refactor: match distroless (#22)

MODULE.bazel

@@ -7,7 +7,7 @@ module(
 )
 
 bazel_dep(name = "bazel_skylib", version = "1.5.0")
-bazel_dep(name = "aspect_bazel_lib", version = "2.5.0")
+bazel_dep(name = "aspect_bazel_lib", version = "2.5.1")
 
 bazel_lib_toolchains = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
 bazel_lib_toolchains.tar()

distroless/BUILD.bazel

@@ -33,4 +33,5 @@ bzl_library(
     name = "toolchains",
     srcs = ["toolchains.bzl"],
     visibility = ["//visibility:public"],
+    deps = ["@aspect_bazel_lib//lib:repositories"],
 )

distroless/dependencies.bzl

@@ -17,7 +17,7 @@ def http_archive(name, **kwargs):
 # changes in this function should be marked as BREAKING in the commit message
 # and released only in semver majors.
 # This is all fixed by bzlmod, so we just tolerate it for now.
-def rules_distroless_dependencies():
+def distroless_dependencies():
     # The minimal version of bazel_skylib we require
     http_archive(
         name = "bazel_skylib",
@@ -30,7 +30,7 @@ def rules_distroless_dependencies():
 
     http_archive(
         name = "aspect_bazel_lib",
-        sha256 = "f5ea76682b209cc0bd90d0f5a3b26d2f7a6a2885f0c5f615e72913f4805dbb0d",
-        strip_prefix = "bazel-lib-2.5.0",
-        url = "https://github.com/aspect-build/bazel-lib/releases/download/v2.5.0/bazel-lib-v2.5.0.tar.gz",
+        sha256 = "a59096e01b43d86c6667a869f0e90e0c4b1d4cb03c3d3a972a32ff687c750ac2",
+        strip_prefix = "bazel-lib-2.5.1",
+        url = "https://github.com/aspect-build/bazel-lib/releases/download/v2.5.1/bazel-lib-v2.5.1.tar.gz",
     )

distroless/private/BUILD.bazel

@@ -57,6 +57,7 @@ bzl_library(
     srcs = ["passwd.bzl"],
     visibility = ["//distroless:__subpackages__"],
     deps = [
+        ":util",
         "@aspect_bazel_lib//lib:expand_template",
         "@aspect_bazel_lib//lib:tar",
         "@aspect_bazel_lib//lib:utils",
@@ -77,6 +78,7 @@ bzl_library(
     visibility = ["//distroless:__subpackages__"],
     deps = [
         ":tar",
+        ":util",
         "@aspect_bazel_lib//lib:tar",
     ],
 )
@@ -92,5 +94,14 @@ bzl_library(
     name = "tar",
     srcs = ["tar.bzl"],
     visibility = ["//distroless:__subpackages__"],
-    deps = ["@aspect_bazel_lib//lib:tar"],
+    deps = [
+        "@aspect_bazel_lib//lib:tar",
+        "@bazel_skylib//lib:sets",
+    ],
+)
+
+bzl_library(
+    name = "util",
+    srcs = ["util.bzl"],
+    visibility = ["//distroless:__subpackages__"],
 )

distroless/private/cacerts.bzl

@@ -53,8 +53,10 @@ def _cacerts_impl(ctx):
 
     output = ctx.actions.declare_file(ctx.attr.name + ".tar.gz")
     mtree = tar_lib.create_mtree(ctx)
-    mtree.add_file_with_parents("/etc/ssl/certs/ca-certificates.crt", cacerts)
-    mtree.add_file_with_parents("/usr/share/doc/ca-certificates/copyright", copyright)
+    mtree.add_parents("/etc/ssl/certs", time = ctx.attr.time)
+    mtree.add_file("/etc/ssl/certs/ca-certificates.crt", cacerts, time = ctx.attr.time, mode = ctx.attr.mode)
+    mtree.add_parents("/usr/share/doc/ca-certificates", time = ctx.attr.time)
+    mtree.add_file("/usr/share/doc/ca-certificates/copyright", copyright, time = ctx.attr.time, mode = ctx.attr.mode)
     mtree.build(output = output, mnemonic = "CaCertsTarGz", inputs = [cacerts, copyright])
 
