remove inline function to verify helm charts in builder

aryan9600 · aryan9600 · commit a6bb5f0d5c9c · 2022-03-28T21:40:43.000+05:30
Signed-off-by: Sanskar Jaiswal &lt;jaiswalsanskar078@gmail.com&gt;
diff --git a/internal/helm/chart/builder_local.go b/internal/helm/chart/builder_local.go
@@ -26,7 +26,6 @@ import (
 	"github.com/Masterminds/semver/v3"
 	securejoin "github.com/cyphar/filepath-securejoin"
 	"helm.sh/helm/v3/pkg/chart/loader"
-	"helm.sh/helm/v3/pkg/provenance"
 	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/pkg/runtime/transform"
@@ -107,21 +106,6 @@ func (b *localChartBuilder) Build(ctx context.Context, ref Reference, p string,
 	requiresPackaging := isChartDir || opts.VersionMetadata != "" || len(opts.GetValuesFiles()) != 0
 
 	var provFilePath string
-	verifyProvFile := func(chart, provFile string) (*provenance.Verification, error) {
-		if opts.Keyring != nil {
-			if _, err := os.Stat(provFile); err != nil {
-				err = fmt.Errorf("could not load provenance file %s: %w", provFile, err)
-				return nil, &BuildError{Reason: ErrProvenanceVerification, Err: err}
-			}
-			ver, err := verifyChartWithProvFile(bytes.NewReader(opts.Keyring), chart, provFile)
-			if err != nil {
-				err = fmt.Errorf("failed to verify helm chart using provenance file: %w", err)
-				return nil, &BuildError{Reason: ErrProvenanceVerification, Err: err}
-			}
-			return ver, nil
-		}
-		return nil, nil
-	}
 
 	// If all the following is true, we do not need to package the chart:
 	// - Chart name from cached chart matches resolved name
@@ -135,16 +119,14 @@ func (b *localChartBuilder) Build(ctx context.Context, ref Reference, p string,
 				if result.Name == curMeta.Name && result.Version == curMeta.Version {
 					// We can only verify a cached chart with provenance file if we didn't
 					// package the chart ourselves, and instead stored it as is.
-					if !requiresPackaging {
+					if !requiresPackaging && opts.Keyring != nil {
 						provFilePath = provenanceFilePath(opts.CachedChart)
-						ver, err := verifyProvFile(opts.CachedChart, provFilePath)
+						ver, err := verifyChartWithProvFile(bytes.NewReader(opts.Keyring), opts.CachedChart, provFilePath)
 						if err != nil {
-							return nil, err
-						}
-						if ver != nil {
-							result.VerificationSignature = buildVerificationSig(ver)
-							result.ProvFilePath = provFilePath
+							return nil, &BuildError{Reason: ErrProvenanceVerification, Err: err}
 						}
+						result.VerificationSignature = buildVerificationSig(ver)
+						result.ProvFilePath = provFilePath
 					}
 					result.Path = opts.CachedChart
 					result.ValuesFiles = opts.GetValuesFiles()
@@ -158,18 +140,18 @@ func (b *localChartBuilder) Build(ctx context.Context, ref Reference, p string,
 	// If the chart at the path is already packaged and no custom values files
 	// options are set, we can copy the chart without making modifications
 	if !requiresPackaging {
-		provFilePath = provenanceFilePath(p)
 		if err = copyFileToPath(localRef.Path, p); err != nil {
 			return result, &BuildError{Reason: ErrChartPull, Err: err}
 		}
-		if err = copyFileToPath(provenanceFilePath(localRef.Path), provFilePath); err != nil {
-			return result, &BuildError{Reason: ErrChartPull, Err: err}
-		}
-		ver, err := verifyProvFile(localRef.Path, provFilePath)
-		if err != nil {
-			return nil, err
-		}
-		if ver != nil {
+		if opts.Keyring != nil {
+			provFilePath = provenanceFilePath(p)
+			if err = copyFileToPath(provenanceFilePath(localRef.Path), provFilePath); err != nil {
+				return result, &BuildError{Reason: ErrChartPull, Err: err}
+			}
+			ver, err := verifyChartWithProvFile(bytes.NewReader(opts.Keyring), localRef.Path, provFilePath)
+			if err != nil {
+				return nil, err
+			}
 			result.ProvFilePath = provFilePath
 			result.VerificationSignature = buildVerificationSig(ver)
 		}
diff --git a/internal/helm/chart/builder_remote.go b/internal/helm/chart/builder_remote.go
@@ -27,7 +27,6 @@ import (
 	helmchart "helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chart/loader"
 	"helm.sh/helm/v3/pkg/chartutil"
-	"helm.sh/helm/v3/pkg/provenance"
 	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/pkg/runtime/transform"
@@ -107,18 +106,6 @@ func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, o
 
