feat: add a method for parsing the descriptor from a payload

[byronchien]

Adds a helper to get the descriptor from the payload. Needed here instead of in notation-core-go since the payload needs to be parsed to envelope.Payload (in notation-go internal)

suggested order for review: notation-go #261 (this one) => notation-core-go #111 => notation #527 =>notation #528

Signed-off-by: Byron Chien chienb@amazon.com

[patrickzheng200]

Just an open discussion, where are we using this new method? Looks like it's a helper function but not used in notation.go.

[byronchien]

Just an open discussion, where are we using this new method? Looks like it's a helper function but not used in notation.go.

using this function in inspect (PR here). Added the helper in notation-go rather than notation since it relies on a type not exported from notation-go (envelope.Payload).

[patrickzheng200]

Just an open discussion, where are we using this new method? Looks like it's a helper function but not used in notation.go.

using this function in inspect (PR here). Added the helper in notation-go rather than notation since it relies on a type not exported from notation-go (envelope.Payload).

I see. IMO, notation.go should only expose APIs related to the core processes such as Sign and Verify. As a library code, this is to keep notation-go as clean as possible. Notation CLI also has its own internal/envelope file. We could add envelope.Payload struct to this file and move this helper function into Notation CLI.
(Note: notation CLI is one of the users of notation-go library. there will be non-CLI users as well.)

[byronchien]

Just an open discussion, where are we using this new method? Looks like it's a helper function but not used in notation.go.

using this function in inspect (PR here). Added the helper in notation-go rather than notation since it relies on a type not exported from notation-go (envelope.Payload).

I see. IMO, notation.go should only expose APIs related to the core processes such as Sign and Verify. As a library code, this is to keep notation-go as clean as possible. Notation CLI also has its own internal/envelope file. We could add envelope.Payload struct to this file and move this helper function into Notation CLI. (Note: notation CLI is one of the users of notation-go library. there will be non-CLI users as well.)

makes sense, will add the struct and helper to notation instead

[shizhMSFT]

According to effective go, Get prefix should be dropped.

Suggested change

	func GetDescriptorFromPayload(payload *signature.Payload) (*ocispec.Descriptor, error) {
	func DescriptorFromPayload(payload *signature.Payload) (*ocispec.Descriptor, error) {

[shizhMSFT]

Note: the descriptor was signed but may not be trusted.

[shizhMSFT]

The word Payload in DescriptorFromPayload is too broad. Consider DescriptorFromSignaturePayload.

[shizhMSFT]

Security concern: payload media type is not checked before parsing.

[byronchien]

can parse the payload to an intermediate struct to check mediatype before parsing to the final payload struct.

[byronchien]

added DescriptorFromSignaturePayload to notation in #528