     return [
@@ -74,6 +76,14 @@ cacerts = rule(
             allow_single_file = [".tar.xz", ".tar.gz", ".tar"],
             mandatory = True,
         ),
+        "mode": attr.string(
+            doc = "mode for the entries",
+            default = "0555",
+        ),
+        "time": attr.string(
+            doc = "time for the entries",
+            default = "0.0",
+        ),
     },
     implementation = _cacerts_impl,
     toolchains = [tar_lib.TOOLCHAIN_TYPE],

distroless/private/group.bzl

@@ -1,26 +1,22 @@
-"osrelease"
+"group"
 
-load("@aspect_bazel_lib//lib:expand_template.bzl", "expand_template")
 load("@aspect_bazel_lib//lib:tar.bzl", "tar")
 load("@aspect_bazel_lib//lib:utils.bzl", "propagate_common_rule_attributes")
 load("@bazel_skylib//rules:write_file.bzl", "write_file")
+load(":tar.bzl", "tar_lib")
+load(":util.bzl", "util")
 
-def _get_attr(o, k, d):
-    if k in o:
-        return o[k]
-    if hasattr(o, k):
-        return getattr(o, k)
-    return d
-
-def group(name, groups, **kwargs):
+def group(name, entries, time = "0.0", mode = "0644", **kwargs):
     """
     Create a group file from array of dicts.
 
     https://www.ibm.com/docs/en/aix/7.2?topic=files-etcgroup-file#group_security__a21597b8__title__1
 
     Args:
         name: name of the target
-        groups: an array of dicts which will be serialized into single group file.
+        entries: an array of dicts which will be serialized into single group file.
+        mode: mode for the entry
+        time: time for the entry
         **kwargs: other named arguments to expanded targets. see [common rule attributes](https://bazel.build/reference/be/common-definitions#common-attributes).
     """
     common_kwargs = propagate_common_rule_attributes(kwargs)
@@ -29,36 +25,29 @@ def group(name, groups, **kwargs):
         content = [
             # See https://www.ibm.com/docs/en/aix/7.2?topic=files-etcgroup-file#group_security__a3179518__title__1
             ":".join([
-                entry["name"],
-                _get_attr(entry, "password", "!"),  # not used. Group administrators are provided instead of group passwords.
-                str(entry["gid"]),
-                ",".join(entry["users"]),
+                util.get_attr(entry, "name"),
+                util.get_attr(entry, "password", "!"),  # not used. Group administrators are provided instead of group passwords.
+                str(util.get_attr(entry, "gid")),
+                ",".join(util.get_attr(entry, "users", [])),
             ])
-            for entry in groups
+            for entry in entries
         ] + [""],
         out = "%s.content" % name,
         **common_kwargs
     )
 
-    # TODO: remove this expansion target once https://github.com/aspect-build/bazel-lib/issues/653 is fixed.
-    expand_template(
-        name = "%s_mtree" % name,
-        out = "%s.mtree" % name,
-        data = [":%s_content" % name],
-        stamp = 0,
-        template = [
-            "#mtree",
-            "etc/group uid=0 gid=0 mode=0644 time=0.0 type=file content={content}",
-            "",
-        ],
-        substitutions = {
-            "{content}": "$(BINDIR)/$(rootpath :%s_content)" % name,
-        },
-        **common_kwargs
+    mtree = tar_lib.create_mtree()
+    mtree.entry(
+        "etc/group",
+        "file",
+        mode = mode,
+        time = time,
+        content = "$(BINDIR)/$(rootpath :%s_content)" % name,
     )
+
     tar(
         name = name,
         srcs = [":%s_content" % name],
-        mtree = ":%s_mtree" % name,
+        mtree = mtree.content(),
         **common_kwargs
     )

distroless/private/home.bzl

@@ -2,6 +2,7 @@
 
 load("@aspect_bazel_lib//lib:tar.bzl", "tar")
 load(":tar.bzl", "tar_lib")
+load(":util.bzl", "util")
 
