package cmd
import (
"encoding/base64"
"encoding/json"
"io"
"os"
"strings"
"github.com/gitpod-io/leeway/pkg/leeway"
"github.com/gitpod-io/leeway/pkg/provutil"
"github.com/in-toto/in-toto-golang/in_toto"
log "github.com/sirupsen/logrus"
"github.com/spf13/cobra"
"sigs.k8s.io/bom/pkg/provenance"
)
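// provenanceAssertCmd represents the provenance assert command.
//
// It locates an attestation bundle - either the one embedded in a package's
// cached build archive, or a bundle file passed as file://<path> - decodes it
// and runs the assertions selected via flags against every envelope in it.
// Every violation is logged and the command exits non-zero if there was any.
//
// Security note: unless --signed is given, no signature is checked, so the
// remaining assertions only describe what the bundle *claims* about itself,
// not what can be trusted. Envelopes whose payloadType is not in-toto's are
// skipped with a warning and are not asserted at all (see the note in the
// callback below).
var provenanceAssertCmd = &cobra.Command{
	Use:   "assert <package|file://pathToAFile>",
	Short: "Makes assertions about the provenance of a package",
	Args:  cobra.ExactArgs(1),
	Run: func(cmd *cobra.Command, args []string) {
		bundleFN, pkgFN, pkg, err := getProvenanceTarget(cmd, args)
		if err != nil {
			log.WithError(err).Fatal("cannot locate bundle")
		}

		var assertions provutil.Assertions

		if signed, err := cmd.Flags().GetBool("signed"); err != nil {
			log.Fatal(err)
		} else if signed {
			log.Warn("checking signatures is most likely broken and will probably return false results")

			// A bare bundle file has no workspace behind it, so the key can
			// only come from the environment; a package carries it in its
			// workspace provenance config.
			var keyPath string
			if pkg == nil {
				keyPath = os.Getenv("LEEWAY_PROVENANCE_KEYPATH")
			} else {
				keyPath = pkg.C.W.Provenance.KeyPath
			}
			if keyPath == "" {
				log.Fatal("no key path specified - use the LEEWAY_PROVENANCE_KEYPATH to specify one")
			}

			var key in_toto.Key
			// Report the path that was actually used. Reading
			// pkg.C.W.Provenance.KeyPath here would be a nil dereference in
			// the file:// case (pkg == nil) and would hide the real error.
			if err := key.LoadKeyDefaults(keyPath); err != nil {
				log.WithError(err).Fatal("cannot load key from " + keyPath)
			}
			assertions = append(assertions, provutil.AssertSignedWith(key))
		}

		if do, err := cmd.Flags().GetBool("built-with-leeway"); err != nil {
			log.Fatal(err)
		} else if do {
			assertions = append(assertions, provutil.AssertBuiltWithLeeway)
		}

		if ver, err := cmd.Flags().GetString("built-with-leeway-version"); err != nil {
			log.Fatal(err)
		} else if ver != "" {
			assertions = append(assertions, provutil.AssertBuiltWithLeewayVersion(ver))
		}

		if do, err := cmd.Flags().GetBool("git-only"); err != nil {
			log.Fatal(err)
		} else if do {
			assertions = append(assertions, provutil.AssertGitMaterialOnly)
		}

		// assert is invoked once per envelope in the bundle and collects the
		// violations of all envelopes into failures.
		var failures []provutil.Violation
		assert := func(env *provenance.Envelope) error {
			if env.PayloadType != in_toto.PayloadType {
				// NOTE(review): such entries escape every assertion, so the
				// flags' "all entries in the attestation bundle" guarantee does
				// not hold for a bundle that mixes payload types. Consider
				// reporting this as a violation instead of a warning.
				log.Warnf("only supporting %s payloads, not %s - skipping", in_toto.PayloadType, env.PayloadType)
				return nil
			}

			// Envelope-level assertions (e.g. the signature) run before the
			// payload is decoded.
			failures = append(assertions.AssertBundle(env), failures...)

			raw, err := base64.StdEncoding.DecodeString(env.Payload)
			if err != nil {
				return err
			}

			// Use a fresh statement for every envelope: json.Unmarshal only
			// overwrites the fields present in the payload, so reusing one
			// statement across envelopes would let values from an earlier
			// envelope leak into the assertions made about a later one.
			stmt := provenance.NewSLSAStatement()
			if err := json.Unmarshal(raw, &stmt); err != nil {
				return err
			}
			failures = append(assertions.AssertStatement(stmt), failures...)
			return nil
		}

		if pkg == nil {
			var f *os.File
			f, err = os.Open(bundleFN)
			if err != nil {
				log.WithError(err).Fatalf("cannot open attestation bundle %s", bundleFN)
			}
			defer f.Close()
			err = provutil.DecodeBundle(f, assert)
		} else {
			err = leeway.AccessAttestationBundleInCachedArchive(pkgFN, func(bundle io.Reader) error {
				return provutil.DecodeBundle(bundle, assert)
			})
		}
		if err != nil {
			log.WithError(err).Fatal("cannot assert attestation bundle")
		}

		if len(failures) != 0 {
			for _, f := range failures {
				log.Error(f.String())
			}
			log.Fatal("failed")
		}
	},
}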
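// getProvenanceTarget resolves the single positional argument of a provenance
// command.
//
// An argument of the form file://<path> names an attestation bundle file on
// disk; it is returned as bundleFN and pkg is nil. Any other argument is
// resolved as a package: pkg is the resolved package and pkgFN the location of
// its cached build archive, from which the bundle is read.
//
// The function currently never returns a non-nil err: an unresolvable package
// or one that is not built terminates the process via log.Fatal.
func getProvenanceTarget(cmd *cobra.Command, args []string) (bundleFN, pkgFN string, pkg *leeway.Package, err error) {
	if strings.HasPrefix(args[0], "file://") {
		return strings.TrimPrefix(args[0], "file://"), "", nil, nil
	}

	_, pkg, _, _ = getTarget(args, false)
	if pkg == nil {
		// This helper serves more than one provenance subcommand, so name the
		// command that was actually run instead of hard-coding "export".
		log.Fatalf("provenance %s requires a package", cmd.Name())
	}

	_, cache := getBuildOpts(cmd)
	loc, ok := cache.Location(pkg)
	if !ok {
		log.Fatalf("%s is not built", pkg.FullName())
	}
	return "", loc, pkg, nil
}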
// init registers the assert subcommand and its flags under the provenance
// command. Every flag is opt-in; without any flag no assertion is made.
func init() {
	flags := provenanceAssertCmd.Flags()
	flags.Bool("signed", false, "ensure that all entries in the attestation bundle are signed and valid under the given key")
	flags.Bool("built-with-leeway", false, "ensure that all entries in the attestation bundle are built by leeway")
	flags.String("built-with-leeway-version", "", "ensure that all entries in the attestation bundle are built by a specific leeway version")
	flags.Bool("git-only", false, "ensure that all entries in the attestation bundle are built directly from Git (i.e. only have git material entries)")

	// Build flags are needed to resolve the package's cache location.
	addBuildFlags(provenanceAssertCmd)
	provenanceCmd.AddCommand(provenanceAssertCmd)
}