Feat: Support to accept the response of signing result from RADAS

Author: yma955

charon/config.py

@@ -39,6 +39,14 @@ def __init__(self, data: Dict):
         self.__ignore_signature_suffix: Dict = data.get("ignore_signature_suffix", None)
         self.__signature_command: str = data.get("detach_signature_command", None)
         self.__aws_cf_enable: bool = data.get("aws_cf_enable", False)
+        self.__amqp_queue: str = data.get("amqp_queue", None)
+        self.__sign_result_loc: str = data.get("sign_result_loc", None)
+        self.__quay_radas_auth_enabled: bool = data.get("quay_radas_auth_enabled", False)
+        self.__quay_radas_registry: str = data.get("quay_radas_registry", None)
+        self.__quay_radas_username: str = data.get("quay_radas_username", None)
+        self.__quay_radas_password: str = data.get("quay_radas_password", None)
+        self.__radas_sign_timeout_count: int = data.get("radas_sign_timeout_count", 10)
+        self.__radas_sign_wait_interval_sec: int = data.get("radas_sign_wait_interval_sec", 60)
 
     def get_ignore_patterns(self) -> List[str]:
         return self.__ignore_patterns
@@ -67,6 +75,29 @@ def get_detach_signature_command(self) -> str:
     def is_aws_cf_enable(self) -> bool:
         return self.__aws_cf_enable
 
+    def get_amqp_queue(self) -> str:
+        return self.__amqp_queue
+
+    def get_sign_result_loc(self) -> str:
+        return self.__sign_result_loc
+
+    def is_quay_radas_auth_enabled(self) -> bool:
+        return self.__quay_radas_auth_enabled
+
+    def get_quay_radas_registry(self) -> str:
+        return self.__quay_radas_registry
+
+    def get_quay_radas_username(self) -> str:
+        return self.__quay_radas_username
+
+    def get_quay_radas_password(self) -> str:
+        return self.__quay_radas_password
+
+    def get_radas_sign_timeout_count(self) -> int:
+        return self.__radas_sign_timeout_count
+
+    def get_radas_sign_wait_interval_sec(self) -> int:
+        return self.__radas_sign_wait_interval_sec
 
 def get_config(cfgPath=None) -> CharonConfig:
     config_file_path = cfgPath

charon/constants.py

@@ -175,3 +175,6 @@
 DEFAULT_ERRORS_LOG = "errors.log"
 
 DEFAULT_REGISTRY = "localhost"
+DEFAULT_SIGN_RESULT_LOC = "/tmp/sign"
+DEFAULT_RADAS_SIGN_TIMEOUT_COUNT = 10
+DEFAULT_RADAS_SIGN_WAIT_INTERVAL_SEC = 60

charon/pkgs/maven.py

@@ -16,6 +16,7 @@
 from charon.utils.files import HashType
 import charon.pkgs.indexing as indexing
 import charon.pkgs.signature as signature
+import charon.pkgs.radas_signature_handler as radas_signature
 from charon.utils.files import overwrite_file, digest, write_manifest
 from charon.utils.archive import extract_zip_all
 from charon.utils.strings import remove_prefix
@@ -408,11 +409,35 @@ def handle_maven_uploading(
                 if cf_enable:
                     cf_invalidate_paths.extend(archetype_files)
 
-        # 10. Generate signature file if contain_signature is set to True
-        if gen_sign:
-            conf = get_config(config)
-            if not conf:
-                sys.exit(1)
+        # 10. Generate signature file if radas sign is enabled, or do detached sign if contain_signature is set to True
+        conf = get_config(config)
+        if not conf:
+            sys.exit(1)
+
+        if conf.get_radas_sign_enabled():
+            logger.info("Start generating radas signature files for s3 bucket %s\n", bucket_name)
+            (_failed_metas, _generated_signs) = radas_signature.generate_radas_sign(top_level)
+            if not _generated_signs:
+                logger.error(
+                    "No sign result files were downloaded, "
+                    "please make sure the sign process is already done and without timeout")
+                return (tmp_root, False)
+
+            failed_metas.extend(_failed_metas)
+            generated_signs.extend(_generated_signs)
+            logger.info("Singature generation against radas done.\n")
+
+            logger.info("Start upload radas singature files to s3 bucket %s\n", bucket_name)
+            _failed_metas = s3_client.upload_signatures(
+                meta_file_paths=generated_signs,
+                target=(bucket_name, prefix),
+                product=None,
+                root=top_level
+            )
+            failed_metas.extend(_failed_metas)
+            logger.info("Signature files uploading against radas done.\n")
+
+        elif gen_sign:
             suffix_list = __get_suffix(PACKAGE_TYPE_MAVEN, conf)
             command = conf.get_detach_signature_command()
             artifacts = [s for s in valid_mvn_paths if not s.endswith(tuple(suffix_list))]

