-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathaudit.ts
More file actions
348 lines (322 loc) · 10.7 KB
/
audit.ts
File metadata and controls
348 lines (322 loc) · 10.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
// SPDX-FileCopyrightText: 2026 Emily <hello@emily.moe>
//
// SPDX-License-Identifier: MIT
import {
assert,
assertEquals,
assertExists,
assertObjectMatch,
} from "@std/assert";
import {
createMessage,
type PublicKey,
readKey,
readSignature,
verify,
} from "openpgp";
import {
type Activity,
manuallyAuditedMergeCommits,
manuallyAuditedNixpkgsActivities,
manuallyAuditedNixpkgsPullRequestURLs,
manuallyAuditedNixpkgsRefActivityPullRequestURLs,
type NixpkgsPullRequestURL,
} from "./axioms.ts";
import { type Facts, fromJSONFacts, type ID, type JSONFacts } from "./facts.ts";
import type {
ActorInfoFragment,
CommitSignatureInfoFragment,
PullRequestInfoFragment,
RepositoryInfoFragment,
} from "./graphql/graphql.ts";
const jsonFacts: JSONFacts = JSON.parse(
await Deno.readTextFile("./facts.json"),
);
const {
affectedRepositories,
affectedUser,
webFlowUser,
rRyantmUser,
nixpkgsCIActor,
githubActionsActor,
committers,
trustedOpenPGPPublicKeys,
riskyPullRequests,
riskyRepositoryActivity,
}: Facts = fromJSONFacts(jsonFacts);
const nixpkgs: RepositoryInfoFragment = (() => {
const nixpkgs = affectedRepositories.values().find((
{ owner: { login }, name },
) => login === "NixOS" && name === "nixpkgs");
assertExists(nixpkgs);
return nixpkgs;
})();
const manuallyAuditedNixpkgsActivitiesByID: Map<ID, Omit<Activity, "actor">> =
new Map(
manuallyAuditedNixpkgsActivities.values().map((
activity,
) => [activity.node_id, activity]),
);
function activityWasManuallyAudited(
{ repository, activity }: {
repository: RepositoryInfoFragment;
activity: Activity;
},
): boolean {
const manuallyAuditedActivity = manuallyAuditedNixpkgsActivitiesByID.get(
activity.node_id,
);
if (manuallyAuditedActivity !== undefined) {
assertEquals(repository.id, nixpkgs.id);
assertObjectMatch(activity, manuallyAuditedActivity);
return true;
} else {
return false;
}
}
const knownMergeCommitOids = new Set(
riskyPullRequests.values().flatMap(({ mergeCommit }) =>
mergeCommit === null ? [] : [mergeCommit.oid]
),
);
function auditAffectedRepositoryActivity(): boolean {
return affectedRepositories.values().every((repository) => {
const riskyActivities = riskyRepositoryActivity.get(repository.id);
assertExists(riskyActivities);
return riskyActivities.values().every((activity) =>
activityWasManuallyAudited({ repository, activity }) ||
// Harmless.
activity.activity_type === "branch_deletion" ||
// Pull request merges are audited separately.
(
activity.activity_type === "pr_merge" &&
knownMergeCommitOids.has(activity.after)
)
);
});
}
// The GitHub API signature verification likes to return
// `GPGVERIFY_ERROR` a lot, so we have to verify signatures ourselves
// to get reliable results.
const trustedOpenPGPPublicKeyObjects: Map<ID, PublicKey[]> = new Map(
await Promise.all(
trustedOpenPGPPublicKeys.entries().map(async ([id, armoredKeys]) =>
[
id,
await Promise.all(
armoredKeys.map((armoredKey) => readKey({ armoredKey })),
),
] as const
),
),
);
async function verifyCommitSignature(
{ commit, committer }: {
commit: CommitSignatureInfoFragment;
committer: ActorInfoFragment;
},
): Promise<boolean> {
if (commit?.signature?.__typename !== "GpgSignature") {
return false;
}
const { signature: { payload, signature } } = commit;
const verificationKeys = trustedOpenPGPPublicKeyObjects.get(committer.id);
assertExists(verificationKeys);
const { signatures } = await verify({
message: await createMessage({ text: payload }),
signature: await readSignature({ armoredSignature: signature }),
verificationKeys,
config: {
// See <https://github.com/openpgpjs/openpgpjs/issues/1800> for
// some discussion. Expiry times are somewhat fake for Git commit
// signing to begin with anyway…
allowInsecureVerificationWithReformattedKeys: true,
},
});
return (await Promise.all(
signatures.flatMap(({ keyID, verified }) =>
verificationKeys.map(async (key) =>
key.getKeyID().equals(keyID) && await verified
)
),
)).some((verified) => verified);
}
// PR merge commits signed by GitHub’s signature are trusted to not
// do any funny business (conflict resolution, “evil merges”, etc.).
