Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Checking attestors for duplicates #361

Merged
merged 7 commits into from
Jan 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 18 additions & 5 deletions cmd/run.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,12 +85,26 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
attestors = append(attestors, commandrun.New(commandrun.WithCommand(args), commandrun.WithTracing(ro.Tracing)))
}

addtlAttestors, err := attestation.Attestors(ro.Attestations)
if err != nil {
return fmt.Errorf("failed to create attestors := %w", err)
for _, a := range ro.Attestations {
duplicate := false
for _, att := range attestors {
if a != att.Name() {
} else {
log.Warnf("Attestator %s already declared, skipping", a)
duplicate = true
break
}
}

if !duplicate {
attestor, err := attestation.GetAttestor(a)
if err != nil {
return fmt.Errorf("failed to create attestor: %w", err)
}
attestors = append(attestors, attestor)
}
}

attestors = append(attestors, addtlAttestors...)
for _, attestor := range attestors {
setters, ok := ro.AttestorOptSetters[attestor.Name()]
if !ok {
Expand Down Expand Up @@ -120,7 +134,6 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir), attestation.WithHashes(roHashes)),
witness.RunWithTimestampers(timestampers...),
)

if err != nil {
return err
}
Expand Down
75 changes: 75 additions & 0 deletions cmd/run_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,15 +20,20 @@ import (
"crypto/rand"
"crypto/rsa"
"encoding/json"
"fmt"
"os"
"path/filepath"
"strings"
"testing"

"github.com/in-toto/go-witness/cryptoutil"
"github.com/in-toto/go-witness/dsse"
"github.com/in-toto/go-witness/log"
"github.com/in-toto/go-witness/signer"
"github.com/in-toto/go-witness/signer/file"
"github.com/in-toto/witness/options"
"github.com/sirupsen/logrus"
"github.com/sirupsen/logrus/hooks/test"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
Expand Down Expand Up @@ -171,3 +176,73 @@ func TestRunHashesOptions(t *testing.T) {
})
}
}

func TestRunDuplicateAttestors(t *testing.T) {
tests := []struct {
name string
attestors []string
expectWarn int
}{
{
name: "No duplicate attestors",
attestors: []string{"environment"},
expectWarn: 0,
},
{
name: "duplicate attestors",
attestors: []string{"environment", "environment"},
expectWarn: 1,
},
{
name: "duplicate attestor due to default",
attestors: []string{"product"},
expectWarn: 1,
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
fmt.Println(tt.name)
testLogger, hook := test.NewNullLogger()
log.SetLogger(testLogger)

privatekey, err := rsa.GenerateKey(rand.Reader, keybits)
require.NoError(t, err)
signer := cryptoutil.NewRSASigner(privatekey, crypto.SHA256)

workingDir := t.TempDir()
attestationPath := filepath.Join(workingDir, "outfile.txt")
runOptions := options.RunOptions{
WorkingDir: workingDir,
Attestations: tt.attestors,
OutFilePath: attestationPath,
StepName: "teststep",
Tracing: false,
}