 	requiresPackaging := len(opts.GetValuesFiles()) != 0 || opts.VersionMetadata != ""
 
-	verifyProvFile := func(chart, provFile string) (*provenance.Verification, error) {
-		if opts.Keyring != nil {
-			ver, err := verifyChartWithProvFile(bytes.NewReader(opts.Keyring), chart, provFile)
-			if err != nil {
-				err = fmt.Errorf("failed to verify helm chart using provenance file %s: %w", provFile, err)
-				return nil, &BuildError{Reason: ErrProvenanceVerification, Err: err}
-			}
-			return ver, nil
-		}
-		return nil, nil
-	}
-
 	var provFilePath string
 
 	// If all the following is true, we do not need to download and/or build the chart:
@@ -133,16 +120,14 @@ func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, o
 				if result.Name == curMeta.Name && result.Version == curMeta.Version {
 					// We can only verify a cached chart with provenance file if we didn't
 					// package the chart ourselves, and instead stored it as is.
-					if !requiresPackaging {
+					if !requiresPackaging && opts.Keyring != nil {
 						provFilePath = provenanceFilePath(opts.CachedChart)
-						ver, err := verifyProvFile(opts.CachedChart, provFilePath)
+						ver, err := verifyChartWithProvFile(bytes.NewReader(opts.Keyring), opts.CachedChart, provFilePath)
 						if err != nil {
 							return nil, err
 						}
-						if ver != nil {
-							result.ProvFilePath = provFilePath
-							result.VerificationSignature = buildVerificationSig(ver)
-						}
+						result.ProvFilePath = provFilePath
+						result.VerificationSignature = buildVerificationSig(ver)
 					}
 					result.Path = opts.CachedChart
 					result.ValuesFiles = opts.GetValuesFiles()
@@ -178,14 +163,13 @@ func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, o
 		if err != nil {
 			return nil, err
 		}
-		ver, err := verifyProvFile(chart.Name(), provFilePath)
+		ver, err := verifyChartWithProvFile(bytes.NewReader(opts.Keyring), chart.Name(), provFilePath)
+
 		if err != nil {
 			return nil, err
 		}
-		if ver != nil {
-			result.ProvFilePath = provFilePath
-			result.VerificationSignature = buildVerificationSig(ver)
-		}
+		result.ProvFilePath = provFilePath
+		result.VerificationSignature = buildVerificationSig(ver)
 	}
 
 	// Use literal chart copy from remote if no custom values files options are
diff --git a/internal/helm/chart/verify.go b/internal/helm/chart/verify.go
@@ -55,6 +55,9 @@ func verifyChartWithProvFile(keyring io.Reader, chartPath, provFilePath string)
 
 	sig := &provenance.Signatory{KeyRing: ring}
 	verification, err := sig.Verify(chartPath, provFilePath)
+	if err != nil {
+		err = fmt.Errorf("failed to verify helm chart using provenance file: %w", err)
+	}
 	return verification, err
 }
 

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,9 @@ func verifyChartWithProvFile(keyring io.Reader, chartPath, provFilePath string)`
`55`	`55`
`56`	`56`	`sig := &provenance.Signatory{KeyRing: ring}`
`57`	`57`	`verification, err := sig.Verify(chartPath, provFilePath)`
	`58`	`+ if err != nil {`
	`59`	`+ err = fmt.Errorf("failed to verify helm chart using provenance file: %w", err)`
	`60`	`+ }`
`58`	`61`	`return verification, err`
`59`	`62`	`}`
`60`	`63`