 def home(name, dirs, **kwargs):
     """
@@ -12,22 +13,21 @@ def home(name, dirs, **kwargs):
         dirs: array of home directory dicts.
         **kwargs: other named arguments to that is passed to tar. see [common rule attributes](https://bazel.build/reference/be/common-definitions#common-attributes).
     """
-    mtree = []
+    mtree = tar_lib.create_mtree()
 
     for home in dirs:
-        mtree.extend(
-            tar_lib.mtree.add_directory_with_parents(
-                home["home"],
-                uid = str(home["uid"]),
-                gid = str(home["gid"]),
-                # the default matches https://github.com/bazelbuild/rules_docker/blob/3040e1fd74659a52d1cdaff81359f57ee0e2bb41/contrib/passwd.bzl#L81C24-L81C27
-                mode = getattr(home, "gid", "700"),
-            ),
+        mtree.add_dir(
+            util.get_attr(home, "home"),
+            uid = str(util.get_attr(home, "uid")),
+            gid = str(util.get_attr(home, "gid")),
+            time = str(util.get_attr(home, "time", 0)),
+            # the default matches https://github.com/bazelbuild/rules_docker/blob/3040e1fd74659a52d1cdaff81359f57ee0e2bb41/contrib/passwd.bzl#L81C24-L81C27
+            mode = str(util.get_attr(home, "mode", "700")),
         )
 
     tar(
         name = name,
         srcs = [],
-        mtree = mtree,
+        mtree = mtree.content(),
         **kwargs
     )

distroless/private/java_keystore.bzl

@@ -23,7 +23,8 @@ def _java_keystore_impl(ctx):
 
     output = ctx.actions.declare_file(ctx.attr.name + ".tar.gz")
     mtree = tar_lib.create_mtree(ctx)
-    mtree.add_file_with_parents("/etc/ssl/certs/java/cacerts", jks)
+    mtree.add_parents("/etc/ssl/certs/java", mode = ctx.attr.mode, time = ctx.attr.time)
+    mtree.add_file("/etc/ssl/certs/java/cacerts", jks, mode = ctx.attr.mode, time = ctx.attr.time)
     mtree.build(output = output, mnemonic = "JavaKeyStore", inputs = [jks])
 
     return [
@@ -46,6 +47,14 @@ java_keystore = rule(
             mandatory = True,
             allow_empty = False,
         ),
+        "mode": attr.string(
+            doc = "mode for the entries",
+            default = "0555",
+        ),
+        "time": attr.string(
+            doc = "time for the entries",
+            default = "0.0",
+        ),
     },
     implementation = _java_keystore_impl,
     toolchains = [

distroless/private/os_release.bzl

@@ -1,11 +1,17 @@
-"osrelease"
+"os release"
 
-load("@aspect_bazel_lib//lib:expand_template.bzl", "expand_template")
 load("@aspect_bazel_lib//lib:tar.bzl", "tar")
 load("@aspect_bazel_lib//lib:utils.bzl", "propagate_common_rule_attributes")
 load("@bazel_skylib//rules:write_file.bzl", "write_file")
+load(":tar.bzl", "tar_lib")
 
-def os_release(name, content, path = "/usr/lib/os-release", **kwargs):
+def os_release(
+        name,
+        content,
+        path = "/usr/lib/os-release",
+        mode = "0555",
+        time = "0",
+        **kwargs):
     """
     Create an Operating System Identification file from a key, value dictionary.
 
@@ -17,6 +23,8 @@ def os_release(name, content, path = "/usr/lib/os-release", **kwargs):
 
             See https://www.freedesktop.org/software/systemd/man/latest/os-release.html#Options for well known keys.
         path: where to put the file in the result archive. default: `/usr/lib/os-release`
+        mode: mode for the entry
+        time: time for the entry
         **kwargs: other named arguments to expanded targets. see [common rule attributes](https://bazel.build/reference/be/common-definitions#common-attributes).
     """
     common_kwargs = propagate_common_rule_attributes(kwargs)
@@ -30,25 +38,21 @@ def os_release(name, content, path = "/usr/lib/os-release", **kwargs):
         **common_kwargs
     )
 