args := []string{
"bash",
"-c",
"echo 'test' > test.txt",
}

err = runRun(context.Background(), runOptions, args, signer)
if tt.expectWarn > 0 {
c := 0
for _, entry := range hook.AllEntries() {
fmt.Println(tt.name, "log:", entry.Message)
if entry.Level == logrus.WarnLevel && strings.Contains(entry.Message, "already declared, skipping") {
c++
}
}
assert.Equal(t, tt.expectWarn, c)
} else {
require.NoError(t, err)
attestationBytes, err := os.ReadFile(attestationPath)
require.NoError(t, err)
env := dsse.Envelope{}
require.NoError(t, json.Unmarshal(attestationBytes, &env))
}
})
}
}
3 changes: 2 additions & 1 deletion docs/witness_run.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ witness run [cmd] [flags]

```
--archivista-server string URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io")
-a, --attestations strings Attestations to record (default [environment,git])
-a, --attestations strings Attestations to record ('product' and 'material' are always recorded) (default [environment,git])
--attestor-product-exclude-glob string Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation.
--attestor-product-include-glob string Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation. (default "*")
--enable-archivista Use Archivista to store or retrieve attestations
Expand All @@ -22,6 +22,7 @@ witness run [cmd] [flags]
-k, --signer-file-key-path string Path to the file containing the private key
--signer-fulcio-oidc-client-id string OIDC client ID to use for authentication
--signer-fulcio-oidc-issuer string OIDC issuer to use for authentication
--signer-fulcio-oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
--signer-fulcio-token string Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path)
--signer-fulcio-token-path string Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token)
--signer-fulcio-url string Fulcio address to sign with
Expand Down
1 change: 1 addition & 0 deletions docs/witness_sign.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ witness sign [file] [flags]
-k, --signer-file-key-path string Path to the file containing the private key
--signer-fulcio-oidc-client-id string OIDC client ID to use for authentication
--signer-fulcio-oidc-issuer string OIDC issuer to use for authentication
--signer-fulcio-oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
jkjell marked this conversation as resolved.
Show resolved Hide resolved
--signer-fulcio-token string Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path)
--signer-fulcio-token-path string Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token)
--signer-fulcio-url string Fulcio address to sign with
Expand Down
4 changes: 2 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,13 @@ module github.com/in-toto/witness
go 1.19

require (
github.com/in-toto/go-witness v0.2.0
github.com/in-toto/go-witness v0.2.1
github.com/sirupsen/logrus v1.9.3
github.com/spf13/cobra v1.8.0
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.15.0
github.com/stretchr/testify v1.8.4
k8s.io/apimachinery v0.26.11
k8s.io/apimachinery v0.26.12
)

require (
Expand Down
8 changes: 4 additions & 4 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -220,8 +220,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/in-toto/archivista v0.2.0 h1:FViuHMVVETborvOqlmSYdROY8RmX3CO0V0MOhU/Rl20=
github.com/in-toto/archivista v0.2.0/go.mod h1:qt9uN4TkHWUgR5A2wxRqQIBizSl32P2nI2AjESskkr0=
github.com/in-toto/go-witness v0.2.0 h1:lxp3+Kc4Der2C1jV9ZePjSCEHUr2NsB4sImXI5sZHu4=
github.com/in-toto/go-witness v0.2.0/go.mod h1:Jr6ZlYoVfTS3hjUSmJ10J8qiHjpF1cfSE4NLAIJpbLw=
github.com/in-toto/go-witness v0.2.1 h1:eAxMBWUPbz3oPU3lsfEYi/Kdj6weej2umm59bOXPJSU=
github.com/in-toto/go-witness v0.2.1/go.mod h1:xURJVj4QRD3xnzOJps7gT0pMCFPpAHcPqDC3EyuLuUE=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
Expand Down Expand Up @@ -749,8 +749,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
k8s.io/apimachinery v0.26.11 h1:w//840HHdwSRKqD15j9YX9HLlU6RPlfrvW0xEhLk2+0=
k8s.io/apimachinery v0.26.11/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y=
k8s.io/apimachinery v0.26.12 h1:y+OgufxqLIZtyXIydRhjLBGzrYLF+qwiDdCFXYOjeN4=
k8s.io/apimachinery v0.26.12/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y=
k8s.io/klog/v2 v2.90.0 h1:VkTxIV/FjRXn1fgNNcKGM8cfmL1Z33ZjXRTVxKCoF5M=
k8s.io/klog/v2 v2.90.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/utils v0.0.0-20230115233650-391b47cb4029 h1:L8zDtT4jrxj+TaQYD0k8KNlr556WaVQylDXswKmX+dE=
Expand Down
2 changes: 1 addition & 1 deletion options/run.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ func (ro *RunOptions) AddFlags(cmd *cobra.Command) {
ro.SignerOptions.AddFlags(cmd)
ro.ArchivistaOptions.AddFlags(cmd)
cmd.Flags().StringVarP(&ro.WorkingDir, "workingdir", "d", "", "Directory from which commands will run")
cmd.Flags().StringSliceVarP(&ro.Attestations, "attestations", "a", []string{"environment", "git"}, "Attestations to record")
cmd.Flags().StringSliceVarP(&ro.Attestations, "attestations", "a", []string{"environment", "git"}, "Attestations to record ('product' and 'material' are always recorded)")
cmd.Flags().StringSliceVar(&ro.Hashes, "hashes", []string{"sha256"}, "Hashes selected for digest calculation. Defaults to SHA256")
cmd.Flags().StringVarP(&ro.OutFilePath, "outfile", "o", "", "File to which to write signed data. Defaults to stdout")
cmd.Flags().StringVarP(&ro.StepName, "step", "s", "", "Name of the step being run")
Expand Down
Loading