Add fragment reference from_image command

linter_exclusions.yml

@@ -3504,3 +3504,21 @@ neon postgres organization:
 neon postgres project:
   rule_exclusions:
   - require_wait_command_if_no_wait
+
+confcom fragment push:
+  parameters:
+    signed_fragment:
+      rule_exclusions:
+        - no_positional_parameters
+
+confcom fragment attach:
+  parameters:
+    signed_fragment:
+      rule_exclusions:
+        - no_positional_parameters
+
+confcom fragment references from_image:
+  parameters:
+    image:
+      rule_exclusions:
+        - no_positional_parameters

src/confcom/HISTORY.rst

@@ -3,6 +3,12 @@
 Release History
 ===============
 
+1.5.0
+++++++
+* restored the behaviour of --upload-fragment in acifragmentgen to attach to first image in input
+* added confcom fragment push command to allow explicit uploading of standalone fragments
+* added confcom fragment attach command to allow explicit uploading of image attached fragments
+
 1.4.5
 ++++++
 * Drop the dependency on OPA

src/confcom/azext_confcom/_help.py

@@ -278,3 +278,71 @@
         - name: Input a Kubernetes YAML file with a custom containerd socket path
           text: az confcom katapolicygen --yaml "./pod.json" --containerd-pull --containerd-socket-path "/my/custom/containerd.sock"
 """
+
+helps[
+    "confcom fragment"
+] = """
+    type: group
+    short-summary: Commands to handle Confidential Container Policy Fragments.
+"""
+
+helps[
+    "confcom fragment push"
+] = """
+    type: command
+    short-summary: Push a Confidential Container Policy Fragment to an ORAS registry
+
+    parameters:
+      - name: --manifest-tag
+        type: string
+        short-summary: 'The reference to push the signed fragment to'
+
+    examples:
+        - name: Push a signed fragment to a registry
+          text: az confcom fragment push ./fragment.reg.cose --manifest-tag myregistry.azurecr.io/fragment:latest
+        - name: Push the output of acifragmentgen to a registry
+          text: az confcom acifragmentgen --chain my.cert.pem --key my_key.pem --svn "1" --namespace contoso --feed "test-feed" --input ./fragment_spec.json | az confcom fragment push --manifest-tag myregistry.azurecr.io/fragment:latest
+"""
+
+helps[
+    "confcom fragment attach"
+] = """
+    type: command
+    short-summary: Attach a Confidential Container Policy Fragment to an image in an ORAS registry.
+
+    parameters:
+      - name: --manifest-tag
+        type: string
+        short-summary: 'The reference to attach the signed fragment to'
+
+    examples:
+        - name: Attach a signed fragment to a registry
+          text: az confcom fragment attach ./fragment.reg.cose --manifest-tag myregistry.azurecr.io/image:latest
+        - name: Attach the output of acifragmentgen to a registry
+          text: az confcom acifragmentgen --chain my.cert.pem --key my_key.pem --svn "1" --namespace contoso --feed "test-feed" --input ./fragment_spec.json | az confcom fragment attach --manifest-tag myregistry.azurecr.io/image:latest
+"""
+
+helps[
+    "confcom fragment references"
+] = """
+    type: group
+    short-summary: Commands which generate Security Policy Fragment References.
+"""
+
+
+helps[
+    "confcom fragment references from_image"
+] = """
+    type: command
+    short-summary: Create a Security Policy Fragment Reference based on an image reference.
+
+    parameters:
+        - name: --minimum-svn
+          type: str
+          short-summary: 'The value of the minimum SVN field in the generated fragment reference, defaults to current fragment reference'
+
+
+    examples:
+        - name: Input an image reference and generate fragment reference
+          text: az confcom fragment references from_image my.azurecr.io/myimage:tag
+"""

src/confcom/azext_confcom/_params.py

@@ -5,6 +5,8 @@
 # pylint: disable=line-too-long
 
 import json
+import argparse
+import sys
 from knack.arguments import CLIArgumentType
 from azext_confcom._validators import (
     validate_params_file,
@@ -44,6 +46,32 @@ def load_arguments(self, _):
         c.argument("tags", tags_type)
         c.argument("confcom_name", confcom_name_type, options_list=["--name", "-n"])
 
