Skip to content

Commit

Permalink
Fix initial pre-commit violations (#319)
Browse files Browse the repository at this point in the history
* Fix initial pre-commit violations

---------

Signed-off-by: John Kjell <[email protected]>
  • Loading branch information
jkjell authored Dec 7, 2023
1 parent a56715e commit b19afc8
Show file tree
Hide file tree
Showing 14 changed files with 51 additions and 46 deletions.
2 changes: 2 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,4 +15,6 @@ repos:
rev: v4.4.0
hooks:
- id: end-of-file-fixer
exclude: ^docs/
exclude_types: [markdown]
- id: trailing-whitespace
1 change: 0 additions & 1 deletion CODE_OF_CONDUCT.md
Original file line number Diff line number Diff line change
Expand Up @@ -131,4 +131,3 @@ For answers to common questions about this code of conduct, see the FAQ at
[Mozilla CoC]: https://github.com/mozilla/diversity
[FAQ]: https://www.contributor-covenant.org/faq
[translations]: https://www.contributor-covenant.org/translations

2 changes: 1 addition & 1 deletion MAINTAINERS.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,4 @@
| Cole Kennedy (TestifySec) | [@colek42](https://github.com/colek42) |
| John Kjell (TestifySec) | [@jkjell](https://github.com/jkjell) |
| Mikhail Swift (TestifySec) | [@mikhailswift](https://github.com/mikhailswift) |
| Aditya Sirish (NYU) | [@adityasaky](https://github.com/adityasaky) |
| Aditya Sirish (NYU) | [@adityasaky](https://github.com/adityasaky) |
20 changes: 10 additions & 10 deletions dev/build-and-push-builders.sh
Original file line number Diff line number Diff line change
Expand Up @@ -19,27 +19,27 @@ cd ..
go mod tidy
go mod vendor
make
cd dev
cd dev || exit

RED='\033[0;31m'

sha=$(git rev-parse --short HEAD)
tag=$(git describe --tags $(git rev-list --tags --max-count=1))
imagetag=`echo registry.gitlab.com/testifysec/demos/witness-demo/builder:${tag}-${sha}-golang-1.17.3`
tag=$(git describe --tags "$(git rev-list --tags --max-count=1)")
imagetag=registry.gitlab.com/testifysec/demos/witness-demo/builder:"${tag}"-"${sha}"-golang-1.17.3


docker build -f ./Dockerfile.go-builder -t ${imagetag} ./../
docker push ${imagetag}
docker build -f ./Dockerfile.go-builder -t "${imagetag}" ./../
docker push "${imagetag}"

printf "Published witness image to:\n${RED}${imagetag}\n"
printf "Published witness image to:\n%s%s\n" "${RED}" "${imagetag}"

nodeIDs=($(kubectl -n spire exec -it spire-server-0 -- /opt/spire/bin/spire-server agent list | grep 'spiffe://dev.testifysec.com/spire/agent/gcp_iit' | cut -f 2- -d ':' | tr -d ' ' | tr -d '\r'))
IFS=" " read -r -a nodeIDs <<< "$(kubectl -n spire exec -it spire-server-0 -- /opt/spire/bin/spire-server agent list | grep 'spiffe://dev.testifysec.com/spire/agent/gcp_iit' | cut -f 2- -d ':' | tr -d ' ' | tr -d '\r'))"

for node in ${nodeIDs[@]}; do
for node in "${nodeIDs[@]}"; do
kubectl exec -n spire spire-server-0 -- \
/opt/spire/bin/spire-server entry create \
-parentID ${node} \
-parentID "${node}" \
-spiffeID spiffe://dev.testifysec.com/witness-demo/builder \
-selector k8s:container-image:${imagetag} \
-selector k8s:container-image:"${imagetag}" \
-selector k8s:ns:gitlab-runner
done
2 changes: 2 additions & 0 deletions docgen/verify.sh
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
#!/bin/sh

# Copyright 2021 The Witness Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
Expand Down
2 changes: 1 addition & 1 deletion docs/attestor.md
Original file line number Diff line number Diff line change
@@ -1 +1 @@
# WIP
# WIP
8 changes: 4 additions & 4 deletions docs/policy.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
# Policies

TestifySec Witness policies allow users to make assertions and test attestation collections generated during a `Witness run`.
Examples of when a policy could be enforced include
Examples of when a policy could be enforced include

- within a [Kubernetes admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/)
- at the end of a CI/CD pipeline
- prior to image promotion, or
- prior to image promotion, or
- before deployment to an execution environment.