async function pullRequestMergeCommitIsTrusted(
{ state, mergeCommit }: PullRequestInfoFragment,
): Promise<boolean> {
return (
state !== "MERGED" || (
mergeCommit !== null &&
(
manuallyAuditedMergeCommits.has(mergeCommit.oid) ||
await verifyCommitSignature({
commit: mergeCommit,
committer: webFlowUser,
})
)
)
);
}
const trustedCommitterIDs: Set<ID> = new Set(
committers.values().map(({ id }) => id).filter((id) =>
id !== affectedUser.id
),
);
function pullRequestHasTrustedMerger(
{ mergedBy }: PullRequestInfoFragment,
): boolean {
return mergedBy !== null && trustedCommitterIDs.has(mergedBy?.id);
}
function pullRequestHeadCommitHasTrustedApproval(
{ headRefOid, latestOpinionatedReviews }: PullRequestInfoFragment,
): boolean {
assertExists(latestOpinionatedReviews?.nodes);
return latestOpinionatedReviews.nodes.some((review) => {
assertExists(review);
const { author, commit, state } = review;
return author !== null &&
trustedCommitterIDs.has(author.id) &&
commit?.oid === headRefOid &&
state === "APPROVED";
});
}
async function pullRequestHeadCommitWasSignedByAffectedUser(
{ commits }: PullRequestInfoFragment,
): Promise<boolean> {
assertExists(commits.nodes);
const pullRequestCommit = commits.nodes.at(-1) ?? null;
return pullRequestCommit !== null && await verifyCommitSignature({
commit: pullRequestCommit.commit,
committer: affectedUser,
});
}
const trustedAutomatedAuthorIDs: Set<ID> = new Set(
[rRyantmUser, nixpkgsCIActor, githubActionsActor].map(({ id }) => id),
);
function pullRequestHasTrustedAuthor(
{ author }: PullRequestInfoFragment,
): boolean {
return author !== null && (
trustedAutomatedAuthorIDs.has(author.id) ||
trustedCommitterIDs.has(author.id)
);
}
function parseNixpkgsPullRequestURLs(
pullRequestURLs: Set<NixpkgsPullRequestURL>,
): Set<number> {
return new Set(
pullRequestURLs.values().map((url) => {
const suffix = url.split("/").at(-1);
assertExists(suffix);
const number = Number.parseInt(suffix, 10);
assert(Number.isSafeInteger(number));
return number;
}),
);
}
const manuallyAuditedNixpkgsRefActivityPullRequestNumbers: Set<number> =
parseNixpkgsPullRequestURLs(manuallyAuditedNixpkgsRefActivityPullRequestURLs);
function pullRequestHasNoRiskyRefActivities(
{ number, state, baseRepository, headRepository, headRefName }:
PullRequestInfoFragment,
): boolean {
if (
baseRepository?.id === nixpkgs.id &&
manuallyAuditedNixpkgsRefActivityPullRequestNumbers.has(number)
) {
return true;
}
if (headRepository === null) {
// A closed pull request with a deleted repository can never be
// merged or reopened, so poses no risk. Otherwise, since the head
// repository is gone, we can’t check whether there is any risky
// activity and must return a conservative result.
return state === "CLOSED";
}
const riskyActivities = riskyRepositoryActivity.get(headRepository.id);
assertExists(riskyActivities);
return riskyActivities.values().find(({ ref, activity_type }) =>
ref === `refs/heads/${headRefName}` &&
activity_type !== "branch_deletion"
) === undefined;
}
async function pullRequestHasTrustedHeadCommit(
pullRequest: PullRequestInfoFragment,
): Promise<boolean> {
return (
// Any PR head commit in a PR that was merged by a trusted
// committer is trusted; they are expected to have performed
// standard due diligence before merging.
pullRequestHasTrustedMerger(pullRequest) ||
// Any PR head commit in a PR that was approved by a trusted
// committer at that commit is trusted; they are expected to have
// performed standard due diligence before approving.
pullRequestHeadCommitHasTrustedApproval(pullRequest) ||
// Any PR head commit signed by one of the affected user’s trusted
// PGP keys is trusted; there is no indication that their PGP keys
// were compromised in any way, so this compensates for our
// inability to assume trust for GitHub actions attributed to their
// account during the risk period.
await pullRequestHeadCommitWasSignedByAffectedUser(pullRequest) ||
// Any PR head commit in a PR with a trusted author, from a ref
// with no untrusted activity, is trusted.
(
pullRequestHasTrustedAuthor(pullRequest) &&
pullRequestHasNoRiskyRefActivities(pullRequest)
)
);
}
const manuallyAuditedNixpkgsPullRequestNumbers: Set<number> =
parseNixpkgsPullRequestURLs(
manuallyAuditedNixpkgsPullRequestURLs,
);
async function auditPullRequest(
pullRequest: PullRequestInfoFragment,
): Promise<boolean> {
// We require merge commits, if present, to be trusted upfront, as it
// is not practical to try and audit them through the GitHub web UI.
assert(await pullRequestMergeCommitIsTrusted(pullRequest));
return (
(
pullRequest.baseRepository?.id === nixpkgs.id &&
manuallyAuditedNixpkgsPullRequestNumbers.has(pullRequest.number)
) ||
await pullRequestHasTrustedHeadCommit(pullRequest) ||
(
// We don’t place trust in unmerged pull requests in general,
// so we don’t need to audit them strictly. However, it is
// possible that we may later want to infer trust in them
// through various indicators in future, like the prior
// expansion of the merge bot to pull requests authored
// by committers. Untrusted pushes to these pull requests
// during the risk period could undermine these inferences and
// pose a background risk for further compromise. Therefore, we
// require that unmerged pull requests at least have auditable
// push activity.
pullRequest.state !== "MERGED" &&
pullRequestHasNoRiskyRefActivities(pullRequest)
)
);
}
async function daijoubu(): Promise<boolean> {
return auditAffectedRepositoryActivity() &&
(await Promise.all(
riskyPullRequests.values().map(async (pullRequest) => {
if (await auditPullRequest(pullRequest)) {
return true;
} else {
console.error(
"Could not successfully audit pull request %s",
pullRequest.id,
);
return false;
}
}),
)).every((success) => success);
}
if (import.meta.main) {
assert(await daijoubu(), "Audit failed");
console.log("Audit successful");
}