feat: plugins as OCI artifacts

.devcontainer/Dockerfile

@@ -31,6 +31,10 @@ RUN curl -Lo oras.tar.gz https://github.com/oras-project/oras/releases/download/
   && mv oras-install/oras /usr/local/bin/ \
   && rm -rf ./oras-install oras.tar.gz
 
+ARG KUBEBUILDER_VERSION="3.8.0"
+RUN curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/kubebuilder_linux_amd64 -o /usr/local/bin/kubebuilder \
+  && chmod +x /usr/local/bin/kubebuilder
+
 # [Optional] Uncomment this section to install additional OS packages.
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
   && apt-get -y install --no-install-recommends protobuf-compiler libprotobuf-dev

api/v1alpha1/store_types.go

@@ -29,6 +29,8 @@ type StoreSpec struct {
 	Name string `json:"name,omitempty"`
 	// Plugin path, optional
 	Address string `json:"address,omitempty"`
+	// OCI Artifact source to download the plugin from, optional
+	Source string `json:"source,omitempty"`
 
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// Parameters of the store

api/v1alpha1/verifier_types.go

@@ -34,6 +34,9 @@ type VerifierSpec struct {
 	// # Optional. URL/file path
 	Address string `json:"address,omitempty"`
 
+	// OCI Artifact source to download the plugin from, optional
+	Source string `json:"source,omitempty"`
+
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// Parameters for this verifier
 	Parameters runtime.RawExtension `json:"parameters,omitempty"`

charts/ratify/crds/store-customresourcedefinition.yaml

@@ -39,10 +39,13 @@ spec:
                 description: Parameters of this store
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              source:
+                description: OCI Artifact source to download the plugin from, optional
+                type: string
             type: object
           status:
             description: StoreStatus defines the observed state of Store
             type: object
         type: object
     served: true
-    storage: true
+    storage: true

charts/ratify/crds/verifier-customresourcedefinition.yaml

@@ -42,10 +42,13 @@ spec:
                 description: Parameters of this verifier
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              source:
+                description: OCI Artifact source to download the plugin from, optional
+                type: string
             type: object
           status:
             description: VerifierStatus defines the observed state of Verifier
             type: object
         type: object
     served: true
-    storage: true
+    storage: true

config/crd/bases/config.ratify.deislabs.io_stores.yaml

@@ -45,6 +45,9 @@ spec:
                 description: Parameters of the store
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              source:
+                description: OCI Artifact source to download the plugin from, optional
+                type: string
             type: object
           status:
             description: StoreStatus defines the observed state of Store

config/crd/bases/config.ratify.deislabs.io_verifiers.yaml

@@ -48,6 +48,9 @@ spec:
                 description: Parameters for this verifier
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              source:
+                description: OCI Artifact source to download the plugin from, optional
+                type: string
             type: object
           status:
             description: VerifierStatus defines the observed state of Verifier

config/samples/config_v1alpha1_verifier_sample.yaml

@@ -0,0 +1,9 @@
+apiVersion: config.ratify.deislabs.io/v1alpha1
+kind: Verifier
+metadata:
+  name: verifier-sample
+spec:
+  name: sample
+  artifactTypes: application/spdx+json
+  source: noelfdpo.azurecr.io/sample-plugin:v1
+  parameters: {}

httpserver/Dockerfile

@@ -34,7 +34,7 @@ ARG RATIFY_FOLDER=$HOME/.ratify/
 WORKDIR /
 
 COPY --from=builder /app/out/ratify /app/
-COPY --from=builder /app/out/plugins ${RATIFY_FOLDER}/plugins
+COPY --from=builder --chown=65532:65532 /app/out/plugins ${RATIFY_FOLDER}/plugins
 COPY --from=builder /app/config/config.json ${RATIFY_FOLDER}
 