Policies help you ensure that all expected attestations are within a collection and support embedded
Expand Down Expand Up @@ -35,7 +35,7 @@ Evaluating a Witness policy involves a few different steps:

## Schema

Policies are JSON documents that are signed and wrapped in [DSSE envelopes](https://github.com/secure-systems-lab/dsse). The DSSE payload type will be
Policies are JSON documents that are signed and wrapped in [DSSE envelopes](https://github.com/secure-systems-lab/dsse). The DSSE payload type will be
`https://witness.testifysec.com/policy/v0.1`.

### `policy` Object
Expand Down Expand Up @@ -135,7 +135,7 @@ Example of a constraint that would allow use of any certificate, as long as it b

Rego modules are expected to output a data with the name of `deny` in the case of a rego policy evaluation failure.
`deny` can be a string or an array of strings and should be populated with a human-readable string describing why the
policy was denied. Any other data output by the module will be ignored.
policy was denied. Any other data output by the module will be ignored.

Following is an example output for a valid rego policy:

Expand Down
36 changes: 18 additions & 18 deletions install-witness.sh
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
#!/bin/bash
# Copyright 2023 The Witness Contributors
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#
# http://www.apache.org/licenses/LICENSE-2.0
#
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
Expand All @@ -19,16 +19,16 @@ set -eou pipefail
# Create a temporary directory for downloaded files
TEMPDIR=$(mktemp -d)
# trap syscalls and delete the temporary directory
trap "rm -rf $TEMPDIR" EXIT
trap 'rm -rf $TEMPDIR' EXIT

#install directory should be the first argument or default to /usr/local/bin
INSTALL_DIR=${1:-"/usr/local/bin"}

# resolve symlinks
INSTALL_DIR=$(readlink -f $INSTALL_DIR)
INSTALL_DIR=$(readlink -f "$INSTALL_DIR")

# check for bad install directory
if [ ! -d $INSTALL_DIR ]; then
if [ ! -d "$INSTALL_DIR" ]; then
echo "Install directory $INSTALL_DIR does not exist"
exit 1
fi
Expand All @@ -49,7 +49,7 @@ if [ "$ARCH" == "aarch64" ]; then
fi

### Determine if Arch is supported
if [ $ARCH != "amd64" ] && [ $ARCH != "arm64" ]; then
if [ "$ARCH" != "amd64" ] && [ "$ARCH" != "arm64" ]; then
echo "Unsupported architecture"
exit 1
fi
Expand All @@ -60,7 +60,7 @@ OS=$(uname -s)
OS=$(echo "$OS" | tr '[:upper:]' '[:lower:]')
FILENAME="witness_${VERSION}_${OS}_${ARCH}.tar.gz"
DOWNLOAD_URL="https://github.com/in-toto/witness/releases/download/v$VERSION/$FILENAME"
EXPECTED_CHECKSUM="$(curl -L -s https://github.com/in-toto/witness/releases/download/v$VERSION/witness_${VERSION}_checksums.txt | grep -w "witness_${VERSION}_${OS}_$ARCH.tar.gz$" | awk '{print $1}')"
EXPECTED_CHECKSUM="$(curl -L -s "https://github.com/in-toto/witness/releases/download/v$VERSION/witness_${VERSION}_checksums.txt" | grep -w "witness_${VERSION}_${OS}_$ARCH.tar.gz$" | awk '{print $1}')"
readonly EXPECTED_CHECKSUM EXPECTED_CHECKSUM

echo "Latest version of Witness is $VERSION"
Expand All @@ -70,17 +70,17 @@ echo expected checksum: "$EXPECTED_CHECKSUM"


## Check to see if OS is supported
if [ $OS != "linux" ] && [ $OS != "darwin" ]; then
if [ "$OS" != "linux" ] && [ "$OS" != "darwin" ]; then
echo "Unsupported OS"
exit 1
fi

# Download the binary to the temporary directory
cd $TEMPDIR
curl -s -LO $DOWNLOAD_URL
cd "$TEMPDIR"
curl -s -LO "$DOWNLOAD_URL"

# Verify the checksum
FILE_CHECKSUM=$(sha256sum -b witness_${VERSION}_${OS}_${ARCH}.tar.gz | awk '{print $1}')
FILE_CHECKSUM=$(sha256sum -b "witness_${VERSION}_${OS}_${ARCH}.tar.gz" | awk '{print $1}')

echo file checksum: " $FILE_CHECKSUM"