+    with self.argument_context("confcom fragment attach") as c:
+        c.positional(
+            "signed_fragment",
+            nargs='?',
+            type=argparse.FileType('rb'),
+            default=sys.stdin.buffer,
+            help="Signed fragment to attach",
+        )
+        c.argument(
+            "manifest_tag",
+            help="Manifest tag for the fragment",
+        )
+
+    with self.argument_context("confcom fragment push") as c:
+        c.positional(
+            "signed_fragment",
+            nargs='?',
+            type=argparse.FileType('rb'),
+            default=sys.stdin.buffer,
+            help="Signed fragment to push",
+        )
+        c.argument(
+            "manifest_tag",
+            help="Manifest tag for the fragment",
+        )
+
     with self.argument_context("confcom acipolicygen") as c:
         c.argument(
             "input_path",
@@ -207,6 +235,14 @@ def load_arguments(self, _):
             required=False,
             help='Container definitions to include in the policy'
         )
+        c.argument(
+            "fragment_definitions",
+            options_list=['--with-fragments'],
+            action='append',
+            type=json.loads,
+            required=False,
+            help='Fragment definitions to include in the policy'
+        )
 
     with self.argument_context("confcom acifragmentgen") as c:
         c.argument(
@@ -362,6 +398,13 @@ def load_arguments(self, _):
             type=json.loads,
             help='Container definitions to include in the policy'
         )
+        c.argument(
+            "out_signed_fragment",
+            action="store_true",
+            default=False,
+            required=False,
+            help="Emit only the signed fragment bytes",
+        )
 
     with self.argument_context("confcom katapolicygen") as c:
         c.argument(
@@ -434,3 +477,16 @@ def load_arguments(self, _):
             help="Path to containerd socket if not using the default",
             validator=validate_katapolicygen_input,
         )
+
+    with self.argument_context("confcom fragment references from_image") as c:
+        c.positional(
+            "image",
+            type=str,
+            help="Image to create container definition from",
+        )
+        c.argument(
+            "minimum_svn",
+            required=False,
+            type=str,
+            help="Minimum Allowed Software Version Number for Fragment",
+        )

src/confcom/azext_confcom/command/fragment_attach.py

@@ -0,0 +1,46 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import os
+import subprocess
+import tempfile
+from typing import BinaryIO
+
+
+def oras_attach(
+    signed_fragment: BinaryIO,
+    manifest_tag: str,
+) -> None:
+    subprocess.run(
+        [
+            "oras",
+            "attach",
+            "--artifact-type", "application/x-ms-ccepolicy-frag",
+            manifest_tag,
+            os.path.relpath(signed_fragment.name, start=os.getcwd()),
+        ],
+        check=True,
+        timeout=120,
+    )
+
+
+def fragment_attach(
+    signed_fragment: BinaryIO,
+    manifest_tag: str,
+) -> None:
+
+    if signed_fragment.name == "<stdin>":
+        with tempfile.NamedTemporaryFile(delete=True) as temp_signed_fragment:
+            temp_signed_fragment.write(signed_fragment.read())
+            temp_signed_fragment.flush()
+            oras_attach(
+                signed_fragment=temp_signed_fragment,
+                manifest_tag=manifest_tag,
+            )
+    else:
+        oras_attach(
+            signed_fragment=signed_fragment,
+            manifest_tag=manifest_tag,
+        )

src/confcom/azext_confcom/command/fragment_push.py

@@ -0,0 +1,46 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import os
+import subprocess
+import tempfile
+from typing import BinaryIO
+
+
+def oras_push(
+    signed_fragment: BinaryIO,
+    manifest_tag: str,
+) -> None:
+    subprocess.run(
+        [
+            "oras",
+            "push",
+            "--artifact-type", "application/x-ms-ccepolicy-frag",
+            manifest_tag,
+            os.path.relpath(signed_fragment.name, start=os.getcwd()),
+        ],
+        check=True,
+        timeout=120,
+    )
+
+
+def fragment_push(
+    signed_fragment: BinaryIO,
+    manifest_tag: str,
+) -> None:
+
+    if signed_fragment.name == "<stdin>":
+        with tempfile.NamedTemporaryFile(delete=True) as temp_signed_fragment:
+            temp_signed_fragment.write(signed_fragment.read())
+            temp_signed_fragment.flush()
+            oras_push(
+                signed_fragment=temp_signed_fragment,
+                manifest_tag=manifest_tag,
+            )
+    else:
+        oras_push(
+            signed_fragment=signed_fragment,
+            manifest_tag=manifest_tag,
+        )

src/confcom/azext_confcom/command/fragment_references_from_image.py

@@ -0,0 +1,14 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import json
+
+from typing import Optional
+
+from azext_confcom.lib.fragment_references import from_image as lib_fragment_references_from_image
+
+
+def fragment_references_from_image(image: str, minimum_svn: Optional[str]) -> str:
+    return print(json.dumps(list(lib_fragment_references_from_image(image, minimum_svn))))

src/confcom/azext_confcom/commands.py

@@ -11,5 +11,12 @@ def load_command_table(self, _):
         g.custom_command("acifragmentgen", "acifragmentgen_confcom")
         g.custom_command("katapolicygen", "katapolicygen_confcom")
 
+    with self.command_group("confcom fragment") as g:
+        g.custom_command("attach", "fragment_attach", is_preview=True)
+        g.custom_command("push", "fragment_push", is_preview=True)
+
     with self.command_group("confcom"):
         pass
+
+    with self.command_group("confcom fragment references") as g:
+        g.custom_command("from_image", "fragment_references_from_image")