diff --git a/.clomonitor.yml b/.clomonitor.yml new file mode 100644 index 00000000..8a14c3b1 --- /dev/null +++ b/.clomonitor.yml @@ -0,0 +1,21 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# CLOMonitor metadata file +# This file must be located at the root of the repository + +# Checks exemptions +exemptions: + - check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions) + reason: "Project is a library and does not create an artifact" # Justification of this exemption (mandatory, it will be displayed on the UI) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8d2b1f50..ccd96740 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,3 +1,17 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + version: 2 updates: 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..98bbd925
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,92 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["go"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..5b0608ae --- /dev/null +++ b/.github/workflows/dependency-review.yml 
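Review bot: The Harden Runner step in this hunk runs with `egress-policy: audit`, which only records outbound connections and blocks nothing, so the job is no better protected against a compromised action or dependency phoning home than it was before the step was added; the same setting appears in dependency-review.yml, golangci-lint.yml, scorecards.yml, verify-licence.yml and witness.yml in this commit. Audit mode is a sensible first run, but the follow-up should switch to `egress-policy: block` with an `allowed-endpoints:` list once the audit logs show what each job actually contacts. Separately, the template comment `# CodeQL supports [ $supported-codeql-languages ]` was never filled in and can be dropped.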
@@ -0,0 +1,41 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: 'Dependency Review' + uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5 diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml new file mode 100644 index 00000000..88cc7ad5 --- /dev/null +++ b/.github/workflows/fossa.yml 
@@ -0,0 +1,28 @@ +name: "Fossa Scan" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + fossa-scan: + env: + FOSSA_API_KEY: ${{ secrets.fossaApiKey }} + runs-on: ubuntu-latest + steps: + - if: ${{ env.FOSSA_API_KEY != '' }} + name: "Checkout Code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - if: ${{ env.FOSSA_API_KEY != '' }} + name: "Run FOSSA Scan" + uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 + with: + api-key: ${{ env.FOSSA_API_KEY }} diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index e07b99c9..0b6a231c 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -29,12 +29,17 @@ jobs: name: lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v4 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: "go.mod" - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: version: latest args: --timeout=3m diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2861efc3..2785e946 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
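Review bot: fossa.yml is the only workflow added in this commit without a Harden Runner step, and it also lacks the license header that every other new file carries. The golangci-lint.yml hunk that follows adds Harden Runner as its first step, and the same three lines (`- name: Harden Runner`, `uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1`, `with: egress-policy: audit`) would fit here before `Checkout Code`. The `if: ${{ env.FOSSA_API_KEY != '' }}` guard correctly skips both steps for forks, where `secrets.fossaApiKey` is empty; note that the job-level `env` also places the key in the checkout step's environment, which is presumably accepted because the `secrets` context cannot be read in a step `if:`.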
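Review bot: `version: latest` in the golangci-lint step is the one floating reference left in this hunk, so lint results can change from run to run even though the action itself is now pinned to a commit SHA, and it differs from the `v1.52.2` pinned for the same tool in the new .pre-commit-config.yaml. Pin it to a release so CI and the local hook lint with the same rules, e.g. `version: v1.52.2`, and bump both together.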
@@ -12,14 +12,18 @@ # See the License for the specific language governing permissions and # limitations under the License. -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout name: release on: [push, pull_request] + +permissions: + contents: read + jobs: fmt: uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: fmt @@ -29,6 +33,9 @@ jobs: sast: needs: [fmt] uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: sast @@ -38,6 +45,9 @@ jobs: unit-test: needs: [fmt] uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: unit-test diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 00000000..8a135b6b --- /dev/null +++ b/.github/workflows/scorecards.yml 
@@ -0,0 +1,90 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["main"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). 
+ id-token: write + contents: read + actions: read + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 + with: + sarif_file: results.sarif diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml index 1741fa2f..8528886d 100644 --- a/.github/workflows/verify-licence.yml 
+++ b/.github/workflows/verify-licence.yml @@ -18,17 +18,25 @@ on: push: branches: ['main', 'release-*'] pull_request: +permissions: + contents: read + jobs: license-check: name: license boilerplate check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v4 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: '1.17.x' + go-version: '1.21.x' - name: Install addlicense - run: go install github.com/google/addlicense@latest + run: go install github.com/google/addlicense@v1.1.1 - name: Check license headers run: | set -e diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index 3a21372e..e02a3049 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -15,7 +15,7 @@ on: workflow_call: inputs: - pull_request: + pull_request: required: true type: boolean artifact-download: @@ -39,18 +39,29 @@ on: attestations: required: true type: string - + +permissions: + contents: read + jobs: witness: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v4 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 1.21.x - if: ${{ inputs.artifact-download != '' }} - uses: actions/download-artifact@v3 + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 with: name: ${{ inputs.artifact-download }} path: /tmp 
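Review bot: `go-version: '1.21.x'` hard-codes the toolchain in this hunk (witness.yml does the same in its second hunk), whereas golangci-lint.yml in this commit reads it from `go-version-file: "go.mod"`, and the README rewritten in this commit still lists Go 1.19 as the requirement, so the three now disagree. Using `go-version-file: go.mod` in all three workflows keeps CI tied to the module's declared version, and the README should state whichever minimum go.mod actually declares. Pinning `addlicense@v1.1.1` is an improvement over `@latest`; `go install` verifies the module against the checksum database, so a tag is an acceptable pin here.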
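Review bot: The bump from `actions/download-artifact@v3` to v4 in this hunk is not a drop-in change: v4 cannot download artifacts produced by upload-artifact v3 (and vice versa), and v4 artifact names must be unique within a run, so a second upload under the same name fails instead of overwriting. Because this is a reusable workflow driven by the `artifact-download` and `artifact-upload-name` inputs, every caller (release.yml in this commit, and any matrix job uploading under a shared name) needs the same v4 pairing; the upload-artifact bump in the next hunk (`@@ -74,7 +85,7 @@`) is the other half of this change and should be verified together with it. The job-level `permissions:` block is a good scoping; the enclosing `jobs:` block continues past the end of the hunk.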
@@ -74,7 +85,7 @@ jobs: run: ${{ inputs.command }} - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}} - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: ${{ inputs.artifact-upload-name }} path: ${{ inputs.artifact-upload-path }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..221048da --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,28 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/golangci/golangci-lint + rev: v1.52.2 + hooks: + - id: golangci-lint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index b65ee56d..571772ec 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -131,4 +131,3 @@ For answers to common questions about this code of conduct, see the FAQ at [Mozilla CoC]: https://github.com/mozilla/diversity [FAQ]: https://www.contributor-covenant.org/faq [translations]: https://www.contributor-covenant.org/translations - diff --git a/CONTRIBUTORS.md b/CONTRIBUTING.md similarity index 100% rename from CONTRIBUTORS.md rename to CONTRIBUTING.md 
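Review bot: The three `rev:` values in .pre-commit-config.yaml pin by tag (`v8.16.3`, `v1.52.2`, `v4.4.0`) while every action in the workflows touched by this commit is pinned to a commit SHA with the tag in a trailing comment; pre-commit accepts a full commit SHA in `rev`, so the same style applies, e.g. `rev: <commit-sha-placeholder> # v8.16.3`. Tags on third-party hook repositories can be moved, so this matters most for gitleaks, which runs on every commit.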
diff --git a/DEPENDENCY.md b/DEPENDENCY.md
new file mode 100644
index 00000000..99f74a1c
--- /dev/null
+++ b/DEPENDENCY.md
@@ -0,0 +1,42 @@
+# Environment Dependencies Policy
+
+## Purpose
+
+This policy describes how Witness maintainers consume third-party packages.
+
+## Scope
+
+This policy applies to all Witness maintainers and all third-party packages used in the Witness project.
+
+## Policy
+
+Witness maintainers must follow these guidelines when consuming third-party packages:
+
+- Only use third-party packages that are necessary for the functionality of Witness.
+- Use the latest version of all third-party packages whenever possible.
+- Avoid using third-party packages that are known to have security vulnerabilities.
+- Pin all third-party packages to specific versions in the Witness codebase.
+- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
+
+## Procedure
+
+When adding a new third-party package to Witness, maintainers must follow these steps:
+
+1. Evaluate the need for the package. Is it necessary for the functionality of Witness?
+2. Research the package. Is it well-maintained? Does it have a good reputation?
+3. Choose a version of the package. Use the latest version whenever possible.
+4. Pin the package to the specific version in the Witness codebase.
+5. Update the Witness documentation to reflect the new dependency.
+
+## Enforcement
+
+This policy is enforced by the Witness maintainers.
+Maintainers are expected to review each other's code changes to ensure that they comply with this policy.
+
+## Exceptions
+
+Exceptions to this policy may be granted by the Witness project lead on a case-by-case basis.
+
+## Credits
+
+This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
index 7c46c8b9..32441f9a 100644
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -5,4 +5,4 @@
 | Cole Kennedy (TestifySec) | [@colek42](https://github.com/colek42) |
 | John Kjell (TestifySec) | [@jkjell](https://github.com/jkjell) |
 | Mikhail Swift (TestifySec) | [@mikhailswift](https://github.com/mikhailswift) |
-| Aditya Sirish (NYU) | [@adityasaky](https://github.com/adityasaky) |
\ No newline at end of file
+| Aditya Sirish (NYU) | [@adityasaky](https://github.com/adityasaky) |
diff --git a/Makefile b/Makefile
index f717d8a7..bc9258ae 100644
--- a/Makefile
+++ b/Makefile
@@ -18,3 +18,10 @@ controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessar
 $(CONTROLLER_GEN): $(LOCALBIN)
 test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
 GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)
+
+.PHONY: test
+test: ## Run the go unit tests
+ go test -v -coverprofile=profile.cov -covermode=atomic ./...
+
+help: ## Display this help screen
+ @grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/README.md b/README.md
index a1c9c198..2741e8d7 100644
--- a/README.md
+++ b/README.md
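Review bot: `help` is a new target in the Makefile hunk but is not declared phony, so a file or directory named `help` at the repository root would silently disable it; add `.PHONY: help` next to the existing `.PHONY: test`. The `test` target could also pass `-race`, since the race detector is the cheapest way to catch concurrency bugs in a library; `go test -race -v -coverprofile=profile.cov -covermode=atomic ./...` keeps the coverage mode compatible, as `atomic` is the mode `-race` requires.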
@@ -1,299 +1,32 @@ - -[![asciicast](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D.svg)](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D) - -## Witness is a pluggable framework for supply chain security - -Witness prevents tampering of build materials and verifies the integrity of the build process from source to target. It works by wrapping commands executed in a continuous integration process. Its attestation system is pluggable and offers support out of the box for most major CI and infrastructure providers. Verification of Witness metadata and a secure PKI distribution system will mitigate against many software supply chain attack vectors and can be used as a framework for automated governance. - -Witness is an implementation of the in-toto spec including [ITE-5](https://github.com/in-toto/ITE/tree/master/ITE/5), [ITE-6](https://github.com/in-toto/ITE/tree/master/ITE/6), [ITE-7](https://github.com/in-toto/ITE/tree/master/ITE/7) with an [embedded rego policy engine](https://www.openpolicyagent.org/docs/latest/integration/#integrating-with-the-go-api). - -- Does **NOT** require elevated privileges. -- Can run in a containerized or non-containerized environment -- Records secure hashes of materials, artifacts, and events occurring during the CI process -- Integrations with cloud identity services -- Keyless signing with [SPIFFE/SPIRE](https://spiffe.io/) -- Support for uploading attestation evidence to rekor server (sigstore) -- Build policy enforcement with Open Policy Agent. -- Alpha support for tracing and process tampering prevention -- Verifies file integrity between CI steps, and across air gap. -- Experimental Windows and ARM Support - -## Usage - -- [Run](docs/witness_run.md) - Runs the provided command and records attestations about the execution. -- [Sign](docs/witness_sign.md) - Signs the provided file with the provided key. -- [Verify](docs/witness_verify.md) - Verifies a witness policy. 
- -## TOC - -- [Witness Attestors](#witness-attestors) - - [What is a witness attestor?](#what-is-a-witness-attestor) - - [Attestor Security Model](#attestor-security-model) - - [Attestor Life Cycle](#attestor-life-cycle) - - [Attestation Lifecycle](#attestation-lifecycle) - - [Attestor Types](#attestor-types) - - [Pre Run Attestors](#pre-run-attestors) - - [Internal Attestors](#internal-attestors) - - [Post Run Attestors](#post-run-attestors) - - [AttestationCollection](#attestationcollection) - - [Attestor Subjects](#attestor-subjects) - - [Witness Policy](#witness-policy) - - [What is a witness policy?](#what-is-a-witness-policy) - - [Witness Verification](#witness-verification) - - [Verification Lifecycle](#verification-lifecycle) - - [Using SPIRE for Keyless Signing](#using-spire-for-keyless-signing) - - [Witness Examples](#witness-examples) - - [Media](#media) - - [Roadmap](#roadmap) - - [Support](#support) - -## Getting Started - -### Download the Binary -[Releases](https://github.com/testifysec/witness/releases) -``` -curl -LO https://github.com/testifysec/witness/releases/download/${VERSION}/witness_${VERSION}_${ARCH}.tar.gz -tar -xzf witness_${VERSION}_${ARCH}.tar.gz -``` - -### Create a Keypair - -> Witness supports keyless signing with [SPIRE](https://spiffe.io/)! - -``` -openssl genpkey -algorithm ed25519 -outform PEM -out testkey.pem -openssl pkey -in testkey.pem -pubout > testpub.pem -``` - -### Create a Witness configuration - -> - This file generally resides in your source code repository along with the public keys generated above. -> - `.witness yaml` is the default location for the configuration file -> - `witness help` will show all configuration options -> - command-line arguments overrides configuration file values. 
- -``` -## .witness.yaml - -run: - key: testkey.pem - trace: false -verify: - attestations: - - "test-att.json" - policy: policy-signed.json - publickey: testpub.pem -``` - -### Record attestations for a build step - -> - The `-a {attestor}` flag allows you to define which attestors run -> - ex. `-a maven -a was -a gitlab` would be used for a maven build running on a GitLab runner on GCP. -> - Defining step names is important, these will be used in the policy. -> - This should happen as a part of a CI step - -``` -witness run --step build -o test-att.json -- go build -o=testapp . -``` - -### View the attestation data in the signed DSSE Envelope - -> - This data can be stored and retrieved from rekor! -> - This is the data that is evaluated against the Rego policy - -``` -cat test-att.json | jq -r .payload | base64 -d | jq -``` - -### Create a Policy File - -Look [here](docs/policy.md) for full documentation on Witness Policies. - -> - Make sure to replace the keys in this file with the ones from the step above (sed command below). -> - Rego policies should be base64 encoded -> - Steps are bound to keys. Policy can be written to check the certificate data. For example, we can require a step is signed by a key with a specific `CN` attribute. 
-> - Witness will require all attestations to succeed -> - Witness will evaluate the rego policy against the JSON object in the corresponding attestor - -``` -## policy.json - -{ - "expires": "2023-12-17T23:57:40-05:00", - "steps": { - "build": { - "name": "build", - "attestations": [ - { - "type": "https://witness.dev/attestations/material/v0.1", - "regopolicies": [] - }, - { - "type": "https://witness.dev/attestations/command-run/v0.1", - "regopolicies": [] - }, - { - "type": "https://witness.dev/attestations/product/v0.1", - "regopolicies": [] - } - ], - "functionaries": [ - { - "publickeyid": "{{PUBLIC_KEY_ID}}" - } - ] - } - }, - "publickeys": { - "{{PUBLIC_KEY_ID}}": { - "keyid": "{{PUBLIC_KEY_ID}}", - "key": "{{B64_PUBLIC_KEY}}" - } - } -} -``` - -### Replace the variables in the policy - -``` -id=`sha256sum testpub.pem | awk '{print $1}'` && sed -i "s/{{PUBLIC_KEY_ID}}/$id/g" policy.json -pubb64=`cat testpub.pem | base64 -w 0` && sed -i "s/{{B64_PUBLIC_KEY}}/$pubb64/g" policy.json -``` - -### Sign The Policy File - -Keep this key safe, its owner will control the policy gates. - -``` -witness sign -f policy.json --key testkey.pem --outfile policy-signed.json -``` - -### Verify the Binary Meets Policy Requirements - -> This process works across air-gap as long as you have the signed policy file, correct binary, and public key or certificate authority corresponding to the private key that signed the policy. -> `witness verify` will return a `non-zero` exit and reason in the case of failure. Success will be silent with a `0` exit status -> for policies that require multiple steps, multiple attestations are required. - -``` -witness verify -f testapp -a test-att.json -p policy-signed.json -k testpub.pem -``` - -# Witness Attestors - -## What is a witness attestor? - -Witness attestors are pieces of code that assert facts about a system and store those facts in a versioned schema. Each attestor has a `Name`, `Type`, and `RunType`. 
The `Type` is a versioned string corresponding to the JSON schema of the attestation. For example, the AWS attestor is defined as follows: - -``` - Name = "aws" - Type = "https://witness.dev/attestations/aws/v0.1" - RunType = attestation.PreRunType -``` - -The attestation types are used when we evaluate policy against these attestations. - -## Attestor Security Model - -Attestations are only as secure as the data that feeds them. Where possible cryptographic material should be validated, evidence of validation should be included in the attestation for out-of-band validation. - -Examples of cryptographic validation is found in the [GCP](https://github.com/testifysec/witness/tree/main/pkg/attestation/gcp-iit), [AWS](https://github.com/testifysec/witness/blob/main/pkg/attestation/aws-iid/aws-iid.go), and [GitLab](https://github.com/testifysec/witness/tree/main/pkg/attestation/gitlab) attestors. - -## Attestor Life Cycle - -- **Pre-material:** Pre-material attestors run before any other attestors. These attestors generally collect information about the environment. - -- **Material:** Material attestors run after any prematerial attestors and prior to any execute attestors. Generally these collect information about state that may change after any execute attestors, such as file hashes. - -- **Execute:**: Execute attestors run after any material attestors and generally record information about some command or process that is to be executed. - -- **Product:** Product attestors run after any execute attestors and generally record information about what changed during the execute lifecycle step, such as changed or created files. - -- **Post-product:** Post-product attestors run after product attestors and generally record some additional information about specific products, such as OCI image information from a saved image tarball. 
- -### Attestation Lifecycle - -![](docs/assets/attestation.png) - -## Attestor Types - -### Pre-material Attestors -- [AWS](docs/attestors/aws-iid.md) - Attestor for AWS Instance Metadata -- [GCP](docs/attestors/gcp-iit.md) - Attestor for GCP Instance Identity Service -- [GitLab](docs/attestors/gitlab.md) - Attestor for GitLab Pipelines -- [Git](docs/attestors/git.md) - Attestor for Git Repository -- [Maven](docs/attestors/maven.md) Attestor for Maven Projects -- [Environment](docs/attestors/environment.md) - Attestor for environment variables (**_be careful with this - there is no way to mask values yet_**) -- [JWT](docs/attestors/jwt.md) - Attestor for JWT Tokens - -### Material Attestors -- [Material](docs/attestors/material.md) - Records secure hashes of files in current working directory - -### Execute Attestors -- [CommandRun](docs/attestors/commandrun.md) - Records traces and metadata about the actual process being run - -### Product Attestors -- [Product](docs/attestors/product.md) - Records secure hashes of files produced by commandrun attestor (only detects new files) - -### Post-product Attestors - -- [OCI](docs/attestors/oci.md) - Attestor for tar'd OCI images - -### AttestationCollection - -An `attestationCollection` is a collection of attestations that are cryptographically bound together. Because the attestations are bound together, we can trust that they all happened as part of the same attesation life cycle. Witness policy defines which attestations are required. - -### Attestor Subjects - -Attestors define subjects that act as lookup indexes. The attestationCollection can be looked up by any of the subjects defined by the attestors. - -## Witness Policy - -### What is a witness policy? - -A witness policy is a signed document that encodes the requirements for an artifact to be validated. A witness policy includes public keys for trusted functionaries, which attestations must be found, and rego policy to evaluate against the attestation meta-data. 
- -I witness policy allowers administrators trace the compliance status of an artifact at any point during it's lifecycle. - -## Witness Verification - -### Verification Lifecycle - -![](docs/assets/verification.png) - -## Using [SPIRE](https://github.com/spiffe/spire) for Keyless Signing - -Witness can consume ephemeral keys from a [SPIRE](https://github.com/spiffe/spire) node agent. Configure witness with the flag `--spiffe-socket` to enable keyless signing. - -During the verification process witness will use the [Rekor](https://github.com/sigstore/rekor) integrated time to make a determination on certificate validity. The SPIRE certificate only needs to remain valid long enough for the attestation to be integrated into the Rekor log. - -## Witness Examples - -- [Using Witness To Prevent SolarWinds Type Attacks](examples/solarwinds/README.md) -- [Using Witness To Find Artifacts With Hidden Vulnerable Log4j Dependencies](examples/log4shell/README.md) - -## Media - -- [Blog - What is a supply chain attestation, and why do I need it?](https://www.testifysec.com/blog/what-is-a-supply-chain-attestation/) -- [Talk - Securing the Software Supply Chain with the in-toto & SPIRE projects](https://www.youtube.com/watch?v=4lFbdkB62QI) -- [Talk - Securing the Software Supply Chain with SBOM and Attestation](https://www.youtube.com/watch?v=wX6aTZfpJv0) - -## Roadmap - -- Attestors for all major platforms -- CaC Card Attestor -- GovCloud Attestor -- OIDC Attestor -- FIDO Attestor -- Vault Key Provider -- Cloud KMS Support -- Kubernetes Admission Controller -- SIEM Collection Agent -- Cosign Signature Validation -- Notary v2 Signature Validation -- [Zarf](https://github.com/defenseunicorns/zarf) Integration -- IronBank Attestor - -## Support - -[TestifySec](https://testifysec.com) Provides support for witness and other CI security tools. -[Contact Us](mailto:info@testifysec.com) +# go-witness +A client library for [Witness](https://github.com/in-toto/witness), written in Go. 
+
+[![Go Reference](https://pkg.go.dev/badge/github.com/in-toto/go-witness.svg)](https://pkg.go.dev/github.com/in-toto/go-witness)
+[![Go Report Card](https://goreportcard.com/badge/github.com/in-toto/go-witness)](https://goreportcard.com/report/github.com/in-toto/go-witness)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8164/badge)](https://www.bestpractices.dev/projects/8164)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/in-toto/go-witness/badge)](https://securityscorecards.dev/viewer/?uri=github.com/in-toto/go-witness)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fgo-witness.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fgo-witness?ref=badge_shield&issueType=license)
+
+## Status
+This library is currently pre-1.0 and therefore the API may be subject to breaking changes.
+
+## Features
+- Creation and signing of in-toto attestations
+- Verification of in-toto attestations and associated signatures with:
+ - Witness policy engine
+ - [OPA Rego policy language](https://www.openpolicyagent.org/docs/latest/policy-language/)
+- A growing list of attestor types defined under a common interface
+- A selection of attestation sources to search for attestation collections
+
+## Documentation
+For more detail regarding the library itself, we recommend viewing [pkg.go.dev](https://pkg.go.dev/github.com/in-toto/go-witness). For
+the documentation of the witness project, please view [the main witness repository](https://github.com/in-toto/witness/tree/main/docs).
+
+## Requirements
+In order to effectively contribute to this library, you will need:
+- A Unix-compatible Operating System
+- GNU Make
+- Go 1.19
+
+## Running Tests
+This repository uses Go tests for testing. You can run these tests by executing `make test`.
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
new file mode 100644
index 00000000..c52c5f1b
--- /dev/null
+++ b/SECURITY-INSIGHTS.yml
@@ -0,0 +1,81 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+header:
+ schema-version: 1.0.0
+ expiration-date: '2024-08-31T10:10:09.000Z'
+ last-updated: '2023-12-20'
+ last-reviewed: '2023-12-20'
+ commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41
+ project-url: https://github.com/in-toto/go-witness
+ project-release: 'v0.2.0'
+ changelog: https://github.com/in-toto/go-witness/releases/tag/v0.2.0
+ license: https://github.com/in-toto/go-witness/blob/main/LICENSE
+
+project-lifecycle:
+ status: active
+ roadmap: https://github.com/orgs/in-toto/projects/4/views/3
+ bug-fixes-only: false
+ core-maintainers:
+ - https://github.com/in-toto/go-witness/MAINTAINERS.md
+ release-cycle: https://github.com/in-toto/go-witness/releases
+
+contribution-policy:
+ accepts-pull-requests: true
+ accepts-automated-pull-requests: true
+ contributing-policy: https://github.com/in-toto/go-witness/blob/main/CONTRIBUTING.md
+ code-of-conduct: https://github.com/in-toto/go-witness/blob/main/CODE_OF_CONDUCT.md
+
+documentation:
+ - https://witness.dev
+
+distribution-points:
+ - https://github.com/in-toto/go-witness/releases
+
+security-testing:
+- tool-type: sca
+ tool-name: Dependabot
+ tool-version: 2
+ tool-url: https://github.com/dependabot
+ integration:
+ ad-hoc: false
+ ci: true
+ before-release: false
+
+security-contacts:
+- type: email
+ value: security@testifysec.com
+ primary: true
+
+vulnerability-reporting:
+ accepts-vulnerability-reports: true
+ email-contact: security@testifysec.com
+ security-policy: https://github.com/in-toto/go-witness/SECURITY.md
+
+dependencies:
+ third-party-packages: true
+ dependencies-lists:
+ - https://github.com/in-toto/go-witness/go.mod
+ sbom:
+ - sbom-file: https://foo.bar/sbom
+ sbom-format: CycloneDX
+ sbom-url: https://foo.bar
+ dependencies-lifecycle:
+ policy-url: https://github.com/in-toto/go-witness/SECURITY.md
+ comment: |
+ All dependencies are subject to the Witness Security Policy.
+ env-dependencies-policy:
+ policy-url: https://github.com/in-toto/go-witness/DEPENDENCY.md
+ comment: |
+ All dependencies are subject to the Witness Dependency Policy.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..2d5ae3cb
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,34 @@
+# Security Policy
+
+## Security Bulletins
+
+See current security bullentins on GitHub: https://github.com/in-toto/go-witness/security/advisories
+
+For information regarding the security of this project please join:
+
+* in-toto-witness on CNCF Slack
+
+## Reporting a Vulnerability
+
+Please use the below process to report a vulnerability to the project:
+
+Web Form:
+
+1. Please visit https://github.com/in-toto/go-witness/security/advisories/new
+ * You will receive a confirmation email upon submission
+1. You may be contacted by a maintainer to further discuss the reported item
+ within 3 days. Please bear with us as we seek to understand the breadth
+ and scope of the reported problem, recreate it, and confirm if there is an
+ vulnerability present.
+
+This project follows a 30 day disclosure timeline.
+
+## Supported Versions
+
+Information regarding supported versions of this project can be found on
+in the below table:
+
+| Version | Supported |
+| --- | --- |
+| Latest | :white_check_mark: |
+| <= Latest - 2 | :x: |
diff --git a/archivista/download.go b/archivista/download.go
index 5550d45a..cb6127b8 100644
--- a/archivista/download.go
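Review bot: The new `sbom` entry publishes placeholder values, `sbom-file: https://foo.bar/sbom` and `sbom-url: https://foo.bar`, in a file whose whole purpose is to be machine-read by consumers such as CLOMonitor; either point them at a real SBOM artifact or drop the `sbom` list until one is published. The `security-policy`, `core-maintainers` and both `policy-url` values use the bare form `https://github.com/in-toto/go-witness/<FILE>.md`, whereas `license`, `contributing-policy` and `code-of-conduct` use `/blob/main/`; the bare form is not a GitHub file path and will most likely not resolve, so these should read `https://github.com/in-toto/go-witness/blob/main/SECURITY.md` and so on. Whether `DEPENDENCY.md` exists in the repository is not visible from this diff, so the env-dependencies-policy link is worth checking at the same time.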
+++ b/archivista/download.go
@@ -17,8 +17,8 @@ package archivista
 import (
 "context"
- archivistaapi "github.com/testifysec/archivista-api"
- "github.com/testifysec/go-witness/dsse"
+ archivistaapi "github.com/in-toto/archivista/pkg/api"
+ "github.com/in-toto/go-witness/dsse"
 )
 func (c *Client) Download(ctx context.Context, gitoid string) (dsse.Envelope, error) {
diff --git a/archivista/searchgitoids.go b/archivista/searchgitoids.go
index 851840dc..f52d5257 100644
--- a/archivista/searchgitoids.go
+++ b/archivista/searchgitoids.go
@@ -17,7 +17,7 @@ package archivista
 import (
 "context"
- archivistaapi "github.com/testifysec/archivista-api"
+ archivistaapi "github.com/in-toto/archivista/pkg/api"
 )
 type searchGitoidResponse struct {
diff --git a/archivista/store.go b/archivista/store.go
index 0b6f682a..ccba927a 100644
--- a/archivista/store.go
+++ b/archivista/store.go
@@ -17,8 +17,8 @@ package archivista
 import (
 "context"
- archivistaapi "github.com/testifysec/archivista-api"
- "github.com/testifysec/go-witness/dsse"
+ archivistaapi "github.com/in-toto/archivista/pkg/api"
+ "github.com/in-toto/go-witness/dsse"
 )
 func (c *Client) Store(ctx context.Context, env dsse.Envelope) (string, error) {
diff --git a/attestation/aws-iid/aws-iid.go b/attestation/aws-iid/aws-iid.go
index fd9ad36b..a9bd0a6f 100644
--- a/attestation/aws-iid/aws-iid.go
+++ b/attestation/aws-iid/aws-iid.go
@@ -27,9 +27,9 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/ec2metadata"
 "github.com/aws/aws-sdk-go/aws/session"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
 )
 const (
@@ -42,8 +42,8 @@ const (
 const (
 docPath = "instance-identity/document"
 sigPath = "instance-identity/signature"
- //https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html
- //The following AWS public certificate is for all AWS Regions, except Hong Kong, Bahrain, China, and GovCloud.
+ // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html
+ // The following AWS public certificate is for all AWS Regions, except Hong Kong, Bahrain, China, and GovCloud.
 awsCACertPEM = `-----BEGIN CERTIFICATE-----
 MIIDIjCCAougAwIBAgIJAKnL4UEDMN/FMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
 BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgw
@@ -134,12 +134,12 @@ func (a *Attestor) getIID() error {
 svc := ec2metadata.New(&a.session, a.conf)
 iid, err := svc.GetDynamicData(docPath)
 if err != nil {
- return fmt.Errorf("failed to get instance identity document: %v", err)
+ return fmt.Errorf("failed to get instance identity document: %w", err)
 }
 sig, err := svc.GetDynamicData(sigPath)
 if err != nil {
- return fmt.Errorf("failed to get signature: %v", err)
+ return fmt.Errorf("failed to get signature: %w", err)
 }
 a.RawIID = iid
@@ -147,7 +147,7 @@ func (a *Attestor) getIID() error {
 err = json.Unmarshal([]byte(a.RawIID), &a.EC2InstanceIdentityDocument)
 if err != nil {
- return fmt.Errorf("failed to unmarshal iid: %v", err)
+ return fmt.Errorf("failed to unmarshal iid: %w", err)
 }
 return nil
@@ -161,17 +161,17 @@ func (a *Attestor) Verify() error {
 docHash := sha256.Sum256([]byte(a.RawIID))
 sigBytes, err := base64.StdEncoding.DecodeString(a.RawSig)
 if err != nil {
- return fmt.Errorf("failed to decode signature: %v", err)
+ return fmt.Errorf("failed to decode signature: %w", err)
 }
 pubKey, err := getAWSCAPublicKey()
 if err != nil {
- return fmt.Errorf("failed to get AWS public key: %v", err)
+ return fmt.Errorf("failed to get AWS public key: %w", err)
 }
 pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
 if err != nil {
- return fmt.Errorf("failed to marshal public key: %v", err)
+ return fmt.Errorf("failed to marshal public key: %w", err)
 }
 pem := pem.EncodeToMemory(&pem.Block{
@@ -182,12 +182,12 @@ func (a *Attestor) Verify() error {
 a.PublicKey = string(pem)
 if err != nil {
- return fmt.Errorf("failed to encode public key: %v", err)
+ return fmt.Errorf("failed to encode public key: %w", err)
 }
 err = rsa.VerifyPKCS1v15(pubKey, crypto.SHA256, docHash[:], sigBytes)
 if err != nil {
- log.Debugf("(attestation/aws-iid) failed to verify signature: %v", err)
+ log.Debugf("(attestation/aws-iid) failed to verify signature: %w", err)
 return nil
 }
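Review bot: `%w` is interpreted only by fmt.Errorf, so in the changed line `log.Debugf("(attestation/aws-iid) failed to verify signature: %w", err)` the verb reaches a Sprintf-style formatter and, unless the project's log package rewrites it, prints as `%!w(...)` rather than the error text; `go vet`'s printf check reports this wherever it can see through the wrapper. The same substitution is made in every log.Debugf/Warnf/Errorf call in this commit — the Subjects hunk below, tracing_linux.go, context.go, gcp-iit.go, github.go, gitlab.go, maven.go, oci.go and sarif.go — so keep `%v` for logging and reserve `%w` for fmt.Errorf, as the comment added in gcp-iit.go already does for status.Errorf. Separately, the `if err != nil` around the changed "failed to encode public key" return follows `pem.EncodeToMemory`, which returns no error, so err is still the nil left by the preceding MarshalPKIXPublicKey check and that branch is dead. The same hunk also shows a failed rsa.VerifyPKCS1v15 being logged at debug level and followed by `return nil`, which reports an instance identity document whose signature did not verify as success; if that is deliberate it deserves a comment, otherwise returning the error is the safer default.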
@@ -200,25 +200,25 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.EC2InstanceIdentityDocument.InstanceID), hashes); err == nil {
 subjects[fmt.Sprintf("instanceid:%s", a.EC2InstanceIdentityDocument.InstanceID)] = ds
 } else {
- log.Debugf("(attestation/aws) failed to record aws instanceid subject: %v", err)
+ log.Debugf("(attestation/aws) failed to record aws instanceid subject: %w", err)
 }
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.EC2InstanceIdentityDocument.AccountID), hashes); err == nil {
 subjects[fmt.Sprintf("accountid:%s", a.EC2InstanceIdentityDocument.AccountID)] = ds
 } else {
- log.Debugf("(attestation/aws) failed to record aws accountid subject: %v", err)
+ log.Debugf("(attestation/aws) failed to record aws accountid subject: %w", err)
 }
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.EC2InstanceIdentityDocument.ImageID), hashes); err == nil {
 subjects[fmt.Sprintf("imageid:%s", a.EC2InstanceIdentityDocument.ImageID)] = ds
 } else {
- log.Debugf("(attestation/aws) failed to record aws imageid subject: %v", err)
+ log.Debugf("(attestation/aws) failed to record aws imageid subject: %w", err)
 }
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.EC2InstanceIdentityDocument.PrivateIP), hashes); err == nil {
 subjects[fmt.Sprintf("privateip:%s", a.EC2InstanceIdentityDocument.PrivateIP)] = ds
 } else {
- log.Debugf("(attestation/aws) failed to record aws privateip subject: %v", err)
+ log.Debugf("(attestation/aws) failed to record aws privateip subject: %w", err)
 }
 return subjects
@@ -232,7 +232,7 @@ func getAWSCAPublicKey() (*rsa.PublicKey, error) {
 cert, err := x509.ParseCertificate(block.Bytes)
 if err != nil {
- return nil, fmt.Errorf("failed to parse certificate: %v", err)
+ return nil, fmt.Errorf("failed to parse certificate: %w", err)
 }
 return cert.PublicKey.(*rsa.PublicKey), nil
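Review bot: `cert.PublicKey.(*rsa.PublicKey)` on the last line of the getAWSCAPublicKey hunk is an unchecked type assertion, so a non-RSA key in the embedded certificate would panic instead of reaching the error path the hunk just changed; use the two-value form, `rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)` / `if !ok { return nil, fmt.Errorf("unexpected public key type %T", cert.PublicKey) }` / `return rsaKey, nil`. With the certificate hardcoded this cannot trigger today, but it keeps the function total if the PEM is ever replaced or made configurable.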
diff --git a/attestation/aws-iid/aws-iid_test.go b/attestation/aws-iid/aws-iid_test.go
index 870a9b17..bcda075b 100644
--- a/attestation/aws-iid/aws-iid_test.go
+++ b/attestation/aws-iid/aws-iid_test.go
@@ -24,14 +24,14 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/cryptoutil"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/cryptoutil"
 )
 const iid = `{
 "devpayProductCodes" : null,
- "marketplaceProductCodes" : [ "1abc2defghijklm3nopqrs4tu" ],
+ "marketplaceProductCodes" : [ "1abc2defghijklm3nopqrs4tu" ],
 "availabilityZone" : "us-west-2b",
 "privateIp" : "10.158.112.84",
 "version" : "2017-09-30",
diff --git a/attestation/collection.go b/attestation/collection.go
index 2697a81e..9add8895 100644
--- a/attestation/collection.go
+++ b/attestation/collection.go
@@ -19,7 +19,7 @@ import (
 "fmt"
 "time"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 const CollectionType = "https://witness.testifysec.com/attestation-collection/v0.1"
diff --git a/attestation/commandrun/commandrun.go b/attestation/commandrun/commandrun.go
index ff6675c6..5379700e 100644
--- a/attestation/commandrun/commandrun.go
+++ b/attestation/commandrun/commandrun.go
@@ -20,9 +20,9 @@ import (
 "os"
 "os/exec"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/attestation/environment"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation/environment"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 const (
diff --git a/attestation/commandrun/tracing_linux.go b/attestation/commandrun/tracing_linux.go
index c9e63dc2..53d20d3d 100644
--- a/attestation/commandrun/tracing_linux.go
+++ b/attestation/commandrun/tracing_linux.go
@@ -26,10 +26,10 @@ import (
 "strconv"
 "strings"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/attestation/environment"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation/environment"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
 "golang.org/x/sys/unix"
 )
@@ -112,12 +112,12 @@ func (p *ptraceContext) runTrace() error {
 if status.Stopped() && isPtraceTrap {
 injectedSig = 0
 if err := p.nextSyscall(pid); err != nil {
- log.Debugf("(tracing) got error while processing syscall: %v", err)
+ log.Debugf("(tracing) got error while processing syscall: %w", err)
 }
 }
 if err := unix.PtraceSyscall(pid, injectedSig); err != nil {
- log.Debugf("(tracing) got error from ptrace syscall: %v", err)
+ log.Debugf("(tracing) got error from ptrace syscall: %w", err)
 }
 }
 }
diff --git a/attestation/commandrun/tracing_linux_test.go b/attestation/commandrun/tracing_linux_test.go
index 188d21b6..5a5f2676 100644
--- a/attestation/commandrun/tracing_linux_test.go
+++ b/attestation/commandrun/tracing_linux_test.go
@@ -31,7 +31,7 @@ TracerPid: 0
 Uid: 0 0 0 0
 Gid: 0 0 0 0
 FDSize: 64
-Groups:
+Groups:
 NStgid: 214
 NSpid: 214
 NSpgid: 0
diff --git a/attestation/commandrun/tracing_unsupported.go b/attestation/commandrun/tracing_unsupported.go
index 23023c72..55353dc1 100644
--- a/attestation/commandrun/tracing_unsupported.go
+++ b/attestation/commandrun/tracing_unsupported.go
@@ -20,7 +20,7 @@ import (
 "errors"
 "os/exec"
- "github.com/testifysec/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation"
 )
 func enableTracing(c *exec.Cmd) {
diff --git a/attestation/context.go b/attestation/context.go
index 80bab148..748829c5 100644
--- a/attestation/context.go
+++ b/attestation/context.go
@@ -21,8 +21,8 @@ import (
 "os"
 "time"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
 )
 type RunType string
@@ -185,7 +185,7 @@ func (ctx *AttestationContext) runAttestor(attestor Attestor) error {
 log.Infof("Starting %v attestor...", attestor.Name())
 startTime := time.Now()
 if err := attestor.Attest(ctx); err != nil {
- log.Errorf("Error running %v attestor: %v", attestor.Name(), err)
+ log.Errorf("Error running %v attestor: %w", attestor.Name(), err)
 ctx.completedAttestors = append(ctx.completedAttestors, CompletedAttestor{
 Attestor: attestor,
 StartTime: startTime,
diff --git a/attestation/environment/environment.go b/attestation/environment/environment.go
index e27d056b..bb3e3d96 100644
--- a/attestation/environment/environment.go
+++ b/attestation/environment/environment.go
@@ -20,7 +20,7 @@ import (
 "runtime"
 "strings"
- "github.com/testifysec/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation"
 )
 const (
diff --git a/attestation/environment/environment_test.go b/attestation/environment/environment_test.go
index 7a86ef58..b958cd32 100644
--- a/attestation/environment/environment_test.go
+++ b/attestation/environment/environment_test.go
@@ -18,8 +18,8 @@ import (
 "os"
 "testing"
+ "github.com/in-toto/go-witness/attestation"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/attestation"
 )
 func TestEnvironment(t *testing.T) {
diff --git a/attestation/factory.go b/attestation/factory.go
index cfcf2cc6..abc0bb4d 100644
--- a/attestation/factory.go
+++ b/attestation/factory.go
@@ -17,8 +17,8 @@ package attestation
 import (
 "fmt"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/registry"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/registry"
 )
 var (
@@ -35,7 +35,7 @@ type Attestor interface {
 }
 // Subjecter allows attestors to expose bits of information that will be added to
-// the in-toto statement as subjects. External services such as Rekor and Archivist
+// the in-toto statement as subjects. External services such as Rekor and Archivista
 // use in-toto subjects as indexes back to attestations.
 type Subjecter interface {
 Subjects() map[string]cryptoutil.DigestSet
diff --git a/attestation/file/file.go b/attestation/file/file.go
index 4b648c7f..40752b28 100644
--- a/attestation/file/file.go
+++ b/attestation/file/file.go
@@ -21,8 +21,8 @@ import (
 "path/filepath"
 "github.com/edwarnicke/gitoid"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
 )
 // recordArtifacts will walk basePath and record the digests of each file with each of the functions in hashes.
diff --git a/attestation/file/file_test.go b/attestation/file/file_test.go
index a4269bf1..9f4dc0da 100644
--- a/attestation/file/file_test.go
+++ b/attestation/file/file_test.go
@@ -20,8 +20,8 @@ import (
 "path/filepath"
 "testing"
+ "github.com/in-toto/go-witness/cryptoutil"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/cryptoutil"
 )
 func TestBrokenSymlink(t *testing.T) {
diff --git a/attestation/gcp-iit/gcp-iit.go b/attestation/gcp-iit/gcp-iit.go
index d970acc8..84ea433d 100644
--- a/attestation/gcp-iit/gcp-iit.go
+++ b/attestation/gcp-iit/gcp-iit.go
@@ -22,10 +22,10 @@ import (
 "net/url"
 "strings"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/attestation/jwt"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation/jwt"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/status"
 )
@@ -102,6 +102,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 tokenURL := identityTokenURL(defaultIdentityTokenHost, defaultServiceAccount)
 identityToken, err := getMetadata(tokenURL)
 if err != nil {
+ // status.Errorf does not support %w directive
 return status.Errorf(codes.Internal, "unable to retrieve valid identity token: %v", err)
 }
@@ -150,7 +151,7 @@ func (a *Attestor) getInstanceData() {
 for k, v := range endpoints {
 data, err := getMetadata(v)
 if err != nil {
- log.Warnf("failed to retrieve gcp metadata from %v: %v", v, err)
+ log.Warnf("failed to retrieve gcp metadata from %v: %w", v, err)
 continue
 }
 metadata[k] = string(data)
@@ -165,7 +166,7 @@ func (a *Attestor) getInstanceData() {
 projID, projNum, err := parseJWTProjectInfo(a.JWT)
 if err != nil {
- log.Warnf("unable to parse gcp project info from JWT: %v\n", err)
+ log.Warnf("unable to parse gcp project info from JWT: %w\n", err)
 }
 a.ProjectID = projID
@@ -179,31 +180,31 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.InstanceID), hashes); err == nil {
 subjects[fmt.Sprintf("instanceid:%v", a.InstanceID)] = ds
 } else {
- log.Debugf("(attestation/gcp) failed to record gcp instanceid subject: %v", err)
+ log.Debugf("(attestation/gcp) failed to record gcp instanceid subject: %w", err)
 }
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.InstanceHostname), hashes); err == nil {
 subjects[fmt.Sprintf("instancename:%v", a.InstanceHostname)] = ds
 } else {
- log.Debugf("(attestation/gcp) failed to record gcp instancename subject: %v", err)
+ log.Debugf("(attestation/gcp) failed to record gcp instancename subject: %w", err)
 }
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.ProjectID), hashes); err == nil {
 subjects[fmt.Sprintf("projectid:%v", a.ProjectID)] = ds
 } else {
- log.Debugf("(attestation/gcp) failed to record gcp projectid subject: %v", err)
+ log.Debugf("(attestation/gcp) failed to record gcp projectid subject: %w", err)
 }
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.ProjectNumber), hashes); err == nil {
 subjects[fmt.Sprintf("projectnumber:%v", a.ProjectNumber)] = ds
 } else {
- log.Debugf("(attestation/gcp) failed to record gcp projectnumber subject: %v", err)
+ log.Debugf("(attestation/gcp) failed to record gcp projectnumber subject: %w", err)
 }
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.ClusterUID), hashes); err == nil {
 subjects[fmt.Sprintf("clusteruid:%v", a.ClusterUID)] = ds
 } else {
- log.Debugf("(attestation/gcp) failed to record gcp clusteruid subject: %v", err)
+ log.Debugf("(attestation/gcp) failed to record gcp clusteruid subject: %w", err)
 }
 return subjects
diff --git a/attestation/git/git.go b/attestation/git/git.go
index 2978b4d7..1a92634e 100644
--- a/attestation/git/git.go
+++ b/attestation/git/git.go
@@ -23,8 +23,8 @@ import (
 "github.com/go-git/go-git/v5"
 "github.com/go-git/go-git/v5/plumbing"
 "github.com/go-git/go-git/v5/plumbing/object"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 const (
diff --git a/attestation/git/git_test.go b/attestation/git/git_test.go
index c4d93dc4..30c06944 100644
--- a/attestation/git/git_test.go
+++ b/attestation/git/git_test.go
@@ -26,8 +26,8 @@ import (
 "github.com/go-git/go-git/v5"
 "github.com/go-git/go-git/v5/plumbing"
 "github.com/go-git/go-git/v5/plumbing/object"
+ "github.com/in-toto/go-witness/attestation"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/attestation"
 )
 func TestNew(t *testing.T) {
diff --git a/attestation/github/github.go b/attestation/github/github.go
index ef394210..c768e3b7 100644
--- a/attestation/github/github.go
+++ b/attestation/github/github.go
@@ -26,10 +26,10 @@ import (
 "strings"
 "github.com/davecgh/go-spew/spew"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/attestation/jwt"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation/jwt"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
 )
 const (
@@ -140,13 +140,13 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 if pipelineSubj, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.PipelineUrl), hashes); err == nil {
 subjects[fmt.Sprintf("pipelineurl:%v", a.PipelineUrl)] = pipelineSubj
 } else {
- log.Debugf("(attestation/github) failed to record github pipelineurl subject: %v", err)
+ log.Debugf("(attestation/github) failed to record github pipelineurl subject: %w", err)
 }
 if projectSubj, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.ProjectUrl), hashes); err == nil {
 subjects[fmt.Sprintf("projecturl:%v", a.ProjectUrl)] = projectSubj
 } else {
- log.Debugf("(attestation/github) failed to record github projecturl subject: %v", err)
+ log.Debugf("(attestation/github) failed to record github projecturl subject: %w", err)
 }
 return subjects
diff --git a/attestation/gitlab/gitlab.go b/attestation/gitlab/gitlab.go
index ba0b9517..b9663b0a 100644
--- a/attestation/gitlab/gitlab.go
+++ b/attestation/gitlab/gitlab.go
@@ -20,10 +20,10 @@ import (
 "os"
 "strings"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/attestation/jwt"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation/jwt"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
 )
 const (
@@ -122,19 +122,19 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.PipelineUrl), hashes); err == nil {
 subjects[fmt.Sprintf("pipelineurl:%v", a.PipelineUrl)] = ds
 } else {
- log.Debugf("(attestation/gitlab) failed to record gitlab pipelineurl subject: %v", err)
+ log.Debugf("(attestation/gitlab) failed to record gitlab pipelineurl subject: %w", err)
 }
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.JobUrl), hashes); err == nil {
 subjects[fmt.Sprintf("joburl:%v", a.JobUrl)] = ds
 } else {
- log.Debugf("(attestation/gitlab) failed to record gitlab joburl subject: %v", err)
+ log.Debugf("(attestation/gitlab) failed to record gitlab joburl subject: %w", err)
 }
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(a.ProjectUrl), hashes); err == nil {
 subjects[fmt.Sprintf("projecturl:%v", a.ProjectUrl)] = ds
 } else {
- log.Debugf("(attestation/gitlab) failed to record gitlab projecturl subject: %v", err)
+ log.Debugf("(attestation/gitlab) failed to record gitlab projecturl subject: %w", err)
 }
 return subjects
diff --git a/attestation/jwt/jwt.go b/attestation/jwt/jwt.go
index 56952543..1eb2ca12 100644
--- a/attestation/jwt/jwt.go
+++ b/attestation/jwt/jwt.go
@@ -19,7 +19,7 @@ import (
 "fmt"
 "net/http"
- "github.com/testifysec/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation"
 "gopkg.in/square/go-jose.v2"
 "gopkg.in/square/go-jose.v2/jwt"
 )
diff --git a/attestation/material/material.go b/attestation/material/material.go
index 84394d33..458515a1 100644
--- a/attestation/material/material.go
+++ b/attestation/material/material.go
@@ -17,9 +17,9 @@ package material
 import (
 "encoding/json"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/attestation/file"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation/file"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 const (
diff --git a/attestation/maven/maven.go b/attestation/maven/maven.go
index 801852a8..9e50034d 100644
--- a/attestation/maven/maven.go
+++ b/attestation/maven/maven.go
@@ -21,9 +21,9 @@ import (
 "io"
 "os"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
 )
 const (
@@ -121,14 +121,14 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 if ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(projectSubject), hashes); err == nil {
 subjects[projectSubject] = ds
 } else {
- log.Debugf("(attestation/maven) failed to record %v subject: %v", projectSubject, err)
+ log.Debugf("(attestation/maven) failed to record %v subject: %w", projectSubject, err)
 }
 for _, dep := range a.Dependencies {
 depSubject := fmt.Sprintf("dependency:%v/%v@%v", dep.GroupId, dep.ArtifactId, dep.Version)
 depDigest, err := cryptoutil.CalculateDigestSetFromBytes([]byte(depSubject), hashes)
 if err != nil {
- log.Debugf("(attestation/maven) failed to record %v subject: %v", depSubject, err)
+ log.Debugf("(attestation/maven) failed to record %v subject: %w", depSubject, err)
 }
 subjects[depSubject] = depDigest
diff --git a/attestation/maven/maven_test.go b/attestation/maven/maven_test.go
index ab1df6b9..9934433e 100644
--- a/attestation/maven/maven_test.go
+++ b/attestation/maven/maven_test.go
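Review bot: In the dependency loop of the maven Subjects hunk, the changed `log.Debugf("(attestation/maven) failed to record %v subject: %w", depSubject, err)` is not followed by `continue`, so `subjects[depSubject] = depDigest` still executes on the error path and records whatever CalculateDigestSetFromBytes returned alongside the error, presumably an empty digest set, unlike the project-subject branch just above it that only stores on success. Add `continue` after the log call so a failed digest never becomes a subject of the attestation. The loop body continues past the end of the hunk.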
@@ -19,9 +19,9 @@ import (
 "path/filepath"
 "testing"
+ "github.com/in-toto/go-witness/attestation"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/attestation"
 )
 func writeTempPomXml(t *testing.T) (string, error) {
diff --git a/attestation/oci/oci.go b/attestation/oci/oci.go
index de8f3386..0f6dcb93 100644
--- a/attestation/oci/oci.go
+++ b/attestation/oci/oci.go
@@ -26,9 +26,9 @@ import (
 "os"
 "strings"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
 )
 const (
@@ -99,7 +99,7 @@ func (m *Manifest) getImageID(ctx *attestation.AttestationContext, tarFilePath s
 imageID, err := cryptoutil.CalculateDigestSetFromBytes(b, ctx.Hashes())
 if err != nil {
- log.Debugf("(attestation/oci) error calculating image id: %v", err)
+ log.Debugf("(attestation/oci) error calculating image id: %w", err)
 return nil, err
 }
@@ -127,18 +127,18 @@ func (a *Attestor) RunType() attestation.RunType {
 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 if err := a.getCandidate(ctx); err != nil {
- log.Debugf("(attestation/oci) error getting candidate: %v", err)
+ log.Debugf("(attestation/oci) error getting candidate: %w", err)
 return err
 }
 if err := a.parseMaifest(ctx); err != nil {
- log.Debugf("(attestation/oci) error parsing manifest: %v", err)
+ log.Debugf("(attestation/oci) error parsing manifest: %w", err)
 return err
 }
 imageID, err := a.Manifest[0].getImageID(ctx, a.tarFilePath)
 if err != nil {
- log.Debugf("(attestation/oci) error getting image id: %v", err)
+ log.Debugf("(attestation/oci) error getting image id: %w", err)
 return err
 }
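Review bot: `imageID, err := a.Manifest[0].getImageID(ctx, a.tarFilePath)` in the Attest hunk indexes the manifest without a length check; unless parseMaifest (outside the hunk) guarantees at least one entry, an image tarball whose manifest.json is an empty list would panic inside the attestor instead of returning an error. A guard before the call, `if len(a.Manifest) == 0 { return fmt.Errorf("(attestation/oci) manifest contains no entries") }`, keeps that failure on the same error path as the surrounding changed lines. Attest continues past the end of the hunk.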
@@ -241,7 +241,7 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 for _, tag := range a.ImageTags {
 hash, err := cryptoutil.CalculateDigestSetFromBytes([]byte(tag), hashes)
 if err != nil {
- log.Debugf("(attestation/oci) error calculating image tag: %v", err)
+ log.Debugf("(attestation/oci) error calculating image tag: %w", err)
 continue
 }
 subj[fmt.Sprintf("imagetag:%s", tag)] = hash
diff --git a/attestation/oci/oci_test.go b/attestation/oci/oci_test.go
index 4b75a125..faca7495 100644
--- a/attestation/oci/oci_test.go
+++ b/attestation/oci/oci_test.go
@@ -20,9 +20,9 @@ import (
 "os"
 "testing"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/cryptoutil"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/cryptoutil"
 )
 type testProducter struct {
diff --git a/attestation/product/product.go b/attestation/product/product.go
index 3ef24571..1754d841 100644
--- a/attestation/product/product.go
+++ b/attestation/product/product.go
@@ -24,10 +24,10 @@ import (
 "path/filepath"
 "github.com/gobwas/glob"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/attestation/file"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/registry"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation/file"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/registry"
 )
 const (
diff --git a/attestation/product/product_test.go b/attestation/product/product_test.go
index 76502b74..21aead8a 100644
--- a/attestation/product/product_test.go
+++ b/attestation/product/product_test.go
@@ -23,10 +23,10 @@ import (
 "strings"
 "testing"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/cryptoutil"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/cryptoutil"
 )
 func TestFromDigestMap(t *testing.T) {
diff --git a/attestation/sarif/sarif.go b/attestation/sarif/sarif.go
index c5e09972..1dac7d87 100644
--- a/attestation/sarif/sarif.go
+++ b/attestation/sarif/sarif.go
@@ -21,10 +21,10 @@ import (
 "os"
 "strings"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
 "github.com/owenrumney/go-sarif/sarif"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
 )
 const (
@@ -71,7 +71,7 @@ func (a *Attestor) RunType() attestation.RunType {
 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 if err := a.getCandidate(ctx); err != nil {
- log.Debugf("(attestation/sarif) error getting candidate: %v", err)
+ log.Debugf("(attestation/sarif) error getting candidate: %w", err)
 return err
 }
@@ -113,7 +113,7 @@ func (a *Attestor) getCandidate(ctx *attestation.AttestationContext) error {
 //check to see if we can unmarshal into sarif type
 if err := json.Unmarshal(reportBytes, &a.Report); err != nil {
- log.Debugf("(attestation/sarif) error unmarshaling report: %v", err)
+ log.Debugf("(attestation/sarif) error unmarshaling report: %w", err)
 continue
 }
diff --git a/dsse/dsse_test.go b/dsse/dsse_test.go
index 1df34b3f..7a63e251 100644
--- a/dsse/dsse_test.go
+++ b/dsse/dsse_test.go
@@ -28,9 +28,9 @@ import (
 "testing"
 "time"
+ "github.com/in-toto/go-witness/cryptoutil"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/cryptoutil"
 )
 func createRsaKey() (*rsa.PrivateKey, *rsa.PublicKey, error) {
diff --git a/dsse/sign.go b/dsse/sign.go
index 570934a3..25b958ec 100644
--- a/dsse/sign.go
+++ b/dsse/sign.go
@@ -21,7 +21,7 @@ import (
 "fmt"
 "io"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 type Timestamper interface {
diff --git a/dsse/verify.go b/dsse/verify.go
index f1a90393..b74c24ed 100644
--- a/dsse/verify.go
+++ b/dsse/verify.go
@@ -21,7 +21,7 @@ import (
 "io"
 "time"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 type TimestampVerifier interface {
diff --git a/go.mod b/go.mod
index 6d6c876c..d8e42716 100644
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,4 @@
-module github.com/testifysec/go-witness
+module github.com/in-toto/go-witness
 go 1.19
@@ -7,52 +7,53 @@ require (
 github.com/digitorus/pkcs7 v0.0.0-20230220124406-51331ccfc40f
 github.com/digitorus/timestamp v0.0.0-20230220124323-d542479a2425
 github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d
- github.com/go-git/go-git/v5 v5.5.2
+ github.com/go-git/go-git/v5 v5.11.0
+ github.com/in-toto/archivista v0.2.0
 github.com/mattn/go-isatty v0.0.20
 github.com/open-policy-agent/opa v0.49.2
 github.com/owenrumney/go-sarif v1.1.1
 github.com/spiffe/go-spiffe/v2 v2.1.6
 github.com/stretchr/testify v1.8.4
- github.com/testifysec/archivista-api v0.0.0-20230220215059-632b84b82b76
 go.step.sm/crypto v0.25.2
- golang.org/x/sys v0.13.0
+ golang.org/x/sys v0.15.0
 google.golang.org/grpc v1.56.3
 gopkg.in/square/go-jose.v2 v2.6.0
- k8s.io/apimachinery v0.26.11
+ k8s.io/apimachinery v0.26.12
 )
 require (
+ dario.cat/mergo v1.0.0 // indirect
 filippo.io/edwards25519 v1.0.0 // indirect
 github.com/agnivade/levenshtein v1.1.1 // indirect
- github.com/cloudflare/circl v1.3.3 // indirect
+ github.com/cloudflare/circl v1.3.7 // indirect
 github.com/coreos/go-oidc/v3 v3.5.0 // indirect
+ github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 github.com/dustin/go-humanize v1.0.1 // indirect
 github.com/go-jose/go-jose/v3 v3.0.1 // indirect
- github.com/go-logr/logr v1.2.3 // indirect
+ github.com/go-logr/logr v1.2.4 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/google/flatbuffers v2.0.8+incompatible // indirect
 github.com/google/go-containerregistry v0.13.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
- github.com/kr/pretty v0.3.0 // indirect
 github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
- github.com/pjbgf/sha1cd v0.2.3 // indirect
+ github.com/pjbgf/sha1cd v0.3.0 // indirect
 github.com/pkg/errors v0.9.1 // indirect
- github.com/rogpeppe/go-internal v1.8.0 // indirect
 github.com/segmentio/ksuid v1.0.4 // indirect
- github.com/skeema/knownhosts v1.1.0 // indirect
+ github.com/skeema/knownhosts v1.2.1 // indirect
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 github.com/zclconf/go-cty v1.12.1 // indirect
- golang.org/x/mod v0.8.0 // indirect
+ golang.org/x/mod v0.12.0 // indirect
 golang.org/x/oauth2 v0.7.0 // indirect
- golang.org/x/tools v0.6.0 // indirect
+ golang.org/x/tools v0.13.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 k8s.io/klog/v2 v2.90.0 // indirect
@@ -62,18 +63,16 @@ require (
 )
 require (
- github.com/Microsoft/go-winio v0.6.0 // indirect
+ github.com/Microsoft/go-winio v0.6.1 // indirect
 github.com/OneOfOne/xxhash v1.2.8 // indirect
- github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
- github.com/acomagu/bufpipe v1.0.3 // indirect
+ github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
 github.com/aws/aws-sdk-go v1.44.334
 github.com/emirpasic/gods v1.18.1 // indirect
 github.com/ghodss/yaml v1.0.0 // indirect
- github.com/go-git/gcfg v1.5.0 // indirect
- github.com/go-git/go-billy/v5 v5.4.1 // indirect
+ github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+ github.com/go-git/go-billy/v5 v5.5.0 // indirect
 github.com/gobwas/glob v0.2.3
 github.com/golang/protobuf v1.5.3 // indirect
- github.com/imdario/mergo v0.3.13 // indirect
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 github.com/kevinburke/ssh_config v1.2.0 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -87,10 +86,10 @@ require (
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/yashtewari/glob-intersection v0.1.0 // indirect
 github.com/zeebo/errs v1.3.0 // indirect
- golang.org/x/crypto v0.14.0 // indirect
- golang.org/x/net v0.17.0 // indirect
- golang.org/x/term v0.13.0 // indirect
- golang.org/x/text v0.13.0 // indirect
+ golang.org/x/crypto v0.17.0 // indirect
+ golang.org/x/net v0.19.0 // indirect
+ golang.org/x/term v0.15.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 google.golang.org/protobuf v1.31.0 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
diff --git a/go.sum b/go.sum
index dea9197c..fdcfeed1 100644
--- a/go.sum
+++ b/go.sum
@@ -1,38 +1,36 @@ cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek= filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= -github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= -github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= -github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4/go.mod h1:UBYPn8k0D56RtnR8RFQMjmh4KrZzWJ5o7Z9SYjossQ8= -github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 h1:wPbRQzjjwFc0ih8puEVAOFGELsn1zoIIYdxvML7mDxA= -github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g= -github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk= -github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4= +github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg= +github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod 
h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= -github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= -github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/aws/aws-sdk-go v1.44.334 h1:h2bdbGb//fez6Sv6PaYv868s9liDeoYM6hYsAqTB4MU= github.com/aws/aws-sdk-go v1.44.334/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= -github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I= -github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= +github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= +github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= 
github.com/coreos/go-oidc/v3 v3.5.0 h1:VxKtbccHZxs8juq7RdJntSqtXFtde9YpNpGn0yqgEHw= github.com/coreos/go-oidc/v3 v3.5.0/go.mod h1:ecXRtV4romGPeO6ieExAsUK9cb/3fp9hXNz1tlv8PIM= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -49,6 +47,7 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d h1:4l+Uq5zFWSagXgGFaKRRVWJrnlzeathyagWgYUltCgY= github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d/go.mod h1:WxWwA3EYuCQjlR5EBUX3uaTS8bh9BOa7BcqVREHQ0uQ= +github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a h1:yDWHCSQ40h88yih2JAcL6Ls/kVkSE8GFACTGVnMPruw= 
@@ -59,23 +58,19 @@ github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY= -github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4= -github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4= -github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E= -github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= -github.com/go-git/go-billy/v5 v5.4.0/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg= -github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4= -github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg= -github.com/go-git/go-git-fixtures/v4 v4.3.1 h1:y5z6dd3qi8Hl+stezc8p3JxDkoTRqMAlKnXHuzrfjTQ= -github.com/go-git/go-git-fixtures/v4 v4.3.1/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo= -github.com/go-git/go-git/v5 v5.5.2 h1:v8lgZa5k9ylUw+OR/roJHTxR4QItsNFI5nKtAXFuynw= -github.com/go-git/go-git/v5 v5.5.2/go.mod h1:BE5hUJ5yaV2YMxhmaP4l6RBQ08kMxKSPD4BlxtH7OjI= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= +github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU= +github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= +github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4= +github.com/go-git/go-git/v5 v5.11.0/go.mod 
h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY= github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= -github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-rod/rod v0.112.6 h1:zMirUmhsBeshMWyf285BD0UGtGq54HfThLDGSjcP3lU= github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= @@ -84,6 +79,7 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= 
@@ -97,8 +93,7 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-containerregistry v0.13.0 h1:y1C7Z3e149OJbOPDBxLYR8ITPz8dTKqQwjErKVHJC8k= github.com/google/go-containerregistry v0.13.0/go.mod h1:J9FQ+eSS4a1aC2GNZxvNpbWhgp0487v+cgiilB4FqDo= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -108,11 +103,10 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 h1:1JYBfzqrWPcCclBwxFCPAou9n+q github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0/go.mod h1:YDZoGHuwE+ov0c8smSH49WLF3F2LaWnYYuDVd+EWrc0= github.com/honeycombio/beeline-go v1.10.0 h1:cUDe555oqvw8oD76BQJ8alk7FP0JZ/M/zXpNvOEDLDc= github.com/honeycombio/libhoney-go v1.16.0 h1:kPpqoz6vbOzgp7jC6SR7SkNj7rua7rgxvznI6M3KdHc= -github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= -github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= +github.com/in-toto/archivista v0.2.0 h1:FViuHMVVETborvOqlmSYdROY8RmX3CO0V0MOhU/Rl20= +github.com/in-toto/archivista v0.2.0/go.mod h1:qt9uN4TkHWUgR5A2wxRqQIBizSl32P2nI2AjESskkr0= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= -github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= 
@@ -126,17 +120,12 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.15.11 h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= -github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= -github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf h1:ndns1qx/5dL43g16EQkPV/i8+b3l5bYQwLeoSBe7tS8= github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf/go.mod h1:aGkAgvWY/IUcVFfuly53REpfv5edu25oij+qHRFaraA= -github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A= -github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= 
@@ -146,16 +135,15 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= github.com/open-policy-agent/opa v0.49.2 h1:n8ntRq/yDWy+cmYaqSLrHXmrT3tX8WlK28vjFQdC6W8= github.com/open-policy-agent/opa v0.49.2/go.mod h1:7L3lN5qe8xboRmEHxC5lGjo5KsRMdK+CCLiFoOCP7rU= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/owenrumney/go-sarif v1.1.1 h1:QNObu6YX1igyFKhdzd7vgzmw7XsWN3/6NMGuDzBgXmE= github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U= -github.com/pjbgf/sha1cd v0.2.3 h1:uKQP/7QOzNtKYH7UTohZLcjF5/55EnTw0jO/Ru4jZwI= -github.com/pjbgf/sha1cd v0.2.3/go.mod h1:HOK9QrgzdHpbc2Kzip0Q1yi3M2MFGPADtR6HjG65m5M= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= +github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 
@@ -166,12 +154,9 @@ github.com/prometheus/common v0.39.0 h1:oOyhkDq05hPZKItWVBkJ6g6AtGxi+fy7F4JvUV8u github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= -github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= -github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/sigstore/fulcio v1.1.0 h1:mzzJ05Ccu8Y2inyioklNvc8MpzlGHxu8YqNeTm0dHfU= 
@@ -179,9 +164,9 @@ github.com/sigstore/fulcio v1.1.0/go.mod h1:zv1ZQTXZbUwQdRwajlQksc34pRas+2aZYpIZ github.com/sigstore/sigstore v1.5.2 h1:rvZSPJDH2ysoc8kjW9v4nv1UX3XwSA8y4x6Dk7hA0D4= github.com/sigstore/sigstore v1.5.2/go.mod h1:wxhp9KoaOpeb1VLKILruD283KJqPSqX+3TuBByVDZ6E= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= -github.com/skeema/knownhosts v1.1.0 h1:Wvr9V0MxhjRbl3f9nMnKnFfiWTJmtECJ9Njkea3ysW0= -github.com/skeema/knownhosts v1.1.0/go.mod h1:sKFq3RD6/TKZkSWn8boUbDC7Qkgcv+8XXijpFO6roag= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ= +github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY= 
@@ -198,8 +183,6 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= -github.com/testifysec/archivista-api v0.0.0-20230220215059-632b84b82b76 h1:GAUgHyg4ss2DDTIYG9RuVxap2smkAGtzpXcOvNxlLic= -github.com/testifysec/archivista-api v0.0.0-20230220215059-632b84b82b76/go.mod h1:6OYeTa1OOoVuqo9i8t6GAHtwg0CgofZVfwgVt7DgrwI= github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 h1:1i/Afw3rmaR1gF3sfVkG2X6ldkikQwA9zY380LrR5YI= github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4/go.mod h1:vAqWV3zEs89byeFsAYoh/Q14vJTgJkHwnnRCWBBBINY= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= 
@@ -236,17 +219,17 @@ golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= +golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net 
v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -256,13 +239,14 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g= golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= 
@@ -270,37 +254,35 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys 
v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0/go.mod 
h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
@@ -309,15 +291,18 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -338,10 +323,7 @@ gopkg.in/alexcesaro/statsd.v2 v2.0.0 h1:FXkZSCZIH17vLCO5sO2UucTHsH9pc+17F6pl3JVC gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= 
@@ -349,16 +331,14 @@ gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/apimachinery v0.26.11 h1:w//840HHdwSRKqD15j9YX9HLlU6RPlfrvW0xEhLk2+0= -k8s.io/apimachinery v0.26.11/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y= +k8s.io/apimachinery v0.26.12 h1:y+OgufxqLIZtyXIydRhjLBGzrYLF+qwiDdCFXYOjeN4= +k8s.io/apimachinery v0.26.12/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y= k8s.io/klog/v2 v2.90.0 h1:VkTxIV/FjRXn1fgNNcKGM8cfmL1Z33ZjXRTVxKCoF5M= k8s.io/klog/v2 v2.90.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/utils v0.0.0-20230115233650-391b47cb4029 h1:L8zDtT4jrxj+TaQYD0k8KNlr556WaVQylDXswKmX+dE= diff --git a/hack/boilerplate.go.txt b/hack/boilerplate.go.txt index 65b86227..6975adbe 100644 --- a/hack/boilerplate.go.txt +++ b/hack/boilerplate.go.txt 
@@ -12,4 +12,4 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-*/
\ No newline at end of file
+*/
diff --git a/hack/test.token b/hack/test.token
new file mode 100644
index 00000000..fbcb3807
--- /dev/null
+++ b/hack/test.token
@@ -0,0 +1 @@
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmb29iYXIiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsIkVtYWlsIjoidGVzdEBpbi10b3RvLmlvIn0.IswtNc6aJL3zAf-lSGvuz7Okf2tBr-I3ulJ_SRUMt0k
diff --git a/imports.go b/imports.go
index 1fa4afee..3736edf3 100644
--- a/imports.go
+++ b/imports.go
@@ -17,21 +17,21 @@ package witness
 // all of the following imports are here so that each of the package's init functions run appropriately
 import (
 // attestors
- _ "github.com/testifysec/go-witness/attestation/aws-iid"
- _ "github.com/testifysec/go-witness/attestation/commandrun"
- _ "github.com/testifysec/go-witness/attestation/environment"
- _ "github.com/testifysec/go-witness/attestation/gcp-iit"
- _ "github.com/testifysec/go-witness/attestation/git"
- _ "github.com/testifysec/go-witness/attestation/github"
- _ "github.com/testifysec/go-witness/attestation/gitlab"
- _ "github.com/testifysec/go-witness/attestation/jwt"
- _ "github.com/testifysec/go-witness/attestation/maven"
- _ "github.com/testifysec/go-witness/attestation/oci"
- _ "github.com/testifysec/go-witness/attestation/sarif"
+ _ "github.com/in-toto/go-witness/attestation/aws-iid"
+ _ "github.com/in-toto/go-witness/attestation/commandrun"
+ _ "github.com/in-toto/go-witness/attestation/environment"
+ _ "github.com/in-toto/go-witness/attestation/gcp-iit"
+ _ "github.com/in-toto/go-witness/attestation/git"
+ _ "github.com/in-toto/go-witness/attestation/github"
+ _ "github.com/in-toto/go-witness/attestation/gitlab"
+ _ "github.com/in-toto/go-witness/attestation/jwt"
+ _ "github.com/in-toto/go-witness/attestation/maven"
+ _ "github.com/in-toto/go-witness/attestation/oci"
+ _ "github.com/in-toto/go-witness/attestation/sarif"
 // signer providers
- _ "github.com/testifysec/go-witness/signer/file"
- _ "github.com/testifysec/go-witness/signer/fulcio"
- _ "github.com/testifysec/go-witness/signer/spiffe"
- _ "github.com/testifysec/go-witness/signer/vault"
+ _ "github.com/in-toto/go-witness/signer/file"
+ _ "github.com/in-toto/go-witness/signer/fulcio"
+ _ "github.com/in-toto/go-witness/signer/spiffe"
+ _ "github.com/in-toto/go-witness/signer/vault"
 )
diff --git a/intoto/statement.go b/intoto/statement.go
index ee84ff63..6574276e 100644
--- a/intoto/statement.go
+++ b/intoto/statement.go
@@ -16,11 +16,14 @@ package intoto
 import (
 "encoding/json"
- "github.com/testifysec/go-witness/cryptoutil"
+
+ "github.com/in-toto/go-witness/cryptoutil"
 )
-const StatementType = "https://in-toto.io/Statement/v0.1"
-const PayloadType = "application/vnd.in-toto+json"
+const (
+ StatementType = "https://in-toto.io/Statement/v0.1"
+ PayloadType = "application/vnd.in-toto+json"
+)
 type Subject struct {
 Name string `json:"name"`
diff --git a/log/log.go b/log/log.go
index 3949f272..31396dc1 100644
--- a/log/log.go
+++ b/log/log.go
@@ -14,6 +14,10 @@
 package log
+import (
+ "fmt"
+)
+
 var log Logger = SilentLogger{}
 // Logger is used by witness library code to print out relevant information at runtime.
@@ -40,7 +44,8 @@ func GetLogger() Logger {
 }
 func Errorf(format string, args ...interface{}) {
- log.Errorf(format, args...)
+ err := fmt.Errorf(format, args...)
+ log.Error(err)
 }
 func Error(args ...interface{}) {
@@ -48,6 +53,15 @@ func Error(args ...interface{}) {
 }
 func Warnf(format string, args ...interface{}) {
+ // We want to wrap the error if there is one.
+ for _, a := range args {
+ if _, ok := a.(error); ok {
+ err := fmt.Errorf(format, args...)
+ log.Warn(err)
+ return
+ }
+ }
+
 log.Warnf(format, args...)
 }
@@ -56,6 +70,14 @@ func Warn(args ...interface{}) {
 }
 func Debugf(format string, args ...interface{}) {
+ for _, a := range args {
+ if _, ok := a.(error); ok {
+ err := fmt.Errorf(format, args...)
+ log.Debug(err)
+ return
+ }
+ }
+
 log.Debugf(format, args...)
 }
diff --git a/policy/constraints.go b/policy/constraints.go
index d1a5ebf0..b9f92627 100644
--- a/policy/constraints.go
+++ b/policy/constraints.go
@@ -18,7 +18,7 @@ import (
 "fmt"
 "net/url"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 const (
diff --git a/policy/constraints_test.go b/policy/constraints_test.go
index 3afd5cba..83afab6a 100644
--- a/policy/constraints_test.go
+++ b/policy/constraints_test.go
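Review bot: The error-detection loop added to Warnf is repeated verbatim in Debugf in the next hunk, and in both the `a.(error)` assertion only succeeds for a non-nil error, so a call such as `log.Debugf("...: %w", err)` with a nil err falls through to the Logger's Debugf with the `%w` directive intact and will most likely render as `%!w(<nil>)` if that logger formats with fmt. I would pull the scan into one small helper and route Warnf and Debugf through it; Errorf in the previous hunk could use the same helper instead of unconditionally converting every message to an error, which currently changes which Logger method receives plain messages that carry no error at all. The helper and the Warnf shape are sketched below; Debugf follows the same pattern.
```go
// hasErrorArg reports whether any argument is a non-nil error, in which case
// the format may carry a %w directive that only fmt.Errorf understands.
func hasErrorArg(args ...interface{}) bool {
	for _, a := range args {
		if _, ok := a.(error); ok {
			return true
		}
	}
	return false
}

func Warnf(format string, args ...interface{}) {
	if hasErrorArg(args...) {
		log.Warn(fmt.Errorf(format, args...))
		return
	}
	log.Warnf(format, args...)
}

// … unchanged: Debugf mirrors Warnf with log.Debug / log.Debugf …
```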
@@ -28,9 +28,9 @@ import (
 "testing"
 "time"
+ "github.com/in-toto/go-witness/cryptoutil"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/cryptoutil"
 )
 type checkConstraintAttributeCase struct {
diff --git a/policy/errors.go b/policy/errors.go
index 5b4dc8ad..88f1800b 100644
--- a/policy/errors.go
+++ b/policy/errors.go
@@ -19,7 +19,7 @@ import (
 "strings"
 "time"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 type ErrNoAttestations string
diff --git a/policy/policy.go b/policy/policy.go
index c4f57deb..3eddcd94 100644
--- a/policy/policy.go
+++ b/policy/policy.go
@@ -20,10 +20,10 @@ import (
 "crypto/x509"
 "time"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
- "github.com/testifysec/go-witness/source"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
+ "github.com/in-toto/go-witness/source"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -238,7 +238,7 @@ func (step Step) checkFunctionaries(verifiedStatements []source.VerifiedCollecti
 for _, verifier := range verifiedStatement.Verifiers {
 verifierID, err := verifier.KeyID()
 if err != nil {
- log.Debugf("(policy) skipping verifier: could not get key id: %v", err)
+ log.Debugf("(policy) skipping verifier: could not get key id: %w", err)
 continue
 }
diff --git a/policy/policy_test.go b/policy/policy_test.go
index 6e767a20..6b5af3ac 100644
--- a/policy/policy_test.go
+++ b/policy/policy_test.go
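Review bot: The `%w` directive in `log.Debugf("(policy) skipping verifier: could not get key id: %w", err)` only works because the package-level log.Debugf now special-cases error arguments and builds the message with fmt.Errorf; the result is still only logged and never returned, so nothing can unwrap it, and `go vet`'s printf check may report a `%w` used outside an Errorf-style function. Keeping `%v` here is the safer choice unless the wrapped error is actually propagated. The same change appears in the Search hunk of source/verified.go. checkFunctionaries continues outside this hunk.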
@@ -25,13 +25,13 @@ import (
 "testing"
 "time"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation/commandrun"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/intoto"
+ "github.com/in-toto/go-witness/source"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/attestation/commandrun"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/intoto"
- "github.com/testifysec/go-witness/source"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
diff --git a/policy/rego.go b/policy/rego.go
index 6a436399..51e71e81 100644
--- a/policy/rego.go
+++ b/policy/rego.go
@@ -20,9 +20,9 @@ import (
 "encoding/json"
 "fmt"
+ "github.com/in-toto/go-witness/attestation"
 "github.com/open-policy-agent/opa/ast"
 "github.com/open-policy-agent/opa/rego"
- "github.com/testifysec/go-witness/attestation"
 )
 func EvaluateRegoPolicy(attestor attestation.Attestor, policies []RegoPolicy) error {
diff --git a/policy/rego_test.go b/policy/rego_test.go
index 3ae3d373..ab767e9e 100644
--- a/policy/rego_test.go
+++ b/policy/rego_test.go
@@ -17,9 +17,9 @@ package policy
 import (
 "testing"
+ "github.com/in-toto/go-witness/attestation/git"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/attestation/git"
 )
 func TestRegoPolicy(t *testing.T) {
diff --git a/policy/step.go b/policy/step.go
index 15a54001..b1b63ef0 100644
--- a/policy/step.go
+++ b/policy/step.go
@@ -18,8 +18,8 @@ import (
 "fmt"
 "strings"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/source"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/source"
 )
 // +kubebuilder:object:generate=true
diff --git a/run.go b/run.go
index d9c489b3..b6ccd2ca 100644
--- a/run.go
+++ b/run.go
@@ -19,12 +19,12 @@ import (
 "encoding/json"
 "fmt"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/attestation/environment"
- "github.com/testifysec/go-witness/attestation/git"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/dsse"
- "github.com/testifysec/go-witness/intoto"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/attestation/environment"
+ "github.com/in-toto/go-witness/attestation/git"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/dsse"
+ "github.com/in-toto/go-witness/intoto"
 )
 type runOptions struct {
diff --git a/sign.go b/sign.go
index 8f10a028..c2d0a58e 100644
--- a/sign.go
+++ b/sign.go
@@ -18,7 +18,7 @@ import (
 "encoding/json"
 "io"
- "github.com/testifysec/go-witness/dsse"
+ "github.com/in-toto/go-witness/dsse"
 )
 func Sign(r io.Reader, dataType string, w io.Writer, opts ...dsse.SignOption) error {
diff --git a/signer/file/file.go b/signer/file/file.go
index a52247f8..f76d8116 100644
--- a/signer/file/file.go
+++ b/signer/file/file.go
@@ -20,9 +20,9 @@ import (
 "fmt"
 "os"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/registry"
- "github.com/testifysec/go-witness/signer"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/registry"
+ "github.com/in-toto/go-witness/signer"
 )
 func init() {
@@ -110,20 +110,20 @@ func New(opts ...Option) FileSignerProvider {
 func (fsp FileSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer, error) {
 keyFile, err := os.Open(fsp.KeyPath)
 if err != nil {
- return nil, fmt.Errorf("failed to open key file: %v", err)
+ return nil, fmt.Errorf("failed to open key file: %w", err)
 }
 defer keyFile.Close()
 key, err := cryptoutil.TryParseKeyFromReader(keyFile)
 if err != nil {
- return nil, fmt.Errorf("failed to load key: %v", err)
+ return nil, fmt.Errorf("failed to load key: %w", err)
 }
 signerOpts := []cryptoutil.SignerOption{}
 if fsp.CertPath != "" {
 leaf, err := loadCert(fsp.CertPath)
 if err != nil {
- return nil, fmt.Errorf("failed to load certificate: %v", err)
+ return nil, fmt.Errorf("failed to load certificate: %w", err)
 }
 signerOpts = append(signerOpts, cryptoutil.SignWithCertificate(leaf))
@@ -134,7 +134,7 @@ func (fsp FileSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer, er
 for _, path := range fsp.IntermediatePaths {
 cert, err := loadCert(path)
 if err != nil {
- return nil, fmt.Errorf("failed to load intermediate: %v", err)
+ return nil, fmt.Errorf("failed to load intermediate: %w", err)
 }
 intermediates = append(intermediates, cert)
@@ -149,7 +149,7 @@ func (fsp FileSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer, er
 func loadCert(path string) (*x509.Certificate, error) {
 certFile, err := os.Open(path)
 if err != nil {
- return nil, fmt.Errorf("failed to load certificate: %v", err)
+ return nil, fmt.Errorf("failed to load certificate: %w", err)
 }
 defer certFile.Close()
diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go
index 7b9e7966..bfc4afed 100644
--- a/signer/fulcio/fulcio.go
+++ b/signer/fulcio/fulcio.go
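Review bot: loadCert's open failure is now wrapped as `failed to load certificate: %w`, and both call sites in Signer (the earlier hunks of this file) wrap that result again, so a missing leaf certificate reads `failed to load certificate: failed to load certificate: open …`, and a missing intermediate reads `failed to load intermediate: failed to load certificate: …`. Make the inner message describe the operation rather than repeat the caller's context, e.g. `return nil, fmt.Errorf("opening certificate %q: %w", path, err)`, or return err unwrapped and let Signer add the context once. loadCert continues outside the hunk.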
@@ -31,16 +31,16 @@ import (
 "strings"
 "time"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/log"
+ "github.com/in-toto/go-witness/registry"
+ "github.com/in-toto/go-witness/signer"
 "github.com/mattn/go-isatty"
 fulciopb "github.com/sigstore/fulcio/pkg/generated/protobuf"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/oauthflow"
 "github.com/sigstore/sigstore/pkg/signature"
 sigo "github.com/sigstore/sigstore/pkg/signature/options"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/log"
- "github.com/testifysec/go-witness/registry"
- "github.com/testifysec/go-witness/signer"
 "google.golang.org/grpc"
 "google.golang.org/grpc/credentials"
 "google.golang.org/grpc/credentials/insecure"
@@ -93,7 +93,7 @@ func init() {
 ),
 registry.StringConfigOption(
 "token",
- "Raw token to use for authentication",
+ "Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path)",
 "",
 func(sp signer.SignerProvider, token string) (signer.SignerProvider, error) {
 fsp, ok := sp.(FulcioSignerProvider)
@@ -114,8 +114,22 @@ func init() {
 if !ok {
 return sp, fmt.Errorf("provided signer provider is not a fulcio signer provider")
 }
+
+ WithOidcRedirectUrl(oidcRedirectUrl)(&fsp)
+ return fsp, nil
+ },
+ ),
+ registry.StringConfigOption(
+ "token-path",
+ "Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token)",
+ "",
+ func(sp signer.SignerProvider, tokenPath string) (signer.SignerProvider, error) {
+ fsp, ok := sp.(FulcioSignerProvider)
+ if !ok {
+ return sp, fmt.Errorf("provided signer provider is not a fulcio signer provider")
+ }
- WithOidcRedirectUrl(oidcRedirectUrl)(&fsp)
+ WithTokenPath(tokenPath)(&fsp)
 return fsp, nil
 },
 ),
@@ -127,6 +141,7 @@ type FulcioSignerProvider struct {
 OidcIssuer string
 OidcClientID string
 Token string
+ TokenPath string
 OidcRedirectUrl string
 }
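Review bot: The new exported field `TokenPath` on FulcioSignerProvider, and the `WithTokenPath` option added in the next hunk, carry no doc comment, so the only place the relationship to `Token` is stated is the CLI help string of the "token-path" option. Add `// TokenPath is the path to a file holding a raw OIDC identity token to present to fulcio; mutually exclusive with Token.` above the field, and `// WithTokenPath sets the path to a file holding a raw OIDC token; it cannot be combined with WithToken.` above the option. The struct declaration continues outside the hunk.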
@@ -156,12 +171,19 @@ func WithToken(tokenOption string) Option {
 }
 }
+
 func WithOidcRedirectUrl(oidcRedirectUrl string) Option {
 return func(fsp *FulcioSignerProvider) {
 fsp.OidcRedirectUrl = oidcRedirectUrl
 }
 }
+func WithTokenPath(tokenPathOption string) Option {
+ return func(fsp *FulcioSignerProvider) {
+ fsp.TokenPath = tokenPathOption
+ }
+}
+
 func New(opts ...Option) FulcioSignerProvider {
 fsp := FulcioSignerProvider{}
 for _, opt := range opts {
@@ -215,7 +237,7 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 var raw string
 switch {
- case fsp.Token == "" && os.Getenv("GITHUB_ACTIONS") == "true":
+ case fsp.Token == "" && fsp.TokenPath == "" && os.Getenv("GITHUB_ACTIONS") == "true":
 tokenURL := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL")
 if tokenURL == "" {
 return nil, errors.New("ACTIONS_ID_TOKEN_REQUEST_URL is not set")
@@ -230,10 +252,18 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 if err != nil {
 return nil, err
 }
-
- case fsp.Token != "":
+ // we want to fail if both flags used (they're mutually exclusive)
+ case fsp.TokenPath != "" && fsp.Token != "":
+ return nil, errors.New("only one of --fulcio-token-path or --fulcio-raw-token can be used")
+ case fsp.Token != "" && fsp.TokenPath == "":
 raw = fsp.Token
+ case fsp.TokenPath != "" && fsp.Token == "":
+ f, err := os.ReadFile(fsp.TokenPath)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read fulcio token from filepath %s: %w", fsp.TokenPath, err)
+ }
+ raw = string(f)
 case fsp.Token == "" && isatty.IsTerminal(os.Stdin.Fd()):
 tok, err := oauthflow.OIDConnect(fsp.OidcIssuer, fsp.OidcClientID, "", fsp.OidcRedirectUrl, oauthflow.DefaultIDTokenGetter)
 if err != nil {
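Review bot: `raw = string(f)` hands the file contents to the JWT parser verbatim, so a token file that ends with a newline (what a shell redirect or most editors produce) will most likely fail in jwt.ParseSigned with the newline attached to the signature segment; `raw = strings.TrimSpace(string(f))` fixes that and strings is already imported by this file. The mutual-exclusion error names `--fulcio-raw-token`, but the option registered in init is "token" and its own help text calls the flag `--fulcio-token`, so the message points users at a flag that, as far as the page shows, does not exist; align it with the real flag, and note that fulcio_test.go asserts on this exact string so both must change together. Signer's body continues on both sides of the hunk.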
@@ -302,7 +332,7 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 func getCert(ctx context.Context, key *rsa.PrivateKey, fc fulciopb.CAClient, token string) (*fulciopb.SigningCertificate, error) {
 t, err := jwt.ParseSigned(token)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("Failed to parse jwt token for fulcio: %w", err)
 }
 var claims struct {
diff --git a/signer/fulcio/fulcio_test.go b/signer/fulcio/fulcio_test.go
index 1a062821..8f5a3dae 100644
--- a/signer/fulcio/fulcio_test.go
+++ b/signer/fulcio/fulcio_test.go
@@ -24,6 +24,7 @@ import (
 "fmt"
 "log"
 "net"
+ "os"
 "strings"
 "testing"
 "time"
@@ -33,6 +34,7 @@ import (
 fulciopb "github.com/sigstore/fulcio/pkg/generated/protobuf"
 "github.com/stretchr/testify/require"
 "go.step.sm/crypto/jose"
+ "path/filepath"
 "google.golang.org/grpc"
 "gopkg.in/square/go-jose.v2/jwt"
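Review bot: The new error string `Failed to parse jwt token for fulcio: %w` starts with a capital letter, unlike the other messages in this file (`failed to read fulcio token from filepath …`), and Go convention keeps error strings lowercase because they are normally embedded in a longer chain. `return nil, fmt.Errorf("parsing jwt token for fulcio: %w", err)` reads cleanly when wrapped by the caller. getCert continues outside the hunk.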
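Review bot: `"path/filepath"` is inserted among the third-party imports after `"go.step.sm/crypto/jose"` instead of in the standard-library group where `"os"` was added in the previous hunk; gofmt/goimports will reorder it on the next touch, so place it with `"net"`, `"os"`, `"strings"` now.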
@@ -198,6 +200,25 @@ func TestSigner(t *testing.T) {
 _, err = provider.Signer(ctx)
 //this should be a tranport err since we cant actually test on 443 which is the default
 require.ErrorContains(t, err, "lookup test")
+
+ // Test signer with token read from file
+ // NOTE: this function could be refactored to accept a fileSystem or io.Reader so reading the file can be mocked,
+ // but unsure if this is the way we want to go for now
+ wd, err := os.Getwd()
+ if err != nil {
+ t.Fatalf("failed to get working directory: %v", err)
+ }
+ rootDir := filepath.Dir(filepath.Dir(wd))
+ tp := filepath.Join(rootDir, "hack", "test.token")
+
+ provider = New(WithFulcioURL(fmt.Sprintf("http://%v:%v", hostname, port)), WithTokenPath(tp))
+ _, err = provider.Signer(ctx)
+ require.NoError(t, err)
+
+ // Test signer with both token read from file and raw token
+ provider = New(WithFulcioURL(fmt.Sprintf("http://%v:%v", hostname, port)), WithTokenPath(tp), WithToken(token))
+ _, err = provider.Signer(ctx)
+ require.ErrorContains(t, err, "only one of --fulcio-token-path or --fulcio-raw-token can be used")
 }
 func generateCertChain(t *testing.T) []string {
diff --git a/signer/registry.go b/signer/registry.go
index a445df31..3c828fde 100644
--- a/signer/registry.go
+++ b/signer/registry.go
@@ -17,13 +17,11 @@ package signer
 import (
 "context"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/registry"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/registry"
 )
-var (
- signerRegistry = registry.New[SignerProvider]()
-)
+var signerRegistry = registry.New[SignerProvider]()
 type SignerProvider interface {
 Signer(context.Context) (cryptoutil.Signer, error)
diff --git a/signer/spiffe/spiffe.go b/signer/spiffe/spiffe.go
index ee76fe6e..34d708e6 100644
--- a/signer/spiffe/spiffe.go
+++ b/signer/spiffe/spiffe.go
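Review bot: The file-based case locates its fixture by walking two directories up from os.Getwd() to hack/test.token, which ties the test to the package's position in the tree and commits a JWT-shaped string that secret scanners will most likely flag even though it is only a fixture. The test already holds a `token` value it passes to WithToken, so write that to a temp file instead: `tp := filepath.Join(t.TempDir(), "test.token")` followed by `require.NoError(t, os.WriteFile(tp, []byte(token), 0o600))`, which removes the committed fixture and the path arithmetic and also makes it easy to add a trailing newline to the file to check that the reader tolerates it. The `require.ErrorContains` on the last line pins the `--fulcio-raw-token` wording, so if that message is corrected in fulcio.go this assertion must follow. TestSigner starts outside the hunk.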
@@ -18,10 +18,10 @@ import (
 "context"
 "fmt"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/registry"
+ "github.com/in-toto/go-witness/signer"
 "github.com/spiffe/go-spiffe/v2/workloadapi"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/registry"
- "github.com/testifysec/go-witness/signer"
 )
 func init() {
diff --git a/signer/vault/signerprovider.go b/signer/vault/signerprovider.go
index 27ec65c6..c6a19da3 100644
--- a/signer/vault/signerprovider.go
+++ b/signer/vault/signerprovider.go
@@ -21,9 +21,9 @@ import (
 "strings"
 "time"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/registry"
- "github.com/testifysec/go-witness/signer"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/registry"
+ "github.com/in-toto/go-witness/signer"
 )
 const (
diff --git a/signer/vault/signerprovider_test.go b/signer/vault/signerprovider_test.go
index c5a2f007..39c44e74 100644
--- a/signer/vault/signerprovider_test.go
+++ b/signer/vault/signerprovider_test.go
@@ -25,9 +25,9 @@ import (
 "testing"
 "time"
+ "github.com/in-toto/go-witness/cryptoutil"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/cryptoutil"
 )
 func createRsaKey() (*rsa.PrivateKey, *rsa.PublicKey, error) {
diff --git a/source/archivista.go b/source/archivista.go
index 66c4ec32..2f74f722 100644
--- a/source/archivista.go
+++ b/source/archivista.go
@@ -17,7 +17,7 @@ package source
 import (
 "context"
- "github.com/testifysec/go-witness/archivista"
+ "github.com/in-toto/go-witness/archivista"
 )
 type ArchivistaSource struct {
diff --git a/source/memory.go b/source/memory.go
index df6e5609..8f7450e7 100644
--- a/source/memory.go
+++ b/source/memory.go
@@ -21,7 +21,7 @@ import (
 "io"
 "os"
- "github.com/testifysec/go-witness/dsse"
+ "github.com/in-toto/go-witness/dsse"
 )
 type ErrDuplicateReference string
diff --git a/source/source.go b/source/source.go
index 7ebd5e41..1aad2bbd 100644
--- a/source/source.go
+++ b/source/source.go
@@ -18,9 +18,9 @@ import (
 "context"
 "encoding/json"
- "github.com/testifysec/go-witness/attestation"
- "github.com/testifysec/go-witness/dsse"
- "github.com/testifysec/go-witness/intoto"
+ "github.com/in-toto/go-witness/attestation"
+ "github.com/in-toto/go-witness/dsse"
+ "github.com/in-toto/go-witness/intoto"
 )
 type CollectionEnvelope struct {
diff --git a/source/verified.go b/source/verified.go
index 7b9c92bb..46fc561e 100644
--- a/source/verified.go
+++ b/source/verified.go
@@ -17,9 +17,9 @@ package source
 import (
 "context"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/dsse"
- "github.com/testifysec/go-witness/log"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/dsse"
+ "github.com/in-toto/go-witness/log"
 )
 type VerifiedCollection struct {
@@ -50,7 +50,7 @@ func (s *VerifiedSource) Search(ctx context.Context, collectionName string, subj
 for _, toVerify := range unverified {
 envelopeVerifiers, err := toVerify.Envelope.Verify(s.verifyOpts...)
 if err != nil {
- log.Debugf("(verified source) skipping envelope: couldn't verify enveloper's signature with the policy's verifiers: %+v", err)
+ log.Debugf("(verified source) skipping envelope: couldn't verify enveloper's signature with the policy's verifiers: %w", err)
 continue
 }
diff --git a/timestamp/tsp.go b/timestamp/tsp.go
index 8e6d1303..e8a1e596 100644
--- a/timestamp/tsp.go
+++ b/timestamp/tsp.go
@@ -26,7 +26,7 @@ import (
 "github.com/digitorus/pkcs7"
 "github.com/digitorus/timestamp"
- "github.com/testifysec/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/cryptoutil"
 )
 type TSPTimestamper struct {
diff --git a/timestamp/tsp_test.go b/timestamp/tsp_test.go
index f9e61757..60698931 100644
--- a/timestamp/tsp_test.go
+++ b/timestamp/tsp_test.go
@@ -20,9 +20,9 @@ import (
 "crypto/x509"
 "testing"
+ "github.com/in-toto/go-witness/cryptoutil"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/testifysec/go-witness/cryptoutil"
 )
 const (
diff --git a/verify.go b/verify.go
index daa91902..bb20df6b 100644
--- a/verify.go
+++ b/verify.go
@@ -21,18 +21,18 @@ import (
 "fmt"
 "io"
- "github.com/testifysec/go-witness/cryptoutil"
- "github.com/testifysec/go-witness/dsse"
- "github.com/testifysec/go-witness/policy"
- "github.com/testifysec/go-witness/source"
- "github.com/testifysec/go-witness/timestamp"
+ "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/dsse"
+ "github.com/in-toto/go-witness/policy"
+ "github.com/in-toto/go-witness/source"
+ "github.com/in-toto/go-witness/timestamp"
 )
 func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelope, error) {
 decoder := json.NewDecoder(r)
 envelope := dsse.Envelope{}
 if err := decoder.Decode(&envelope); err != nil {
- return envelope, fmt.Errorf("failed to parse dsse envelope: %v", err)
+ return envelope, fmt.Errorf("failed to parse dsse envelope: %w", err)
 }
 _, err := envelope.Verify(dsse.VerifyWithVerifiers(verifiers...))
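Review bot: On a decode failure VerifySignature still returns the partially-populated `envelope` next to the now-wrapped error, so a caller that checks the envelope before the error could act on a half-decoded, unverified value. Since the changed line already touches this return, prefer `return dsse.Envelope{}, fmt.Errorf("failed to parse dsse envelope: %w", err)` so the value is meaningless on error, matching the convention the rest of the file's `return nil, …` paths follow. VerifySignature continues outside the hunk.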