-    # TODO: remove this expansion target once https://github.com/aspect-build/bazel-lib/issues/653 is fixed.
-    expand_template(
-        name = "%s_mtree" % name,
-        out = "%s.mtree" % name,
-        data = [":%s_content" % name],
-        stamp = 0,
-        template = [
-            "#mtree",
-            "%s uid=0 gid=0 mode=0755 time=0 type=file content={content}" % path.lstrip("/"),
-            "",
-        ],
-        substitutions = {
-            "{content}": "$(BINDIR)/$(rootpath :%s_content)" % name,
-        },
-        **common_kwargs
+    mtree = tar_lib.create_mtree()
+
+    i = path.rfind("/")
+    mtree.add_parents(path[0:i], time = time)
+    mtree.entry(
+        path.lstrip("/").lstrip("./"),
+        "file",
+        mode = mode,
+        time = time,
+        content = "$(BINDIR)/$(rootpath :%s_content)" % name,
     )
+
     tar(
         name = name,
         srcs = [":%s_content" % name],
-        mtree = ":%s_mtree" % name,
+        mtree = mtree.content(),
         **common_kwargs
     )

distroless/private/passwd.bzl

@@ -1,28 +1,29 @@
 "osrelease"
 
-load("@aspect_bazel_lib//lib:expand_template.bzl", "expand_template")
 load("@aspect_bazel_lib//lib:tar.bzl", "tar")
 load("@aspect_bazel_lib//lib:utils.bzl", "propagate_common_rule_attributes")
 load("@bazel_skylib//rules:write_file.bzl", "write_file")
+load(":tar.bzl", "tar_lib")
 
 # WARNING: the mode `0o644` is important
 # See: https://github.com/bazelbuild/rules_docker/blob/3040e1fd74659a52d1cdaff81359f57ee0e2bb41/contrib/passwd.bzl#L149C54-L149C57
-def passwd(name, passwds, mode = "644", **kwargs):
+def passwd(name, entries, mode = "0644", time = "0.0", **kwargs):
     """
     Create a passwd file from array of dicts.
 
     https://www.ibm.com/docs/en/aix/7.3?topic=passwords-using-etcpasswd-file
 
     Args:
         name: name of the target
-        passwds: an array of dicts which will be serialized into single passwd file.
+        entries: an array of dicts which will be serialized into single passwd file.
 
             An example;
 
             ```
             dict(gid = 0, uid = 0, home = "/root", shell = "/bin/bash", username = "root")
             ```
-        mode: the mode bits for the passwd file
+        mode: mode for the entry
+        time: time for the entry
         **kwargs: other named arguments to expanded targets. see [common rule attributes](https://bazel.build/reference/be/common-definitions#common-attributes).
     """
     common_kwargs = propagate_common_rule_attributes(kwargs)
@@ -39,32 +40,24 @@ def passwd(name, passwds, mode = "644", **kwargs):
                 entry["home"],
                 entry["shell"],
             ])
-            for entry in passwds
+            for entry in entries
         ] + [""],
         out = "%s.content" % name,
         **common_kwargs
     )
 
-    # TODO: remove this expansion target once https://github.com/aspect-build/bazel-lib/issues/653 is fixed.
-    expand_template(
-        name = "%s_mtree" % name,
-        out = "%s.mtree" % name,
-        data = [":%s_content" % name],
-        stamp = 0,
-        template = [
-            "#mtree",
-            "./etc/passwd uid=0 gid=0 mode={mode} time=0 type=file content={content}",
-            "",
-        ],
-        substitutions = {
-            "{content}": "$(BINDIR)/$(rootpath :%s_content)" % name,
-            "{mode}": mode,
-        },
-        **common_kwargs
+    mtree = tar_lib.create_mtree()
+    mtree.entry(
+        "/etc/passwd",
+        "file",
+        mode = mode,
+        time = time,
+        content = "$(BINDIR)/$(rootpath :%s_content)" % name,
     )
+
     tar(
         name = name,
         srcs = [":%s_content" % name],
-        mtree = ":%s_mtree" % name,
+        mtree = mtree.content(),
         **common_kwargs
     )