pass http client for use with tuf

malancas · malancas · commit 6b226754fdf6 · 2025-05-07T09:18:43.000-06:00
Signed-off-by: Meredith Lancaster &lt;malancas@github.com&gt;
diff --git a/pkg/cmd/attestation/trustedroot/trustedroot.go b/pkg/cmd/attestation/trustedroot/trustedroot.go
@@ -122,7 +122,7 @@ func getTrustedRoot(makeTUF tufClientInstantiator, opts *Options) error {
 	var tufOptions []tufConfig
 	var defaultTR = "trusted_root.json"
 
-	tufOpt := verification.DefaultOptionsWithCacheSetting(o.None[string]())
+	tufOpt := verification.DefaultOptionsWithCacheSetting(o.None[string](), nil)
 	// Disable local caching, so we get up-to-date response from TUF repository
 	tufOpt.CacheValidity = 0
 
@@ -151,7 +151,7 @@ func getTrustedRoot(makeTUF tufClientInstantiator, opts *Options) error {
 			targets:    []string{defaultTR},
 		})
 
-		tufOpt = verification.GitHubTUFOptions(o.None[string]())
+		tufOpt = verification.GitHubTUFOptions(o.None[string](), nil)
 		tufOpt.CacheValidity = 0
 		tufOptions = append(tufOptions, tufConfig{
 			tufOptions: tufOpt,
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
@@ -73,7 +73,7 @@ func NewLiveSigstoreVerifier(config SigstoreConfig) (*LiveSigstoreVerifier, erro
 		return liveVerifier, nil
 	}
 	if !config.NoPublicGood {
-		publicGoodVerifier, err := newPublicGoodVerifier(config.TUFMetadataDir)
+		publicGoodVerifier, err := newPublicGoodVerifier(config.TUFMetadataDir, config.HttpClient)
 		if err != nil {
 			return nil, err
 		}
@@ -350,8 +350,8 @@ func newGitHubVerifierWithTrustedRoot(trustedRoot *root.TrustedRoot) (*verify.Si
 	return gv, nil
 }
 
-func newPublicGoodVerifier(tufMetadataDir o.Option[string]) (*verify.SignedEntityVerifier, error) {
-	opts := DefaultOptionsWithCacheSetting(tufMetadataDir)
+func newPublicGoodVerifier(tufMetadataDir o.Option[string], hc *http.Client) (*verify.SignedEntityVerifier, error) {
+	opts := DefaultOptionsWithCacheSetting(tufMetadataDir, hc)
 	client, err := tuf.New(opts)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create TUF client: %v", err)
diff --git a/pkg/cmd/attestation/verification/tuf.go b/pkg/cmd/attestation/verification/tuf.go
@@ -2,9 +2,11 @@ package verification
 
 import (
 	_ "embed"
+	"net/http"
 	"os"
 	"path/filepath"
 
+	"github.com/cenkalti/backoff/v5"
 	o "github.com/cli/cli/v2/pkg/option"
 	"github.com/cli/go-gh/v2/pkg/config"
 	"github.com/sigstore/sigstore-go/pkg/tuf"
@@ -43,7 +45,7 @@ func DefaultOptionsWithCacheSetting(tufMetadataDir o.Option[string], hc *http.Cl
 }
 
 func GitHubTUFOptions(tufMetadataDir o.Option[string], hc *http.Client) *tuf.Options {
-	opts := DefaultOptionsWithCacheSetting(tufMetadataDir)
+	opts := DefaultOptionsWithCacheSetting(tufMetadataDir, hc)
 
 	opts.Root = githubRoot
 	opts.RepositoryBaseURL = GitHubTUFMirror
diff --git a/pkg/cmd/attestation/verification/tuf_test.go b/pkg/cmd/attestation/verification/tuf_test.go
@@ -12,7 +12,7 @@ import (
 
 func TestGitHubTUFOptionsNoMetadataDir(t *testing.T) {
 	os.Setenv("CODESPACES", "true")
-	opts := GitHubTUFOptions(o.None[string]())
+	opts := GitHubTUFOptions(o.None[string](), nil)
 
 	require.Equal(t, GitHubTUFMirror, opts.RepositoryBaseURL)
 	require.NotNil(t, opts.Root)
@@ -21,6 +21,6 @@ func TestGitHubTUFOptionsNoMetadataDir(t *testing.T) {
 }
 
 func TestGitHubTUFOptionsWithMetadataDir(t *testing.T) {
-	opts := GitHubTUFOptions(o.Some("anything"))
+	opts := GitHubTUFOptions(o.Some("anything"), nil)
 	require.Equal(t, "anything", opts.CachePath)
 }

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ func NewLiveSigstoreVerifier(config SigstoreConfig) (*LiveSigstoreVerifier, erro`
`73`	`73`	`return liveVerifier, nil`
`74`	`74`	`}`
`75`	`75`	`if !config.NoPublicGood {`
`76`		`- publicGoodVerifier, err := newPublicGoodVerifier(config.TUFMetadataDir)`
	`76`	`+ publicGoodVerifier, err := newPublicGoodVerifier(config.TUFMetadataDir, config.HttpClient)`
`77`	`77`	`if err != nil {`
`78`	`78`	`return nil, err`
`79`	`79`	`}`
`@@ -350,8 +350,8 @@ func newGitHubVerifierWithTrustedRoot(trustedRoot root.TrustedRoot) (verify.Si`
`350`	`350`	`return gv, nil`
`351`	`351`	`}`
`352`	`352`
`353`		`-func newPublicGoodVerifier(tufMetadataDir o.Option[string]) (*verify.SignedEntityVerifier, error) {`
`354`		`- opts := DefaultOptionsWithCacheSetting(tufMetadataDir)`
	`353`	`+func newPublicGoodVerifier(tufMetadataDir o.Option[string], hc http.Client) (verify.SignedEntityVerifier, error) {`
	`354`	`+ opts := DefaultOptionsWithCacheSetting(tufMetadataDir, hc)`
`355`	`355`	`client, err := tuf.New(opts)`
`356`	`356`	`if err != nil {`
`357`	`357`	`return nil, fmt.Errorf("failed to create TUF client: %v", err)`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ import (`
`12`	`12`
`13`	`13`	`func TestGitHubTUFOptionsNoMetadataDir(t *testing.T) {`
`14`	`14`	`os.Setenv("CODESPACES", "true")`
`15`		`- opts := GitHubTUFOptions(o.None[string]())`
	`15`	`+ opts := GitHubTUFOptions(o.None[string](), nil)`
`16`	`16`
`17`	`17`	`require.Equal(t, GitHubTUFMirror, opts.RepositoryBaseURL)`
`18`	`18`	`require.NotNil(t, opts.Root)`
`@@ -21,6 +21,6 @@ func TestGitHubTUFOptionsNoMetadataDir(t *testing.T) {`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`func TestGitHubTUFOptionsWithMetadataDir(t *testing.T) {`
`24`		`- opts := GitHubTUFOptions(o.Some("anything"))`
	`24`	`+ opts := GitHubTUFOptions(o.Some("anything"), nil)`
`25`	`25`	`require.Equal(t, "anything", opts.CachePath)`
`26`	`26`	`}`