fix: do not recreate trustpolicy secret if the content doesn't change (#1800)

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>

pkg/extensions/imagetrust/image_trust_test.go

@@ -709,6 +709,15 @@ func TestAWSTrustStore(t *testing.T) {
 			},
 		}
 
+		secretsManagerCacheMock := mocks.SecretsManagerCacheMock{
+			GetSecretStringFn: func(secretID string) (string, error) {
+				return "", errUnexpectedError
+			},
+		}
+
+		_, err = imagetrust.NewCertificateAWSStorage(secretsManagerMock, secretsManagerCacheMock)
+		So(err, ShouldNotBeNil)
+
 		_, err = imagetrust.NewCertificateAWSStorage(secretsManagerMock, smCache)
 		So(err, ShouldNotBeNil)
 
@@ -913,21 +922,21 @@ func TestAWSTrustStore(t *testing.T) {
 
 		manifestDigest := image.Digest()
 
-		smanager, err := imagetrust.GetSecretsManagerClient("us-east-2", os.Getenv("DYNAMODBMOCK_ENDPOINT"))
+		secretsManagerMock := mocks.SecretsManagerMock{
-		So(err, ShouldBeNil)
+			CreateSecretFn: func(ctx context.Context, params *secretsmanager.CreateSecretInput,
+				optFns ...func(*secretsmanager.Options),
+			) (*secretsmanager.CreateSecretOutput, error) {
+				return &secretsmanager.CreateSecretOutput{}, nil
+			},
+		}
 
-		smCache := imagetrust.GetSecretsManagerRetrieval("us-east-2", os.Getenv("DYNAMODBMOCK_ENDPOINT"))
+		secretsManagerCacheMock := mocks.SecretsManagerCacheMock{
+			GetSecretStringFn: func(secretID string) (string, error) {
+				return "", errUnexpectedError
+			},
+		}
 
-		notationStorage, err := imagetrust.NewCertificateAWSStorage(smanager, smCache)
+		notationStorage, err := imagetrust.NewCertificateAWSStorage(secretsManagerMock, secretsManagerCacheMock)
-		So(err, ShouldBeNil)
-
-		force := true
-
-		_, err = smanager.DeleteSecret(context.Background(),
-			&secretsmanager.DeleteSecretInput{
-				SecretId:                   &trustpolicy,
-				ForceDeleteWithoutRecovery: &force,
-			})
 		So(err, ShouldBeNil)
 
 		imgTrustStore := &imagetrust.ImageTrustStore{
@@ -948,104 +957,61 @@ func TestAWSTrustStore(t *testing.T) {
 
 		manifestDigest := image.Digest()
 
-		smanager, err := imagetrust.GetSecretsManagerClient("us-east-2", os.Getenv("DYNAMODBMOCK_ENDPOINT"))
+		secretsManagerMock := mocks.SecretsManagerMock{
-		So(err, ShouldBeNil)
+			CreateSecretFn: func(ctx context.Context, params *secretsmanager.CreateSecretInput,
+				optFns ...func(*secretsmanager.Options),
+			) (*secretsmanager.CreateSecretOutput, error) {
+				return &secretsmanager.CreateSecretOutput{}, nil
+			},
+		}
 
-		smCache := imagetrust.GetSecretsManagerRetrieval("us-east-2", os.Getenv("DYNAMODBMOCK_ENDPOINT"))
+		secretsManagerCacheMock := mocks.SecretsManagerCacheMock{
+			GetSecretStringFn: func(secretID string) (string, error) {
+				return "invalid content", nil
+			},
+		}
 
-		notationStorage, err := imagetrust.NewCertificateAWSStorage(smanager, smCache)
+		notationStorage, err := imagetrust.NewCertificateAWSStorage(secretsManagerMock, secretsManagerCacheMock)
 		So(err, ShouldBeNil)
 
 		imgTrustStore := &imagetrust.ImageTrustStore{
 			NotationStorage: notationStorage,
 		}
 
-		force := true
-
-		_, err = smanager.DeleteSecret(context.Background(),
-			&secretsmanager.DeleteSecretInput{
-				SecretId:                   &trustpolicy,
-				ForceDeleteWithoutRecovery: &force,
-			})
-		So(err, ShouldBeNil)
-
-		description := "notation trustpolicy file"
-		secret := "invalid content"
-
-		_, err = smanager.CreateSecret(context.Background(),
-			&secretsmanager.CreateSecretInput{
-				Name:         &trustpolicy,
-				Description:  &description,
-				SecretString: &secret,
-			})
-		So(err, ShouldBeNil)
-
 		_, _, _, err = imgTrustStore.VerifySignature("notation", []byte("signature"), "", manifestDigest,
 			manifestContent, repo)
 		So(err, ShouldNotBeNil)
 
