
-		return fmt.Errorf("could not create \"COSIGN_PUBLIC_KEY\" github actions secret: %w", err)
-	}
-
-	if publicKeySecretEnvResp.StatusCode < 200 && publicKeySecretEnvResp.StatusCode >= 300 {
-		bodyBytes, _ := io.ReadAll(publicKeySecretEnvResp.Body)
-		return fmt.Errorf("%s", bodyBytes)
-	}
-
-	fmt.Fprintln(os.Stderr, "Public key written to COSIGN_PUBLIC_KEY github actions secret")
-
-	if err := os.WriteFile("cosign.pub", keys.PublicBytes, 0o600); err != nil {
-		return err
+func (g *Gh) createOrUpdateOrgSecret(client *github.Client, ctx context.Context, owner string, repo string, encryptedCosignPasswd *github.EncryptedSecret) (*github.Response, error) {
+	if len(repo) > 0 {
+		return client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPasswd)
 	}
-	fmt.Fprintln(os.Stderr, "Public key also written to cosign.pub")
-
-	return nil
+	return client.Actions.CreateOrUpdateOrgSecret(ctx, owner, encryptedCosignPasswd)
 }
 
 // NOTE: GetSecret is not implemented for GitHub