 ENV RATIFY_CONFIG=${RATIFY_FOLDER}

pkg/common/plugin/download.go

@@ -0,0 +1,111 @@
+package plugin
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"time"
+
+	"github.com/deislabs/ratify/pkg/ocispecs"
+	"github.com/deislabs/ratify/pkg/referrerstore/oras/authprovider"
+	"github.com/sirupsen/logrus"
+	"oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
+)
+
+func DownloadPlugin(name string, source string, pluginBinDir string) error {
+	ctx := context.TODO()
+
+	// Initialize a repository
+	repository, err := remote.NewRepository(source)
+	if err != nil {
+		return err
+	}
+
+	// TODO: move the ORAS auth code into a separate package that's not referrerstore-specific
+	repository.Client = &auth.Client{
+		Client: &http.Client{Timeout: 10 * time.Second, Transport: http.DefaultTransport.(*http.Transport).Clone()},
+		Header: http.Header{
+			"User-Agent": {"ratify"},
+		},
+		Cache: auth.NewCache(),
+		Credential: func(ctx context.Context, registry string) (auth.Credential, error) {
+			authProvider, err := authprovider.CreateAuthProviderFromConfig(nil)
+			if err != nil {
+				return auth.EmptyCredential, err
+			}
+
+			authConfig, err := authProvider.Provide(ctx, source)
+			if err != nil {
+				return auth.EmptyCredential, err
+			}
+
+			if authConfig.Username != "" || authConfig.Password != "" || authConfig.IdentityToken != "" {
+				return auth.Credential{
+					Username:     authConfig.Username,
+					Password:     authConfig.Password,
+					RefreshToken: authConfig.IdentityToken,
+				}, nil
+			}
+			return auth.EmptyCredential, nil
+		},
+	}
+
+	// read the reference manifest
+	logrus.Infof("Downloading plugin %s from %s", name, source)
+	referenceManifestDescriptor, err := repository.Resolve(ctx, source)
+	if err != nil {
+		return err
+	}
+	logrus.Debugf("Resolved plugin manifest: %v", referenceManifestDescriptor)
+
+	manifestReader, err := repository.Fetch(ctx, referenceManifestDescriptor)
+	if err != nil {
+		return err
+	}
+
+	manifestBytes, err := io.ReadAll(manifestReader)
+	if err != nil {
+		return err
+	}
+
+	referenceManifest := ocispecs.ReferenceManifest{}
+	if err := json.Unmarshal(manifestBytes, &referenceManifest); err != nil {
+		return err
+	}
+
+	// Download the contents of the first blob as the named plugin. This matches `oras push registry.example.com/sample-plugin:v1 ./sample`
+	// TODO: should this be "first/only blob of media type `application/vnd.ratify.plugin`"?
+	blobReference := fmt.Sprintf("%s@%s", source, referenceManifest.Blobs[0].Digest)
+	logrus.Debugf("Downloading blob %s", blobReference)
+	_, blobReader, err := repository.Blobs().FetchReference(ctx, blobReference)
+	if err != nil {
+		return err
+	}
+
+	pluginPath := path.Join(pluginBinDir, name)
+	logrus.Infof("Downloading plugin %s to %s", name, pluginPath)
+	pluginFile, err := os.Create(pluginPath)
+	if err != nil {
+		return err
+	}
+
+	defer pluginFile.Close()
+	_, err = io.Copy(pluginFile, blobReader)
+	if err != nil {
+		return err
+	}
+
+	// Mark the plugin as executable
+	logrus.Debugf("Marking plugin %s as executable", pluginPath)
+	err = os.Chmod(pluginPath, 0700)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/controllers/store_controller.go