-		smanager, err = imagetrust.GetSecretsManagerClient("us-east-2", os.Getenv("DYNAMODBMOCK_ENDPOINT"))
+		secretsManagerCacheMock = mocks.SecretsManagerCacheMock{
-		So(err, ShouldBeNil)
+			GetSecretStringFn: func(secretID string) (string, error) {
+				return base64.StdEncoding.EncodeToString([]byte("invalid content")), nil
+			},
+		}
 
-		smCache = imagetrust.GetSecretsManagerRetrieval("us-east-2", os.Getenv("DYNAMODBMOCK_ENDPOINT"))
+		notationStorage, err = imagetrust.NewCertificateAWSStorage(secretsManagerMock, secretsManagerCacheMock)
-
-		notationStorage, err = imagetrust.NewCertificateAWSStorage(smanager, smCache)
 		So(err, ShouldBeNil)
 
 		imgTrustStore = &imagetrust.ImageTrustStore{
 			NotationStorage: notationStorage,
 		}
 
-		_, err = smanager.DeleteSecret(context.Background(),
-			&secretsmanager.DeleteSecretInput{
-				SecretId:                   &trustpolicy,
-				ForceDeleteWithoutRecovery: &force,
-			})
-		So(err, ShouldBeNil)
-
-		newSecret := base64.StdEncoding.EncodeToString([]byte(secret))
-
-		_, err = smanager.CreateSecret(context.Background(),
-			&secretsmanager.CreateSecretInput{
-				Name:         &trustpolicy,
-				Description:  &description,
-				SecretString: &newSecret,
-			})
-		So(err, ShouldBeNil)
-
 		_, _, _, err = imgTrustStore.VerifySignature("notation", []byte("signature"), "", manifestDigest,
 			manifestContent, repo)
 		So(err, ShouldNotBeNil)
 
-		smanager, err = imagetrust.GetSecretsManagerClient("us-east-2", os.Getenv("DYNAMODBMOCK_ENDPOINT"))
+		secretsManagerCacheMock = mocks.SecretsManagerCacheMock{
-		So(err, ShouldBeNil)
+			GetSecretStringFn: func(secretID string) (string, error) {
+				return base64.StdEncoding.EncodeToString([]byte(`{"Version": {"bad": "input"}}`)), nil
+			},
+		}
 
-		smCache = imagetrust.GetSecretsManagerRetrieval("us-east-2", os.Getenv("DYNAMODBMOCK_ENDPOINT"))
+		notationStorage, err = imagetrust.NewCertificateAWSStorage(secretsManagerMock, secretsManagerCacheMock)
-
-		notationStorage, err = imagetrust.NewCertificateAWSStorage(smanager, smCache)
 		So(err, ShouldBeNil)
 
 		imgTrustStore = &imagetrust.ImageTrustStore{
 			NotationStorage: notationStorage,
 		}
 
-		_, err = smanager.DeleteSecret(context.Background(),
-			&secretsmanager.DeleteSecretInput{
-				SecretId:                   &trustpolicy,
-				ForceDeleteWithoutRecovery: &force,
-			})
-		So(err, ShouldBeNil)
-
-		newSecret = base64.StdEncoding.EncodeToString([]byte(`{"Version": {"bad": "input"}}`))
-
-		_, err = smanager.CreateSecret(context.Background(),
-			&secretsmanager.CreateSecretInput{
-				Name:         &trustpolicy,
-				Description:  &description,
-				SecretString: &newSecret,
-			})
-		So(err, ShouldBeNil)
-
 		_, _, _, err = imgTrustStore.VerifySignature("notation", []byte("signature"), "", manifestDigest,
 			manifestContent, repo)
 		So(err, ShouldNotBeNil)

pkg/extensions/imagetrust/notation.go

@@ -171,6 +171,16 @@ func (cloud *CertificateAWSStorage) InitTrustpolicy(trustpolicy []byte) error {
 
 	_, err := cloud.secretsManagerClient.CreateSecret(context.Background(), secretInputParam)
 	if err != nil && strings.Contains(err.Error(), "the secret trustpolicy already exists.") {
+		trustpolicyContent, err := cloud.secretsManagerCache.GetSecretString(name)
+		if err != nil {
+			return err
+		}
+
+		existingTrustpolicy, err := base64.StdEncoding.DecodeString(trustpolicyContent)
+		if err == nil && bytes.Equal(trustpolicy, existingTrustpolicy) {
+			return nil
+		}
+
 		force := true
 
 		deleteSecretParam := &secretsmanager.DeleteSecretInput{