feat: add blob policy import and show commands

cmd/notation/blob/cmd.go

@@ -0,0 +1,32 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package blob provides the command for blob trust policy configuration.
+package blob
+
+import "github.com/spf13/cobra"
+
+// Cmd returns the command for blob
+func Cmd() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "blob [commnad]",
+		Short: "Sign, verify and inspect singatures associated with blobs",
+		Long:  "Sign, inspect, and verify signatures and configure trust policies.",
+	}
+
+	command.AddCommand(
+		policyCmd(),
+	)
+
+	return command
+}

cmd/notation/blob/policy.go

@@ -0,0 +1,86 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package blob
+
+import (
+	"fmt"
+
+	"github.com/notaryproject/notation/cmd/notation/internal/policy"
+	"github.com/spf13/cobra"
+)
+
+func policyCmd() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "policy [command]",
+		Short: "manage trust policy configuration for signed blobs",
+		Long:  "Manage trust policy configuration for arbitrary blob signature verification.",
+	}
+
+	command.AddCommand(
+		importCmd(),
+		showCmd(),
+	)
+
+	return command
+}
+
+type importOpts struct {
+	filePath string
+	force    bool
+}
+
+func importCmd() *cobra.Command {
+	var opts importOpts
+	command := &cobra.Command{
+		Use:   "import [flags] <file_path>",
+		Short: "import trust policy configuration from a JSON file",
+		Long: `Import blob trust policy configuration from a JSON file.
+
+Example - Import trust policy configuration from a file:
+  notation blob policy import my_policy.json
+`,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("requires 1 argument but received %d.\nUsage: notation blob policy import <path-to-policy.json>\nPlease specify a trust policy file location as the argument", len(args))
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.filePath = args[0]
+			return policy.Import(opts.filePath, opts.force, false)
+		},
+	}
+	command.Flags().BoolVar(&opts.force, "force", false, "override the existing trust policy configuration, never prompt")
+	return command
+}
+
+func showCmd() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "show [flags]",
+		Short: "show trust policy configuration",
+		Long: `Show blob trust policy configuration.
+
+Example - Show current blob trust policy configuration:
+  notation blob policy show
+
+Example - Save current blob trust policy configuration to a file:
+  notation blob policy show > my_policy.json
+`,
+		Args: cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return policy.Show(false)
+		},
+	}
+	return command
+}

cmd/notation/internal/policy/import.go

@@ -0,0 +1,102 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package policy
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation-go/verifier/trustpolicy"
+	"github.com/notaryproject/notation/cmd/notation/internal/cmdutil"
+	"github.com/notaryproject/notation/internal/osutil"
+)
+
+type policy interface {
+	Validate() error
+}
+
+// Import imports trust policy configuration from a JSON file.
+//
+// - If force is true, it will override the existing trust policy configuration
+// without prompting.
+// - If isOciPolicy is true, it will import OCI trust policy configuration.
+// Otherwise, it will import blob trust policy configuration.
+func Import(filePath string, force, isOCIPolicy bool) error {
+	// read configuration
+	policyJSON, err := os.ReadFile(filePath)
+	if err != nil {
+		return fmt.Errorf("failed to read trust policy file: %w", err)
+	}
+
+	// parse and validate
+	var doc policy = &trustpolicy.OCIDocument{}
+	if !isOCIPolicy {
+		doc = &trustpolicy.BlobDocument{}
+	}
+	if err = json.Unmarshal(policyJSON, doc); err != nil {
+		return fmt.Errorf("failed to parse trust policy configuration: %w", err)
+	}
+	if err = doc.Validate(); err != nil {
+		return fmt.Errorf("failed to validate trust policy: %w", err)
+	}
+
+	// optional confirmation
+	if !force {
+		if isOCIPolicy {
+			_, err = trustpolicy.LoadDocument()
+		} else {
+			_, err = trustpolicy.LoadBlobDocument()
+		}
+		if err == nil {
+			confirmed, err := cmdutil.AskForConfirmation(os.Stdin, "The trust policy file already exists, do you want to overwrite it?", force)
+			if err != nil {
+				return err
+			}
+			if !confirmed {
+				return nil
+			}
+		}
+	} else {
+		fmt.Fprintln(os.Stderr, "Warning: existing trust policy configuration file will be overwritten")
+	}
+
+	// write
+	trustPolicyName := dir.PathOCITrustPolicy
+	if !isOCIPolicy {
+		trustPolicyName = dir.PathBlobTrustPolicy
+	}
+	policyPath, err := dir.ConfigFS().SysPath(trustPolicyName)
+	if err != nil {
+		return fmt.Errorf("failed to obtain path of trust policy file: %w", err)
+	}
+	if err = osutil.WriteFile(policyPath, policyJSON); err != nil {
+		return fmt.Errorf("failed to write trust policy file: %w", err)
+	}
+
+	// clear old trust policy
+	if isOCIPolicy {
+		oldPolicyPath, err := dir.ConfigFS().SysPath(dir.PathTrustPolicy)
+		if err != nil {
+			return fmt.Errorf("failed to obtain path of trust policy file: %w", err)
+		}
+		if err := osutil.RemoveIfExists(oldPolicyPath); err != nil {
+			fmt.Fprintf(os.Stderr, "Warning: failed to clear old trust policy %q: %v\n", oldPolicyPath, err)
+		}
+	}
+
+	_, err = fmt.Fprintln(os.Stdout, "Trust policy configuration imported successfully.")
+	return err
+}