charon/pkgs/oras_client.py

@@ -0,0 +1,64 @@
+"""
+Copyright (C) 2022 Red Hat, Inc. (https://github.com/Commonjava/charon)
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+         http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+"""
+import oras.client
+import logging
+from charon.config import get_config
+from typing import List
+
+logger = logging.getLogger(__name__)
+
+class OrasClient:
+    """
+    Wrapper for oras‑py’s OrasClient, deciding whether to login based on config.
+    """
+
+    def __init__(self):
+        self.conf = get_config()
+        self.client = oras.client.OrasClient()
+
+    def login_if_needed(self) -> None:
+        """
+        If quay_radas_auth_enabled is true, call login to authenticate.
+        """
+
+        if self.conf and self.conf.is_quay_radas_auth_enabled():
+            logger.info("Logging in to registry.")
+            res = self.client.login(
+                hostname=self.conf.get_quay_radas_registry(),
+                username=self.conf.get_quay_radas_username(),
+                password=self.conf.get_quay_radas_password(),
+            )
+            logger.info(res)
+        else:
+            logger.info("Registry auth not enabled, skip login.")
+
+    def pull(self, result_reference_url: str, sign_result_loc: str) -> List[str]:
+        """
+        Call oras‑py’s pull method to pull the remote file to local.
+        Args:
+            result_reference_url (str): Reference of the remote file (e.g. “quay.io/repository/signing/radas@hash”).
+            sign_result_loc (str): Local save path (e.g. “/tmp/sign”).
+        """
+        files = []
+        try:
+            self.login_if_needed()
+            # the filename should be possibly named by the digest hash value based on the oras source code
+            files = self.client.pull(target=result_reference_url, outdir=sign_result_loc)
+            logger.info("Pull file from %s to %s", result_reference_url, sign_result_loc)
+        except Exception as e:
+            logger.error("Failed to pull file from %s to %s: %s", result_reference_url, sign_result_loc, e)
+        finally:
+            return files