Expand All @@ -90,19 +90,19 @@ if [ "$EXPECTED_CHECKSUM" != "$FILE_CHECKSUM" ]; then
fi

# Extract and install the binary
tar -xzf witness_${VERSION}_${OS}_${ARCH}.tar.gz
tar -xzf "witness_${VERSION}_${OS}_${ARCH}.tar.gz"

# Check if the user has write permission for /usr/local/bin/witness
if [ -w $INSTALL_DIR ]; then
if [ -w "$INSTALL_DIR" ]; then
# If the user has write permission, move the binary to /usr/local/bin
mv witness $INSTALL_DIR
mv witness "$INSTALL_DIR"
else
# If the user doesn't have write permission, check if the script is running in an interactive terminal
if [ -n "$TERM" ]; then
# If the script is running in an interactive terminal, prompt for sudo and move the binary to /usr/local/bin
echo "You don't have permission to move the file, if you would like to install Witness to ${INSTALL_DIR}, please enter your password."
echo "You can also install Witness to a different directory by running this script with the directory as the first argument."
sudo -v && sudo mv witness $INSTALL_DIR
sudo -v && sudo mv witness "$INSTALL_DIR"
else
# If the script is not running in an interactive terminal, print an error message and exit
echo "You don't have permission to move the file, please run with sudo."
Expand All @@ -112,8 +112,8 @@ fi

# Return to the original directory and remove the temporary directory silently
cd - > /dev/null
rm -rf $TEMPDIR
rm -rf "$TEMPDIR"

# Check if the binary is installed
witness version
echo "Witness v${VERSION} has been installed at ${INSTALL_DIR}/witness"
echo "Witness v${VERSION} has been installed at ${INSTALL_DIR}/witness"
9 changes: 5 additions & 4 deletions test/common.sh
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
#!/bin/sh

# Copyright 2022 The Witness Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
Expand All @@ -12,13 +14,12 @@
# See the License for the specific language governing permissions and
# limitations under the License.

#/bin/sh
checkprograms() {
local result=0
result=0
for prog in "$@"
do
if ! command -v $prog > /dev/null; then
printf "$prog is required to run this script. please ensure if is installed and in your PATH\n"
if ! command -v "$prog" > /dev/null; then
printf "%s is required to run this script. please ensure if is installed and in your PATH\n" "$prog"
result=1
fi
done
Expand Down
3 changes: 2 additions & 1 deletion test/test-oci.sh
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
#!/bin/sh

# Copyright 2022 The Witness Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
Expand All @@ -12,7 +14,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.

#!/bin/sh
set -e

DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
Expand Down
6 changes: 3 additions & 3 deletions test/test.sh
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
#! /bin/sh

# Copyright 2021 The Witness Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
Expand All @@ -12,7 +14,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.

#! /bin/sh
set -e

DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
Expand All @@ -35,8 +36,7 @@ rm -f ./policy-signed.json ./build.attestation.json ./package.attestation.json .
../bin/witness -c test.yaml run -k failkey.pem -o ./fail.attestation.json -- go build -o=testapp .
../bin/witness -c test.yaml run -s package -k ./testkey2.pem -o package.attestation.json -- tar czf ./testapp.tar.tgz ./testapp
set +e
../bin/witness -c test.yaml verify -a ./fail.attestation.json -a ./package.attestation.json
if [ $? -eq 0 ]; then
if ../bin/witness -c test.yaml verify -a ./fail.attestation.json -a ./package.attestation.json; then
echo "expected verify to fail"
exit 1
fi
2 changes: 1 addition & 1 deletion test/test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ sign:
signer-file-key-path: testkey.pem
outfile: policy-signed.json
verify:
attestations:
attestations:
- "build.attestation.json"
- "package.attestation.json"
policy: policy-signed.json
Expand Down
2 changes: 1 addition & 1 deletion test/testkey.pem
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEII9dV22AUVzYNgjrfD2GSDou6dWLKKw+OiG39s/ZcXWi
-----END PRIVATE KEY-----
-----END PRIVATE KEY-----
2 changes: 1 addition & 1 deletion test/testpub.pem
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAf29oPP8UghByG852uBdOxrJKKn7MM5hTbP9esgOZ/k0=
-----END PUBLIC KEY-----
-----END PUBLIC KEY-----

0 comments on commit b19afc8

Please sign in to comment.