cmd/notation/internal/policy/show.go

@@ -0,0 +1,88 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package policy
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+
+	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation-go/verifier/trustpolicy"
+)
+
+// Show shows trust policy configuration.
+//
+// - If isOciPolicy is true, it will show OCI trust policy configuration.
+// Otherwise, it will show blob trust policy configuration.
+func Show(isOCIPolicy bool) error {
+	var (
+		doc        policy
+		policyJSON []byte
+		err        error
+	)
+	if isOCIPolicy {
+		doc = &trustpolicy.OCIDocument{}
+		policyJSON, err = loadOCIDocument()
+	} else {
+		doc = &trustpolicy.BlobDocument{}
+		policyJSON, err = loadBlobDocument()
+	}
+	if err != nil {
+		if errors.Is(err, fs.ErrNotExist) {
+			return fmt.Errorf("failed to show trust policy as the trust policy file does not exist.\nYou can import one using `notation policy import <path-to-policy.json>`")
+		}
+		return fmt.Errorf("failed to show trust policy: %w", err)
+	}
+
+	if err = json.Unmarshal(policyJSON, &doc); err == nil {
+		err = doc.Validate()
+	}
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %s\n", err.Error())
+		fmt.Fprintf(os.Stderr, "Existing trust policy configuration is invalid, you may update or create a new one via `notation policy import <path-to-policy.json>`\n")
+		// not returning to show the invalid policy configuration
+	}
+
+	// show policy content
+	_, err = os.Stdout.Write(policyJSON)
+	return err
+}
+
+func loadOCIDocument() ([]byte, error) {
+	f, err := dir.ConfigFS().Open(dir.PathOCITrustPolicy)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return nil, err
+		}
+		f, err = dir.ConfigFS().Open(dir.PathTrustPolicy)
+		if err != nil {
+			return nil, err
+		}
+	}
+	defer f.Close()
+	return io.ReadAll(f)
+}
+
+func loadBlobDocument() ([]byte, error) {
+	f, err := dir.ConfigFS().Open(dir.PathBlobTrustPolicy)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	return io.ReadAll(f)
+}

cmd/notation/main.go

@@ -17,6 +17,7 @@ import (
 	"os"
 
 	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation/cmd/notation/blob"
 	"github.com/notaryproject/notation/cmd/notation/cert"
 	"github.com/notaryproject/notation/cmd/notation/plugin"
 	"github.com/notaryproject/notation/cmd/notation/policy"
@@ -51,6 +52,7 @@ func main() {
 		},
 	}
 	cmd.AddCommand(
+		blob.Cmd(),
 		signCommand(nil),
 		verifyCommand(nil),
 		listCommand(nil),

cmd/notation/policy/import.go

@@ -14,14 +14,9 @@
 package policy
 
 import (
-	"encoding/json"
 	"fmt"
-	"os"
 
-	"github.com/notaryproject/notation-go/dir"
-	"github.com/notaryproject/notation-go/verifier/trustpolicy"
-	"github.com/notaryproject/notation/cmd/notation/internal/cmdutil"
-	"github.com/notaryproject/notation/internal/osutil"
+	"github.com/notaryproject/notation/cmd/notation/internal/policy"
 	"github.com/spf13/cobra"
 )
 
@@ -50,52 +45,9 @@ Example - Import trust policy configuration from a file:
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.filePath = args[0]
-			return runImport(cmd, opts)
+			return policy.Import(opts.filePath, opts.force, true)
 		},
 	}
 	command.Flags().BoolVar(&opts.force, "force", false, "override the existing trust policy configuration, never prompt")
 	return command
 }
-
-func runImport(command *cobra.Command, opts importOpts) error {
-	// read configuration
-	policyJSON, err := os.ReadFile(opts.filePath)
-	if err != nil {
-		return fmt.Errorf("failed to read trust policy file: %w", err)
-	}
-
-	// parse and validate
-	var doc trustpolicy.Document
-	if err = json.Unmarshal(policyJSON, &doc); err != nil {
-		return fmt.Errorf("failed to parse trust policy configuration: %w", err)
-	}
-	if err = doc.Validate(); err != nil {
-		return fmt.Errorf("failed to validate trust policy: %w", err)
-	}
-
-	// optional confirmation
-	if !opts.force {
-		if _, err := trustpolicy.LoadDocument(); err == nil {
-			confirmed, err := cmdutil.AskForConfirmation(os.Stdin, "The trust policy file already exists, do you want to overwrite it?", opts.force)
-			if err != nil {
-				return err
-			}
-			if !confirmed {
-				return nil
-			}
-		}
-	} else {
-		fmt.Fprintln(os.Stderr, "Warning: existing trust policy configuration file will be overwritten")
-	}
-
-	// write
-	policyPath, err := dir.ConfigFS().SysPath(dir.PathTrustPolicy)
-	if err != nil {
-		return fmt.Errorf("failed to obtain path of trust policy file: %w", err)
-	}
-	if err = osutil.WriteFile(policyPath, policyJSON); err != nil {
-		return fmt.Errorf("failed to write trust policy file: %w", err)
-	}
-	_, err = fmt.Fprintln(os.Stdout, "Trust policy configuration imported successfully.")
-	return err
-}