Merge pull request #1602 from technosophos/feat/fetch-prov

feat(helm): add 'helm fetch --prov' to fetch prov info

cmd/helm/downloader/chart_downloader.go

@@ -44,6 +44,10 @@ const (
 	// VerifyAlways will always attempt a verification, and will fail if the
 	// verification fails.
 	VerifyAlways
+	// VerifyLater will fetch verification data, but not do any verification.
+	// This is to accommodate the case where another step of the process will
+	// perform verification.
+	VerifyLater
 )
 
 // ChartDownloader handles downloading a chart.
@@ -65,6 +69,7 @@ type ChartDownloader struct {
 // If Verify is set to VerifyNever, the verification will be nil.
 // If Verify is set to VerifyIfPossible, this will return a verification (or nil on failure), and print a warning on failure.
 // If Verify is set to VerifyAlways, this will return a verification or an error if the verification fails.
+// If Verify is set to VerifyLater, this will download the prov file (if it exists), but not verify it.
 //
 // For VerifyNever and VerifyIfPossible, the Verification may be empty.
 //
@@ -104,11 +109,13 @@ func (c *ChartDownloader) DownloadTo(ref, version, dest string) (string, *proven
 			return destfile, nil, err
 		}
 
-		ver, err = VerifyChart(destfile, c.Keyring)
-		if err != nil {
-			// Fail always in this case, since it means the verification step
-			// failed.
-			return destfile, ver, err
+		if c.Verify != VerifyLater {
+			ver, err = VerifyChart(destfile, c.Keyring)
+			if err != nil {
+				// Fail always in this case, since it means the verification step
+				// failed.
+				return destfile, ver, err
+			}
 		}
 	}
 	return destfile, ver, nil

cmd/helm/downloader/chart_downloader_test.go

@@ -153,3 +153,47 @@ func TestDownloadTo(t *testing.T) {
 		return
 	}
 }
+
+func TestDownloadTo_VerifyLater(t *testing.T) {
+	hh, err := ioutil.TempDir("", "helm-downloadto-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(hh)
+
+	dest := filepath.Join(hh, "dest")
+	os.MkdirAll(dest, 0755)
+
+	// Set up a fake repo
+	srv := repotest.NewServer(hh)
+	defer srv.Stop()
+	if _, err := srv.CopyCharts("testdata/*.tgz*"); err != nil {
+		t.Error(err)
+		return
+	}
+
+	c := ChartDownloader{
+		HelmHome: helmpath.Home("testdata/helmhome"),
+		Out:      os.Stderr,
+		Verify:   VerifyLater,
+	}
+	cname := "/signtest-0.1.0.tgz"
+	where, _, err := c.DownloadTo(srv.URL()+cname, "", dest)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	if expect := filepath.Join(dest, cname); where != expect {
+		t.Errorf("Expected download to %s, got %s", expect, where)
+	}
+
+	if _, err := os.Stat(filepath.Join(dest, cname)); err != nil {
+		t.Error(err)
+		return
+	}
+	if _, err := os.Stat(filepath.Join(dest, cname+".prov")); err != nil {
+		t.Error(err)
+		return
+	}
+}

cmd/helm/fetch.go

@@ -51,8 +51,9 @@ type fetchCmd struct {
 	destdir  string
 	version  string
 
-	verify  bool
-	keyring string
+	verify      bool
+	verifyLater bool
+	keyring     string
 
 	out io.Writer
 }
@@ -82,6 +83,7 @@ func newFetchCmd(out io.Writer) *cobra.Command {
 	f.BoolVar(&fch.untar, "untar", false, "if set to true, will untar the chart after downloading it")
 	f.StringVar(&fch.untardir, "untardir", ".", "if untar is specified, this flag specifies the name of the directory into which the chart is expanded")
 	f.BoolVar(&fch.verify, "verify", false, "verify the package against its signature")
+	f.BoolVar(&fch.verifyLater, "prov", false, "fetch the provenance file, but don't perform verification")
 	f.StringVar(&fch.version, "version", "", "specific version of a chart. Without this, the latest version is fetched")
 	f.StringVar(&fch.keyring, "keyring", defaultKeyring(), "keyring containing public keys")
 	f.StringVarP(&fch.destdir, "destination", "d", ".", "location to write the chart. If this and tardir are specified, tardir is appended to this")
@@ -100,6 +102,8 @@ func (f *fetchCmd) run() error {
 
 	if f.verify {
 		c.Verify = downloader.VerifyAlways
+	} else if f.verifyLater {
+		c.Verify = downloader.VerifyLater
 	}
 
 	// If untar is set, we fetch to a tempdir, then untar and copy after