@@ -130,6 +130,7 @@ func specToStoreConfig(storeSpec configv1alpha1.StoreSpec) (rc.StorePluginConfig
 		}
 	}
 	storeConfig[types.Name] = storeSpec.Name
+	storeConfig[types.Source] = storeSpec.Source
 
 	return storeConfig, nil
 }

pkg/controllers/verifier_controller.go

@@ -133,6 +133,7 @@ func specToVerifierConfig(verifierSpec configv1alpha1.VerifierSpec) (vc.Verifier
 
 	verifierConfig[types.Name] = verifierSpec.Name
 	verifierConfig[types.ArtifactTypes] = verifierSpec.ArtifactTypes
+	verifierConfig[types.Source] = verifierSpec.Source
 
 	return verifierConfig, nil
 }

pkg/referrerstore/factory/factory.go

@@ -21,10 +21,12 @@ import (
 	"os"
 	"strings"
 
+	pluginCommon "github.com/deislabs/ratify/pkg/common/plugin"
 	"github.com/deislabs/ratify/pkg/referrerstore"
 	"github.com/deislabs/ratify/pkg/referrerstore/config"
 	"github.com/deislabs/ratify/pkg/referrerstore/plugin"
 	"github.com/deislabs/ratify/pkg/referrerstore/types"
+	"github.com/sirupsen/logrus"
 )
 
 var builtInStores = make(map[string]StoreFactory)
@@ -57,6 +59,16 @@ func CreateStoreFromConfig(storeConfig config.StorePluginConfig, configVersion s
 		return nil, fmt.Errorf("invalid plugin name for a store: %s", storeName)
 	}
 
+	// if source is specified, download the plugin
+	if source, ok := storeConfig[types.Source]; ok && source != "" {
+		sourceStr := fmt.Sprintf("%s", source)
+		err := pluginCommon.DownloadPlugin(storeNameStr, sourceStr, pluginBinDir[0])
+		if err != nil {
+			return nil, fmt.Errorf("failed to download plugin: %v", err)
+		}
+		logrus.Infof("downloaded store plugin %s from %s to %s", storeNameStr, sourceStr, pluginBinDir[0])
+	}
+
 	storeFactory, ok := builtInStores[storeNameStr]
 	if ok {
 		return storeFactory.Create(configVersion, storeConfig)

pkg/referrerstore/types/types.go

@@ -27,6 +27,7 @@ const (
 	SpecVersion string = "0.1.0"
 	Version     string = "version"
 	Name        string = "name"
+	Source      string = "source"
 )
 
 const (

pkg/verifier/factory/factory.go

@@ -21,6 +21,7 @@ import (
 	"os"
 	"strings"
 
+	pluginCommon "github.com/deislabs/ratify/pkg/common/plugin"
 	"github.com/deislabs/ratify/pkg/verifier"
 	"github.com/deislabs/ratify/pkg/verifier/config"
 	"github.com/deislabs/ratify/pkg/verifier/plugin"
@@ -59,6 +60,16 @@ func CreateVerifierFromConfig(verifierConfig config.VerifierConfig, configVersio
 		return nil, fmt.Errorf("invalid plugin name for a verifier: %s", verifierNameStr)
 	}
 
+	// if source is specified, download the plugin
+	if source, ok := verifierConfig[types.Source]; ok && source != "" {
+		sourceStr := fmt.Sprintf("%s", source)
+		err := pluginCommon.DownloadPlugin(verifierNameStr, sourceStr, pluginBinDir[0])
+		if err != nil {
+			return nil, fmt.Errorf("failed to download plugin: %v", err)
+		}
+		logrus.Infof("downloaded verifier plugin %s from %s to %s", verifierNameStr, sourceStr, pluginBinDir[0])
+	}
+
 	verifierFactory, ok := builtInVerifiers[verifierNameStr]
 	if ok {
 		return verifierFactory.Create(configVersion, verifierConfig)

pkg/verifier/types/types.go

@@ -28,6 +28,7 @@ const (
 	Name             string = "name"
 	ArtifactTypes    string = "artifactTypes"
 	NestedReferences string = "nestedReferences"
+	Source					 string = "source"
 )
 
 const (