charon/pkgs/radas_signature_handler.py

@@ -0,0 +1,210 @@
+"""
+Copyright (C) 2022 Red Hat, Inc. (https://github.com/Commonjava/charon)
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+         http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+"""
+import proton
+import proton.handlers
+import threading
+import logging
+import json
+import os
+import asyncio
+from typing import List, Any, Tuple, Callable, Dict
+from charon.config import get_config
+from charon.constants import DEFAULT_SIGN_RESULT_LOC
+from charon.constants import DEFAULT_RADAS_SIGN_TIMEOUT_COUNT
+from charon.constants import DEFAULT_RADAS_SIGN_WAIT_INTERVAL_SEC
+from charon.pkgs.oras_client import OrasClient
+
+logger = logging.getLogger(__name__)
+
+class SignHandler:
+    """
+    Handle the sign result status management
+    """
+    _is_processing: bool = True
+    _downloaded_files: List[str] = []
+
+    @classmethod
+    def is_processing(cls) -> bool:
+        return cls._is_processing
+
+    @classmethod
+    def get_downloaded_files(cls) -> List[str]:
+        return cls._downloaded_files.copy()
+
+    @classmethod
+    def set_processing(cls, value: bool) -> None:
+        cls._is_processing = value
+
+    @classmethod
+    def set_downloaded_files(cls, files: List[str]) -> None:
+        cls._downloaded_files = files
+
+class UmbListener(proton.handlers.MessagingHandler):
+    """
+    UmbListener class (AMQP version), register this when setup UmbClient
+    """
+
+    def __init__(self) -> None:
+        super().__init__()
+
+    def on_start(self, event: proton.Event) -> None:
+        """
+        On start callback
+        """
+        conf = get_config()
+        if not conf:
+            sys.exit(1)
+        event.container.create_receiver(conf.get_amqp_queue())
+
+    def on_message(self, event: proton.Event) -> None:
+        """
+        On message callback
+        """
+        # handle response from radas in a thread
+        thread = threading.Thread(
+            target=self._process_message,
+            args=[event.message.body]
+        )
+        thread.start()
+
+    def on_error(self, event: proton.Event) -> None:
+        """
+        On error callback
+        """
+        logger.error("Received an error event:\n%s", event)
+
+    def on_disconnected(self, event: proton.Event) -> None:
+        """
+        On disconnected callback
+        """
+        logger.error("Disconnected from AMQP broker.")
+
+    def _process_message(msg: Any) -> None:
+        """
+        Process a message received from UMB
+        Args:
+            msg: The message body received
+        """
+        try:
+            msg_dict = json.loads(msg)
+            result_reference_url = msg_dict.get("result_reference")
+
+            if not result_reference_url:
+                 logger.warning("Not found result_reference in message，ignore.")
+                 return
+
+            conf = get_config()
+            if not conf:
+                sign_result_loc = DEFAULT_SIGN_RESULT_LOC
+            sign_result_loc = os.getenv("SIGN_RESULT_LOC") or conf.get_sign_result_loc()
+            logger.info("Using SIGN RESULT LOC: %s", sign_result_loc)
+
+            sign_result_parent_dir = os.path.dirname(sign_result_loc)
+            os.makedirs(sign_result_parent_dir, exist_ok=True)
+
+            oras_client = OrasClient()
+            files = oras_client.pull(
+                result_reference_url=result_reference_url,
+                sign_result_loc=sign_result_loc
+            )
+            SignHandler.set_downloaded_files(files)
+        finally:
+            SignHandler.set_processing(False)
+
+def generate_radas_sign(top_level: str) -> Tuple[List[str], List[str]]:
+    """
+    Generate .asc files based on RADAS sign result json file
+    """
+    conf = get_config()
+    timeout_count = conf.get_radas_sign_timeout_count() if conf else DEFAULT_RADAS_SIGN_TIMEOUT_COUNT
+    wait_interval_sec = conf.get_radas_sign_wait_interval_sec() if conf else DEFAULT_RADAS_SIGN_WAIT_INTERVAL_SEC
+    wait_count = 0
+    while SignHandler.is_processing():
+        wait_count += 1
+        if wait_count > timeout_count:
+            logger.warning("Timeout when waiting for sign response.")
+            break
+        time.sleep(wait_interval_sec)
+
+    files = SignHandler.get_downloaded_files()
+    if not files:
+        return [], []
+
+    # should only have the single sign result json file from the radas registry
+    json_file_path = files[0]
+    try:
+        with open(json_file_path, 'r') as f:
+            data = json.load(f)
+    except Exception as e:
+        logger.error(f"Failed to read or parse the JSON file: {e}")
+        raise
+
+    async def generate_single_sign_file(
+        file_path: str, signature: str, failed_paths: List[str], generated_signs: List[str],
+        sem: asyncio.BoundedSemaphore
+    ):
+        async with sem:
+            if not file_path or not signature:
+                logger.error(f"Invalid JSON entry")
+                return
+            # remove the root path maven-repository
+            filename = file_path.split("/", 1)[1]
+            signature = item.get("signature")
+
+            artifact_path = os.path.join(top_level, filename)
+            asc_filename = f"{filename}.asc"
+            signature_path = os.path.join(top_level, asc_filename)
+
+            if not os.path.isfile(artifact_path):
+                logger.warning("Artifact missing, skip signature file generation")
+                return
+
+            try:
+                with open(signature_path, 'w') as asc_file:
+                    asc_file.write(signature)
+                generated_signs.append(signature_path)
+                logger.info(f"Generated .asc file: {signature_path}")
+            except Exception as e:
+                failed_paths.append(signature_path)
+                logger.error(f"Failed to write .asc file for {artifact_path}: {e}")
+
+    result = data.get("result", [])
+    return __do_path_cut_and(
+            path_handler=generate_single_sign_file,
+            data=result
+        )
+
+def __do_path_cut_and(
+    path_handler: Callable,
+    data: List[Dict[str, str]]
+) -> Tuple[List[str], List[str]]:
+
+    failed_paths: List[str] = []
+    generated_signs: List[str] = []
+    tasks = []
+    sem = asyncio.BoundedSemaphore(10)
+    for item in data:
+        file_path = item.get("file")
+        signature = item.get("signature")
+        tasks.append(
+            asyncio.ensure_future(
+                path_handler(file_path, signature, failed_paths, generated_signs, sem)
+            )
+        )
+
+    loop = asyncio.get_event_loop()
+    loop.run_until_complete(asyncio.gather(*tasks))
+    return (failed_paths, generated_signs)

requirements.txt

@@ -9,3 +9,5 @@ subresource-integrity>=0.2
 jsonschema>=4.9.1
 urllib3>=1.25.10
 semantic-version>=2.10.0
+oras>=0.2.31
+python-qpid-proton>=0.39.0